Why Classic Incident Handling Fails

Every year the percentage of security breaches that take several months to be discovered and contained increases. Why is this?

Every year the percentage of security breaches that take several months to be discovered and contained increases – a statistic that clearly highlights companies’ inefficiency in identifying and responding to adverse events. Why?

Being able to handle a security breach requires two main components – a well-defined attack detection capability and a structured response phase. Currently, most enterprises are failing in at least one of these components. This article will focus on issues surrounding the response phase.

As soon as an Information Security Incident is declared, a specific procedure must be followed to ensure that it is treated and mitigated in a consistent way.

What is an Information Security Incident?

In general any adverse event that affects CIA (Confidentiality, Integrity and Availability) is considered an Information Security Incident. A significant number of incidents that an IT infrastructure faces usually impact one of these three attributes therefore a consistent methodology has to be adopted to track their progression during their entire lifecycle.

If the adverse event is caused by a system outage or as a consequence of human error, IT departments are usually able to deal with the incident and recover the situation. Generally, this is achieved through the engagement of subject matter experts from the IT team. Examples of these incidents include:

  • Exposure of private keys leading to a loss of confidentiality
  • Denial of service attack against the network infrastructure leading to a loss of availability
  • Unwanted change on core systems leading to a loss of integrity

The tracking and classification of these incidents is conducted by either the Incident Management or the Incident Handling team, while the IT Security team usually acts as a trusted advisor to ensure that Information Security Incidents are progressed until closure.

Technical actions are generally accomplished by someone outside the Security Team, usually the technical owner of the particular platform that caused the adverse event.

This works for well-defined Information Security Incidents. But is this process applicable to adverse events caused by external attackers also known as Cyber Incidents?

Dealing with an Information Security Incident caused by an external attacker – Cyber Incident

As previously noted, Incident Management and Incident Handling teams can apply an overall framework to ensure the tracking and progression of an Information Security Incident. Technical owners of potentially compromised systems are subject matter experts from an administrative point of view, but they are not trained to deal with the unique situations caused by an intruder. IT Security team members usually act as advisors, supporting IT development and infrastructure teams through security assessments, vulnerability reporting and both high-level and technical guidelines to fix the issues.

However, identifying a Cyber Attack that leads to an unauthorised access requires specialised people who can spot anomalies across systems and implement successful containment actions. These skills are generally not covered by IT security personnel or by pure forensics people.

Intrusion Forensics – a core skill to unravel Cyber Incidents

For these scenarios, a specific set of skills is required, ranging from defensive and offensive security, mixed with forensics techniques and methodologies that can be applied to both networks and hosts. In simple terms, people designated to deal with these types of adverse events must have Intrusion Forensics skills.

Intrusion Forensics is not a new discipline, but it is still quite rare and definitely not a skill that is easy to develop in SOC-style environments or in internal Incident Handling teams. This is because it requires continuous exposure to a certain number of intrusions to develop the correct investigative mindset and enough experience in dealing with crisis situations.

Attackers just need to leverage a single vulnerability to gain access to a corporate environment and the footprint left behind could be pretty small. The challenge for Intrusion Forensics is to spot the single anomaly across a vast number of systems and technologies that could prove an intrusion attempt. Knowledge of what normal behaviour looks like for systems and networks helps a lot. However, the gap between knowing an IT infrastructure and being able to identify an intrusion and respond to it in a consistent way is quite substantial.

Cyber Incident Responders and Investigators

Cyber Incident Responders and Investigators are people specifically trained in Intrusion Forensics and able to apply this discipline to unauthorised access to corporate systems. These techniques can be applied to a wide range of scenarios, from non-targeted malware outbreaks to state-sponsored attacks involving lateral movements across different systems and networks.

The output from this methodology will generally help to define the number of compromised systems and the attack vector. From here, a well-defined set of containment and investigative actions can be implemented based on the type and sophistication of the attack.
It is important that the investigation activity feeds all of its findings back into the response actions as soon as they become available: this ensures that containment time falls within an acceptable window.


Classic Incident Management and Incident Handling are currently failing against Cyber Attacks as they base decisions and incident progression on feedback provided by IT personnel not prepared to deal with intruders. To successfully handle these kinds of adverse events, Cyber Incident Responders with Intrusion Forensics skills are required. This will help enterprises to deal with unauthorised access attempts in a consistent way with the goal of containing incidents in a timely fashion, whilst trying to avoid mistakes that could worsen the situation.

During a complex compromise, well-trained Incident Responders may be the only defense that remains, and the only personnel with the ability to contain the crisis situation.



Accreditations & Certificates

MWR is an accredited member of The Cyber Security Incident Response Scheme (CSIR) approved by CREST (Council of Registered Ethical Security Testers).
MWR is certified under the Cyber Incident Response (CIR) scheme to deal with sophisticated targeted attacks against networks of national significance.
We are certified to comply with ISO 9001 and 14001 in the UK, internationally accepted standards that outline how to put effective quality and environmental management systems in place.
MWR is certified to comply with ISO 27001 to help ensure our client information is managed securely.
As an Approved Scanning Vendor MWR is approved by PCI SSC to conduct external vulnerability scanning services to PCI DSS Requirement 11.2.2.
We are members of the Council of Registered Ethical Security Testers (CREST), an organisation serving the needs of the information security sector.
MWR is a supplier to the Crown Commercial Service (CCS), which provides commercial and procurement services to the UK public sector.
MWR is a Qualified Security Assessor, meaning we have been qualified by PCI to validate other organisations' adherence to PCI DSS.
As members of CHECK we are measured against high standards set by NCSC for the services we provide to Her Majesty's Government.
MWR’s consultants hold Certified Simulated Attack Manager (CCSAM) and Certified Simulated Attack Specialist (CCSAS) qualifications and are authorized by CREST to perform STAR penetration testing services.