
What Is Different About Security Incident Response Today?

By Anton Chuvakin | February 23, 2016 | 11 Comments


When I started our security IR research in 2013, one of the questions I sought to answer was “how is IR today different from the old days, when most of the security incident response guidance [example, another one] was written?” The resulting research provides some examples, but here is one example that really, really did it for me:

Remember the classic DoE/NIST/SANS [whatever is its “original origin”] 6-step IR process (“Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned”)? Imagine you are following the steps and then just FAIL at the Eradication stage. You try harder – and still FAIL. And then FAIL again. You then try new things – and it still does not work.

In the past, after you patched and cleaned, the 2003 threat [say, the Blaster worm] was truly gone: it was Eradicated, and you got to progress to Recovery and then brew coffee and Learn Lessons. However, in 2016 there are cases where you never get to progress, since Eradication just fails. The incident is still ongoing because the threat is still there. And you can do nothing about it! That’s 2016 for you – you can’t assume the attacker will allow you to proceed to Steps 5 and 6….. and so you need to learn to live in that reality.

Any other striking examples on how today’s IR differs from, say, 2005?


The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.



  • Anthony Di Bello says:

    While there are many ways IR differs from 10 years ago from a standard practice perspective, a profound difference is in the acceptance of the reality that there is no 100% secure from an organizational point of view (which is having many effects). Thinking about a few known private sector hacks from ’05, like Scottrade, response was handled not dissimilar from how mature organizations cross-vertical on average handle (or at least view) IR today. Another striking difference between ’05 and ’16 is the use (and acceptance) of IR techniques in an attempt to find potential compromises before a breach occurs. Interesting times in our field.

    • Thanks for the comment!

      Agreed re: “proactive IR” [hunting, for some]. Definitely didn’t exist at 99.9999% of places in 2005.

      Acceptance of ‘no 100% secure’ is definitely much more common now, but sadly not common enough 🙂

  • Another thing that has changed in the past decade is the complexity of the attack/breach. As you already point out, eradication might not be possible… similarly, with complex attacks, the investigation is not a series of steps – it is a very ad hoc process requiring a plethora of tools and techniques. This makes the analyst’s job tougher. So the way analysts deal with it is to create their own environment and, over time, have their own ways to investigate.

    • Thanks for the comment as well. Indeed, “find virus – remove virus” times seem long gone. Now, it is: find 324 machines that the attacker touched, then find how, then decide what to do, then figure out where the attacker is now, etc, etc, etc

  • Ashish Thapar says:

    Interesting point Anton! I agree and sometimes while investigating data breaches we see unknown splinters left from an incident that lead to further damage at a later time and/or in a different context (polymorphism).

  • Dori Fisher says:

    I think we have just improved in detection, so we know 300 machines were touched. In the old days, we closed cases without really understanding the true compromise. Btw, when you buy an IR engagement, I guess someone has to say “done”.

    • Dori, let’s change it to: somebody INTELLIGENT has to say “done” – otherwise, it will be back to the “wipe one machine – hope for the best” model 🙁

      • Dori Fisher says:

        Anton, agreed, but sadly most clients aren’t able to differentiate intelligent IR vs non-intelligent, so we have to trust our responders and “hope for the best” 🙂

  • Anton, thank you for posing this question. Attackers are much more sophisticated than they were 10 years ago, and the data they’re after is much more prolific. Today, simply detecting the breach has become more difficult, as attackers are able to masquerade as legitimate users and use tools and techniques common to system administrators. When an intrusion occurs, organizations need the right combination of people, processes and technology. The challenge is that the individuals who have the advanced skillsets needed are expensive and hard to come by, and the old model of containment and recovery when dealing with motivated threat actors isn’t effective. No longer can you simply pave and re-image affected machines as you identify them, because attackers have adapted and often afford themselves redundant methods of access into your environment. Finally, where anti-virus technology was a requirement in 2005, today it’s all about securing endpoint-to-cloud to uncover and scope indicators of compromise across ALL assets. The new world requires coordinated “sting” operations to make sure that you cut all of their methods of ingress. Yet, the battle isn’t over when you kick them out. If the attacker didn’t succeed this time, they’ll be back; it’s a 100% guarantee.