Part 1: Bridging the Gap for More Effective Incident Response
When a security breach occurs, time is of the essence. You find yourself anxiously awaiting the arrival of the cavalry, but the clock keeps ticking. In these critical moments, you need an incident response team that is fast, precise, and can seamlessly utilise your existing tools.
You require specialists who can swiftly respond to the situation and are backed by a multidisciplinary Security Operations Centre (SOC) team comprising threat analysts and hunters. What you truly need is a team that knows you, cares about your organisation, is prepared to act immediately, and is fully committed to fighting alongside you.
Incident response services usually fall within one of two camps, a limited or basic containment offering from most Managed Detection and Response (MDR) providers or expensive specialist incident response consultancies. Unfortunately, even having both can leave gaps in capability and speed of response.
For years, large digital forensics and incident response (DFIR) consultancies have accumulated real-world expertise in dealing with highly targeted and sophisticated attacks. Should you find yourself targeted by such threats, these providers are ready to assist you, albeit after a 12–24-hour delay as they arrange contracts and familiarise themselves with your environment.
But how many of the incidents that organisations typically encounter are highly sophisticated advanced persistent threat (APT)-style attacks? What about the broader range of more common cyberattacks?
We believe there is a need to address moderate incidents, those that don’t require parashooting in the troops, but which also require more than automated containment.
And we’re not alone, the National Cyber Security Centre (NCSC) and CREST have also recognised this issue and, as a result, have launched Cyber Incident Response (Level 2), known as CIR L2, to address this gap.
It’s important to note that not everyone falls under the category of “regulated industries, central government, or critical national infrastructure with large cross border networks, or who have been targeted by a sophisticated attack.”
In a statement1, the NCSC emphasised the importance of Cyber Incident Response (Level 2) services, highlighting the need to increase the availability and awareness of top-tier incident response providers. On its website, the NCSC states, “We know a broad range of victims suffer cyber-attacks every day across the UK. These organisations may not always be of national significance, but they often need external help and advice to manage and recover from the incident.”
Adarma fully supports NCSC’s perspective. We welcome the acknowledgement of this gap and the adoption of a “horses for courses” approach, which is now backed by the technical validation and rigorous standards set by the NCSC and their delivery partner, CREST.
At Adarma, we believe effective incident response should not be limited to a privileged few; it should be accessible to organisations of varied sizes and across various industries. By embracing the principles of Cyber Incident Response (Level 2), we can bridge the existing gap and ensure that a broader range of organisations receives the essential assistance and guidance needed to efficiently handle and recover from cyber incidents. To find out how we do this check out our Digital Forensics Incident Response datasheet.
Adarma stands ready to support organisations in overcoming these challenges and providing the necessary expertise needed to respond quickly and efficiently. Together, we can strengthen our collective cyber defences and safeguard our digital environments.