Root causes of security breaches remain elusive, jeopardizing resilience

Tracing an attack path: Preparation is key, so businesses need to have dedicated tools and skills for digital forensics in place before an incident occurs, through technologies such as security incident and event management (SIEM).

SIEM devices are important because, for example, many gateway and VPN devices have local storage that overwrites itself within hours.

“If a cybercriminal breaks in through the VPN and dwells for a day or so before they pivot to business-critical servers, then the VPN telemetry has evaporated into the abyss,” Huntress’ Agha explains. “The centralization and retention of VPN logs, like through a SIEM, allows for reactive detections but also stores valuable data and allows for root cause analysis to figure out how the initial breach [occurred].”

Statistics from Huntress show that nearly 70% of sophisticated cybercriminals break in through the VPN. “Where SIEM has been enabled, we are able to catch them much earlier in their attack path, but also deploy retrospective analysis to identify the exact root cause that led to the breach,” Agha says.

Various services such as managed detection and response (MDR) and extended detection and response (XDR) can also include forensic capturing software, technology that enables providers to work hand in hand with forensic cyber investigators to identify the source of the breach and work to remediate it.

“Without tools such as this, trying to work back retrospectively to identify the ‘how’ becomes increasingly difficult,” says Rob Derbyshire, CTO at cybersecurity firm Securus Communication. “There are companies that offer incident response services when breaches occur, but the key to sorting it quickly, and preventing it from happening again, is ensuring you already have the tooling and processes to make any response significantly slicker.”

Arda Büyükkaya, senior cyber threat intelligence analyst at EclecticIQ, points out that without thorough root-cause analysis the “actual cause of the attack remains unknown and potentially still active.”

“Best practices should include digital forensics expertise, root cause analysis processes, and threat intelligence integration to connect incidents to broader attacker tactics and campaigns,” Büyükkaya advises. “This approach allows organizations to build resilience from every incident.”

Robust planning: An incident response team, typically led by the CISO, should be designated to take charge during an incident. The plan should also specify roles and responsibilities for each stakeholder, from IT staff to legal advisors.

Experts quizzed by CSO say an incident response playbook boils down to a few key steps:

Preparation: Maintain a tested incident response plan, clear roles, and escalation paths.
Detection and analysis: Centralize monitoring, leverage threat intelligence, and ensure forensic capability.
Containment and recovery: Act fast but preserve evidence; validate systems before restoration.
Postmortem: Conduct structured reviews, document findings, and feed them into security architecture and training.
Continuous improvement: Integrate threat modeling, automate containment, and invest in skills development.

Many organizations opt to use established frameworks and ISO standards as templates for their incident response plans.

“These frameworks offer a structured approach, providing sections and subsections that cover all essential areas, from governance to technical responses,” says Richard Ford, CTO at Integrity360. “By using a recognized framework, you not only ensure completeness but also facilitate easier communication with external parties who may be familiar with the framework.”

Building organizational resilience: Effective incident response should be geared toward building a structured, repeatable, and intelligence-driven process that strengthens resilience over time. Incident response plans should be regularly tested, refined, and updated, for example through simulations or tabletop exercises, as part of a wider business continuity and organizational resilience strategy.

Bharat Mistry, field CTO at cybersecurity vendor Trend Micro, says many organizations suffer from a maturity gap in their incident response, which should extend beyond simple containment and recovery to encompass forensic analysis and postmortems.

“When organizations bypass root cause analysis, they are only treating symptoms,” Mistry warns. “This challenge stems from a combination of issues: fragmented visibility due to siloed tools that prevent accurate attack reconstruction, a skills gap that leaves teams short on forensics and threat hunting expertise, and process weaknesses where postmortems are often informal or simply skipped.”

Breaking the cycle of ‘breach, patch, repeat’: In many cases, evidence is inadvertently destroyed, such as when servers are wiped, logs are lost, and forensic trails disappear, because the emphasis is on restoring operations quickly.

“This is compounded by pressure from the business, time constraints, as well as limited resources, which push teams to move on to the next urgent task rather than learning from the incident,” Mistry adds. “As a result, retrospective scans, root cause analysis, and updates to procedures are frequently skipped.”

The initial attack vector and lateral movement often remain unknown, leaving vulnerabilities unaddressed and creating a cycle of “breach, patch, repeat.”

“To break this cycle, organizations must embed forensic readiness into their response strategy: preserve evidence, conduct structured postmortems, and ensure lessons learned are fed back into security architecture and training,” Mistry concludes.

First seen on csoonline.com

Jump to article: www.csoonline.com/article/4093403/root-causes-of-security-breaches-remain-elusive-jeopardizing-resilience.html
