Standardizing Your Incident Response

By Alex MacLachlan October 11, 2016 incident-response, security-orchestration-automation-response

A cyber threat infiltrates your organization and a breach occurs. You and your team go into reactive fire-fighting mode. You isolate the threat and put it down. Crisis averted right? Well what if the attack was an APT (Advanced Persistent Threat)? Just because you pulled the thread and took care of one specific threat how do you know you’re not dealing with something more insidious and sophisticated? Perhaps you’re dealing with a threat that will continue attacking systems well after you think you’ve solved the problem. You’re then dealing with a breach that could be far more dangerous while lying dormant and undetected for a very long time and have an even greater impact on your business. The only way to truly address a breach is to follow a well laid out plan that properly triages the threat so you can determine the nature, impact, breadth, and persistence. Identifying trends, isolating the location of where attacks originated and fully understanding the type of attacks can only be done when response teams are equipped with the proper tools to gather and analyze information and respond quickly and effectively.

Intake

When a breach occurs, proper Intake is the first step that should be taken. Intake is the information gathering and triage stage of assessing a threat. When an incident report is made due to a data breach, lost or stolen device, or a malware infection your cyber security team or IT staff should know:

  • IP address, host name, physical location of breached system.
  • Types of data that may have been compromised. Was PII (Personally Identifiable Information) stored on that system stolen? This would include full names, addresses, phone numbers, banking pins, social security numbers, health information.
  • What was the specific timeline of events? When was the attack noticed and when was any stolen information first noticed as compromised?
  • Which compliancy requirements may be under duress as a result of the breach? HIPAA, FERPA, FCRA, HSA, PCI? Knowing this will guide prioritization and guide resources to quickly addressing key data points and reducing or eliminating regulatory fines.
  • Was the data encrypted and if so by what method?
  • What was the impact and breadth of the breach? This should include a number of data records or affected systems.
  • What type of attack was perpetrated? Malware, ransomware, DDoS, Virus, Trojan, Phishing, POS Intrusion?

Properly documented intake will allow your team the basis it needs for running down the threat, discovering what damage has been done and remediating quickly. A good intake process will utilize tools that make it easy to quickly escalate tasks to the proper team members. It’s also important that custom incident types and advanced persistent threats be identified within minutes and reported on rapidly before moving on to further identifying the breach.

Incident Identification

After the intake of the incident, identification steps are taken to drill down deeper into the effect of the attack, generate tasks, and alert proper management teams. Notification should take place first so that respective forensic and security teams are alerted and begin doing their work to gather more evidence and respond properly. Mapping IP addresses and then identifying and plotting suspect IP addresses is a workflow that should be kicked off immediately by your incident response unit so that a list of potential perpetrators based on those suspect IPs is generated to work from. While system files and registries are also checked, tasks must be automatically created and assigned to continue the process of locating the source and nature of the breach.

Evidence Collection

Now that you have full documentation of the attack through a proper intake procedure and you have identified the nature of an attack and alerted proper teams, you can continue to deploy incident response protocols by collecting evidence. During the evidence collection phase, you are looking for specific attributes of the attack that occur during an unauthorized access incident. Proper fact finding and documentation is important not only for remediation and the prevention of future attacks but also for presenting hard evidence during any compliancy audits your organization may face. Be sure your response team is documenting evidence along with a description of any loaded drivers, indicate which live response tools are deployed, describe in detail which user accounts are effected, and list where all installed software resides. While collecting evidence and deploying your teams into the “battlefield” robust collaboration tools and time lines are a must. You need to ensure findings during your evidence collection phase that are effective and cogent to resolving the damage an attack has done. Proper collaboration will also give your team the advantage of accountability as to when tasks are assigned and completed. Furthermore, possessing information access controls that can segment systems while collecting evidence are important to ensure compliant investigative practices, impartial findings and managerial oversight.

Analysis

As you move into the data analysis phase of addressing a data breach your goals should be to properly investigate the information gathered, apply a well laid response plan for specific events, and report on the threats. When investigating threats, link analysis should employed to find matches in data for known patterns, discover anomalies where patterns are violated, and discover new patterns of interest. Correlations can then be identified to uncover further useful information to understand the nature and impact of a breach. By analyzing data sources, encrypted disks, network anomalies, and operating systems for unauthorized access, you can learn a lot about the type of infection and where it originated. With trend reporting you can begin to analyze vulnerabilities to head off future attacks and sure up defenses against previously undetected threats. Lastly, it’s important to equip your Forensics and Security teams with tools that can allow them to further analyze the relationships between triage information, identified infections, and past incidents against IP addresses. For example, executive style dashboards that employ scheduled updates as well as high powered data-visualization tools can allow for analysis to be done efficiently in order for you to quickly move on to remediation.

Remediation

By the time you move into the remediation phase, you are ready to identify the root cause and apply practices that will resolve the threat and engage directly with the breach. Reporting continues to be critical at this phase because your security teams must be enabled to use reporting tools to firmly confirm the source, present evidence, detail event response stage, indicate severity, and document incidents within a time and location. Even though you’ve remediated the threat at this stage the work is still far from over. Countermeasures must still be employed and proper reporting helps you do that. Since followed your Incident Response Playbook to properly intake the threat and documented your findings through identification, evidence gathering, analysis and remediation you should have arrived to some conclusions (some perhaps startling) that will guide the counter measures you take. As you aim to reduce susceptibility you can tighten up security around known endpoints where breaches occur, beef up policies where needed, and employ better preventative tools to get in front of attacks based on trends and tactics you discovered along the way.

Click the button below to schedule your one-on-one demo of the D3 Incident Management Platform.

Alex MacLachlan

Alex MacLachlan

Alex is the Director of Marketing at D3. He oversees D3's marketing, communications, and digital programs. He enjoys fishing, "checking the analytics", playing golf and watching hockey - in that order.


Comments

Add a comment:

email

username

url

your comment

Your comment will be revised by the site if needed.