
Partner Best Practices for Remote Incident Response and Assessment Service Delivery

In the past, Incident Responders and Security Analysts had to fly out to a network to help contain and investigate an incident on-site, or to complete a Threat and Compromise Assessment. Even without coronavirus fears, this practice was becoming less and less popular. With COVID-19 (Coronavirus) being declared a pandemic by the World Health Organization, many organizations have asked employees to work remotely and/or restricted travel. In addition, hackers are using this opportunity to step up their activity.

Given this situation, we thought it might be helpful to share some of the best practices for delivering Incident Response and Assessments remotely that we see across our partner community.

Situation

  • Today, public and private cloud-based services drive almost all aspects of business.
    • This means most compromises do not result in the network being cut off from the internet.
  • Remote workers at home will need to be considered. They are usually found in one of these configurations:
    • Company issued with Mandatory VPN to corporate network — should just be considered part of the centrally managed network
    • Company issued without Mandatory VPN — technically “off network” but likely to still have access and manageability.
    • Bring Your Own Device (BYOD) — Off network but can still access your cloud services so should be monitored/inspected, if possible. Some businesses offer and require corporate security software/policies be installed on BYOD devices.

Considerations for Remote IR and Threat Assessment Support

  • Send customers a pre-flight checklist for preparing your remote access; it should include:
    1. How you are going to access logs and security data on the central network
    2. How you will get remote access to the corporate network (e.g. VPN, HTTPS RDP gateway, Infocyte, etc.)
    3. How you will get access to home office laptops and/or BYOD assets (if necessary)
    4. Any required admin credentials, such as a service account, sudo Linux accounts, or SSH keys (as necessary)
    5. AV whitelisting instructions for any forensic/IR tools you might deploy
  • Remote Access has several options:
    • VPN or RDP Gateway (over HTTPS) to the corporate network; or
    • Deploy an agentless cloud-based tool like Infocyte.
      • A small package called a Controller can be sent to the client; it establishes a secure session to the Infocyte cloud console, enabling you to scan the internal network and pull forensic data.
    • Agents can be provided for distribution using established software distribution mechanisms (this is often complex and takes a long time for many orgs)
  • Network Access Best Practices of Infocyte partners:
    • Agentless deployment w/ an Infocyte Controller for the Corporate network is done in 95% of cases.
      • Infocyte is currently averaging 80-90% endpoint coverage using agentless protocols
      • With extensions, Infocyte can also deploy agents and other forensic tools at scale
    • Agents on off-network or unmanaged devices like BYOD are mandatory (provide a link to download from Amazon AWS S3)
  • Offline assets may also be encountered:
    • Infocyte’s Offline Surveys can also be run manually with results transferred for upload via USB
  • Elite Infocyte partners have access to our 24x7 support and SOC to augment your team if it is stretched or members are out sick.
    • Be sure to leverage our in-app chat (click “help”) and partner portal if you ever have deployment/access challenges; we have seen it all.
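Item 5 of the pre-flight checklist (AV whitelisting instructions for forensic/IR tools) is the one most often done too broadly or forgotten afterwards. The following is an added example, not code from Infocyte or from this post, showing how an engagement might scope a Microsoft Defender exclusion to a single tool-staging folder, verify it took effect, log it, and remove it when the engagement ends. The staging directory `C:\IR-Tools` is an assumption for illustration; the cmdlets (`Add-MpPreference`, `Get-MpPreference`, `Remove-MpPreference`) are the standard Defender PowerShell cmdlets.

```powershell
# Added example (not Infocyte's code): scope a Defender exclusion to one
# forensic-tool staging folder for the duration of an engagement.
# ASSUMPTION: tools are staged under C:\IR-Tools; adjust to the customer's layout.
$ToolPath = 'C:\IR-Tools'

# Add the narrowest exclusion that lets the tool run: one folder, never a whole drive
# or a wildcard, so the exclusion does not become a blind spot for the attacker too.
Add-MpPreference -ExclusionPath $ToolPath

# Verify the exclusion is actually present before deploying the tool. Tamper
# protection or GPO-managed Defender settings can silently prevent the change.
$exclusions = (Get-MpPreference).ExclusionPath
if ($exclusions -contains $ToolPath) {
    Write-Output "Exclusion in place for $ToolPath"
} else {
    Write-Warning "Exclusion for $ToolPath not applied; check tamper protection / GPO"
}

# Record the change in the engagement log so the exclusion is tracked and removed.
$logLine = "$(Get-Date -Format o) DefenderExclusionAdded path=$ToolPath host=$env:COMPUTERNAME"
Add-Content -Path "$env:ProgramData\ir-exclusions.log" -Value $logLine

# At the close of the engagement, remove the exclusion and log that as well.
Remove-MpPreference -ExclusionPath $ToolPath
$logLine = "$(Get-Date -Format o) DefenderExclusionRemoved path=$ToolPath host=$env:COMPUTERNAME"
Add-Content -Path "$env:ProgramData\ir-exclusions.log" -Value $logLine
```

Run this in an elevated PowerShell session on each host where tools are staged. Where the customer runs a third-party AV/EDR instead of Defender, the same three steps (add the narrowest exclusion, verify it, remove it at the end) apply, using that product's own management console; the checklist item should say which product is in use so the right instructions are sent.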

Remote IR and Assessments are becoming the standard, and they are highly encouraged for the Infocyte partner community. Remote IR and Assessments are more cost-effective, faster, and enable teams to navigate situations like the current pandemic response.

Feel free to contact us for more information. Channel partners can join the discussion around other remote IR and Assessment best practices on our Partner Portal.
