RS.AN-08.328

When responding to a security incident, does your organization have a process to identify and examine other potential targets for indicators of compromise and evidence of attacker persistence?

Explanation

During a security incident, attackers rarely stop at the first system they compromise: they move laterally, reuse stolen credentials and plant persistence on additional hosts so that their access survives the discovery and cleanup of the initial entry point. This question assesses whether your organization investigates beyond the first identified compromised system to establish the full scope of the breach. For example, if a server is compromised, your team should examine other servers in the same network segment, systems that share credentials with it (service accounts, SSH keys or domain accounts that logged in to or from it), and systems that communicated with the compromised host. Each of those systems should be checked both for indicators of compromise (known-bad file hashes, domains and IP addresses) and for evidence of persistence (new scheduled tasks or cron jobs, services, added accounts or authorized SSH keys), because a host can hold dormant persistence without showing any active attacker traffic. Evidence could include an incident response playbook that documents this scoping process, logs showing that related systems were examined during past incidents, or reports from previous investigations that demonstrate how other potential targets were identified and examined.
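The scoping process described above, as an added worked example (not part of the original page and not ResponseHub's or NIST's code): starting from one confirmed-compromised host, it derives the candidate targets from three pivots (same network segment, shared credentials seen in authentication logs, and hosts that exchanged traffic with it in flow logs), then sweeps each candidate's collected artifacts for indicator-of-compromise matches and persistence patterns. All host addresses, log lines, hashes, domains and the indicator lists are constructed for the example.

```python
"""Lateral scoping of an incident: pivot from one compromised host to related hosts,
then sweep them for IoCs and persistence. Every data value below is constructed."""
import ipaddress
import re
from collections import defaultdict

# --- constructed sample data (hypothetical environment) -------------------------
COMPROMISED = "10.0.1.20"
INVENTORY = ["10.0.1.10", "10.0.1.20", "10.0.1.21", "10.0.2.5", "10.0.3.7", "10.0.3.8"]

# authentication log: (user, source_ip, destination_ip, result)
AUTH_LOG = [
    ("svc_backup", "10.0.1.20", "10.0.2.5", "success"),   # credential used from the compromised host
    ("svc_backup", "10.0.9.1", "10.0.3.7", "success"),    # same credential used from elsewhere
    ("alice", "10.0.1.10", "10.0.1.20", "success"),       # alice logged in to the compromised host
    ("bob", "10.0.5.5", "10.0.3.8", "failure"),           # unrelated failed login
]

# network flow log: (source_ip, destination_ip, destination_port)
FLOW_LOG = [
    ("10.0.1.20", "10.0.3.8", 445),    # SMB from the compromised host
    ("10.0.3.8", "10.0.1.20", 4444),   # connection back to the compromised host
    ("10.0.1.10", "10.0.1.20", 22),
    ("10.0.2.5", "10.0.6.6", 443),     # does not involve the compromised host
]

# constructed indicators of compromise (not real threat intelligence)
IOC_HASHES = {"2c26b46b68ffc68ff99b453c1d30413413422d706483bfa0f98a5e886266e7ae"}
IOC_DOMAINS = {"update-cdn.example.net"}

# persistence heuristics over cron, systemd unit and authorized_keys lines
PERSISTENCE_PATTERNS = [
    re.compile(r"@reboot\s+.*(curl|wget|\bnc\b|/tmp/)"),   # boot-time job fetching or running from /tmp
    re.compile(r"ExecStart=.*(/tmp/|/dev/shm/)"),          # service binary in a world-writable directory
    re.compile(r"ssh-rsa\s+\S+\s+\S*(?:backdoor|unknown)"),  # key comment not in the known set
]

# artifacts collected from each candidate host (hypothetical collection output)
HOST_ARTIFACTS = {
    "10.0.1.10": {"hashes": set(), "dns": ["intranet.example.org"], "cron": [], "units": [], "authorized_keys": []},
    "10.0.1.21": {"hashes": set(), "dns": [], "cron": ["0 2 * * * /usr/bin/backup.sh"], "units": [], "authorized_keys": []},
    "10.0.2.5": {"hashes": set(IOC_HASHES), "dns": ["update-cdn.example.net"],
                 "cron": ["@reboot /tmp/.x/agent"], "units": [], "authorized_keys": []},
    "10.0.3.7": {"hashes": set(), "dns": [], "cron": [],
                 "units": ["ExecStart=/dev/shm/.svc --daemon"], "authorized_keys": []},  # dormant: no IoC traffic seen
    "10.0.3.8": {"hashes": set(), "dns": [], "cron": [], "units": [],
                 "authorized_keys": ["ssh-rsa AAAAB3NzaC1yc2E unknown@kali"]},
}


def candidate_targets(compromised, inventory, auth_log, flow_log, prefix=24):
    """Return {ip: set(reasons)} for every host that should be examined next."""
    reasons = defaultdict(set)
    segment = ipaddress.ip_network(f"{compromised}/{prefix}", strict=False)
    for ip in inventory:
        if ip != compromised and ipaddress.ip_address(ip) in segment:
            reasons[ip].add("same_segment")
    # any account that successfully authenticated to or from the compromised host is suspect everywhere
    suspect_users = {u for u, s, d, r in auth_log if compromised in (s, d) and r == "success"}
    for user, src, dst, result in auth_log:
        if user in suspect_users and result == "success":
            for ip in (src, dst):
                if ip != compromised:
                    reasons[ip].add(f"shared_credential:{user}")
    for src, dst, port in flow_log:
        if src == compromised and dst != compromised:
            reasons[dst].add(f"peer:out:{port}")
        elif dst == compromised and src != compromised:
            reasons[src].add(f"peer:in:{port}")
    return dict(reasons)


def sweep_host(artifacts, ioc_hashes=IOC_HASHES, ioc_domains=IOC_DOMAINS, patterns=PERSISTENCE_PATTERNS):
    """Return [(kind, detail)] findings for one host's artifacts; empty list means clean."""
    findings = [("ioc_hash", h) for h in sorted(set(artifacts.get("hashes", ())) & ioc_hashes)]
    findings += [("ioc_domain", d) for d in artifacts.get("dns", []) if d in ioc_domains]
    lines = artifacts.get("cron", []) + artifacts.get("units", []) + artifacts.get("authorized_keys", [])
    for line in lines:
        if any(p.search(line) for p in patterns):
            findings.append(("persistence", line))
    return findings


def scope_incident(compromised, inventory, auth_log, flow_log, host_artifacts):
    """Build the scoping report: every candidate, why it is in scope, and what the sweep found.
    Hosts without collected telemetry stay in the report as 'no_telemetry' rather than disappearing."""
    report = {}
    for ip, why in sorted(candidate_targets(compromised, inventory, auth_log, flow_log).items()):
        arts = host_artifacts.get(ip)
        if arts is None:
            report[ip] = {"reasons": why, "status": "no_telemetry", "findings": []}
            continue
        found = sweep_host(arts)
        report[ip] = {"reasons": why, "status": "suspect" if found else "clean", "findings": found}
    return report


if __name__ == "__main__":
    for ip, entry in scope_incident(COMPROMISED, INVENTORY, AUTH_LOG, FLOW_LOG, HOST_ARTIFACTS).items():
        print(ip, entry["status"], sorted(entry["reasons"]), entry["findings"])
```

Two details matter in practice: the host reached from an outside address with the same service credential (10.0.9.1 here) has no collected artifacts, so it is reported as "no_telemetry" rather than silently treated as clean, and 10.0.3.7 shows a persistence mechanism with no matching network indicators at all, which is exactly the case that a sweep limited to "hosts talking to known-bad infrastructure" would miss.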

Implementation Example

Review other potential targets of the incident to search for indicators of compromise and evidence of persistence

ID: RS.AN-08.328

Context

Function
RS: RESPOND
Category
RS.AN: Incident Analysis
Sub-Category
An incident's magnitude is estimated and validated

ResponseHub is the product I wish I had when I was a CTO

Previously I was co-founder and CTO of Progression, a VC-backed HR-tech startup used by some of the biggest names in tech.

As our sales grew, security questionnaires quickly became one of my biggest pain points. They were confusing, hard to delegate and arrived like London buses - 3 at a time!

I'm building ResponseHub so that other teams don't have to go through this. Leave the security questionnaires to us so you can get back to closing deals, shipping product and building your team.

Neil Cameron
Founder, ResponseHub