* This webinar was recorded live on November 7, 2023. Please note since this recording, Covalence has been renamed to Field Effect MDR.
Many small and mid-sized enterprises (SMEs) cite cybersecurity as their number one priority in 2023, yet attacks continue to increase and ransoms continue to be paid. What is it that makes so many companies vulnerable?
Watch on-demand to hear from Field Effect's Head of Strategic and Response Services, Monique Bardawil as she discusses:
To start off, a brief introduction to what an incident is. It's a bit funny that a cyber incident needs describing, but people do make different assumptions about it.
The NIST definition is an incident that targets the enterprise use of cyberspace. So that is basically your cyber landscape: your network, your devices. And there is a wide range of incidents too. I think a lot of us tend to think of an incident as a fully successful break-and-enter. But an incident can also be an attempt at one of these things, or a first landing, if you will, when someone is trying to land and expand.
Essentially, the aim is to disrupt, disable, destroy, or maliciously control an environment. So the definition is that it is an attempt to do one of these things, often by an external party but possibly an internal one, to either destroy data integrity or to steal controlled information.
The other thing is that it used to be mostly big nation-state attacks, or large organizations and companies going after IP. A lot of it is now financially motivated as well, since it has become easier for attackers to get access to money.
Getting into what we see when companies think that they are being attacked or confirm that they’re being attacked, it’s worth pointing out that these really are best intentions. People are kind of running in panic. They are trying to stop it as quickly as possible. They’re trying to prevent any further damage. People aren’t trying to make things worse, but oftentimes, unfortunately, when you don’t really know what to do and you don’t have a good plan in place, some of the things that administrators do—the actions they take—can actually make things harder from an incident response perspective.
The biggest one is that they wait a little bit too long. They think or suspect that something is going on, and they think, "We can stop this" or "We can control it." But it turns out they really can't. And they're doing this because they are trying to keep the business up and running. They don't want to shut anything down. They don't want to prevent business from continuing. So they just think it's not so bad, or that they can stop it.
When we talk about some of the trends we see, this is why we get a lot of incident response projects coming in on Friday: they realize they're heading into the weekend and probably can't go through the weekend with this activity happening.
Sometimes they focus only on restoration. Getting back into business quickly makes it really hard, from a forensics perspective, to figure out what actually happened and where the vulnerabilities and gaps were that allowed it to happen in the first place. Basically, they try to get back up without taking the time to preserve the information that lets us understand the nature of the attack and make sure it doesn't happen again in the future.
Cyber incidents are not something most companies want to think about, so it sometimes doesn’t become a priority to get a good response plan in place. Or they don’t have cyber insurance or legal counsel. Or even if they do, they don’t know who should be called right off the bat, who needs to be part of this, and who are the internal stakeholders that need to be part of the response plan.
As you can see, a lot of these mistakes are very preventable.
The reality is that cyber incidents can occur any time, but more often towards the end of the week, weekends, and holidays. This happens in two ways. First, the attackers are often trying to choose times where they think there are fewer people watching. But we also find that a lot of the time, by the time a company calls us, it’s towards the end of the week because they have been trying to battle it internally during the week and realize that they’re coming up on a weekend and they really need to act on it.
Another reality is that it's no longer reserved, for lack of a better word, for the very large or very wealthy organizations. With the technology and tactics attackers have, if you, as an organization, have $5,000 in your bank account, they’ll take that $5,000. So it really can happen to anybody.
We do see a range in sophistication. There is a lot of conversation about AI and what that’s going to do to the nature of attacks in the future, and it’s something we absolutely need to keep our eye on. But there are still tried and true attacks that have been happening since the dawn of cyber attacks—vulnerabilities and issues that we really should be getting better at protecting ourselves from. I say that not for doom and gloom, but to emphasize that yes, there’s the future of cybersecurity, but there are absolutely things you can be doing today to best protect yourself from any kind or range of attack.
Often, what attackers are looking to do is take advantage of the weakest link. They get in there and look for the weakest link so they can escalate, expand, move around, and find the privileges they need to ultimately reach their goals. It’s often a multi-pronged attack, and they’re just looking for that one way in. That’s all they need.
Incident response, just like anything else in cybersecurity, is a continuous, infinite game. While we’re going to talk about this, just keep in mind that this is always evolving, and we encourage your organizations to be prepared to review their preparation annually.
Incident response, as we define it, usually begins when the incident or security compromise is discovered by the organization, and hopefully, in an organization that is ready, they have already started executing their own incident response plan. Having that in place gives organizations a logical, methodical response framework that allows them to act effectively.
But we see it all. Even with prepared organizations, what you face is never what you expect or what’s on paper.
Our involvement begins when we get contacted by a prospect. Typically, we get a call and arrange a scoping call to better understand what happened. It’s really about allowing the victim to tell us the story—what did you detect, how did you find it, what actions have you taken, what do you care about?
In many cases, as alluded to earlier, every organization wants to get back to business because that’s the biggest impact on any organization. And rightfully so. But there could be other concerns—reputational damage, client information, or leaked data. All of that matters.
During that process, what we do is listen and provide advice and guidance on what has been done so far. Have you contained it properly? Do you want to take more aggressive containment, such as disconnecting from the internet, to ensure the threat actor is not maintaining access? That varies depending on when the incident is discovered.
Another critical step is data preservation. Incident response really needs data to be able to forensically investigate what happened, to better tell the story of what the threat actor did, what they accessed, and how they accessed it.
Finally, many organizations overlook the role of insurance and legal counsel. Regulations at the federal, provincial, or state level often require specific steps when a compromise occurs, and those must be addressed as part of the response. Based on that, we present different approaches, which vary depending on the situation.
At Field Effect, there are two things that we want to do and ensure we can provide to the victim.
One is to tell what happened—what do we know based on historical data? How did the threat actor get in? How do we investigate? We need to identify the gaps to help mitigate and block those gaps in the future. So we look at the history to tell the story, but also to build that timeline of how long the threat actor was in there, what they accessed, and how they accessed the data.
We also want to ensure that the victim is secure moving forward. We need to contain the threat, prevent it from occurring again, and provide continuous monitoring. At Field Effect, we use our MDR platform to do that. We deploy Field Effect MDR across the environment to ensure that we have good insight into what is happening on the network as the network recovers.
One of the key elements of our incident response service is case management. We provide that as part of our incident response packages, and that is really someone to guide the client through the process.
A client is typically panicked and may or may not be prepared, may or may not have the right coordination resources. We can provide that coordination, giving them updates on the investigations and updates on the monitoring. In that way, we become an extension of the client’s incident response team. That’s how we view it—providing advice on containment, remediation, and recovery.
We also need to present considerations on legal engagements, cyber insurance, and negotiations. A lot of questions we receive are things like: Do we pay? Do we not pay? Should we contact the threat actor? Many clients do not think about those aspects, and if you haven’t had to prepare for it or didn’t prepare for it, those are not questions that come to mind as part of your regular cybersecurity preparation.
Alongside case management, the investigative lens is central to our work. We have a group of investigators who look at data collected from the impacted environment, and we have a number of questions we’re trying to answer:
That’s really important for us—we want to define those parameters and also define safe recovery points for the network. We need to determine which systems were compromised. Am I rebuilding my entire network or just my servers? How do we ensure we understand the impact?
The “how” is the part that takes the longest. We really try to focus initially on root cause identification because we want to make sure to mitigate the initial access factor and block it as soon as possible. Following that, we look at the threat actor’s techniques and procedures to better understand how they moved laterally, how they escalated privileges, and what they were able to misuse to gain access to the environment.
Then there are indicators of compromise. Those are important for us because if we identify a malicious IP address, we need to ensure our monitoring service is aware of those indicators of compromise so that we can block them.
We're really just trying to get a sense of full situational awareness before taking action. A lot of it sheds light on some of the gaps, but also on things you can’t always mitigate because a threat actor just needs one thing. It also highlights to a client what their security monitoring solution should look for. If a threat actor was able to do this, then the security monitoring solution in the future should be able to look for those aspects, those techniques, and ways to prevent them.
There’s a lot of educational value in incident response.
The security monitoring is what gives a victim the assurance that they are secure moving forward. So how do we do that? How do we ensure that they’re protected against this attack and potentially future attacks? No matter what, we can’t stop attacks—we can detect them and react to them—but threat actors are going to continue trying to attack networks.
As mentioned earlier, we use Field Effect MDR. We deploy a network sensor, endpoint agents, and we do cloud integrations with certain services that allow us to provide holistic monitoring.
We want to ensure that there’s no pivoting from one IT system to another or from one service to another. We want to ensure that we’re providing that visibility that allows us to detect and respond effectively.
We use detection policies to react to threat actor activities. They can be general—covering normal, well-known TTPs and IOCs—but also tailored. For example, if we know a threat actor used a specific remote management tool during the compromise, and they often use legitimate tools during compromises, then we can create specific policies against that tool used by the threat actor.
It’s a cycle: what we identify from the investigation feeds into monitoring, and vice versa. That also helps us in investigating the incident itself.
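To make the two policy kinds concrete, here is an added example (not Field Effect's code or platform logic): a small Python policy engine run over constructed endpoint events. It also shows the feedback step described earlier, where a malicious IP identified by the investigation is fed into monitoring as a blocking IOC. The tool name `example-rmm.exe`, the hostnames, and the TEST-NET IP addresses are all constructed placeholders, not real indicators.

```python
"""Tiny detection-policy engine: a general IOC policy plus a tailored policy for
a remote management (RMM) tool seen during a compromise.  All data is constructed
sample data; tool name, hosts and IPs are placeholders, not real indicators."""
from collections import Counter
from dataclasses import dataclass, field
import json

# Constructed endpoint events (JSON lines): one process start with its outbound
# destination per line.  TEST-NET addresses; none of these are real IOCs.
SAMPLE_EVENTS = """\
{"ts": "2023-11-03T02:14:07Z", "host": "fileserver01", "user": "svc_backup", "process": "example-rmm.exe", "dest_ip": "203.0.113.45"}
{"ts": "2023-11-03T09:02:11Z", "host": "it-admin-ws", "user": "jdoe", "process": "example-rmm.exe", "dest_ip": "198.51.100.7"}
{"ts": "2023-11-03T09:05:40Z", "host": "hr-laptop12", "user": "asmith", "process": "outlook.exe", "dest_ip": "198.51.100.20"}
{"ts": "2023-11-03T23:41:52Z", "host": "dc01", "user": "administrator", "process": "powershell.exe", "dest_ip": "203.0.113.45"}
"""


@dataclass
class Alert:
    policy: str
    severity: str
    action: str  # "block" (active response) or "alert" (analyst review)
    host: str
    reason: str


@dataclass
class PolicyEngine:
    # General policy: known-bad destinations.  Populated from the investigation
    # so that monitoring blocks what the responders found (the "cycle").
    bad_ips: set[str] = field(default_factory=set)
    # Tailored policy: the legitimate RMM tool the actor abused, plus the hosts
    # where IT is sanctioned to run it, so the policy does not fire on admins.
    watched_tools: set[str] = field(default_factory=set)
    sanctioned_hosts: set[str] = field(default_factory=set)

    def add_ioc(self, ip: str) -> None:
        """Investigation finding -> monitoring policy."""
        self.bad_ips.add(ip)

    def evaluate(self, ev: dict) -> list[Alert]:
        alerts = []
        if ev["dest_ip"] in self.bad_ips:
            alerts.append(Alert("ioc-known-bad-ip", "high", "block", ev["host"],
                                f"{ev['process']} connected to {ev['dest_ip']}"))
        if ev["process"].lower() in self.watched_tools:
            if ev["host"] in self.sanctioned_hosts:
                # Same tool, expected host: record it, do not disrupt IT.
                alerts.append(Alert("rmm-sanctioned-use", "low", "alert", ev["host"],
                                    f"{ev['process']} run by {ev['user']}"))
            else:
                alerts.append(Alert("rmm-unexpected-host", "high", "block", ev["host"],
                                    f"{ev['process']} on non-admin host as {ev['user']}"))
        return alerts


def run(engine: PolicyEngine, jsonl: str) -> list[Alert]:
    """Evaluate every event in a JSON-lines stream and collect the alerts."""
    alerts: list[Alert] = []
    for line in jsonl.splitlines():
        if line.strip():
            alerts.extend(engine.evaluate(json.loads(line)))
    return alerts


def summarize(alerts: list[Alert]) -> dict[str, int]:
    """Alert count per policy, to see which policies actually fired."""
    return dict(Counter(a.policy for a in alerts))


def build_engine() -> PolicyEngine:
    """Engine as it might look after the investigation reported its findings."""
    engine = PolicyEngine(watched_tools={"example-rmm.exe"},
                          sanctioned_hosts={"it-admin-ws"})
    engine.add_ioc("203.0.113.45")  # constructed: IP identified by the investigation
    return engine


if __name__ == "__main__":
    for a in run(build_engine(), SAMPLE_EVENTS):
        print(f"[{a.severity}] {a.policy} -> {a.action} on {a.host}: {a.reason}")
```

Note that the same tool produces a low-severity informational alert on the sanctioned admin workstation but a blocking alert on the file server, which is the tuning that keeps a tailored policy from disrupting IT's legitimate use.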
But we can’t forget about security intelligence and threat monitoring. If a threat actor has compromised a system, deployed ransomware, encrypted data, or exfiltrated information, a main concern for victims is:
That’s where our security intelligence team comes in—to help us, based on what we know from the investigation and monitoring, determine whether we can attribute it to a specific threat actor, what ransomware family it is, and what the known TTPs and IOCs are.
We can look at attribution, and in some cases, we do see threat actors publish data if a client or victim does not pay the ransom. Sometimes they do publish that information, and there’s also the threat of reselling the data.
The dark web monitoring and checking if data is being put up for sale is a fairly obvious one—but there's other value in security intelligence research. In general, for cybersecurity, you want to see what’s being published and what new threats are being identified so that we can enhance cybersecurity monitoring for our regular clients who we monitor on a day-to-day basis.
For example, if there's a new vulnerability in a certain version of Chrome, we want to identify, first, where it exists in our fleet and, second, that we have the right policies in place to react to it. We also inform clients that they have certain software that is currently vulnerable and should be updated, or, if there's a new zero-day attack targeting specific software, that it should be addressed right away.
That’s key for regular cybersecurity practices and reducing the threat surface.
All of this happens, and the goal is to restore the environment. It is not a linear process—all of these actions can be happening and intermingled. As we’re doing the investigation, we’re also talking about restoration—when it’s safe to repair or restore systems.
The key thing for us here is to ensure we know what systems and data were impacted before we start restoration. Another important aspect is knowing what to restore first. This is where preparation comes in for a client or organization. Do we know, as an organization, which systems are critical for our business functions? Many organizations, if asked, might say email—but that’s not necessarily what runs the business. It could be your CRM or other key systems.
Knowing which systems to recover first gives investigators and incident responders clear priorities: these are the critical systems to look at and recover first.
In most cases, if a victim has good backups and has followed proper practices for restoration and backup management, then we use those backups to restore the environment. What we’re seeing less of now is backups being encrypted, as backups are often domain-connected. The key, in preparation, is to have backups separate from the main network, which allows for restoration. This is critical because what we find in the investigation gives us a safe point of recovery for backups—it tells us which backup to use.
During restoration, negotiations may also come into play. Negotiations have legal implications because, federally, there are laws that could put the victim at risk if they pay a ransomware actor. A ransomware actor may be classified as a terrorist organization or similar, which means there are serious legal consequences. All of that should be done with legal advice.
In certain cases, negotiations may seem like the only choice—especially if backups are gone and critical data for business operations is lost. We do see it rarely, but sometimes a victim ends up paying. It's a process, and the role of the negotiator in this context is to facilitate the restoration of your data.
And then what's often forgotten is communications. What we find is that organizations don't know what to do: do I tell my staff? What do I tell my staff? What directions do we give them about what they can and can't do, or can and can't say? For example, if you're a salesperson in an organization and currently you can't process any sales, what do you tell your clients? You need to have that in mind and practice it in advance. That's one aspect.
Then there’s external communications: partners, stakeholders, media. Depending on the type of organization you are and where you sit within the economy, there may be different pressures on you from the media and the public. People may be asking, “Why don’t I have access to that service?” Those are key points that aren’t technical in nature but are absolutely related to the response.
So response is not just technology, it's about the processes and the people that are involved in these processes as well.
After the environment is restored and monitoring is in place, we reach the point where we de-escalate the incident response case and move into reporting.
In reporting, our approach at Field Effect is to be objective and unbiased. We focus on the evidence. We try not to give opinions or speculate about what we think happened or what might have happened. That’s really important—first for the organization itself, but also because the report needs to address the questions that the organization may get from insurance or legal representatives. Like any other investigative process, you want to stick to the facts, and that’s what we do here.
When it comes to timelines, every incident is different. On the low end, a case might conclude in about three weeks, though restoration can begin as early as day two. On the high end, incidents can take months to resolve. And in many cases, the size of the environment matters. We’ve seen a lot this year where virtualized environments were compromised—the hosts themselves, like VMware ESXi, were affected. That’s paralyzing because you have to rebuild everything, and sometimes we can’t even get data to do the investigation.
So as the complexity of the attack increases, it naturally becomes harder and takes longer.
Once the incident is closed and the report is delivered, this is where data notifications and victim notifications matter. Each of us has probably received an email from an account we once had that was compromised, informing us that we need to protect that account or that our information has been added to a notification list.
All of this depends on what data was compromised and what data can be assessed. We need to determine whether personally identifiable information (PII) was part of that data.
This is where legal obligations and having a lawyer or breach counsel is critical. They guide organizations through the legal framework and, based on what we know from the incident, advise what should and should not be done.
Post-incident is also a good opportunity for any organization to review its security control plan:
In many cases, we see organizations re-engineering and redesigning their networks following an incident. It often triggers them to ask, “Where else can I add more security controls? How do I do that?”
Another important aspect is educating employees. All of us, as humans, have a role in cybersecurity—whether it’s about which passwords we use, which sites we visit, or understanding what happened during the incident and its impact on the organization’s reputation.
I’ll also mention informing authorities. Reporting incidents to policing organizations doesn’t happen very often in Canada or the U.S., but doing so allows law enforcement to conduct further research on threat actors, take down malicious infrastructure, and improve collective defense.
This process doesn’t require sharing every detail of the incident, but rather the indicators of compromise that can help investigations. Again, these are organizational choices that vary from one organization to another, but they’re an important part of the broader cybersecurity ecosystem.
The key aspect I would encourage is: be prepared.
Be prepared by having the right security monitoring in place to avoid incidents. Many organizations ask, “Why am I spending all this money on something that may or may not happen?” It’s kind of like regular home insurance—it’s no different. It allows you to have someone helping you watch over things.
Establish an incident response plan. Who’s who on your team? Who is your external support team? What are your high-value assets? Which systems do you recover first? Do your backups work? Does your recovery process work? Which systems do you restore first? And what is your communication plan?
Everything we’ve talked about should be part of your incident response plan. It doesn’t have to be highly detailed, but you should have one—and then practice it. A tabletop exercise is a really safe way to be presented with a simulated incident that allows you to discuss what would happen if something occurred. What do we do next? Who do we call? Who do we inform?
All of that helps you build resilience so you’re not panicked. The key point is: you don’t want to panic—you want to know what to watch for. Not all incidents are the same, and your practice scenario won’t be identical to what you eventually face. But having that general knowledge and comfort is exactly what a tabletop exercise provides.
So a bit about what we offer here at Field Effect to help organizations. Field Effect MDR is the cybersecurity solution we offer to provide real-time protection, containment, and response. It delivers 24/7 threat monitoring and blocking. If we see a threat actor, we know they’ll try to take multiple steps to reach the data. The key point is that we want to block that threat actor at one of those steps before they reach the data. That’s the core principle of any cybersecurity solution—when we see sophisticated techniques being used, we aim to block them at step one, step two, step three, or even multiple steps along the way. And we do see that in practice.
Cybersecurity is not just about technology—it’s about building good practices and resilience within our plans, processes, and people. With that, Field Effect offers a suite of professional cybersecurity services, including incident response, that help organizations mature along their cybersecurity journey.
Q: What is the process to engage third-party incident response services if the customer has a cyber insurance policy and/or legal counsel?
This depends heavily on the terms of the cyber insurance policy. Sometimes your cyber insurance policy will dictate who you can and can’t engage as an organization. Some cyber insurance providers have their own incident response teams or preferred partners they work with, which may determine who an organization can deal with.
It’s the same for breach counsel. Sometimes they give organizations leeway in choosing, but in other cases, they specify who to contact. It’s always case by case, but it can dictate what an organization can and can’t do.
So, I would always recommend reviewing your cyber insurance policy, knowing what it covers, and knowing who to call about it. Do you call them first, or do you call a third-party incident response team first?
Q: What kind of monitoring do you leave in place post-incident?
Our Field Effect MDR platform is the primary tool our cyber analyst team uses during an incident response, and it stays in place for the duration of the incident response and a little while afterward, to make sure the threat has been eliminated. Often, our incident response customers choose to keep Field Effect MDR as a permanent fixture post-IR to continue monitoring and protection.
Q: What is a tabletop exercise example? What does that look like and how does it kick off?
A tabletop exercise is simply a simulated incident scenario. For example, you log in on Thursday morning, and someone calls IT saying, “I can’t access my files. I can’t do my work.” What do you do? We start from that initial report—something wrong happening on the network—then define that it’s not an IT issue but a cybersecurity issue. From there, we walk through investigation, monitoring, and restoration.
We do this through a series of “injects,” where we evolve the scenario step by step. All of our scenarios are designed to reflect a client’s real environment. We work with internal guidance from the client to understand where their critical information is and what their recovery objectives are.
We’re testing your incident response plan—or, if you don’t have one, we’re testing your response so you can develop a plan.
It’s a learning process. We take what we learn from real incidents and flip it into a simulated scenario.
We also add injects like someone releasing information about the compromise or learning about it through association—what do you do? This brings in communication and negotiation elements, just like a real incident would.
Q: Would you recommend notifying your general legal counsel in addition to whoever your cyber insurance directs you to?
That’s an excellent question to validate with both your general legal counsel and your cyber insurance provider. Make sure you know what they expect from you so you don’t land in hot water.
If you have internal legal counsel, they should be your first go-to. Many smaller organizations we help don’t have that, so they go to an external lawyer. But ideally, you should talk to your internal legal counsel during incident response preparation, get their opinion, and clarify their role. Even if you don’t have an external lawyer, internal counsel can still be your starting point.
Q: Have you had to support a customer with an incident response where they were already using Field Effect MDR?
Attacks happen. People get phishing emails, click links, and something gets downloaded. The key point is to be monitoring events rather than waiting for incidents.
Field Effect MDR is designed to detect and respond at different stages of a potential compromise. We can take action on events before they escalate into full-scale incidents. We haven’t had a client experience a massive breach, but every day we’re preventing attacks. Field Effect MDR has active response capabilities that allow us to take action if we detect malicious activity or techniques being used on a client’s system.
Field Effect MDR is actively monitoring, blocking, isolating, and responding to threats. We haven’t seen a client experience a full enterprise-level breach—but that’s the point of having a monitoring service. You’re able to see every attempt, anomaly, unusual user behavior—and we spot those all the time. As we say, we can’t stop the threats from existing, but we can protect the environment from major breaches.