January 14, 2020
Last Updated: November 27, 2024
When a critical cybersecurity incident strikes, you’ll need all the help you can get to survive, mitigate and recover from the crisis. Many companies use incident response service providers for help with some or all stages of their IR process—building an incident response plan, threat hunting, post-breach investigations and responding to security breaches in an emergency.
Need an incident response provider?
Cynet is a trusted partner that analyses network and endpoint data, raises alerts, and protects against a wide range of known and zero-day threats. Cynet provides CyOps, an outsourced incident response team on call 24/7/365 to respond to critical incidents quickly and effectively.
Learn more about Cynet Incident Response Orchestration.
What is an Incident Response Provider?
Incident response service providers help organizations detect, respond to and mitigate cyber threats. Beyond their classic role in responding to high-profile security breaches and providing a Service Level Agreement (SLA) for response time in an emergency, incident response providers can help with:
- Building an incident response plan and integrating it with an existing infosec program
- Threat hunting to actively discover existing threats or vulnerabilities
- Post-breach investigations
- Ransomware and malware removal
- Ongoing response to minor security incidents
Learn more about incident response services in our in-depth guide: Incident Response Retainer: Getting Your Money’s Worth.
Top Questions to Ask When Selecting an Incident Response Service Provider
An incident response service provider gives a company critical assistance in times of crisis. It’s essential to ensure that your provider is qualified to deliver the services, and that they have the specific capabilities your organization needs.
Experience and expertise
Check how long the provider has been in business or how long they have been providing IR services. Check how many incident response analysts they employ, at what level (L1, L2, L3), their certifications, and what level of analysts will work on your account. Also enquire about the technology and security tools used by the IR provider.
Number of incidents per year
A key measurement of an IR provider’s size and capabilities is the number of major incidents they handle each year. If the provider handles fewer than 25 incidents per year, it can be considered a smaller player with limited staff and capabilities. Over 50 incidents indicates a medium-size provider with a well-organized team and rich organizational knowledge. Over 100 incidents indicates a large provider with multiple IR teams that should be capable of dealing with any scale of emergency across multiple clients.
Specific experience in your industry
Check if the incident response provider has worked in your industry, and with which companies. Of the major threat verticals facing companies like your own, which tactics, techniques and procedures (TTPs) is the provider familiar with? Do they understand your compliance situation, your customers, and the technologies at play, such as cloud systems, legacy servers, industrial control systems, etc.?
Scope of services
Check if the provider supports the entire incident response process or only parts of it. Can they help you create an incident response plan? Do they handle proactive threat hunting? What level of support do they provide for incidents, and are they responsible for lessons learned, root cause analysis and remediation after an incident? Do they provide automated incident response playbooks to enable an immediate response to common attack scenarios?
Support for litigation
In many cases, severe security incidents develop into a lawsuit—an attacked organization may sue other responsible parties, or may itself get sued by customers or partners. In other cases, authorities may press legal charges. Check if the incident response provider is prepared to support such situations, by providing forensic evidence that can be submitted to a court of law, and by testifying as an expert witness if necessary.
Putting Your Incident Response Processes to the Test
When evaluating whether to use incident response services, or testing a new incident response service provider, you should conduct a test of your ability to face real cyber threats.
Incident response testing can help you identify whether your current process or outsourced IR service is effective, and identify gaps or missing points of integration, which can be catastrophic in case of a real attack.
There are three common ways to test an incident response platform:
- Paper tests—a theoretical exercise to test a difficult “what if” scenario, for example an Advanced Persistent Threat (APT) leveraging multiple threat vectors. Paper tests are limited in their effectiveness, but can still uncover obvious gaps or missing processes in your incident response setup. Conduct a paper test together with your incident response provider.
- Tabletop exercises—a scheduled event in which all key stakeholders, both from the company and the incident response provider, are present around a table, and play-act their response to a severe security incident. Plan the activity well in advance, including moves and counter-moves by the threat actors. If you have a large team, you can split it into two to create a “blue team” representing your response and “red team” representing the attackers.
- Simulated attacks—you can contract an external penetration tester, or use expert security testers from your own security team, to conduct a realistic simulated attack against your network. An attack can be pre-coordinated with your team and incident response provider, or a “blind” attack in which your team and the incident response provider have no advance notice. A realistic attack simulation can be extremely helpful in showing what can go wrong in a real attack, and where the gaps lie—with your internal security systems, your team, your IR provider, or, as is commonly the case, the integration points between these components.
In my experience, here are tips that can help you better engage and maximize value from an incident response service provider:
- Integrate threat intelligence sharing
Ensure the IR provider shares real-time threat intelligence updates with your team. This helps refine defenses, especially when dealing with zero-day or advanced persistent threats (APT).
- Incorporate breach response into business continuity planning
Go beyond technical response—embed the IR provider’s actions into your business continuity planning to mitigate operational disruptions. This way, your business can maintain critical functions during an incident.
- Develop incident escalation paths
Collaborate on a detailed escalation matrix with your IR provider. Ensure there are clear paths for escalating incidents from operational teams to senior management and legal, for both internal and external communication.
- Post-incident audits for system hardening
After an incident, use the provider’s forensic data to conduct a comprehensive audit. This will help identify system misconfigurations or weak access controls that allowed the breach, so you can harden defenses.
- Monitor service provider saturation
Regularly assess if your IR provider is becoming overwhelmed by the number of incidents they manage. High saturation can dilute their attention and slow response times, especially during widespread attacks like ransomware campaigns.
Eyal Gruner is the Co-Founder and CEO of Cynet. He is also Co-Founder and former CEO of BugSec, Israel’s leading cyber consultancy, and Versafe, acquired by F5 Networks. Gruner began his career at age 15 by hacking into his bank’s ATM to show the weakness of their security and has been recognized in Google’s security Hall of Fame.
Cynet: Respond in Minutes to a Critical Cyber Attack
Cynet provides a security platform that can be deployed in minutes across hundreds to thousands of endpoints to scan, identify and remediate threats. CyOps, Cynet’s Cyber SWAT team, is on call 24/7/365, allowing enterprises of all sizes to get access to the same expert security staff that protect the largest enterprises.
Cynet’s CyOps provides always-on incident response services, threat hunting, forensic investigations for breaches, and malware analysis to automatically prevent threats like malware, fileless attacks, Macros and LOLBins.
Contact Cynet for immediate help
For emergency assistance from Cynet’s security experts, call them at US 1-(347)-474-0048, International +44-203-290-9051, or complete the form below.