Incident Response Management: Do You Have a Plan?
Cyber-related incidents can wreak havoc on systems and information. From data breaches and security vulnerabilities to financial and reputational damage, it is vital to remain diligent by staying ahead of threat possibilities and enlisting the right tools for detection and protection.
Incident Response Management is the process of responding to, assessing, and mitigating the impact of a cyber threat or attack. It involves a well-defined and regularly tested plan. It also requires a team spanning several areas of the business that is trained on the incident response plan as a whole and prepared to act on its members' roles and responsibilities within the protocol.
It is essential that business security initiatives involve an Incident Response Plan (IRP) to provide the necessary guidance when most needed.
Plan Basics
An incident response plan outlines the steps involved in identifying, responding to, and recovering from a damaging cybercrime. It enables a faster recovery, de-escalates the incident appropriately, and supports analysis of the attack afterwards. It ensures that processes are in place to handle future breaches or concerns.
Addressing and protecting against cybercrime involves the creation of an overall incident response initiative. Doing so prompts and encourages:
- The identification of common attack vectors. These may include malware, phishing, and other malicious activity.
- The creation of policies and procedures to address the identified threats. These policies are tailored to the organization's specific needs and must be updated regularly.
- Establishment of a team that is responsible for managing the incident response process. This team includes individuals from various departments within the organization and is led by a security expert. The team must be trained on the organization's incident response plan and given a clear understanding of the roles and responsibilities of each team member.
- The development of an incident response plan. The plan includes procedures for detecting and responding to security incidents, as well as steps for mitigating future threats. The plan also includes a detailed process for communicating with stakeholders, including customers, vendors, and law enforcement.
- The organization of regular, continued testing and updating. These processes keep the incident response plan current and effective.
Once an incident occurs, it is imperative that the incident response team responds quickly and effectively. This involves:
- Assessing the logical threats or vulnerabilities.
- Containing the spread of the incident.
- Mitigating the impact of the malicious attack vectors.
- Investigating incidents for identification and conducting root cause analysis. Doing so involves:
  - Collecting and analyzing data
  - Identifying malicious activity
  - Making recommendations for remediation
- Incident Reporting, which provides detailed notes of the analysts’ findings, investigative techniques, security solutions, and timelines. These reports can be used to:
  - Assist management and stakeholders in making better strategic decisions on how to handle the risk impact of the incident.
  - Provide further recommendations for preventing threat exposures and similar incidents in the future.
Playbooks can also assist in the IR planning process because they outline the required steps that analysts must take in the event of an actual security incident, in addition to following the National Institute of Standards and Technology (NIST) IR Life Cycle. NIST SP 800-61 Rev. 2 outlines the IR Life Cycle through the following phases: Preparation; Detection and Analysis; Containment, Eradication, and Recovery; and Post-Incident. As a brief overview:
- Preparation requires that analysts have the tools accessible to respond to an event.
- Detection and Analysis triggers the triage of Indicator of Compromise (IoC) events to find malicious activity.
- Containment, Eradication, and Recovery stops the spread of the attack.
- Post-Incident involves system recovery activities and reporting for lessons learned.
By having an effective incident response plan and a well-trained incident response team, organizations arm themselves with the ability to respond quickly and productively to threatening cyber events. Being prepared in this way gives businesses a leg up on minimizing the impact of an incident while offering guidance that allows the organization to resume normal operations as soon as possible.
Tools for Detection
There are several tools used for detection of cyber incidents.
- Network scanning and monitoring tools are used to identify potential threats and vulnerabilities. These tools can detect malicious activity, such as unauthorized access to a system, or attempts to access sensitive data. Examples of such tools include Suricata and Snort.
- Intrusion Detection Systems (IDS) are used to detect unauthorized access to a network or system and have the ability to alert administrators to suspicious activity.
- Anti-Malware software detects and removes malicious software, making it more difficult for an attacker to gain access to a system.
- Security Information and Event Management (SIEM) is used for event correlation and aggregation. It supports investigative reporting and monitors alerts generated by applications and network hardware, using real-time syslog analysis with predefined reports and alerts. Examples include ArcSight and Splunk.
- CyberChef is used with data to encode, decode, format, parse, encrypt, decrypt, compress, extract, perform arithmetic functions, and defang, as well as many other functions.
- Deep Packet Inspection (DPI) firewalls are an advanced method of examining and managing network traffic packets through filtering and rerouting.
- Recorded Future uses machine learning techniques to structure data into categories and to analyze text across multiple languages. This provides risk scores and generates predictive models.
- Endpoint Detection and Response (EDR) technology platforms alert security teams of malicious activity and enable fast investigation and containment of attacks on endpoints.
- Host Based Security System (HBSS) is a proprietary tool of the Department of Defense. It offers a security suite of software applications used to monitor, detect, and defend DoD computer networks and systems from external internet threats at the public-facing network boundary.
- Cisco Firepower is an integrated suite of network security and traffic management products, deployed either on purpose-built platforms or as a software solution.
- Protocol Analyzers capture network traffic packets on the wire. Examples include Ettercap, Tcpdump, and Wireshark.
- Sandboxing is a segmented virtual network area used to test and contain malware.
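The SIEM entry above describes event correlation and aggregation over syslog data. The following added example (not code from the original article or from any SIEM vendor) shows what that means in practice: a small correlation rule, run over a handful of constructed sshd syslog lines, that counts failed logins per source address within a time window and raises an alert when a success follows a burst of failures. The log lines, the host names, the IP addresses (documentation ranges) and the threshold values are all constructed for this illustration.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample syslog lines (not real traffic); one non-sshd line is
# included to show that unparseable events are skipped, not treated as errors.
SAMPLE_LOGS = [
    "Jan 12 10:00:01 web01 sshd[4101]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2",
    "Jan 12 10:00:03 web01 CRON[4102]: (root) CMD (run-parts /etc/cron.hourly)",
    "Jan 12 10:00:04 web01 sshd[4103]: Failed password for root from 203.0.113.5 port 51236 ssh2",
    "Jan 12 10:00:09 web01 sshd[4105]: Failed password for bob from 203.0.113.5 port 51238 ssh2",
    "Jan 12 10:00:12 web01 sshd[4107]: Accepted password for bob from 203.0.113.5 port 51240 ssh2",
    "Jan 12 10:01:30 web01 sshd[4110]: Failed password for alice from 198.51.100.7 port 40002 ssh2",
    "Jan 12 10:02:00 web01 sshd[4112]: Accepted publickey for alice from 192.0.2.10 port 40010 ssh2",
]

# Parser for the classic syslog + OpenSSH authentication message format.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\d+\.\d+\.\d+\.\d+)"
)


def parse_event(line, year=2024):
    """Turn one syslog line into an event dict, or None if it is not an sshd auth event.
    Syslog omits the year, so the caller supplies it (assumed 2024 here)."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "host": m["host"], "result": m["result"],
            "user": m["user"], "src": m["src"]}


def failures_by_source(lines):
    """Aggregation: count failed logins per source address."""
    counts = defaultdict(int)
    for ev in (parse_event(l) for l in lines):
        if ev and ev["result"] == "Failed":
            counts[ev["src"]] += 1
    return dict(counts)


def correlate(lines, threshold=3, window=timedelta(minutes=5)):
    """Correlation: alert when a source produces `threshold` failures inside `window`,
    and escalate if that same source then logs in successfully."""
    events = [ev for ev in (parse_event(l) for l in lines) if ev]
    events.sort(key=lambda ev: ev["ts"])
    recent_failures = defaultdict(list)  # src -> timestamps of failures still inside the window
    alerts = []
    for ev in events:
        src = ev["src"]
        # Drop failures that have aged out of the sliding window.
        recent = [t for t in recent_failures[src] if ev["ts"] - t <= window]
        recent_failures[src] = recent
        if ev["result"] == "Failed":
            recent.append(ev["ts"])
            if len(recent) == threshold:
                alerts.append({"rule": "brute_force_attempt", "src": src,
                               "host": ev["host"], "ts": ev["ts"], "failures": len(recent)})
        else:
            if len(recent) >= threshold:
                alerts.append({"rule": "brute_force_success", "src": src, "user": ev["user"],
                               "host": ev["host"], "ts": ev["ts"], "failures": len(recent)})
            recent_failures[src] = []  # a success closes the sequence for this source
    return alerts


if __name__ == "__main__":
    print(failures_by_source(SAMPLE_LOGS))
    for alert in correlate(SAMPLE_LOGS):
        print(alert)
```

Run against the sample lines, the aggregation reports three failures from 203.0.113.5 and one from 198.51.100.7, and the correlation rule fires twice for 203.0.113.5: once when the third failure lands inside the window, and again when the accepted login for bob follows it, which is the event an analyst would triage first. A production SIEM expresses the same logic in its own rule language, but the shape (parse, aggregate per key, evaluate a window, escalate on a sequence) is the same.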
Several platforms and architectures are available for deploying these detection tools.
Security Orchestration, Automation and Response (SOAR) is a framework used to automate and support incident response efforts. An integrated system, it automates the incident response process from beginning to end, enabling security teams to respond quickly and effectively to a breach or threat. Built on a simple concept, SOAR streamlines and integrates the incident response process into a single platform.
Through SOAR, users define their own incident response framework, making it fully automated and trackable. The system identifies potential threats, investigates the incident, remediates the issue, and communicates the results. SOAR is flexible and can be used in real time or proactively to identify and mitigate potential threats. It produces analytics and reports that can be used to review the effectiveness of a business security plan. Through the use of SOAR, the incident response process is simplified, allowing businesses to respond quickly and effectively when security concerns arise.
A Network Intrusion Detection System (NIDS) is designed to identify malicious and suspicious patterns of behavior on a network. From simple to sophisticated, NIDSs monitor network traffic, watching for anomalies and suspicious patterns. Once a pattern is detected, they alert the security team to the potential threat. NIDSs can also detect and respond to malicious code, such as viruses and malware. Once a threat is identified, the NIDS prompts the security team to take appropriate action, such as blocking the IP address or the user from accessing the network. NIDSs can detect encapsulation activities and analyze encrypted packets. They provide a quick and effective approach to identifying and responding to threats, reducing the risk of a security breach, and protecting data and networks.
A Demilitarized Zone (DMZ) is the area between a private network and a public one that acts as a protective buffer within the network architecture. It protects the private network from attack and the public network from unauthorized access. Used as a barrier, it protects the servers that hold public services such as databases and web servers. In addition to its extra layer of security, a DMZ can also be used to create a segmented, screened subnet. Each subnet can be used to host a specific type of service. Through DMZs, a network administrator can easily control access to different services within a network while still allowing appropriate traffic to reach those services.
‘Choose Your Own Device’ (CYOD) is a device deployment model that allows workers to pick the device they want to use for business purposes from the organization’s approved list.
Team Approach
The Incident Response Team (IRT) is responsible for reacting to and managing security incidents. Their job is to prevent the worst-case scenario: an unauthorized user accessing proprietary information. An IRT is typically comprised of security professionals spanning IT disciplines, including digital forensics, malware analysis, network security, and incident handling.
The various types of IRTs include:
- Central IRT - Handles incidents for the organization and is normally a team that is smaller in size or one that is centrally located.
- Distributed IRT - Responsible for a logical or physical segment of the infrastructure; this model is usually adopted by a large organization or one that is geographically dispersed.
- Coordinating IRT - A combination of a Central IRT and a Distributed IRT, the central team provides guidance to the distributed team in developing policies and standards for overall response methodology. The distributed team manages and implements the incident response activities within their designated area of responsibility.
- Outsourced IRT - A type of IRT that may be fully or partially outsourced, this is typically utilized in situations where technical resources aren’t available locally.
In addition to the above nomenclature, when it comes to incident response plans, Blue Teams and Red Teams also play a vital role in the overall effectiveness of the plan.
The Blue Team is the defense. They are responsible for implementing and maintaining security within an organization. From initiating preventative measures (firewalls, antivirus software, etc.) to network monitoring, their primary role is to detect and prevent attacks. The Red Team acts as the offense, playing the part of the criminals trying to break through. They simulate attack scenarios in an attempt to identify vulnerabilities and weaknesses. The two teams work together and discuss their feedback on the effectiveness of the plans in place to identify areas that require heightened attention.
The Purple Team is normally comprised of senior analysts and acts as an intermediary between the blue and red teams, switching between offensive and defensive operations. Finally, the White Team oversees the course of events during the cyber exercise by helping to supervise, evaluate, and plan it.
Loss Prevention Techniques
Loss prevention is the part of an incident response plan that identifies and mitigates the impact of data loss, including the potential financial, legal, and reputational impact. There are tools that can be used to aid in loss prevention.
A Data Loss Prevention (DLP) server detects classified labels and applies appropriate protection mechanisms to prevent data from being moved. When a DLP solution detects the extraction of sensitive data, it will automatically stop the transmission before it is released.
An example of a DLP server at work might involve an email message labeled as unclassified that contains a digit sequence with two dashes in the body text. The DLP solution interprets this as a Social Security number and flags it as private (PII). Once this happens, the IRT is alerted and a cyber investigation is launched, because the security systems label this as an IoC. DLP does have drawbacks, including its inability to decrypt or examine encrypted data.
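To make the email scenario above concrete, here is an added example (not code from the original article or from any DLP product) of the content check a DLP server applies: it looks for the 3-2-4 digit pattern of a Social Security number in an outbound message, blocks the message and raises an IoC alert when one is found, redacts the matched value in the alert so the alert itself does not leak the PII, and reports that it cannot inspect a message whose body is an encrypted (PGP) block, which is the limitation the paragraph names. The messages, the label, and the function and class names are constructed for this illustration; the SSN regex is a structural check only and will not catch every malformed or obfuscated number.

```python
import re
from dataclasses import dataclass, field

# Structural SSN pattern: three digits, two digits, four digits, with the area,
# group and serial values that are never issued excluded. This is an assumed
# rule for the example, not a vendor's detector.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")

# A PGP armored message means the body is ciphertext the DLP cannot read.
PGP_RE = re.compile(r"-----BEGIN PGP MESSAGE-----")


@dataclass
class Verdict:
    action: str                       # "allow", "block", or "cannot_inspect"
    reason: str
    redacted_matches: list = field(default_factory=list)
    ioc: bool = False                 # True when the IRT should be alerted


def redact_ssn(value):
    """Keep only the last four digits so the alert does not itself carry the PII."""
    return "***-**-" + value[-4:]


def inspect_message(label, body):
    """Apply the DLP content rule to one outbound message and return a Verdict."""
    if PGP_RE.search(body):
        # The page's caveat: DLP cannot decrypt or examine encrypted data.
        return Verdict("cannot_inspect",
                       "body is an encrypted PGP block; content rules cannot be applied")
    matches = SSN_RE.findall(body)
    if matches:
        return Verdict("block",
                       f"{len(matches)} SSN-pattern value(s) found in a message labeled {label!r}",
                       [redact_ssn(m) for m in matches], ioc=True)
    return Verdict("allow", "no sensitive data patterns found")


# Constructed sample messages (not real mail). The first mixes an SSN with a
# phone number so the 3-3-4 phone pattern is shown not to trigger the rule.
SAMPLE_MESSAGES = [
    {"label": "UNCLASSIFIED",
     "body": "Per our call, the applicant's SSN is 123-45-6789. Reach me at 555-123-4567."},
    {"label": "UNCLASSIFIED",
     "body": "Quarterly numbers attached; invoice 2024-11 has been paid in full."},
    {"label": "UNCLASSIFIED",
     "body": "-----BEGIN PGP MESSAGE-----\nhQEMA0constructedCiphertext==\n-----END PGP MESSAGE-----"},
]


def scan_samples():
    """Run every sample message through the rule; returns the list of verdicts."""
    return [inspect_message(m["label"], m["body"]) for m in SAMPLE_MESSAGES]


if __name__ == "__main__":
    for m, v in zip(SAMPLE_MESSAGES, scan_samples()):
        print(f"{v.action:15} ioc={v.ioc!s:5} {v.reason} {v.redacted_matches}")
```

The three verdicts are block (with the value reported only as `***-**-6789`), allow, and cannot_inspect. The last one is the point practitioners tend to miss: the encrypted message is not cleared, it is simply outside what content inspection can see, so a policy has to decide separately whether such messages may leave at all.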
Identity and Object Protection (IDOP) uses several methods of defense. Useful in detecting and blocking data exfiltration attempts, it has the capacity to scan encrypted data by finding keywords in data patterns. IDOP enlists a variety of methods such as password protection, encryption, and access control systems to limit who can access data, in order to protect physical and digital assets. IDOP also monitors and audits information to identify suspicious activity quickly.
Data Encryption Protocol (DEP) is a loss prevention technique that encrypts data, assures proper data storage, and utilizes two-factor authentication to prevent unauthorized access. Other loss prevention measures include the Data Protection Impact Assessment (DPIA), which is used to identify the potential risks to data security that might result from a particular project or activity. It uses advanced tools such as artificial intelligence analytics and machine learning algorithms and is considered an instrument for analysis when making decisions on how best to protect data and minimize potential risks.
Protect Your Business
By outlining the steps that an organization needs to take to manage a security breach or attack, an incident response plan is a critical component of cybersecurity. It includes guidance on how to identify, contain, and remediate an attack, along with communication measures for meeting compliance and regulatory requirements. Network monitoring and other tools create a partnership in defense that helps to minimize, and potentially prevent, the impact of a security breach.
Partners in cybersecurity also provide an additional approach in safeguarding your business. Aligning your protective measures with a team who can seamlessly deliver them allows your business to focus on what it does best while knowing that your hard work is being well protected.
Enlisting protective measures today will secure your business for tomorrow.