Incident Detection and Response Basics Greatly MatterAdd bookmark
Cyber security professionals know there are two types of organizations: those that have been breached and those that will be breached. The question isn't whether organizations will be attacked. The question is when a cyber security incident occurs, will they be able to respond appropriately and quickly enough?
Roles and responsibilities
Reactive mode is the worst possible state an organization can be in, particularly when they're wholly unprepared for the scenario. Since hackers are constantly evolving their tactics and cyberwarfare has become commonplace, it isn't possible to know what's coming when.
However, there are things companies can do to minimize the impact of a breach on business continuity and stakeholder anxiety. First and foremost, companies should have an incident response plan that enables their organization to handle cyberattacks more effectively.
In addition, cybersecurity teams should embrace a trend that took the C-suite by storm amid the COVID-19 pandemic: scenario planning. Security teams should have playbooks which describe the actions that must be taken if a particular scenario unfolds, such as a ransomware attack. That way, when disaster strikes, the next steps are clear.
Incident category response type
First.org, a global forum for incident response and security professionals, published a draft Computer Security Incident Response Team guide which provides a well-organized approach to thinking through and managing incidents. It begins with a statement of scope, followed by incident categories, criticality classification and sensitivity classification.
The Incident Categories table includes the names of various incident types, a description of each and the associated sensitivity rating(s) which may be one value or a range of values. The categories included in the document include:
- Compromised information
- Compromised assets
- Unlawful activity
- Internal hacking
- External hacking
- Policy violations
The Criticality Classification table ranks incidents by their typical severity level. The severity level impacts the initial response time target which ranges from 1 hour for high severity incidents compared to 48 hours for low severity incidents. The table also describes the ongoing response, who's responsible and who must receive ongoing communications, by when.
The Sensitivity Classification table describes communication "on a need-to-know basis" as appropriate to the level of severity.
The format of incident-related communications tends to vary depending on the audience and the communication medium. For example, as soon as a DoS attack hits, a typical practice is to post a notice on the company website which acknowledges the problem and states that the team is working to bring the site back up. These days, the website status page is often supplemented with social media posts, not only to inform customers but to get ahead of any potential negative postings about the outage.
On the other hand, if hackers just downloaded the PII of your customers, employees and/or partners, then public and personal forms of notice should be provided. The incident response plan should state generally what those communications vehicles are and what should be covered. In fact, some vendors and some companies have created incident response templates so they don't have to "reinvent the wheel" every time their site experiences an outage, for example.
Tabletop exercises are a type of scenario planning exercise. They bring stakeholders together to work through a scenario for the purposes of testing incident response effectiveness, gaps and areas needing improvement.
The Center for Internet Security (CIS) published a guide that includes six scenarios organizations can use for exercise purposes which include:
- A quick fix (patch) that wasn't tested and failed
- A malware infection
- An unplanned attack
- A cloud storage exploit
- A compromised payroll system that includes fake (fraudulent) "employees"
- A natural disaster (flood) coupled with a ransomware attack
Continuous monitoring is absolutely critical to incident response and management.
Security Information and Event Management (SIEM) analyzes the security alerts generated by applications and network hardware and provides an automatic analysis of correlated events. The data can be used to identify attackers and victims and to pinpoint various types of activity including brute force, denial of service and zero-day attacks.
Security Orchestration, Automation and Response (SOAR) integrates various tools such as behavioral analytics, endpoint security, firewalls, intrusion detection and prevention systems (IDSs and IPSs), SIEM and more to enable continuous monitoring, automatic threat remediation and handoffs to security professionals as needed.
Other Incident Response Tool Options
Different types of cyber security tooling often have overlapping capabilities with other tools. Some of the tools include:
- Incident response platforms that may automatically respond to threats in a pre-defined way, hunt for threats and detect anomalies.
- End-point threat detection and response (EDR)
- Advanced cyber security analytics platforms
There are also an array of services and managed cyber security services available which can help improve the timeliness and effectiveness of incident response, as well as forensic services that pinpoint the scope and path of the attack. Forensic consultants can also confirm whether the incident has been remediated or not. For example, in the recent Accellion breach, forensic cyber security firm FireEye Mandiant discovered two vulnerabilities in addition to the four Accellion had discovered.