“I am always a big proponent of automation in those security systems as a first line of defense, particularly if it’s not going to be an overly damaging action,” Immler says. “Automations are really helpful as first lines of defense when you see something happen and you need a chance to triage it, where that can get problematic if you go overboard.”
He adds, “I think it’s good to be very nimble and selective and recognize this account just tried to do something that it should never be doing and disable that account for a little while or issue a logout for a universal logout, something like that to remove their access to what they’re doing until somebody’s had a chance to go, ‘Hey, is this what you should have been doing? Or did you mean to do this? Was it an accident?’”
Moreover, having an incident response plan beforehand and then following it is a must when containing a threat actor, Cisco Talos’ Cadieux emphasizes. “It goes back to the IR plan that they should have developed. There should be a basis for how to do containment, the options based on our people and technology, and how to execute those. And then, of course, the plan should be tested.”
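The two ideas above, reversible low-damage automation that holds access until a human triages it, and a pre-written, tested containment plan with options ranked by how much they can break, fit together in a single small response loop. The following is an added example, not code from the article, from Immler's organisation or from Cisco Talos; the in-memory `DIRECTORY`, the action names, the `PLAYBOOK` rule name and the two-hour triage window are all constructed assumptions standing in for whatever identity-provider or SOAR API an organisation actually drives.

```python
"""Bounded, reversible containment with an analyst triage step (illustrative)."""
from copy import deepcopy
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Constructed sample identity store: account -> state (not real data).
DIRECTORY = {
    "svc-backup": {"enabled": True, "sessions": 2, "groups": ["backup-ops"]},
    "alice": {"enabled": True, "sessions": 1, "groups": ["eng", "vpn"]},
}


@dataclass
class Action:
    name: str
    auto_ok: bool  # True = low-damage and undoable, so safe to fire without a human
    apply: Callable[[dict, str], None]
    revert: Callable[[dict, str], None]


def _disable(d, a): d[a]["enabled"] = False
def _enable(d, a): d[a]["enabled"] = True
def _logout(d, a): d[a]["sessions"] = 0       # universal logout: every session invalidated
def _noop(d, a): pass                          # nothing to undo; the user signs in again
def _strip_groups(d, a): d[a]["groups"] = []   # can break production access: human approval


ACTIONS = [  # hypothetical action set; ordered least damaging first
    Action("universal_logout", True, _logout, _noop),
    Action("disable_account", True, _disable, _enable),
    Action("remove_all_groups", False, _strip_groups, _noop),
]

# Detection rule -> containment options from the written plan (rule name is made up).
PLAYBOOK = {
    "account-did-something-it-never-should": [
        "universal_logout", "disable_account", "remove_all_groups"],
}


@dataclass
class Containment:
    account: str
    action: str
    applied_at: datetime
    review_by: datetime
    status: str = "pending-triage"  # -> confirmed | reverted | overdue


class ContainmentPlan:
    def __init__(self, directory, actions, playbook, triage_window=timedelta(hours=2),
                 now: Optional[Callable[[], datetime]] = None):
        self.dir = directory
        self.actions = {a.name: a for a in actions}
        self.playbook = playbook
        self.window = triage_window
        self.now = now or (lambda: datetime.now(timezone.utc))
        self.log: list[Containment] = []
        self.awaiting_approval: list[tuple[str, str]] = []

    def on_detection(self, account: str, rule: str) -> list[Containment]:
        """Fire the auto-safe options at once; queue the damaging ones for a person."""
        applied = []
        for name in self.playbook.get(rule, []):
            act = self.actions[name]
            if act.auto_ok:
                act.apply(self.dir, account)
                t = self.now()
                c = Containment(account, name, t, t + self.window)
                self.log.append(c)
                applied.append(c)
            else:
                self.awaiting_approval.append((account, name))
        return applied

    def triage(self, account: str, malicious: bool) -> None:
        """Analyst verdict: keep the containment, or undo it if it was an accident."""
        for c in self.log:
            if c.account == account and c.status == "pending-triage":
                if malicious:
                    c.status = "confirmed"
                else:
                    self.actions[c.action].revert(self.dir, account)
                    c.status = "reverted"
        if not malicious:
            self.awaiting_approval = [p for p in self.awaiting_approval if p[0] != account]

    def overdue(self) -> list[Containment]:
        """Unreviewed past the window: access stays removed, but flag it for escalation."""
        now = self.now()
        late = [c for c in self.log if c.status == "pending-triage" and now > c.review_by]
        for c in late:
            c.status = "overdue"
        return late


def exercise_plan(actions: list[Action], baseline: dict) -> dict[str, bool]:
    """Test the plan on a copy of the store: does each action change state, and does
    its revert run without error?  Never point this at the live directory."""
    sandbox = deepcopy(baseline)
    results = {}
    for act in actions:
        effective = True
        for account in sandbox:
            before = deepcopy(sandbox[account])
            act.apply(sandbox, account)
            effective &= sandbox[account] != before
            act.revert(sandbox, account)
        results[act.name] = effective
    return results


def run_scenario(clock=None) -> ContainmentPlan:
    """Worked run: detection fires, auto options apply, analyst rules it an accident."""
    plan = ContainmentPlan(deepcopy(DIRECTORY), ACTIONS, PLAYBOOK, now=clock)
    plan.on_detection("svc-backup", "account-did-something-it-never-should")
    plan.triage("svc-backup", malicious=False)
    return plan
```

Only actions marked `auto_ok` ever run without a person; the group-stripping option is recorded but waits for approval, and a containment nobody reviews in time is flagged as overdue rather than silently re-enabled, since undoing an unreviewed containment would hand the access back. `exercise_plan` is the "plan should be tested" step in miniature: it runs every option against a sandbox copy so the team learns before an incident which actions actually take effect and which reverts are no-ops.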