Timing in incident remediation: the forgotten factor

It’s a knife-edge decision for security teams the world over: remediate a cyber incident right away, or investigate further.

Getting the timing right is critical. It’s no surprise, perhaps, that some giants of the sector have identified this golden moment. Mandiant described a ‘Containment Strike Zone’ in its 2010 M-Trends report. Jason T. Luttgens, Matthew Pepe, and Kevin Mandia then expanded on this concept in the third edition of Incident Response and Computer Forensics in 2012.

Bear in mind the dates: more than a decade on, the threats encountered are more regularly professionalised cyber criminals than nation state actors. The way that incidents are remediated has undergone natural evolution and the technology has changed, too. For a start, there’s now widespread use of endpoint, identity and cloud detection and response technology.

These changes, and the realisation that remediation timing is often a mystery to newcomers and outsiders, were two reasons I wanted to get some of WithSecure’s own hard-won experience down on paper. As seasoned incident response professionals, we almost have an internal clock that influences when we act. But this skill is rare and difficult to teach to new responders. 

So: I set out to write a paper that brought some of the concepts set out so well more than a decade ago up to date, and identify key remediation timing factors for a new generation of responders. I’ve not gone into detail on remediation planning and investigation – this is just about finding the golden moment in any incident response when the bad guys can be shown the door and the damage repaired.