What 2024 Taught Us About Incident Response
Our incident response team was busy in 2024. From nation-state intrusions at critical infrastructure firms to ransomware hitting mid-market companies with immature security programs, we saw it all. Here are the five most important lessons.
Lesson 1: Logging Is Your Most Valuable Asset
In case after case, the organizations that contained incidents fastest were those with comprehensive logging in place before the attack. If you're not logging endpoint activity, network flows, authentication events, and DNS queries — and retaining those logs for at least 12 months — you're flying blind during investigations.
Lesson 2: MFA Alone Isn't Enough
We responded to multiple incidents where attackers successfully bypassed multi-factor authentication through MFA fatigue attacks and SIM swapping. Phishing-resistant MFA (FIDO2/WebAuthn) is the answer. The era of SMS and push-notification MFA as a security control is ending.
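The MFA fatigue pattern above is visible in exactly the authentication logs Lesson 1 says to keep: a burst of denied push prompts followed by an approval from the same source. The detection below is an added example, not code from the original post; it runs over constructed sample events (the `user=... event=mfa_push result=...` line format, the user names and the addresses are all made up for illustration) and flags an approval preceded by a run of denials within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs): an attacker holding a
# stolen password triggers repeated push prompts until the user finally approves.
SAMPLE_LOG = """\
2024-05-14T02:11:03Z user=jdoe event=mfa_push result=denied src=203.0.113.7
2024-05-14T02:11:41Z user=jdoe event=mfa_push result=denied src=203.0.113.7
2024-05-14T02:12:20Z user=jdoe event=mfa_push result=denied src=203.0.113.7
2024-05-14T02:13:05Z user=jdoe event=mfa_push result=denied src=203.0.113.7
2024-05-14T02:14:30Z user=jdoe event=mfa_push result=approved src=203.0.113.7
2024-05-14T09:00:12Z user=asmith event=mfa_push result=denied src=198.51.100.4
2024-05-14T09:00:40Z user=asmith event=mfa_push result=approved src=198.51.100.4
"""

LINE_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) event=(?P<event>\S+) result=(?P<result>\S+) src=(?P<src>\S+)$")

def parse_events(text):
    """Parse the hypothetical key=value log format into dicts with real timestamps."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip malformed lines rather than fail the whole batch
        d = m.groupdict()
        d["ts"] = datetime.strptime(d["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(d)
    return events

def find_mfa_fatigue(events, min_denials=3, window=timedelta(minutes=10)):
    """Flag a push approval that follows at least min_denials denials within `window`."""
    per_user = defaultdict(list)
    for e in events:
        if e["event"] == "mfa_push":
            per_user[e["user"]].append(e)
    alerts = []
    for user, evs in per_user.items():
        evs.sort(key=lambda e: e["ts"])
        for i, e in enumerate(evs):
            if e["result"] != "approved":
                continue
            recent = [p for p in evs[:i] if e["ts"] - p["ts"] <= window and p["result"] == "denied"]
            if len(recent) >= min_denials:
                alerts.append({"user": user, "approved_at": e["ts"], "denials": len(recent), "src": e["src"]})
    return alerts

if __name__ == "__main__":
    for alert in find_mfa_fatigue(parse_events(SAMPLE_LOG)):
        print(alert)  # jdoe is flagged (4 denials then approval); asmith is not
```

Tune `min_denials` and `window` to your identity provider's prompt cadence; a single denial followed by an approval is normal user behaviour and should not page anyone.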
Lesson 3: Incident Response Plans Fail in Practice
Every client claimed to have an incident response plan. Very few had tested it under realistic conditions. A plan that exists only in a PDF isn't a plan — it's a document. Regular tabletop exercises and simulated incidents are essential.
Lesson 4: The First 4 Hours Define the Outcome
Organizations that called us within the first four hours of detecting an incident consistently achieved better outcomes than those who waited. Early engagement allows for containment before attackers achieve their full objectives. Don't hesitate to call for help.
Lesson 5: Recovery Takes Longer Than You Think
The average ransomware recovery — from initial containment through full restoration of normal operations — took our clients 23 days in 2024. Plan for extended disruption, invest in resilience, and don't assume your backups are good until you've tested them.