In the first post for our Understanding the Costs of Incident Response series, we shared a comparison of incident response costs between two peers: a typical ransomware victim where security controls are absent or misconfigured and a well-prepared peer. Now we'll start looking at each of the major cost buckets across the incident response process.
The first costs that any victim will incur will be for the investigation – which in our example, accounts for ~$150k of the estimated $2.875 million claim arising from a typical ransomware event. These costs are what a lot of people think of when they think of cyber incident response but are just the tip of the iceberg.
Just think about it: Your infrastructure has been crippled, your network and storage have been ravaged by the attacker. And now, with limited IT resources, you're tasked with collecting artifacts and evidence from potentially thousands of endpoints spread across multiple sites. It's an arduous undertaking that requires speed, precision, and resourcefulness.
The scope of the attack needs to be determined: Is the adversary still present within the network? If so, how can we remove them effectively? Assessing the extent of compromised data and implementing containment measures that minimize further compromise are vital objectives. It's at this point that many organizations begin engaging external specialists across multiple disciplines – forensics, recovery, data mining, legal counsel – to start answering key questions and building a plan for getting back to operational.
Now, it can be tempting for organizations to take a DIY-approach due to the costs associated with outside help. The harsh reality is that this process can be far more intricate and time-consuming than many initially realize and without the right support can become the biggest bottleneck in the entire incident response process. We see it everyday.
The investigation stage will set the foundation for the rest of the incident response process. Getting the actionable information you need to understand the scope of the incident is critical to building a game plan for how you can recover safely, but also as quickly as possible.
MOXFIVE provides the clarity and peace of mind needed for attack victims during the incident response process. Our platform approach enables victims of attacks to work with a Technical Advisor who provides the expertise and guidance needed in a time of crisis, and facilitates the delivery of all technical needs required, consistently and efficiently.Learn More
With experience on the front lines responding to incidents daily, MOXFIVE Technical Advisors have the unique ability to connect the dots between business, information technology, and security objectives to help you quickly identify the gaps and build a more resilient environment.