Selecting and Testing an Incident Response Service Provider

What is an Incident Response Provider?

Incident response service providers help organizations detect, respond to and mitigate cyber threats. Beyond their classic role in responding to high-profile security breaches and providing a Service Level Agreement (SLA) for response time in an emergency, incident response providers can help with:

• Building an incident response plan and integrating it with an existing infosec program
• Threat hunting to actively discover existing threats or vulnerabilities
• Post-breach investigations
• Ransomware and malware removal
• Ongoing response to minor security incidents

Learn more about incident response services in our in-depth guide: Incident Response Retainer: Getting Your Money’s Worth.

Top Questions to Ask When Selecting an Incident Response Service Provider

An incident response service provider provides critical assistance to a company in times of crisis. It’s essential to ensure that your provider is qualified to provide the services, and that they have the specific capabilities your organization needs.

Experience and expertise

Check how long the provider has been in business or how long they have been providing IR services. Check how many incident response analysts they employ, at what level (L1, L2, L3), their certifications, and what level of analysts will work on your account. Also enquire about the technology and security tools used by the IR provider.

Number of incidents per year

A key measurement of an IR provider’s size and capabilities is the number of major incidents they handle each year. If the provider handles less than 25 incidents per year, it can be considered a smaller player with limited staff and capabilities. Over 50 incidents indicates a medium-size provider with a well-organized team and rich organizational knowledge. Over 100 incidents is a large provider with multiple IR teams that should be capable of dealing with any scale of emergency across multiple clients.

Specific experience in your industry

Check if the incident response provider has worked in your industry, and with which companies. Of the major threat verticals facing companies like your own, what tactics, techniques and procedures (TTP) is the provider familiar with? Do they understand your compliance situation, customers, and the technologies at play, such as cloud systems, legacy servers, industrial control systems, etc.

Scope of services

Check if the provider supports the entire incident response process or only parts of it. Can they help you create an incident response plan? Do they handle proactive threat hunting? What level of support do they provide for incidents, and are they responsible for lessons learned, root cause analysis and remediation after an incident? Do they provide automated incident response playbooks to enable an immediate response to common attack scenarios?

Support for litigation

In many cases, severe security incidents develop into a lawsuit—an attacked organization may sue other responsible parties, or may itself get sued by customers or partners. In other cases, authorities may press legal charges. Check if the incident response provider is prepared to support such situations, by providing forensic evidence that can be submitted to a court of law, and by testifying as an expert witness if necessary.

Putting Your Incident Response Processes to the Test

When evaluating whether to use incident response services, or testing a new incident response service provider, you should conduct a test of your ability to face real cyber threats.

Incident response testing can help you identify whether your current process or outsourced IR service is effective, and identify gaps or missing points of integration, which can be catastrophic in case of a real attack.

There are three common ways to test an incident response platform:

• Paper tests—a theoretical exercise to test a difficult “what if” scenario, for example an Advanced Persistent Threat (APT) leveraging multiple threat vectors. Paper tests are limited in their effectiveness, but can still uncover obvious gaps or missing processes in your incident response setup. Conduct a paper test together with your incident response provider.

• Tabletop exercises—a scheduled event in which all key stakeholders, both from the company and the incident response provider, are present around a table, and play-act their response to a severe security incident. Plan the activity well in advance, including moves and counter-moves by the threat actors. If you have a large team, you can split it into two to create a “blue team” representing your response and “red team” representing the attackers.

• Simulated attacks—you can contract an external penetration tester, or use an expert security testers from your own security team, to conduct a realistic simulated attack against your network. An attack can be pre-coordinated with your team and incident response provider or a “blind” attack in which your team and the incident response provider have no advanced notice. A realistic attack simulation can be extremely helpful in showing what can go wrong in a real attack, and where the gaps lie—with your internal security systems, your team, your IR provider, or, as is commonly the case, the integration points between these components.

Cynet: Respond in Minutes to a Critical Cyber Attacks

Cynet provides a security platform that can be deployed in minutes across hundreds to thousands of endpoints to scan, identify and remediate threats. CyOps, Cynet’s Cyber SWAT team, is on call 24/7/365, allowing enterprises of all sizes to get access to the same expert security staff that protect the largest enterprises.

Cynet’s CyOps provides always-on incident response services, threat hunting, forensic investigations for breaches, and malware analysis to automatically prevent threats like malware, fileless attacks, Macros and LOLBins.

Contact Cynet for immediate help

For emergency assistance from Cynet’s security experts, call them at US 1-(347)-474-0048, International +44-203-290-9051, or complete the form below.

Most households have an unsolved Rubiks Cube but you can easily solve it learning a few algorithms.