First Hour Response: The Only Way to Handle an Event Prior to it Becoming an Incident
By Chris Mills
In a recent blog post about Cobalt Strike, Chris Gerritz spoke about how important it is to be prepared and to have a true partner in the first hour of a security event. In speaking with our team over the last few weeks, we agreed that this concisely captures the value we provide to customers and partners.
As seasoned incident responders, our team knows that the first hour of a security event sets the tone for the rest of an organization's incident response. When time is of the utmost importance, organizations must consider two key components of a successful incident response plan:
- The technology
- The team or partner
The NIST Incident Response Process (SP 800-61) establishes that preparation, detection and analysis, containment, eradication and recovery, and post-incident activity are all vital to a successful incident response plan. The technology an organization invests in must quickly and effectively amplify the effectiveness of its workforce, so that responding to a security event keeps that event from becoming an incident. The technology must be:
- Simple and quick to deploy (or already deployed and ready for use)
- Effective at detecting malicious activity that exists in the present, as well as activity that occurred in the past
- Able to provide an easy method for responding to and remediating security threats
- Able to conduct an efficient inspection of the impacted environment once the event is contained, to confirm that the threat has truly been eradicated
The Team or Partner
When it comes to the team or partner that has your back, the first hour is the most important hour of the incident response timeline and is critical to a successful response. This time should be treated as all hands on deck, with a partner (like Infocyte) there guiding the way. In the first hour, experts work to uncover the scope of the attack and any additional threats, provide real-time critical information to the customer's team, and help secure the environment from active threats on devices from within the Infocyte platform.
Command with Active Response Guarantee
Infocyte is tremendously confident in our process, procedures, and product. When fully deployed in the environment, we will find what other products miss. Because our product is so powerful when paired with our knowledgeable experts, we can guarantee results in the customer's time of need. If Infocyte does not provide tangible value in the detection, response, or resolution of a security engagement on covered devices, Infocyte will happily return the prorated balance of the customer's agreement.