Every business has a responsibility to its customers, its employees, and itself to keep networks free of potential threats that can put sensitive information at risk. To do so, it must formulate incident response strategies that effectively address and resolve the issues in a timely manner. Whenever there's a network breach of any sort, time is of the essence. After adequate preparation, the containment phase will often vary depending on the nature of the incident.
Effective Strategies for Incident Containment: A Step-by-Step Guide
When you're looking to implement the containment stage, you're seeking to help mitigate risks associated with an incident. There are several steps to take in this phase:
- Focus on short-term containment - during this stage, you want to minimize the immediate impact with a containment strategy. That might mean disabling the ability to share networks or revoking permissions temporarily.
- Back up the System - It's important to back up your system in its current state before making any efforts to recover data. Doing so preserves the forensic data that can help pinpoint the nature of the attack and evidence of who was involved. It's often used in criminal cases and for analysis.
- Take long-term containment initiatives - Once you've carried out the backup for your records and restored your system, it's time to take long-term initiatives that will allow you to resume operations while mitigating future risks. These initiatives could include several actions such as reconfiguring roles and permissions, updating firewall rules, refining server configurations, conducting cybersecurity training, or implementing multi-factor authentication.
Carrying out these steps in order will get you back on par for the next step in the process, which is eradication.
Isolating the Threat: Network Segmentation Best Practices
Network segmentation can help with mitigating risks and containing them before they can do more damage. It involves dividing your network into different segments, each acting individually rather than as a complete system. From there, the network administrator can limit who accesses which network.
Network segmentation offers many benefits, such as improved monitoring, improved performance, increased data security, and protection against additional attacks.
During segmentation, there are some good practices to put into effect.
- Consolidating similar network resources
- Performing periodic reviews and audits
- Creating access control policies
- Avoiding over or under-segmentation
- Limiting third-party access
- Implementing endpoint security and protections
- Following the principle of least privilege
Enacting these policies helps maintain control over the network as a whole until the threat can be eradicated once and for all. Even after that, it might be a good idea to keep some of these practices in effect to add another level of security.
Endpoint Security Measures in Incident Containment
One thing to pay close attention to during the incident containment process is endpoint security measures. Endpoint devices are those on a TCP-IP network and can include computers, tablets, laptops, POS systems, Internet of things, printers, and smartphones, to name a few. Everyone in your company uses at least one of these, and they are often more vulnerable than you think.
Most of the time, bad actors access your entire network through endpoint devices. To enact security measures, you can decide to let employees use only company-provided devices that are already configured with the appropriate programs and security measures such as firewalls. You can also block specific websites and applications that are deemed security risks.
Additionally, implement access controls at every level and only give access to those who need specific networks to do their jobs efficiently. Two-factor or multi-factor authentication processes are best to validate users.
All endpoint devices should also be equipped with anti-ransomware and antivirus software, and intrusion prevention systems.
Containment vs. Eradication: Navigating Incident Response Priorities
For some, the idea of containment vs. eradication might cause some confusion. Both are vital to eventually rid a network or system of a threat, but they are different in one significant way.
Containment is the process of locating the threat and then cutting it off from the rest of the network and giving employees a workaround until the threat can be eradicated. This also helps prevent further data loss or damage. It doesn't actually remove the risk factor.
Eradicating a threat means completely removing it. That means getting to the root cause of the risk. For example, if someone installed malware by accident by clicking a suspicious link, containment would isolate that threat. Eradication procedures would then completely remove the malware from the network so that it can no longer do any damage at all.
The key to being successful in either of these is rapid incident response times. The quicker you identify, isolate, and eradicate the threat, the less chance the bad actors have to do damage or steal data.
Cloud Security in Incident Containment: Key Considerations
Most companies today take advantage of cloud storage options. They're cheaper in the long run and accessible from nearly anywhere with the proper credentials, which allows people to work while traveling or remotely from home.
However, there are important steps to take because cloud networks can be accessed more easily than physical networks. That means for each individual user, using multiple API keys as well as a password or employing multiple multi-factor authentication steps.
One of the main considerations to remember when responding to cloud security incidents is the default configuration of the cloud. For example, it should be a no-brainer to install alerting use cases, which let an administrator know if there have been excessive login failures or if there have been unauthorized creations of new services or servers. Staff training is critical in this regard as well. Knowing how to pinpoint risks or threats is key to stopping them before they become costly problems.
RiskRecon by Mastercard can help identify and contain risks before they become problematic for your company. They can identify and prescribe CIS security controls that will help boost cybersecurity. To get started, simply reach out today.