In the face of the growing problem of ransomware attacks, having the right people powering your cybersecurity system is vital. Detection and response as well as risk mitigation requires a formidable team of experienced and prepared individuals who know how to work together, communicate clearly, and investigate thoroughly.
With a growing dearth in cybersecurity professionals the competition for talent is high, therefore, it’s important that you ensure all your bases are covered when it comes to building your security team. Due to the cost and lack of readily available cyber talent, you may want to consider bringing in a trusted cyber security services partner to bridge any gaps in your defence.
So, what components go into building a strong cybersecurity team? In this part of our Ransomware series, we look at what skills are needed to make up a well-rounded and capable security team.
Cyber security threat hunters
The cycle of detection engineering starts with the fundamental question, “what do I need to detect?”. This means identifying threat actors and tactics, techniques, and procedures (TTPs) and being able to demonstrate their relevance to the business and to risk reduction. This also means identifying available data sources, and determining what additional data is necessary and/or missing.
Detection engineering means looking for any gaps in protection coverage, assessing the urgency of these gaps, and turning to intel and research to create hypotheses around the threat(s), including which sources and logic to use. It also requires an understanding of how to discover, detect and monitor content performance.
Detection engineering is an ongoing activity requiring verification that the data sources are still active, sorting through noise, identifying and eliminating false positives or worse, false negatives. It is not just about checking off whether content was created or purchased and then moving on. It’s a job based on the benchmarks of release, monitor, test, adapt, evolve, and demonstrate value.
The job functions include automating a better workflow and improving detection time and accuracy. There will always be surprises, which means staying in close communication with threat hunters and investigative specialists.
Security analysts form the front line for reviewing the relevance and urgency of alerts. They make decisions during investigations, perform triage, and help contain or minimise damage by acting upon or outlining appropriate steps for response and remediation.
These people seek to get to the root cause of an intrusion quickly by gathering detailed evidence and hunting across data. They help an organisation ensure that it is dealing with the cause rather than the symptom. This can make the difference between merely playing “cat and mouse” with attackers, and instead, removing the attackers’ capabilities while closing the door on their exfiltration attempts.
Incident response engineering
Incident response (response engineering) teams should cover a few aspects. First is immediate detection, the second is action: contain, eradicate, recover, and minimise the damage. There is also a third, to perform deeper forensic analysis, to find out indicators of compromise.
The incident response team is responsible for determining what stage an organisation is in the attack, how bad it is, how far the attack has progressed and how the attackers got in, where they are now and how they got there. The team also determines what controls could have prevented the intrusion and the investment case for preventing such attacks in the future.
To find out more about cyber security specialists Adarma and how we can help prepare and protect your organisation against ransomware attacks, please Contact us now.
Stay up-to-date with the latest threat insights from Adarma by following us on Twitter and LinkedIn.