Coordinated Response
Services and tools for incident response management

Dark Reading identifies 3 Big Mistakes in Incident Response, May 13, 2013.

In the article, Kelly Jackson Higgins provides a quick set of best practices, backed by interviews with security experts, for recognizing and avoiding these common mistakes. It belongs in every response team's must-read library. A response plan should identify the practices that avoid these mistakes:

  1. Assuming It’s an APT: don’t confuse expectations with facts.
  2. Not Monitoring Traffic: monitoring supports investigation, not just detection.
  3. Focusing Only on the Malware: eradication is important, but so is investigation.

Assuming It’s an APT

Not every attack is an Advanced Persistent Threat. Apply an objective lens to the data and let the evidence, not expectations, establish what the attack was. A common pattern to check for is a two-stage attack: (1) phishing for initial access, followed by (2) command and control.

Not Monitoring Traffic

The article makes a good point: monitoring is not just for protection and detection. When a breach or intrusion is discovered, audit records provide clues as to what happened, when, and what may have been exfiltrated. Insufficient monitoring, let alone none at all, increases the potential impact.
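As an added illustration of how audit records answer "what happened, when, and what may have left" (example code written for this post, not from the Dark Reading article), the script below runs over a constructed outbound proxy log. It flags host-to-domain connections that recur at a near-constant interval, the check-in rhythm typical of the command-and-control stage mentioned above, and it totals outbound bytes per host and destination with first- and last-seen times so a bulk transfer stands out on the timeline. The log lines, host names, domains and thresholds are all made up for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample proxy log (not real traffic). Fields:
# timestamp src_host dst_domain bytes_out. Host ws-17 checks in with one
# domain roughly every five minutes and then pushes a 45 MiB upload;
# ws-22 is ordinary browsing.
SAMPLE_LOG = """\
2013-05-13T09:00:02Z ws-17 updates.example-cdn.net 512
2013-05-13T09:05:01Z ws-17 updates.example-cdn.net 498
2013-05-13T09:10:03Z ws-17 updates.example-cdn.net 505
2013-05-13T09:15:02Z ws-17 updates.example-cdn.net 510
2013-05-13T09:20:01Z ws-17 updates.example-cdn.net 47185920
2013-05-13T09:01:44Z ws-22 www.example.org 1320
2013-05-13T09:09:10Z ws-22 mail.example.com 7800
2013-05-13T09:37:55Z ws-22 www.example.org 2100
"""


def parse_log(text):
    """Parse space-separated proxy lines into dicts with a datetime and int bytes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        events.append({
            "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "src": src,
            "dst": dst,
            "bytes": int(nbytes),
        })
    return events


def _by_pair(events):
    """Group events by (src, dst) and sort each group by time."""
    groups = defaultdict(list)
    for e in events:
        groups[(e["src"], e["dst"])].append(e)
    for g in groups.values():
        g.sort(key=lambda e: e["ts"])
    return groups


def find_beacons(events, min_hits=4, max_cv=0.10):
    """Flag (src, dst) pairs whose connections recur at a near-constant interval.

    C2 check-ins tend to be periodic with little jitter, so a low coefficient
    of variation (stdev / mean) of the inter-arrival times is the signal.
    min_hits and max_cv are assumed thresholds chosen for this sample.
    """
    beacons = {}
    for pair, g in _by_pair(events).items():
        if len(g) < min_hits:
            continue
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(g, g[1:])]
        avg = mean(gaps)
        cv = pstdev(gaps) / avg if avg else float("inf")
        if cv <= max_cv:
            beacons[pair] = {"hits": len(g), "mean_interval_s": avg, "cv": cv}
    return beacons


def exfil_volume(events, threshold_bytes=10 * 1024 * 1024):
    """Sum outbound bytes per (src, dst); report pairs above the (assumed) threshold
    with first- and last-seen times so the timeline can be reconstructed."""
    report = {}
    for pair, g in _by_pair(events).items():
        total = sum(e["bytes"] for e in g)
        if total >= threshold_bytes:
            report[pair] = {
                "bytes_out": total,
                "first_seen": g[0]["ts"],
                "last_seen": g[-1]["ts"],
            }
    return report


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for pair, info in find_beacons(evs).items():
        print("beacon candidate:", pair, info)
    for pair, info in exfil_volume(evs).items():
        print("bulk outbound:", pair, info)
```

Against the sample, only the ws-17 pair is flagged on both counts: four near-identical gaps of about 300 seconds, followed by a single 45 MiB upload, with the first and last timestamps bounding the window an investigator would pull full packet capture or file-access logs for. Without the proxy records none of this is recoverable after the fact.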

Focusing Only on the Malware

Containment and eradication are important, but determining the outcome of the intrusion – data theft, sabotage, other long-term damage – may matter more.

Avoid Tunnel Vision

The article did not call this out as a fourth mistake, but it led with an example of a team that focused on the malware and missed the attacker’s shift to taking control of an administrative tool. The admonition to “avoid tunnel vision” applies more broadly than just “focusing on malware”.
The example also identified a good practice: an outside firm reviewed the outcome of the incident and discovered the control shift, which was the true intent of the attack.

Coordinated Response

Coordinated Response can help to broaden your view and to improve your incident response plan.
