You practice good cyberhygiene. You put preventive measures on endpoints. You’ve set up the network to prevent intruders. Yet, sometimes bad things happen. And when they do, your customers will look to you to handle the incident. If you’re not prepared, you could land in a heap of trouble.
Full-blown incident response (IR) is a subject unto itself, typically requiring a dedicated team of practitioners. If you’re a small MSP, you likely won’t want to get into the business of intricate computer forensics.
What should you do to prepare if you don’t already have the skillset and tools in place? For starters, partnerships matter here. But partners can’t handle everything for you. You still play a role and bear some responsibility as a trusted advisor for your customers. Today, we’ll cover some steps in incident response and talk about where you may fit.
Incident response steps
For the purposes of this blog, we’ll use the NIST incident response framework. It breaks the IR process down into four phases:
- Preparation
- Detection and analysis
- Containment, eradication, and recovery
- Post-event activity
Working with a security provider partner is highly recommended. But let’s cover each phase so you know where you fit in and where you can offload.
1. Preparation
Preparation is crucial for your IR process. Even if you’re a small shop, you can make a world of difference by preparing upfront. Here are some tips:
- Know your customers: For starters, know your customers and their environments. From there, you can implement preventive technology and segment your networks to protect mission-critical systems and data. Also, knowing your customers helps you prepare for the most likely attacks. For example, if you have a city government contract, you may want to prep for ransomware attacks as attackers have recently focused their efforts there. Additionally, you should make sure your security partners have experience working with the technology or systems you support.
- Assign team members: Make sure you’ve assigned roles for your team members and everyone knows the parts they must play. For example, someone should handle threat discovery like manning a SIEM tool, another person should call the IR team (if deemed necessary), another should contact customers, and another person should coordinate the efforts. Of course, someone might wear multiple hats—the MSP owner might manage the team, contact the security specialist, and keep clients informed. Regardless, it’s important everyone knows their role once a crisis hits.
- Put the plan to paper: Write the plan down, circulate it through the team, and train everyone on it. Then rehearse potential incidents with tabletop exercises. When an attack occurs, even seasoned veterans can panic. Rehearsing beforehand can reduce that “freak out” moment.
2. Detection and analysis
The second phase of the NIST IR cycle is to detect issues, then analyze the event. Depending on the severity of the event, you may need to call in a specialist. However, let’s take both steps and map out where your role is.
Detection involves having the right tools and knowing what to look for. For starters, a good endpoint protection solution can help you detect threats (and in many cases remediate them) on devices. Additionally, you can set up your RMM solution to check for common attack indicators like bursts of failed login attempts, new local user accounts appearing on machines, or changes to sensitive registry keys such as autorun locations. For indicators that only show up when you correlate logs from many systems and network devices, you’ll want a security information and event management (SIEM) tool. A SIEM collects those logs centrally so you can search them for potential indicators of compromise. However, be aware you may need to outsource the SIEM work—a security specialist will see network traffic and logs differently (and catch more) than a regular technician might.
For the analysis phase, you’ll need to go over any data from your monitoring tools. If you detect a simple threat, you may be able to deal with it yourself. However, for thornier issues, try offloading this to a security specialist. They often have tools, expertise, and experience you won’t have in house.
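To make the detection and analysis steps concrete, here is an added example (not code from the original post or from any SolarWinds product) that runs the three indicators named above over a handful of constructed Windows Security event records: a burst of failed logons (event ID 4625), creation of a local user account (4720), and modification of an autorun registry key (4657). The event IDs are the documented Microsoft ones; the host names, accounts, addresses, thresholds and scoring are assumptions made up for the example. The triage step shows the hand-off rule the paragraph describes: a host where several distinct indicators fire is flagged for escalation to your security partner rather than handled in house.

```python
"""Scan Windows Security events for common attack indicators and triage per host.

Added example with constructed sample data; event IDs are Microsoft's, everything
else (hosts, accounts, thresholds, severities) is an assumption for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Documented Windows Security event IDs used as indicators
FAILED_LOGON = 4625        # An account failed to log on
USER_CREATED = 4720        # A user account was created
REGISTRY_MODIFIED = 4657   # A registry value was modified (needs object auditing enabled)

# Constructed sample records, not real customer telemetry.
# Fields: timestamp, host, event_id, account, detail (source IP or registry object name)
SAMPLE_EVENTS = [
    ("2024-03-01T08:00:05", "ws-acct-01", 4625, "jsmith", "10.0.5.23"),
    ("2024-03-01T08:00:09", "ws-acct-01", 4625, "jsmith", "10.0.5.23"),
    ("2024-03-01T08:00:12", "ws-acct-01", 4625, "jsmith", "10.0.5.23"),
    ("2024-03-01T08:00:15", "ws-acct-01", 4625, "jsmith", "10.0.5.23"),
    ("2024-03-01T08:00:19", "ws-acct-01", 4625, "jsmith", "10.0.5.23"),
    ("2024-03-01T08:02:40", "ws-acct-01", 4720, "svc_backup2", "-"),
    ("2024-03-01T08:03:10", "ws-acct-01", 4657, "svc_backup2",
     r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Updater"),
    # Two failures hours apart on another host: ordinary typos, should not alert
    ("2024-03-01T09:15:00", "ws-hr-07", 4625, "mlee", "10.0.7.41"),
    ("2024-03-01T13:42:00", "ws-hr-07", 4625, "mlee", "10.0.7.41"),
]


def parse(record):
    """Turn a raw tuple into a dict with a real datetime for window arithmetic."""
    ts, host, event_id, account, detail = record
    return {"ts": datetime.fromisoformat(ts), "host": host,
            "event_id": event_id, "account": account, "detail": detail}


def detect(records, threshold=5, window=timedelta(minutes=10)):
    """Return a list of alert dicts (host, rule, severity, evidence) for the three indicators."""
    events = sorted((parse(r) for r in records), key=lambda e: e["ts"])
    alerts = []

    # Rule 1: `threshold` failed logons for the same host/account/source inside a sliding window.
    failures = defaultdict(list)
    fired = set()
    for e in events:
        if e["event_id"] != FAILED_LOGON:
            continue
        key = (e["host"], e["account"], e["detail"])
        times = failures[key]
        times.append(e["ts"])
        while times and e["ts"] - times[0] > window:   # forget failures older than the window
            times.pop(0)
        if len(times) >= threshold and key not in fired:   # alert once per burst
            fired.add(key)
            alerts.append({"host": e["host"], "rule": "failed_logon_burst", "severity": 2,
                           "evidence": f"{len(times)} failures for {e['account']} "
                                       f"from {e['detail']} within {window}"})

    # Rule 2: any local account creation is worth a look on a workstation.
    for e in events:
        if e["event_id"] == USER_CREATED:
            alerts.append({"host": e["host"], "rule": "local_user_created", "severity": 2,
                           "evidence": f"account {e['account']} created"})

    # Rule 3: a write under an autorun key is a common persistence technique.
    for e in events:
        if e["event_id"] == REGISTRY_MODIFIED and r"\CurrentVersion\Run" in e["detail"]:
            alerts.append({"host": e["host"], "rule": "registry_autorun_modified", "severity": 3,
                           "evidence": f"{e['account']} modified {e['detail']}"})
    return alerts


def triage(alerts):
    """Group alerts per host; escalate when two or more distinct indicators fire on one host."""
    by_host = defaultdict(list)
    for a in alerts:
        by_host[a["host"]].append(a)
    summary = {}
    for host, items in by_host.items():
        rules = sorted({a["rule"] for a in items})
        summary[host] = {"score": sum(a["severity"] for a in items),
                         "rules": rules,
                         "escalate": len(rules) >= 2}   # hand off to the IR partner
    return summary


if __name__ == "__main__":
    for host, info in triage(detect(SAMPLE_EVENTS)).items():
        action = "ESCALATE to security partner" if info["escalate"] else "handle in house"
        print(f"{host}: score={info['score']} rules={info['rules']} -> {action}")
```

Run as written, only ws-acct-01 is reported: all three indicators fire there within a few minutes, so it is escalated, while the two isolated failed logons on ws-hr-07 never cross the threshold. In practice the thresholds and the escalation rule are the knobs you agree with your partner up front, during the preparation phase, so nobody has to decide them under pressure.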
3. Containment, eradication, and recovery
The third step involves dealing with the threat after it’s been discovered. Your security partner should offer advice on the first two parts of this step. First, you’ll need to contain the threat—whether that means quarantining files, isolating affected hosts, or blocking off portions of the network. Think damage control here—you want to minimize any effects while preserving the evidence your partner will need for analysis.
Next, “eradication” means removing the threat as best you can. This could involve removing files or finding a way to kick intruders out of the corporate network. You may not be able to fully remove them, but you should be able to minimize their access. Again, your security partner should be able to provide guidance on how best to remove any problems.
Finally, you need to restore full business functionality. Before you turn the lights back on, make sure you’ve removed the threat as best you can. This could involve restoring data from backups or just getting the network up again if you had to take it partly offline during containment. If you do restore from backup, check that the backup copy itself is clean and predates the compromise, or you’ll be reintroducing the problem. Your team should be able to handle this part since they already know your customers’ systems intimately.
Also, while you should communicate with customers throughout the process, don’t forget to communicate any pertinent details after systems are back up and running.
4. Post-event activity
Once you’ve finished dealing with the security incident, do a post-mortem. Discuss any lessons learned and figure out how best to strengthen your customers’ security postures.
Additionally, it may be worth sending an update to your customers as well after the post-mortem. Knowing you’re committed to continuous improvement could help restore any trust that may have been eroded. You’re their business partner, so keep them in the loop.
Are you ready for an incident?
Every business can get hit by a cybersecurity incident. Even if you have the best defenses in place, cybercriminals can often find at least some angle into the business. Service providers need to prepare as best they can. So build a plan, follow your process when needed, and find a good partner to help.
Where to Find Help: A good portion of this process may be out of reach for many traditional MSPs. Partnering may be your best bet—whether it’s for incident analysis or even detecting threats in the first place. The SolarWinds® Threat Monitoring Service Provider (TMSP) program lets you work with one of our pre-approved security providers who run SolarWinds Threat Monitor, our SIEM tool, on your behalf and enable you to provide more advanced security to customers. Learn more here.