The Necessary Nine: Incident Response

Continuous Incident Detection and Response

What Is It? Far too much attention and resources are focused on the “Before” of a Cyber Security incident, but precious little on the “During” and “After”. Being able to detect WHEN (not if) something has happened (or, more critically, IS happening) and then recover afterwards is where many of us come unstuck. History is rife with examples, back to ancient times, of civilisations and empires being breached and ceasing to exist because the enemy was at the gate... and eventually got through. Your Cyber Security defences should never be like a gumball with a hard shell and a soft centre, but rather like a jawbreaker with layer after layer of hardened defences.

Continuous incident detection and response systems are like the heavily armed sentries on top of the castle walls, able to monitor, react, and respond when an incident occurs. These take on many forms depending on your objectives, assets, and budget. Modern systems, including Artificial Intelligence driven solutions, rely on several sources, such as threat intelligence from multiple reputable providers, big data analytics, heuristics, machine learning, statistical data, or user and system behaviour.

Automation can be a saviour in many ways because many organisations lack the skills and resources to manage the data they’re presented with. Managed Security Services that specialise in incident detection and response range from local specialists to global service providers with hundreds or thousands of staff operating 24/7/365. Detecting is one part of the battle, and often the most minor items are overlooked and quickly escalate into major incidents. Responding to halt the damage or at least minimise it is a crucial point of execution many find daunting, and unless a solid recovery plan is in place, we end up being spectators as our world crumbles around us.

Where Do I Start? The first question you need to ask is “what is our incident response plan?” If the answer is that you don’t have one, you need one. If you do have one, then I must ask, “When is the last time you tested it in anger?” Desktop or paperwork tests are fine to hash out the high-level details, but a full-scale test should be performed annually at a minimum, reviewed quarterly, and refined every time there is a change to personnel, systems, services, or infrastructure. With the plan sorted out, you need to figure out how you will detect incidents. Quite often this is budgetary-driven, but serious consideration must be given to the assets you are protecting and balanced against your investment.

Do you want to monitor in real-time, or do you want to just do past-tense analysis, only looking at incidents that have already happened in the last hour, day, week, or month? If you choose to monitor in real time, what is your response plan when something is detected? Panic can quickly set in for even the sturdiest leaders when they realise they’re being compromised RIGHT NOW! The feeling of dread is no less when an incident is only discovered after it has already occurred, but to some degree, the earlier you find it, the sooner you can shut it down and limit the damage. Imagine the third scenario, if you will (and one that is far more likely): there may be something happening you have no idea is occurring, and you carry on oblivious.

Let’s say you have a plan in place and can detect an incident either as it’s occurring or not long after it has happened. How will you recover? Recovery is a vital part of the response, and it can range from closing an open port, shutting down a compromised system, all the way through to rebuilding from scratch and restoring your data. Part of the Essential Eight is daily backup of important data, so that needs to be considered here as well.

I know I say it over and over, but please... get the right people involved and put your hand up if you need help. I’ve spoken with many organisations over the years that have incident detection and response on their radars, but it’s a long way down the road, misunderstood, or considered to be too difficult. If nothing else, start asking the questions and start putting together a plan to address this vital area. It costs nothing to ask a question.

How Do I Make It Work? Unless you have the in-house skills and experience, I would highly recommend a managed services provider. It may not have to be 24/7, but at least consider an 8x5 or similar plan if you can. For those of you with the resources and an incident response plan, and perhaps even some of the pieces you need, it’s time to start building. What hardware and software do you need, if any? Do you already have something you can re-use, or perhaps something that was installed but isn’t doing what you need? Start from the ground up and build your incident detection capability. There are a lot of great vendors and products out there to get you the information you need.

Now that you can detect, what do you do with the information? Do you have a SIEM or some sort of logging platform? Do you filter and prioritise events and alerts? How do you get the alerts to the people that can act? Will you use automation or manual processes? How will you know what incidents must be addressed right now, which ones can wait, and which ones you can ignore? It’s quickly apparent how important specialists in this area are, so as part of your incident response plan, you will already have a good idea.

With detection capabilities and the ability to collect, correlate, triage, prioritise, and allocate incidents, how will you act? What can be done immediately and what can wait based on your change management process? What is your framework? We’ve all seen the funny picture of a server cabinet with a sign something like “In case of cyber incident, pull the cables”. Sadly, this is how some will respond. What you do can be as critical as detecting the incident in the first place.
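The two paragraphs above ask how to filter and prioritise alerts and decide what must be addressed right now, what can wait, and what can be ignored. The following is an added example, not code from the original post: a minimal triage step that correlates repeated SIEM alerts into incidents, scores them by severity against asset criticality, and sorts them into those three queues. The asset register, severity weights, thresholds and the alert records are all constructed for illustration.

```python
"""Added example: alert correlation and triage into now / wait / ignore queues."""
from collections import defaultdict

# Assumed asset register: criticality 1 (low) .. 3 (crown jewels)
ASSET_CRITICALITY = {"dc01": 3, "web01": 2, "kiosk07": 1}
# Assumed numeric weight for the severity a detection rule reports
SEVERITY = {"low": 1, "medium": 2, "high": 3}

# Constructed alerts, shaped like records a SIEM might emit (host, rule, severity, minute)
ALERTS = [
    {"host": "dc01", "rule": "brute_force_logon", "severity": "medium", "ts": 1},
    {"host": "dc01", "rule": "brute_force_logon", "severity": "medium", "ts": 2},
    {"host": "dc01", "rule": "brute_force_logon", "severity": "medium", "ts": 3},
    {"host": "kiosk07", "rule": "av_signature_update_failed", "severity": "low", "ts": 4},
    {"host": "web01", "rule": "webshell_dropped", "severity": "high", "ts": 5},
    {"host": "web01", "rule": "outdated_tls_cipher", "severity": "medium", "ts": 6},
]


def correlate(alerts):
    """Collapse repeats of the same rule on the same host into one incident with a count."""
    grouped = defaultdict(list)
    for alert in alerts:
        grouped[(alert["host"], alert["rule"])].append(alert)
    return [{"host": h, "rule": r, "severity": g[0]["severity"], "count": len(g)}
            for (h, r), g in grouped.items()]


def score(incident):
    """Risk = severity x asset criticality, plus one when the same alert keeps repeating."""
    base = SEVERITY[incident["severity"]] * ASSET_CRITICALITY.get(incident["host"], 1)
    return base + (1 if incident["count"] >= 3 else 0)


def triage(alerts):
    """Bucket correlated incidents, highest risk first, into the three queues."""
    queues = {"now": [], "wait": [], "ignore": []}
    for inc in sorted(correlate(alerts), key=score, reverse=True):
        risk = score(inc)
        bucket = "now" if risk >= 6 else "wait" if risk >= 3 else "ignore"
        queues[bucket].append((inc["host"], inc["rule"], risk))
    return queues


if __name__ == "__main__":
    for queue, items in triage(ALERTS).items():
        print(queue, items)
```

Three identical medium alerts against the domain controller outrank a single high alert on a less critical host, which is the kind of judgement a prioritisation rule has to encode explicitly rather than leave to whoever is on shift.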

Let’s say you now have a clearly defined action plan during a detection and response event. You manage to weather the storm and emerge mostly intact. It’s time to pick up the pieces and assess the incident. You may need to have some forensic experts at your disposal. You may need to work with regulators and authorities, especially where mandatory breach notification laws are concerned. You may need to replace equipment and software. You may need to restore data, but you can never cease operations.

I just cannot emphasise enough to test, re-test, and test again, and test regularly. There are many highly skilled professionals out there that can help you verify your solution will work under pressure and help you refine your systems, so you can rest a little easier.

Pitfalls? The biggest pitfall I have seen so far is how low on the priority list incident detection and response is in comparison to prevention. Firewalls fail. Systems crash. Software gets corrupted. Holes are found. Exploitation happens; one could say it’s inevitable, so always think “improbable” rather than “impossible”. When designing your defence in depth strategy, always make a provision at every layer for incident detection and response, and be prepared to recover. Proper resourcing of the “during” and “after” of an incident is not optional.

Ghosts in the Machine? Single points of failure in the form of over-reliance on individuals rather than teams are common, and sometimes people freeze or panic under pressure and make mistakes. Be sure that you have a lot of this sorted out, lest you be let down by those you entrust to be there when it all goes off the rails.

Anything Missing? If I didn’t say it before, testing. Always test your incident response plan in anger at least annually. Remember that these incidents don’t even have to be perpetrated by people; living on this earth means we must deal with nature and the brute force attacks it can assail your infrastructure with.

Disclaimer: The thoughts and opinions presented on this blog are my own and not those of any associated third party. The content is provided for general information, educational, and entertainment purposes and does not constitute legal advice or recommendations; it must not be relied upon as such. Appropriate legal advice should be obtained in actual situations. All images, unless otherwise credited, are licensed through ShutterStock.

© 2020 Created by CISO Platform.