Effective Incident Response: The Ins and Outs
It is rare in today’s world to find someone who is untouched by daily cybersecurity threats; most understand or have experienced the disruptive outcome of malware, DDoS attacks, data breaches or ransomware attacks. These attacks break business continuity through decreased revenue, eroded customer loyalty, and possible lawsuits and fines.
This is why cybersecurity exists. Today, everyone has some kind of connection to cybersecurity, be it an individual user protecting a personal computer or a business protecting its network. Although security maturity varies between businesses, investments are being made at every level. Preparation and an offensive mindset are imperative in order to stay current with defense methodologies and tactics; the goal is to stay ahead of the attackers. One major layer of cyber defense is how an organization handles a cyber incident. Much like preparing for a fire breaking out in a building, planning, training and execution make the difference in limiting loss of life and damage to property. The same holds when preparing for a cyber incident.
The following is a game plan for handling a cybersecurity incident from start to finish. No matter how well the internal cyber team is prepared in theory, when a fire breaks out, the team needs to be ready with a well-vetted plan that covers the most critical phases for protecting the organization, while keeping it running, no matter what cybercriminals hit it with.
Phase 1: Preparation
Some of the most important incident response steps are taken well before a cyberattack is even detected. At least they should be. A step that should not be overlooked is ensuring the security operation center (SOC) is staffed with skilled and knowledgeable team members who have what it takes to battle back the most insidious and vicious cyberattacks the internet has to offer. If staffing the SOC to the highest level proves difficult, it may be time to consider a managed service provider.
Once the right team members are in place, ensure they have access to all data, including baselines and regular traffic patterns so they can spot any abnormal activity and have access to any relevant tools or resources they may need to either identify an attack or begin dealing with one. Ensuring all documents, particularly processes and procedures, are updated is also an essential step that will save time and headaches in the midst of an incident.
If possible, ensure the cybersecurity team takes an offensive-minded approach, attempting to infiltrate its own systems and seeing what an attacker could accomplish once inside. This helps the SOC team identify weak points so they can be secured and patched, and closely monitor any remaining vulnerabilities. The SOC team also needs to establish a list of the most important applications, databases, networks and other assets, prioritized by what is most essential to business processes and what is most attractive to attackers.
It is imperative the SOC team has full cooperation from the IT teams, IS teams and all other departments across the business. An organization’s information technology needs to be designed, implemented and maintained with cybersecurity in mind. Likewise, from the C-suite to entry-level positions, an organization’s employees need to be informed of the cybersecurity threats that target human employees and what they can do to combat them.
Phase 2: Identification & Swift Analysis
A business cannot fight an attack if it does not know it is happening. The detection phase is absolutely critical, and it comes down to an analyst being able to recognize abnormal events.
To do this as quickly as possible, the team must lean on the monitoring capabilities they have created through the deployment of security tools that provide visibility into the network’s main crossroads. Ideally the team will include tier 1 – tier 4 analysts for multi-layer monitoring and response.
The team will also need to look into all alerts, notifications and intelligence from third parties that could indicate potentially harmful situations. This includes everything from third-party security solutions like dedicated DDoS mitigation to monitoring the dark web for chatter about upcoming attack attempts.
Once an incident has potentially been detected, analysts will quickly need to gather all relevant data and evidence to support the case and reaffirm that the proper steps are being taken. This investigation is done at a superficial level, as speed needs to be the priority in this phase.
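The detection phase above rests on two things the preparation phase is supposed to deliver: a traffic baseline per asset and a priority list of assets. The following is an added example (not code from the original article) showing how an analyst can turn those two inputs into a ranked set of abnormal-event findings. The host names, byte counts, the z-score threshold and the asset priority tiers are all constructed for illustration.

```python
"""Baseline-deviation detection over constructed outbound-traffic records.

Added example; not from the original article. Record format, host names,
byte volumes, the z-score threshold and the asset priorities are assumptions.
"""
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: hourly outbound bytes per host observed during a
# "normal" period. In practice this comes from the SOC's monitoring stack.
BASELINE_RECORDS = [
    ("ws-101", 12_000_000), ("ws-101", 11_500_000), ("ws-101", 13_200_000),
    ("ws-101", 10_900_000), ("ws-101", 12_400_000),
    ("db-01", 48_000_000), ("db-01", 52_000_000), ("db-01", 47_500_000),
    ("db-01", 50_100_000), ("db-01", 49_300_000),
]

# Constructed current one-hour window: ws-101 pushes roughly 40x its usual
# volume, db-01 is within its normal range, new-host has never been seen.
CURRENT_WINDOW = {"ws-101": 480_000_000, "db-01": 51_000_000, "new-host": 5_000_000}

# Assumed asset priority list (Phase 1 deliverable); unknown hosts get "unknown".
ASSET_PRIORITY = {"db-01": "critical", "ws-101": "standard"}
PRIORITY_RANK = {"critical": 0, "standard": 1, "unknown": 2}


def build_baseline(records):
    """Return {host: (mean_bytes, population_stddev)} from baseline records."""
    per_host = defaultdict(list)
    for host, nbytes in records:
        per_host[host].append(nbytes)
    return {host: (mean(vals), pstdev(vals)) for host, vals in per_host.items()}


def detect_anomalies(baseline, current, z_threshold=3.0):
    """Flag hosts whose current volume deviates from baseline by >= z_threshold
    standard deviations, plus hosts with no baseline at all (also abnormal:
    an asset the SOC does not know about is itself a finding)."""
    findings = []
    for host, observed in current.items():
        if host not in baseline:
            findings.append({"host": host, "observed": observed, "z": None,
                             "reason": "no baseline for host"})
            continue
        mu, sigma = baseline[host]
        if sigma == 0:
            # Perfectly flat baseline: any change is infinitely unlikely.
            z = float("inf") if observed != mu else 0.0
        else:
            z = (observed - mu) / sigma
        if z >= z_threshold:
            findings.append({"host": host, "observed": observed, "z": round(z, 1),
                             "reason": f"volume {observed / mu:.1f}x baseline mean"})
    return findings


def triage(findings, priority=ASSET_PRIORITY):
    """Attach asset priority and order findings critical-first, then by z."""
    for f in findings:
        f["priority"] = priority.get(f["host"], "unknown")
    return sorted(findings, key=lambda f: (PRIORITY_RANK[f["priority"]],
                                          -(f["z"] if f["z"] is not None else 0)))


def run_detection():
    """Convenience wrapper: baseline -> anomalies -> triaged list."""
    return triage(detect_anomalies(build_baseline(BASELINE_RECORDS), CURRENT_WINDOW))


if __name__ == "__main__":
    for f in run_detection():
        print(f"[{f['priority']:>8}] {f['host']:<9} z={f['z']} {f['reason']}")
```

The z-score is a deliberately simple model; the point is that the comparison is against a baseline the team prepared in advance, and that an asset with no baseline at all is surfaced rather than silently ignored. Replace the constructed records with per-asset metrics from the monitoring stack and the priority dictionary with the real asset list from the preparation phase.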
Phase 3: Containment
To limit the damage an attack can do, it must be contained as quickly as possible to keep it from spreading. To contain the incident in the short-term and prevent any further damage, the SOC team needs to gain control over the event. This includes reviewing the relevant data to classify the incident and identify the root cause.
Once the necessary information has been gathered and analyzed, containment efforts truly begin. After any necessary backups have been completed, these efforts could include null routing, applying filters to network or security equipment, changing a DNS entry or even pulling a power cord. Containment, of course, cannot be as simple as shutting down systems to keep the attack from spreading: this phase needs to let the incident response team actively work at shutting down the incident while the organization continues operating.
After short-term containment has been accomplished, the team will identify the initial attack vector, the attacker foothold and any compromised credentials so remediation can begin and the affected system can go back into production. During this phase, the team will also conduct a forensic investigation to determine if additional data or evidence is required to provide a full picture of what happened, how it happened, and what needs to happen next.
Phase 4: Remediation
This is a more concerted continuation of the containment phase as remediation focuses on drilling down to the root cause of the incident and eradicating any traces of the root cause. This means blocking the initial attack vector, removing the attacker’s foothold, blocking any compromised credentials, patching compromised systems, and remediating any other incident-related issue. Only with the remediation phase can the team begin to truly eliminate the possibility of repeat incidents.
Phase 5: Recovery
During this phase, the team returns any affected systems or devices to business use, ideally fully restored from a trusted backup. The security operation center team then fully tests all changes and updates to make sure the new cybersecurity measures operate as they should. Team members should also take the time to confirm once again that all traces of the attacker have been eliminated so they have no chance of doing further damage.
With that, the incident is officially over. But that doesn’t mean the work is.
Phase 6: Post-incident activities
This phase essentially involves a full post-mortem of the incident from start to finish that lays bare every aspect of the incident in order to improve the organization’s security. This will include an internal investigation undertaken by management, as well as any necessary tests to check that the patches applied work and see if there are any other holes that have been neglected.
This also includes exhaustive measures meant to identify any cybersecurity gaps that could have contributed to the incident. To close these gaps, the security operation center will identify any cybersecurity tools needed to better protect, detect, analyze or respond to cybersecurity incidents, as well as identify any need to improve organizational cybersecurity training and awareness. Once these gaps have been closed, it is essential that the same attack be simulated to test how effective the remediation efforts have been.
A final report also needs to be prepared with both short-term and long-term recommendations for improving the organization’s cybersecurity.
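A post-mortem that "lays bare every aspect of the incident from start to finish" is easiest to write from a timestamped timeline of the phases above, because the intervals between them (how long the attacker went undetected, how long containment took, how long recovery took) are what the final report's short-term and long-term recommendations are usually built around. The following is an added example, not code from the original article; the timeline entries and the target intervals are constructed for illustration.

```python
"""Post-incident timeline metrics from a constructed phase log.

Added example; not from the original article. Timestamps, phase notes and
the target intervals are assumptions for illustration.
"""
from datetime import datetime

# Constructed timeline: (ISO-8601 UTC timestamp, phase, note). The phase
# names mirror the article's phases; "compromise" is the earliest attacker
# activity established by the forensic investigation during containment.
TIMELINE = [
    ("2024-03-01T02:14:00Z", "compromise", "earliest attacker activity found in forensics"),
    ("2024-03-01T09:40:00Z", "detected", "analyst flags outbound traffic anomaly"),
    ("2024-03-01T10:05:00Z", "contained", "null route applied, compromised credentials disabled"),
    ("2024-03-01T16:30:00Z", "remediated", "foothold removed, system patched"),
    ("2024-03-02T08:00:00Z", "recovered", "restored from trusted backup, back in production"),
]

# Phase order every timeline must follow; out-of-order entries are a data error.
PHASE_ORDER = ["compromise", "detected", "contained", "remediated", "recovered"]

# Assumed internal targets, in hours, for each interval.
TARGETS_HOURS = {
    "dwell_time_hours": 4.0,          # compromise -> detected
    "time_to_contain_hours": 1.0,     # detected -> contained
    "time_to_remediate_hours": 8.0,   # contained -> remediated
    "time_to_recover_hours": 12.0,    # remediated -> recovered
}


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def phase_times(timeline):
    """Map phase -> datetime, validating that all phases exist and are in order."""
    times = {phase: parse_ts(ts) for ts, phase, _ in timeline}
    missing = [p for p in PHASE_ORDER if p not in times]
    if missing:
        raise ValueError(f"timeline missing phases: {missing}")
    for earlier, later in zip(PHASE_ORDER, PHASE_ORDER[1:]):
        if times[later] < times[earlier]:
            raise ValueError(f"{later} is recorded before {earlier}")
    return times


def hours_between(a, b):
    return (b - a).total_seconds() / 3600.0


def incident_metrics(timeline):
    """Interval lengths in hours between consecutive phases."""
    t = phase_times(timeline)
    return {
        "dwell_time_hours": hours_between(t["compromise"], t["detected"]),
        "time_to_contain_hours": hours_between(t["detected"], t["contained"]),
        "time_to_remediate_hours": hours_between(t["contained"], t["remediated"]),
        "time_to_recover_hours": hours_between(t["remediated"], t["recovered"]),
    }


def missed_targets(metrics, targets=TARGETS_HOURS):
    """Names of intervals that exceeded their target; these become the
    post-mortem's improvement items."""
    return sorted(name for name, hours in metrics.items()
                  if name in targets and hours > targets[name])


if __name__ == "__main__":
    m = incident_metrics(TIMELINE)
    for name, hours in m.items():
        flag = "MISSED" if name in missed_targets(m) else "ok"
        print(f"{name:<24} {hours:6.2f} h (target {TARGETS_HOURS[name]:4.1f} h) {flag}")
```

Each missed interval points at a different part of the plan: a long dwell time is a detection and baseline problem (Phase 1 and 2), a slow containment is a playbook or authority problem (Phase 3), and a slow recovery usually means backups were not as trusted or as tested as assumed (Phase 5). The validation in `phase_times` matters because a timeline assembled from several teams' notes is often out of order, and metrics computed from it would quietly be wrong.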
The importance of incident response cannot be overstated in this climate of near-constant cyber threats. The right team members must be in place to follow a precise and carefully crafted strategy in order to contain the threat, limit the damage, clean up the mess and make sure it cannot happen again. For many organizations, this means investing in professional services like a leading managed SOC because nothing less than the best will do when so much is at stake.