Third-party incident response consultants face unique challenges when helping a company respond to an incident. Unlike internal incident responders, you’re unlikely to have full visibility into all of the client’s systems. The client is watching you, concerned about how much they are paying you for each hour that passes before resolution. And your incident response tools must be fast and scalable across many clients and their diverse systems.
In this first of three blog posts, we’ll describe the challenges which both you as consultants and your clients face with deploying incident response infrastructure, and offer an alternative to the kind of heavy infrastructure you may not have the time or funding to deploy.
Endpoint visibility challenges
When you’re first to arrive and assess an incident, you need to start making progress quickly. However, your efforts to limit bad guys’ access and mitigate the damage that has already been done can be slow due to the following factors:
- The client may have limited or no incident response infrastructure.
- Whatever security infrastructure does exist may not be trustworthy if it has been compromised.
- Neither you nor your client’s IT staff may be fully trained in all aspects of how their infrastructure works.
- The client’s IT staff may be unable or unwilling to cooperate.
Infrastructure deployment challenges
Hanging out your shingle as an incident response consultant means you have enough expertise to know which commercial tools get the job done, and how to write your own tools or scripts to backfill gaps. However, not all incident response tools meet your unique needs as a remote responder. That’s because their focus is on continuous monitoring and endpoint threat detection. Consider:
- Many incident response tools were built for enterprises; to maintain visibility on many hundreds of endpoints, therefore, the agents are persistent. Deploying persistent agents to many nodes can be difficult for a consultant to accomplish quickly because they may require lots of configuration and authentication infrastructure, and cause conflicts with other programs that run on the systems. In addition, agents running on all systems at all times could alert bad guys to the investigation.
- Because these tools are built for enterprises, they’re often licensed by the number of endpoints that will have agents deployed to them. This pricing model is challenging for consultants because when you initially purchase the software, you don’t know many agents you’ll need for future investigations.
- If you decide to write your own tools, they may be great at collection, but cannot necessarily scale analysis, be deployed remotely, or have the necessary degree of network access you need to scale.
These challenges can compound one another, slowing an incident response and potentially jeopardizing its effectiveness. To that end, the longer it takes to deploy a response solution, the longer a threat actor can stay active within an organization’s network — and the more damage they can do.
Fast response, fast results
Ensure that you can quickly respond and show your clients results with your own infrastructure that is easy to deploy when time is short and you have little margin for error. Cyber Triage gives you the ability to collect critical data either on site or when assessing the situation from your own office — on demand and without a lengthy testing or approval process, or the potential to affect system performance.
In addition, Cyber Triage’s nonpersistent agents can be pushed to endpoints as needed with the press of a button, and its automated collection, analysis, and review capabilities offer a speedy triage process that not only collects data, but also identifies affected systems faster. This shortens the time to containment and remediation by helping responders to prioritize those systems most in need of forensic analysis.
To learn more about how Cyber Triage meets your needs when responding to client calls, follow the link below.