Cyber Security Incident Response

This page is a practical guide to handling cyber security incidents effectively and to achieving a higher level of readiness for responding to them. It has been written as a practical manual based on our experience of handling hundreds of cyber security incidents of varying complexity. Practical means proven and actually working: high-fidelity actions and steps, rather than plans, methodologies and frameworks. Our team has responded to hundreds of incidents over the years, and we know what works and what does not. Read this guide if you want to learn more, or contact us for immediate assistance.

Handling Uncertainty During IR

Dealing with a cyber security breach can be overwhelmingly stressful. This is when the limitations of your cyber security incident response plan come into focus. You come face-to-face with the harsh reality that your technology was not impenetrable. Your SIEM and XDR provide fragments of data about the breach but lack the comprehensive details needed to trace back to the initial point of compromise. You cannot determine, in a practical amount of time, what damage has been done, whether the attacker has been fully contained, and whether it is safe for you to recover. In short, it is a complete disaster.

Too often, we witness organizations struggling in the aftermath of such breaches. While internal teams may be adept at mitigating common threats, like opportunistic attacks or business email compromises, they may falter when facing a major cyber crisis. Sure, you may have an incident response plan in place, but does it truly provide practical answers to the questions that arise during a major cyber security incident? The stark reality is that most cyber security defenders have never faced a sophisticated threat actor or a large-scale ransomware event. On average, only 5% of in-house cyber security team members have had experience handling complex response scenarios. Most cyber defenders are learning on the job.

To make it even worse, many unknowns arise during a cyber security incident response. These uncertainties can quickly thrust the response team into unfamiliar terrain, beyond the boundaries of their Incident Response Plan. We often see IR efforts stall and businesses get stuck, especially when:
  1. Multiple groups become caught up in conflicting directions, leading to decision paralysis.
  2. The team faces unclear priorities, resulting in a never-ending cycle of investigation without reaching a resolution.
  3. Critical decisions are overlooked or postponed in the initial stages of the response process.

From Uncertainty to Assurance

This kind of uncertainty during an incident response can be detrimental to many organizations. It's this very uncertainty that plays a significant role in the escalating costs associated with managing data breaches. Consider the following statistics:
  • In 2023, the global average cost of a data breach soared to USD 4.45 million, marking a 15% increase over a span of three years.
  • In Australia alone, the average cost of a data breach surged by 32% in just five years, touching AUD $4.03 million, as cited in the 2023 Cost of a Data Breach Report.
  • Drilling down further, the top 3 industries with the highest average breach costs in Australia were Financial Services (AUD $5.56 million), Technology (AUD $5.06 million), and Education (AUD $4.61 million).
  • Notably, escalation and investigation expenses peaked at AUD $1.68 million, representing the largest chunk of breach-associated costs.
How can incident response teams effectively address the uncertainty that surrounds a cyber security breach and ensure an effective response?

Critical IR Questions

Your ability to successfully respond to a cyber security incident will be determined by your ability to answer critical questions around simple facts concerning the breach. Here are the five most important business questions:
  • What (or who) is the patient zero?
  • For how long had the attacker dwelled in our systems?
  • Are there any other systems which are breached?
  • Has our data been exfiltrated? If yes, what exactly?
  • How can we be 100% confident that the attacker has not left any backdoors behind and will not come back?
These questions will come up naturally during the response process - normally your business stakeholders will start asking these questions on the 2nd or 3rd day, after the initial shock reaction passes.

Some Sad Examples

If you can confidently answer these questions, you will be able to move on and recover. If you can't answer them, you are in murky waters, often making guesses rather than informed decisions. In such scenarios, there is a risk of making statements like "We likely covered all bases," "We've done as much as possible," or "We haven't found any evidence of further intrusion." In Australia there have been many examples where it was evident that the company could not answer these questions and had to guess:
Service NSW data breach, April 2020. Service NSW official statements:
28 May 2020:
“There is no evidence that Service NSW databases were compromised and the network and systems of record that store licence information are not affected by this breach.”
30 October 2020:
“…The investigation into the specifics has taken 4 months because of its complexity. There were 3.8 million documents stolen.”

Medibank data breach, October 2022. Medibank official statements:
14 October 2022:
"...We have still found no evidence that customer data has been accessed."
17 October 2022
"Our ongoing investigation continues to show no evidence that any customer data has been removed from our IT environment."
20 October 2022
"The criminal also claims to have stolen other information... This has not yet been verified by our investigations."
25 October 2022
"It has become clear that the criminal has taken data that now includes Medibank customer data."

Latitude Financial, March 2023. Latitude Financial official statements:
16 March 2023:
“...approximately 330,000 customers and applicants have had their personal information stolen…”
27 March 2020:
“...our review has uncovered further evidence of large-scale information theft…”, ”...we have identified that approximately 7.9 million Australian and New Zealand driver licence numbers were stolen.”

Practical IR vs Superficial IR

As you respond to a cyber security incident, you will come across a few challenges:
  • How certain can I be when addressing critical business questions (outlined above)?
  • How deep should I delve, and how much time can I allocate to answer these pivotal questions?
  • How do I seamlessly shift from investigation and fact-finding to the recovery phase?
A practical Incident Response (IR) capability is one that can answer these questions. Within practical IR, responders prioritize rapid fact-finding over conjecture and future projections. They adopt a holistic approach, examining the entire environment, and initiate responses at scale rather than focusing solely on individual systems. In contrast, Superficial IR is a situation where responders neglect evidential aspects and overly emphasize outcomes and projections.

Signs that Your IR Efforts May Not Be Practical:
  1. Excessive Focus on Top-Level Aspects: Your response team dwells excessively on high-level aspects, such as notifiable data breaches and broader impact-focused concepts. While these are vital considerations, data is the linchpin for informed decisions; absent sufficient data, making sound judgments becomes nearly impossible.
  2. Overreliance on Generic Security Events: Relying predominantly on generic security events without gathering situational evidence can hinder effective incident response.
  3. Tool-Centric Recovery: Placing excessive reliance on the outputs of security tools, such as EDR, to recover compromised systems without a clear recovery plan in mind.
  4. Directionless Approach: Proceeding without a clear endpoint in sight, starting with the compromised host and progressing without immediate recovery strategies in mind.
  5. "I Think We Should" Language: Employing language that is tentative, such as "I think we should," rather than adopting a decisive and data-driven approach to incident resolution.
Practical IR empowers responders to swiftly and confidently address critical business inquiries, focusing on factual evidence and a comprehensive understanding of the incident's scope. This approach stands in stark contrast to Superficial IR, where outcomes and projections often overshadow the pursuit of concrete evidence and effective resolution.

The Cost of Uncertainty

To mention just a few implications of major cyber security incidents:
  • Business Leadership: A significant breach is a critical test for corporate leadership. Executives face the daunting task of communicating with the public and stakeholders. Instead of relaying concrete answers based on technical evidence, they often lean on optimistic projections, which can erode trust.
  • IT Leadership: The saying goes: cybersecurity isn't a priority until it's the only priority. When the storm hits, business stakeholders will seek clarity. Some will see this as a chance to invest further in security, approving additional budget and new controls. Yet not all reactions are constructive. There is a recurring trend where IT leaders, under immense pressure and scrutiny post-breach, transition to different roles or exit the organization altogether.
  • Managed Service Providers (MSPs): Significant breaches, especially those resulting in material or reputational damage, are really bad for MSPs. If they can't leverage their Security Operations (SecOps) effectively during a crisis, their credibility is at stake. Statistics show that businesses tend to switch IT providers within six months of a major incident.
  • Cyber Security Product Vendors: Vendors with limited coverage face challenges when major breaches occur. Their go-to response often suggests upgrading to a pricier product tier, an approach that's not always well received. It's not uncommon for businesses to replace such vendors with alternative solutions within 6 to 12 months post-incident.

Winning an Unfair Game

Answers to these critical questions are not easily available. You will need to dig deep, collecting and then analyzing data from your systems. In general terms, a cybersecurity incident response is akin to an incomplete information problem, as described by game theory. This means you are required to respond based on your current understanding of the attack, all while continuing to gather more details about the attacker's actions. The situation is inherently unbalanced, given the incomplete nature of your information at the outset. It becomes even worse if you have not invested in cyber security readiness, because you are then introducing an additional unknown: your own weaknesses and vulnerabilities. For you to win the game, you must first narrow the knowledge (incompleteness) gap and eliminate uncertainty.

Imagine if, immediately post-attack, you knew exactly what the attacker did. Say the threat actor compromised 3 user accounts, escalated privileges to the domain controller, installed a backdoor there, exfiltrated your customer information database, deleted on-site backups and deployed ransomware to most of your systems. Sure, it does not sound great at all. The recovery process will be painful and long (hopefully your cloud backups are there), but there will not be much uncertainty in the process. With this clarity, your team can take a methodical and focused approach to recovery.

In reality, you might not be certain whether 3 or 20 users were compromised. In fact, you might not even know if any users were compromised at all. You will not know what data was exfiltrated, whether any backdoors were deployed, whether new users were created, and so on. A lot of uncertainty will be there. The objective in this 'game' is to make moves that advance you towards recovery, closing the incident, and transitioning back to normal business operations.
All the while, you'll be working to level the playing field by gathering more information through the investigation, thus reducing the 'incomplete information' aspect of the situation. The adversary's objective is to amplify the uncertainty. Typically, attackers take their time getting to know your environment. They often select tactics that generate minimal traceable data to hinder your investigation. To make the situation even worse, threat actors often attempt to obscure this essential information: they might delete system event logs or alter file timestamps to deceive you. Their ultimate goal is to ensure you can't find answers to the crucial questions. Here is a summary of steps you can take to transition from a state of uncertainty to a path of recovery:
  • Talk to individuals who have direct access to the cyber security data and can interpret the ongoing situation. Include cyber practitioners in your response team who can clearly articulate what happened, what data they checked, and present tangible evidence to support their findings.
  • Always ask for evidence to back up any statements made.
  • Be careful and skeptical about any commercial product offerings that arise during the response process. Every good incident responder knows that effective Digital Forensics and Incident Response (DFIR) tools are either free or already in a responder's possession. Typically, your primary cost is time. Implement 24x7 security monitoring as early as possible in the response process.
  • Always keep the bigger picture in mind. Prioritize obtaining answers to the critical questions that will guide you from uncertainty to assurance.

Role of Evidence

To effectively address a cybersecurity incident and assure the business that the threat is contained, you must be able to answer the five critical questions above confidently and promptly. However, without proper evidence, achieving this confidence is virtually impossible. What constitutes evidence in cybersecurity incident response? Evidence consists of event records that conclusively answer those questions, eliminating any need for speculation. Instead of relying on vague statements like "I think we should be okay," evidence allows for definitive remarks grounded in facts. Having evidence is invaluable; the lack of it is immensely challenging. Without concrete evidence, discussions often hinge on projections. People express their hopes for the situation, driven by a desire for everything to be alright, rather than basing their insights on tangible, analytical data. Look at these statements again:
Medibank official statement:
"...We have still found no evidence that customer data has been accessed."
Service NSW official statement:
“There is no evidence that Service NSW databases were compromised and the network and systems of record that store licence information are not affected by this breach.”
In cyber security incident response, understanding how to gather relevant, situational evidence during an incident can make all the difference. In practice, most Managed Detection and Response (MDR) or internal Security Operations Center (SOC) teams predominantly concentrate on aggregating logs to support their detection-oriented use cases. Regrettably, these teams often lack the capability to collect additional situational evidence during the incident response process itself. Instead, they are constrained to rely on the pre-existing data within their Security Information and Event Management (SIEM) system. This reliance necessitates a manual, time-consuming process to initiate a response.

Effective Evidence Collection in IR

These days, numerous organizations have established reasonably efficient Security Operations capabilities. They collect security events from their systems, profile user and machine behavior, and run investigative searches to support their incident response efforts.

A major cybersecurity incident typically necessitates the involvement of digital forensics experts. These experts often spend a significant amount of time analyzing a specific system and presenting their findings in the form of a timeline (when it happened), forensic artifacts (what happened), and, if available, details about attacker tools, techniques, and procedures (how it happened). Traditionally, digital forensics operates under the paradigm of a 'crime scene' that requires investigation, involving a 'post-mortem' analysis of previous events to reconstruct how an endpoint or user account was compromised. It is usually conducted with the presumption that the threat has been contained and the affected endpoint is isolated from the network.

However, forensic examination of a single endpoint can take hours or even days, and it does not scale well as the number of affected or suspected endpoints increases. Moreover, affected endpoints can now be located anywhere, from physical PCs to virtual containers in a multi-cloud environment. Consider a scenario where you have 200 compromised endpoints out of a fleet of 10,000, and you lack knowledge of what other measures the threat actor might have deployed in your environment for persistence. Many organizations simply lack the capabilities, including the necessary tools and resources, to conduct security incident investigations at a deeper, forensic level. They often have to accept the paradigm of an opportunistic attack and assume that the problem is entirely resolved if they can remotely wipe the affected endpoint. Meanwhile, in today's landscape, many threat actors actively seek long-term persistence.
Can you ever be confident that the threat has not propagated to other parts of your network in a completely different form? If you've been involved in incident response, you're likely aware of the difficulty in ruling out all possibilities and the amount of guesswork often involved as everyone rushes to declare that everything is back to normal. How many times have you wondered if other endpoints and users might also be affected and whether there's a practical way to ascertain it?

Enterprise-Wide Visibility

While SIEM platforms typically offer extensive coverage in terms of visibility, many security events still go unnoticed. How many organizations do you know that monitor all east-west network traffic, track every user's browser history, perform thorough PowerShell payload analysis, record every file accessed by each user on the network, and keep tabs on all software running on remote workers' laptops?

Building an efficient Security Operations and Detection & Response capability is a significant challenge in itself. Regardless of your efficiency criteria, it's likely that your SecOps operates in a delicate balance between the volume of available information (security event data) and its practical utility (the organization's ability to derive value through high-fidelity detections). Expanding your data sources increases visibility, generally enhancing your chances of detecting malicious activity across your attack surface. However, a critical challenge emerges as SOC operators strive to identify anomalies (the fish) in an ocean of data, where more data also means more noise in the form of false positives. In practice, the utility of information depends on the available human resources, processes, and technologies. Unable to process all available data, day-to-day SecOps typically aims to cover as much of the attack surface as possible by incorporating additional log sources, while in-depth, forensic-like investigation capabilities rely on deeper visibility.

In the event of a sophisticated attack, a well-designed SecOps capability should offer initial insights that indicate deviations from the norm. These initial insights are incredibly valuable, as they can guide forensic searches and data collection efforts. In simple terms, if you trust your SIEM, you have a starting point. But what should your next course of action be? Consider the case of the SolarWinds hack, which began with the leakage of FireEye's red team tools.
FireEye had threat actors operating within their systems for some time, but they remained unaware until the hackers publicly revealed it by sharing the red team tools. However, with the right data, tools, and skilled personnel, FireEye swiftly uncovered the breach details within a few days. The crucial leap occurred when they realized that a presumably trusted software package from SolarWinds was the culprit. This discovery happened promptly once they understood that adversaries had breached their environment. This process mirrors how the human brain operates. Discovering something truly unknown is challenging until you know what to search for. Once you understand what to look for, it becomes essential to have access to extensive data, coupled with the necessary tools and processes, to conduct a deep investigation on a large scale rapidly.

Incident Response Capabilities

In a world where cybersecurity attacks become more and more sophisticated, enterprises and MSSPs need new capabilities to conduct in-depth investigations with much greater scale, speed and efficiency. To respond effectively to incidents and gather evidence, you must have a robust SecOps toolkit, which includes:
  1. Live DFIR (Digital Forensics and Incident Response) on Endpoints: This allows you to collect forensic data across your organization, search for signs of compromise, and perform forensic searches at scale.
  2. NDR (Network Detection and Response): NDR provides essential visibility into network traffic, creating continuous evidence records that you can always depend on. Because these records are captured off the host, an attacker on a compromised endpoint cannot delete or alter them the way they can endpoint logs.
  3. Multi-Cloud Visibility: You need the ability to acquire and analyze log data at scale across multiple cloud instances and service providers.
  4. SIEM Capability: Your SIEM should be integrated with log sources from all your critical security systems.
  5. Unified Data Model: This enables you to work within the same context for all your data, whether it comes from your SIEM, EDR, DFIR, or other tools.
  6. Attack Surface Awareness: While responding, it's crucial to know what your attack surface looks like at any given moment and react swiftly to any changes.
  7. Dark Web Visibility: Proactively monitoring the dark web for any adversary activities related to your organization is of paramount importance. It provides early warnings of potential threats, such as mentions of your organization, compromised credentials, or leaked data.
  8. Threat Intelligence: Integrating threat intelligence feeds into your SecOps toolkit enhances your ability to detect and respond effectively to emerging threats.
  9. Retrospective Investigations: This critical ability allows you to search all your systems retrospectively for detected signs of compromise, without the need for manual forensic tools.
  10. Continuous Monitoring: Your toolkit should support 24x7 monitoring of the environment from the moment your incident response begins, ensuring ongoing vigilance.
Your SecOps toolkit should offer extensive visibility across the entire attack surface, facilitating the examination of initial anomalies and discrepancies identified by your SOC team. While traditional digital forensics is often viewed as a reactive and time-consuming process, recent advancements enable organizations to investigate incidents on a broad scale, promptly uncovering the true nature of events and identifying potential occurrences elsewhere. This investigation occurs in real time, seamlessly following threat detection and incident response, tightly integrated with your SecOps SIEM/SOAR/hunting toolkit. Immediate forensic data acquisition has become a pivotal element of incident response, and now it can be executed remotely and at a significant scale. This approach allows for the profiling not only of specific endpoints but of entire environments, including users, machines, and software.

Threat Hunting involves working with real-time data and employing a set of standard threat hunter tactics, such as alerting, traps, deception, and hunting queries, to pinpoint potential threats. In contrast, Enterprise Forensics is akin to casting an exceedingly fine net across the entire ocean. An effective SecOps capability, when applied to incident response, should possess the following characteristics:
  • Profound: It should offer deep, real-time visibility and the extraction of forensic artifacts, including registry keys, file system objects, deleted data, and unallocated disk space. Additionally, it should intelligently analyze user, machine, and software behavior.
  • Scalable: The capability should operate across the entirety of an organization's attack surface and function at an enterprise-wide scale.
  • Remote: It should reach all assets and networks throughout the entire enterprise, ensuring comprehensive coverage.
  • Integrated: The capability can be activated on-demand and should seamlessly integrate with existing SIEM, EDR, and XDR capabilities.
SecOps enhances analyst investigations by swiftly aggregating, analyzing, and visualizing substantial volumes of data, providing valuable insights that guide investigations in the right direction. It should support any hypotheses that investigators wish to test, offering real-time data collection and rapid outlier detection to inform subsequent actions.

24x7 Security Monitoring During IR

Many DFIR (Digital Forensics and Incident Response) teams concentrate solely on their immediate tasks: incident investigation, root cause analysis, and situational incident response. But how can you help the business to recover from the breach, stop losing money, and get back to normal operations, while also providing assurance that the situation is under control and threat actors are not coming back into the environment? Complementing any DFIR engagement with ongoing security monitoring is crucial, ideally conducted by the same team. Practically speaking, it's challenging to manage it any other way. Ask your response team if they do the following:
  • Utilization of an Appropriate SecOps Toolset: Is the team using a suitable SecOps toolkit that covers all relevant data sources?
  • Real-Time Monitoring of the Environment: Is real-time monitoring based on discovered indicators of compromise being conducted? Ideally, this monitoring should be handled by the same team responsible for the investigation, offering flexibility in data ingestion and indexing.
  • Maintaining Situational Awareness: Does the team sustain situational awareness within the affected environment, comprehending traffic flows, external systems, applications, and the entire attack surface?
  • Ongoing Threat Hunting: Is continuous threat hunting being performed in the environment? Distinct from DFIR investigations, threat hunting is crucial for establishing confidence that threat actors have not maintained a presence.
  • Retrospective Searches: Are regular retrospective searches conducted across the entire organization, spanning weeks or even months into the past, for all identified indicators of compromise? This practice ensures that the scope of the investigation remains comprehensive, encompassing the entire enterprise.
By integrating these practices into your incident response strategy and maintaining continuous security monitoring, you can not only address immediate concerns but also proactively safeguard your organization against future threats and breaches.
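As an added example (not code from the original page or from ThreatDefence), the following Python script shows the shape of a retrospective indicator search over a window of historical logs, the practice described in the last bullet above. The same output also feeds the critical business questions listed earlier: the earliest sighting is the patient zero candidate, the gap to the date the incident was raised is the dwell time, and every host with a hit is part of the scope. The log lines, the indicators (an address from the TEST-NET-3 documentation range, a placeholder hash and a service account name) and the incident date are all constructed for illustration; the simple key=value log format is an assumption, not any product's format.

```python
"""Retrospective indicator-of-compromise (IoC) search over a log window.

Added example. All indicators, hosts and log lines below are constructed
for illustration; the key=value log format is an assumption, not any
vendor's format.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from datetime import datetime

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"
KV = re.compile(r"(\w+)=(\S+)")  # key=value pairs following the timestamp

# Constructed indicators found during the investigation (placeholders only).
PLACEHOLDER_HASH = "e3b0c442" + "00" * 28  # 64 hex chars, not a real sample
IOCS = {
    "ip": {"203.0.113.45"},        # suspected C2 address (TEST-NET-3 range)
    "sha256": {PLACEHOLDER_HASH},  # dropped tool
    "user": {"svc_backup$"},       # service account seen used by the attacker
}

# Constructed sample: about five weeks of simplified logon/network/process events.
SAMPLE_LOGS = [
    "2024-01-03T08:12:01Z host=FS01 event=logon user=jdoe src=10.0.5.12 result=success",
    "2024-01-05T22:41:17Z host=WS-0412 event=logon user=svc_backup$ src=10.0.9.77 result=success",
    "2024-01-05T22:43:02Z host=WS-0412 event=netconn dst=203.0.113.45:443 proc=updater.exe",
    "2024-01-12T03:15:44Z host=DC01 event=logon user=svc_backup$ src=10.0.9.77 result=success",
    f"2024-01-12T03:20:09Z host=DC01 event=process proc=C:\\Windows\\Temp\\svc.exe sha256={PLACEHOLDER_HASH}",
    "2024-01-20T11:02:30Z host=FS01 event=netconn dst=203.0.113.45:443 proc=svc.exe",
    "2024-02-02T09:00:00Z host=WS-0099 event=logon user=asmith src=10.0.5.40 result=success",
    "2024-02-10T17:45:12Z host=FS01 event=netconn dst=203.0.113.45:443 proc=svc.exe",
]
INCIDENT_DECLARED = datetime(2024, 2, 12)  # constructed date the incident was raised


@dataclass
class HostHits:
    """Sightings of any indicator on one host across the whole window."""
    first_seen: datetime
    last_seen: datetime
    indicators: set[str] = field(default_factory=set)


def match_line(line: str) -> tuple[datetime, str, set[str]] | None:
    """Return (timestamp, host, matched indicator labels) or None if no IoC matches."""
    ts_str, _, rest = line.partition(" ")
    fields = dict(KV.findall(rest))
    hits: set[str] = set()
    for key in ("src", "dst"):                 # network indicators, port stripped
        addr = fields.get(key, "").split(":")[0]
        if addr in IOCS["ip"]:
            hits.add(f"ip:{addr}")
    if fields.get("sha256") in IOCS["sha256"]:  # file indicators
        hits.add("sha256:" + fields["sha256"][:12])
    if fields.get("user") in IOCS["user"]:      # identity indicators
        hits.add("user:" + fields["user"])
    if not hits:
        return None
    return datetime.strptime(ts_str, TS_FORMAT), fields["host"], hits


def retrospective_search(lines: list[str]) -> dict[str, HostHits]:
    """Scan the entire window, not just the alert time, and aggregate per host."""
    hosts: dict[str, HostHits] = {}
    for line in lines:
        found = match_line(line)
        if found is None:
            continue
        ts, host, hits = found
        entry = hosts.get(host)
        if entry is None:
            hosts[host] = HostHits(ts, ts, set(hits))
        else:
            entry.first_seen = min(entry.first_seen, ts)
            entry.last_seen = max(entry.last_seen, ts)
            entry.indicators |= hits
    return hosts


def scope_summary(hosts: dict[str, HostHits], as_of: datetime) -> dict:
    """Map the search result onto the business questions: patient zero, dwell, scope."""
    earliest_host = min(hosts, key=lambda h: hosts[h].first_seen)
    first_activity = hosts[earliest_host].first_seen
    return {
        "patient_zero_candidate": earliest_host,
        "first_activity": first_activity,
        "dwell_days": (as_of - first_activity).days,
        "affected_hosts": sorted(hosts),
    }


if __name__ == "__main__":
    result = retrospective_search(SAMPLE_LOGS)
    for host, h in sorted(result.items()):
        print(f"{host}: {h.first_seen:%Y-%m-%d} .. {h.last_seen:%Y-%m-%d} {sorted(h.indicators)}")
    print(scope_summary(result, INCIDENT_DECLARED))
```

The point of running this over the full retention window rather than around the alert is visible in the sample: the alert-generating host is not the earliest one, and a file server that was never flagged turns out to have been beaconing for weeks. Each time a new indicator is discovered, the search is rerun against the same window, and the per-host first/last sightings are the evidence that backs the answers given to the business.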

Digital Supply Chain and IR

Your SecOps capability should not only focus on profiling individual users or endpoints but also delve into the behavior of any software within your organization's digital supply chain. According to the 2021 Supply Chain Resilience Report, 27.8% of organizations reported 20 or more supply chain disruptions in 2020. Simultaneously, it's predicted that 60% of security incidents will stem from issues involving third parties. Security analysts often grapple with a common challenge in security operations: How can you determine if rarely used software is malicious or not? Only a handful of organizations can confidently claim to know every piece of software operating within their environment, typically achieved through explicit whitelisting, despite the associated management overhead and user experience degradation. If this isn't your approach, then you must acknowledge that some lesser-known software may reside within your user environment. When you run such software in a controlled environment and closely monitor it, you'll likely observe actions that defy complete explanation. For instance, you might notice it connecting to TLS endpoints in the cloud (obscured behind a public CDN) and receiving encrypted data, or creating scheduled tasks that persist even after the software is deleted, which also establish daily connections. Even if this software isn't engaged in any malicious activity at a given moment, it should not be excluded from investigation solely based on public intelligence data, such as a VirusTotal lookup. With threat actors increasingly targeting smaller vendors and suppliers, digital supply chain compromise should always be a consideration during post-incident analysis. Often, it's challenging to continuously profile each piece of software because malicious indicators tend to be subtle. However, once you identify where to begin, you need tools that allow you to explore it. 
While it's usually impractical for a blue team to closely monitor every piece of software on an ongoing basis, a genuine SecOps capability offers the means to scrutinize any specific software package on-demand and assess its behavior from a threat detection perspective.

Case Study: Our Approach to IR

Here at ThreatDefence, we've encountered numerous significant cybersecurity incidents both in Australia and across the globe. On more than one occasion, we found ourselves in situations where multiple teams were involved in the response effort, yet progress remained elusive. The growing disconnect between the technical teams and the business added to the frustration, as critical answers remained elusive amidst a sea of uncertainties. At ThreatDefence, our IR approach is grounded in technology, experience and common sense. We firmly believe that Incident Response should never happen in isolation. Instead, we supplement it with our SecOps platform, providing deep visibility and scalable evidence records from the onset of our Incident Response engagement. We believe in practical leadership and common sense. We stand by the principle of deep visibility, enabling us to substantiate our findings with clear and compelling evidence. We advocate for ongoing monitoring, allowing us to support our efforts with ongoing assurance.

How to Prevent Cyber Security Incidents

Business leaders understand (at least intuitively) that they need to take significant strides to keep pace with hackers, necessitating a shift in their approach. Simply stating the need for robust cybersecurity measures is no longer sufficient or practical advice. Do you need to go through some sort of monumental 10x cyber security transformation? You may have heard that achieving this level of cybersecurity excellence entails orchestrating people, processes, and technology. It's widely understood that this elusive 10x factor can only be attained through a combination of skilled individuals, advanced technology, and continuously improving processes. In reality, your current assets are your people, your available technology, and the processes feasible within a practical timeframe. Budget constraints often limit the acquisition of premium technology packages from vendors, making it essential to make the most of what you have. So, where does one begin? There is no one-size-fits-all answer to this question. While implementing standardized recommendations like the ACSC Essential Eight can undoubtedly enhance your cybersecurity posture and reduce your vulnerability, it may not necessarily position you to respond confidently to targeted attacks when they occur. The crucial first step is assessing your current cybersecurity standing. To do so effectively, you must pose the right questions and gain a clear understanding of your existing state before embarking on any improvement initiatives.

Understanding Your Cyber Risk

A traditional approach to addressing cyber risk involves asking numerous questions to gain insight into your assets, identify cybersecurity risks, and enumerate exposures and vulnerabilities. However, in practice, these inquiries often lead to a perpetual cycle of investment in an ever-evolving cybersecurity program. Older risks are gradually mitigated, while newer risks continually accumulate in your risk register. But how can you embark on a practical and accessible cybersecurity journey without the need to hire new personnel or engage costly cybersecurity firms for extensive reports? Consider posing these straightforward questions to your technical team to discern what truly matters now and assess your readiness to respond to a major cybersecurity incident:
  • Can we readily determine if our systems and data are compromised at this moment? If not, what information gaps exist, and can we sustain this assurance over time?
  • Can we promptly identify vulnerable systems and those that are publicly exposed right now? How would we become aware of new exposures that may arise in the future?
  • What are three cybersecurity enhancements we can implement immediately without investing in commercial products?
These questions are likely to steer your focus toward practical facets of cybersecurity readiness.

Compromise Assessment

As you pinpoint your risks, weaknesses and vulnerabilities, whether through an internal gap analysis (security review) or technical exploitation attempts (penetration testing), a natural question will arise: "Has someone already exploited these vulnerabilities?" There have been numerous cases in which threat actors maintained persistence within an organization's network for a very long time, collecting information or quietly exfiltrating data to prepare for more substantial attacks. This question is not easy to answer. There are many techniques for maintaining persistence which are very hard to detect. Do you exercise control over every host in your network? Are you aware of potential compromises among your users? Do you have confidence in the trustworthiness of all the software on every host within your network? A compromise assessment involves a comprehensive, forensic-style review of your entire environment, extending beyond the current state of your systems to document any changes, beaconing attempts, and more over an extended duration. This systematic evaluation is designed to uncover vulnerabilities, potential risks, abnormal user behavior, and indicators of both existing and past compromises. Such an assessment should scrutinize even the subtlest indicators that might typically go unnoticed by your Security Operations:
  • Is one of your servers, typically quiet, suddenly establishing an encrypted tunnel with an external host?
  • Is a user's desktop, known for running a freeware video decoding tool, now executing unexpected PowerShell commands?
  • Are your users issuing administrative commands they've never used before or connecting from different locations?
A Compromise Assessment represents a true zero-trust approach, delving into your users, machines, and software in a manner your organization may never have undertaken before. It begins with the assumption of compromise and guides you through an exhaustive, forensic-style review of your entire environment. Once you've established that your system is free from compromise, you can confidently build upon this foundation.
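The three questions above all reduce to the same check: compare what an entity (host or user) does during the assessment window against what it did during a longer baseline window. The snippet below is an added illustration, not ThreatDefence tooling; the host names, user names, event kinds and values are all constructed for the example.

```python
# Added example (not ThreatDefence code): baseline-deviation check over constructed events.
from collections import defaultdict
from typing import Dict, Iterable, List, NamedTuple, Set, Tuple

class Event(NamedTuple):
    entity: str   # host or user the activity belongs to
    kind: str     # outbound_tls, process, admin_cmd, login_geo ...
    value: str    # destination, image name, cmdlet, country code ...

Baseline = Dict[Tuple[str, str], Set[str]]

def build_baseline(events: Iterable[Event]) -> Baseline:
    """Per (entity, kind), every value observed during the baseline window."""
    baseline = defaultdict(set)
    for ev in events:
        baseline[(ev.entity, ev.kind)].add(ev.value)
    return dict(baseline)

def assess(baseline: Baseline, events: Iterable[Event]) -> List[Tuple[str, str, str, str]]:
    """Return (entity, kind, value, reason) for activity absent from the baseline.
    first_seen_kind: the entity never did this at all (a quiet server opening outbound
    TLS); new_value: it did, but never with this value. Identical repeats reported once."""
    findings = []
    for ev in events:
        known = baseline.get((ev.entity, ev.kind))
        if known is None:
            f = (ev.entity, ev.kind, ev.value, "first_seen_kind")
        elif ev.value not in known:
            f = (ev.entity, ev.kind, ev.value, "new_value")
        else:
            continue            # matches the baseline, nothing to report
        if f not in findings:
            findings.append(f)
    return findings

# Constructed sample data, not real telemetry: a quiet baseline window ...
BASELINE_EVENTS = [
    Event("srv-files01", "process", "svchost.exe"),
    Event("wks-042", "process", "vlc.exe"),
    Event("jsmith", "login_geo", "AU"),
    Event("jsmith", "admin_cmd", "Get-Service"),
]
# ... and an assessment window showing the three indicators from the text.
ASSESSMENT_EVENTS = [
    Event("srv-files01", "outbound_tls", "198.51.100.23:443"),  # quiet server tunnels out
    Event("wks-042", "process", "powershell.exe"),               # unexpected PowerShell
    Event("jsmith", "login_geo", "RO"),                          # never-seen login location
    Event("jsmith", "admin_cmd", "New-LocalUser"),               # never-used admin cmdlet
    Event("jsmith", "admin_cmd", "New-LocalUser"),               # repeat, reported once
]
```

In a real assessment the baseline would be built from weeks of process, network and authentication telemetry, and each finding would be a starting point for forensic review rather than a verdict.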

Towards Cyber Maturity

Given the recent public data breaches in Australia, many executives and board members are eager to explore measures that can enhance their business's security. Many official recommendations (such as the Australian Cyber Security Governance Principles) relay information from standard cyber security compliance frameworks. While these recommendations might be useful for orienting your business towards long-term security improvements, they do not provide simple and specific actions which can be taken to quickly improve your security posture. Here, we present some simple and fundamental principles that have been developed through extensive discussions with Australian business leaders. These principles are designed to offer practical steps toward enhancing your cybersecurity posture:
  • Get a cyber security practitioner on your side: Bring in a security expert who understands technology and is well-versed in hacker tactics. Hackers operate at a highly technical level, and your immediate cyber security improvements will most likely be technical in nature.
  • Get visibility within your network and systems: You need to be able to see what is happening with your data, users, systems and networks.
  • Minimize sensitive data: Data is not gold anymore – data is uranium. There's no need to retain everything; selectively minimize sensitive data.
  • Implement Basic Security Hygiene: Embrace essential cyber security practices. There are many high-impact controls which come at a very low cost and, in some cases, are free.
  • Test Your Capability: Organize simulation drills that allow you and your team to practice responding to significant events. This exercise isn't about following an incident response plan but rather about dedicating time to collaborative problem-solving and preparedness.

Testing Your IR Capability

There is a lot that has been said about putting a formal IR plan in place and then testing it. The main problem is that many cyber defenders do not have practical experience. On average, only 5% of in-house cybersecurity team members have experience handling complex response scenarios. The best and most detailed IR plan cannot replace practical experience. When designing your Incident Response Readiness capability, these aspects are proven to be the most important:
  • Get clarity on the capabilities that you have, and understand the constraints around these capabilities (for example, your MDR provider can only do as much as they can see from their cybersecurity product, and not much more than that).
  • Engineer for 'black swan' events.
  • Get clarity on the capabilities that you actually need to handle a major cyber crisis.
As the cybersecurity landscape is constantly evolving and growing more complex, new threats and attack techniques emerge daily. Unfortunately, many security operations teams are not adequately prepared to handle the intricacies of modern cybersecurity incidents. Threat actors evolve quickly and use increasingly sophisticated tools, achieving their objectives in just hours and causing serious harm before the threat can be contained. Even when an intrusion is detected, security operations teams often lack the experience to act decisively, struggling to counter the tactics of experienced and sophisticated attackers. To address this challenge, it is essential to invest in real-world cybersecurity training that incorporates real data and simulations of actual attacks. This type of training provides cybersecurity professionals with hands-on experience that replicates real-world scenarios, helping them to identify and respond to cyber threats more effectively. It also allows them to develop the skills and strategies needed to protect sensitive data from being compromised. Most cybersecurity defense teams have never faced a sophisticated threat actor or a real ransomware attack. With realistic cybersecurity training, trainees can not only witness such threats but also be primed to respond effectively in real-world situations. Incorporating hands-on cybersecurity training (such as using TD Cyber Range) into your operational framework is pivotal for ensuring your SOC team's readiness against genuine cyber threats. This hands-on training method amplifies skill acquisition and promotes cohesive teamwork, preparing SOC team members to collaborate effectively with their colleagues.