Why Incident Response Training is Our Top Cybersecurity Control for Q2 2024
In the fast-paced world of cybersecurity, first responders don’t have the luxury of flipping through a manual when an incident occurs. They need to react immediately and effectively. According to the 2023 Cost of Insider Risks Global Report by Ponemon Institute, organizations that took more than 91 days to contain an insider incident faced costs exceeding $18.33 million, underscoring the importance of rapid response. This urgency is why incident response training has been selected as our top cybersecurity control for Q2 2024. The escalating frequency and complexity of attacks, especially on cloud infrastructure, demand a well-prepared response team.
Cloud Attacks Have Risen Dramatically – and Your Responders Need to Be Prepared
Cloud attacks nearly tripled in volume from 2021 to 2023, as highlighted in the 2024 Unit 42 Incident Response Report by Palo Alto Networks. Cybercriminals target the cloud not only for data theft but also for resource-intensive activities like cryptocurrency mining. In a cloud-based cryptojacking attack, hackers exploit vulnerabilities in cloud services to hijack computing resources. According to Microsoft, these attacks often begin with hackers gaining access through internet-exposed login interfaces, such as SSH or RDP, or from within the network via phishing or infected applications. Incident response teams need to be adept at identifying unusual cloud activity and taking swift action to mitigate these threats.
Responders must understand the tactics used by cybercriminals to infiltrate cloud environments. They need to know how to monitor for signs of cryptojacking, such as unusual spikes in CPU usage or unexpected costs on cloud service bills. Additionally, having automated tools in place to detect and block such activities can be a significant advantage, and it’s important for your responders to be adept at using their toolkits, which requires training and experience.
Cloud Incident Case Study
Tom Pohl, head of LMG’s penetration testing team, shared a compelling example of the importance of incident response training. During an internal penetration test, LMG’s ethical hackers accessed the admin interface of a network printer using a little-known default credential. This access allowed them to reset the administrator password and change the printer’s LDAP server to their own pentest server, capturing domain account credentials. With these credentials, they gained full administrative control over the Amazon infrastructure, revealing the dangers of poorly managed cloud credentials. “We often find that low-level users have more access than they should,” Pohl noted.
This case study highlights the importance of understanding how seemingly innocuous devices, like printers, can be leveraged in a cyber attack that ultimately impacts cloud resources. Incident response teams must be trained to think creatively and consider all potential vectors of attack. Furthermore, they should be proficient in using various tools and techniques—both cloud and on-premises—to trace the attacker’s steps and contain the breach swiftly.
Hackers Now Use Certificates to Lurk in Your Network
A growing trend is hackers using certificate-based authentication to maintain long-term access to compromised networks. A certificate issued to a compromised account remains valid after that account's password is changed, so incident responders must know how to revoke these certificates to effectively remove intruders. Pohl emphasizes, “Defenders try to lock attackers out by resetting passwords, but it doesn’t stop them at all. They actually have to revoke the certificate.”
To counter this, incident response training should include comprehensive modules on managing and revoking certificates. Responders should be well-versed in identifying suspicious certificate usage, such as certificates issued to an account during the compromise window, and in invalidating them promptly; note that revocation only takes effect on systems that actually check revocation status, so responders should confirm that the relying services do. This ensures that even if attackers manage to gain initial access, they cannot maintain a foothold in the network.
Zero-Day Vulnerabilities Need to Be Part of Your Response Training
The epidemic of software vulnerabilities, including the recent MOVEit data breach, highlights the critical need for rapid incident response. The 2024 Data Breach Investigations Report by Verizon notes a significant increase in zero-day vulnerabilities. Incident response training must include scenarios for zero-day exploits, ensuring that teams are prepared to handle these unexpected threats swiftly and efficiently.
Zero-day vulnerabilities are particularly challenging because no vendor patch or public advisory exists when they are first exploited. Incident responders need to be trained to recognize the signs of a zero-day attack quickly, isolate affected systems, and work closely with vendors to mitigate the threat. Incident response plans should be updated continuously to include potential zero-day scenarios. For more advice, read our Zero-Day Prevention and Response Checklist.
Cyber Insurance Needs to Be Aligned with Your Incident Response Training
Aligning your cyber insurance policy with incident response training is essential to maximize coverage. For example, LMG recently conducted a cyber insurance policy review. The policy had coverage for cyber extortion—but there was a requirement that the policyholder cannot tell the criminals that they have cyber insurance coverage. LMG’s client was not aware of this clause, and so it wasn’t included in the IR plan or training. This oversight could have jeopardized their coverage for ransom payments. Ensuring that policy requirements are integrated into incident response plans and training can prevent costly mistakes.
Understanding the nuances of your cyber insurance policy can make a significant difference during an incident. Incident response teams should be familiar with the policy’s terms and conditions, ensuring compliance to avoid any potential issues with claims. Regular reviews of the policy, aligned with updates in training, can ensure seamless integration during an incident.
The Importance of Tabletop Exercises
Tabletop exercises are a critical component of effective incident response training. These exercises simulate real-world scenarios in a controlled environment, allowing teams to practice their responses and identify potential weaknesses in their plans. According to the Cloud Incident Response Framework, incorporating tabletop exercises into your training regimen helps ensure that all team members are familiar with their roles and responsibilities during an actual incident.
Tabletop exercises provide several benefits:
- Enhanced Preparedness: By simulating incidents, teams can rehearse their responses and improve their readiness for actual events.
- Identification of Gaps: These exercises help uncover gaps in incident response plans and procedures, allowing organizations to address them proactively.
- Improved Communication: Practicing incident scenarios enhances communication and coordination among team members, which is crucial during a real incident.
Regular tabletop exercises should be a standard part of your incident response training program. They help ensure that your team is always prepared to handle any threat that arises.
LMG Security’s Tips for Cybersecurity Incident Response Training
- Regular Drills and Simulations: Conduct frequent incident response drills and tabletop exercises, including high-risk scenarios such as cloud compromise and zero-day software exploits. For ideas on tabletop exercise scenarios, check out our blogs on the best tabletop scenarios for 2024 and evergreen tabletop exercise topics.
- Update Response Plans: Continuously update your incident response plans to incorporate new threats and policy requirements, as well as lessons learned from tabletop exercises.
- Cross-Training: Ensure that all team members understand the full spectrum of potential incidents and responses and know their roles and responsibilities. Training your team to quickly identify and respond to attacks can dramatically reduce your financial and reputational damage. Our Cyber First Responder and Ransomware Response technical training classes are student favorites and prepare your team to face today’s latest attack techniques.
- Leverage Technology: Utilize modern tools such as EDR/XDR, as well as automation whenever possible, to enhance detection and response capabilities.
- Integrate with Insurance Policies: Align your incident response plans with your cyber insurance policy requirements.
Conclusion
Incident response training is not just a defensive measure; it’s a critical component of a proactive cybersecurity strategy. By ensuring that your response team is well-trained and your plans are up-to-date, you can significantly reduce the impact of cyber incidents. The faster and more effectively you can respond, the lower the damage and costs associated with a breach. Investing in comprehensive incident response training now will pay dividends in safeguarding your organization against the evolving threat landscape.
If you need help with IR training, updating your incident response plan, or a host of other technical testing, advisory services, training, or cybersecurity solutions, contact our LMG Security team. We’re ready to help!