Advanced | Incident Response

Retain an IR firm on retainer before a breach, not after

Organisations that retain an incident response firm before a breach begin their response within hours. Organisations that call a firm for the first time during an active breach spend 24–72 hours on procurement, contract signing, and onboarding before any work begins. IR retainers are relatively inexpensive compared to the cost they save during an incident. They include pre-agreed terms, pre-positioned resources, and the ability for the firm to begin work immediately when called. Major firms (Mandiant, CrowdStrike, Palo Alto Unit 42) offer retainer arrangements at various price points. The retainer also typically includes proactive threat hunting and tabletop exercise services.

Tags

IR retainer, incident response firm, preparation, Mandiant, response time

More in Incident Response

beginner, featured

Write and test an incident response runbook before you need it

Organisations that handle breaches well have one thing in common: they had a plan before the attack. Target's $1.6 million FireEye security system detected the breach, but the alerts were ignored because there was no clear runbook specifying what to do when they fired. An IR runbook documents: who is notified (internal and external), who has authority to make decisions, which systems are isolated first, how communications are handled publicly and with regulators, and what evidence is preserved. The runbook must be tested through tabletop exercises at least annually and updated after every significant incident.

See: Target IR Failure | Incident Response
intermediate

Establish a breach notification timeline before a breach occurs — not during one

GDPR requires notification to the supervisory authority within 72 hours of becoming aware of a breach. US state breach notification laws require notification within 30–72 hours in many states. Equifax waited 40 days after confirming their breach before public disclosure. Uber concealed their breach for 13 months. Both paid enormous financial and reputational penalties for the delay. Know your notification obligations before an incident: which regulators must be notified, within what timeframe, what information must be included, and who in your legal team has authority to approve the notification. Draft template notifications in advance.

See: Equifax Breach Response | Incident Response
advanced

Maintain an offline, isolated backup of Active Directory

Active Directory is the single most critical system in most Windows enterprise environments — it controls authentication for every user, every server, and every service. NotPetya encrypted every domain controller at Maersk simultaneously, making recovery impossible without an offline backup. Maersk found one domain controller in Ghana that had been powered off during a power cut — it was flown to the UK and used to rebuild the entire domain. You should not rely on a power cut in Ghana. Maintain at least one offline, network-isolated backup of Active Directory that is physically separate from your main environment and restored to a known-good state at least monthly.

See: Maersk NotPetya Recovery | Incident Response