With the exponential rise of cybersecurity concerns in 2017, we’ve been focusing on a cybersecurity mini-series that demystifies and simplifies building an all-encompassing cybersecurity strategy.
We’ve identified prevalent threats, your organization’s vulnerability to those threats, outsourcing vs. in-house security efforts, and the prevention measures your organization should employ—or at least consider—in building a comprehensive security infrastructure. Prevention is where most resources are typically allocated, as it’s your prevention infrastructure that mitigates 99% of your vulnerability and risk.
Yet, despite highly ranked prevention methods, intrusion attempts remain probable and breaches are certainly possible. Because there is NO infallible method of preventing a cyber breach, your organization needs a predetermined plan of action should the unthinkable become a reality, leading us to Phase 3 of building your effective cybersecurity response.
Your plan of action, commonly referred to as Incident Response (IR), is your all-too-important “go-to” guide for necessary measures when a breach takes place. While nearly every department, job function, and employee will be notified of an initiated IR, your incident response team maintains its strategy, implementation, and initiation.
Step 1: Identify Your Incident Response Team
An incident response team is a centralized team that retains the responsibility of activating your IR should your network be compromised. Overlap will likely exist between employees working on your cybersecurity strategy team, which is responsible for the overall strategy, and your IR team, whose roles are specific to incident response.
Your IR team should involve three roles:
Threat Researchers: Responsible for collecting data on threats of cyber espionage, attacks, and breaches lurking in the digital realm. Researchers remain abreast of looming potentialities within the entire cyber ecosystem. This information is used to bolster your preventative measures and add context or intelligence to intrusion attempts and breaches.
Security Analysts: Responsible for identifying when and where an intrusion attempt or breach has occurred and the surrounding details. Typically, this function is divided into Triage and Forensic analysts. Triage analysts alert response managers of possible intrusions, while screening out false positives. Forensic analysts desegregate data surrounding a breach, highlight contributing factors, and preserve this as evidence for post-analysis.
Incident Response Manager: Responsible for overseeing the IR team in its entirety. Ensures detection, analysis, and containment are executed properly and swiftly. The manager coordinates with analysts and researchers to illustrate the entire scope of a breach. He or she is also responsible for engaging with other departments, such as corporate security, human resources, upper management, etc. to relay IR initiation, status, findings, and conclusions.
Depending on your organization, some, or all, of your threat researchers and/or security analysts may be outsourced. We do not recommend, however, outsourcing your organization’s incident response manager. The manager position falls into an Oversee and Govern (OV) characteristic within your overall strategy, among others. You run the risk of harmful lag time and miscommunication throughout your entire organization and IR team if the manager is not onsite immediately after a breach. Further, an internal employee is familiar with your communication methods and organizational infrastructure, which lends efficacy and promptness to a process that tremendously benefits from both.
Step 2: Develop Your Incident Management Strategy
Your protocol must identify when an IR should be initiated by your IR team.
Many automated processes will identify, flag, and alert analysts to unsuccessful intrusion attempts and false positive breaches. Your protocol should address how much manual research and probing is required after an automated detection system flags network activity.
This balance is a difficult one to strike.
Initiating an IR every time a false positive or unsuccessful attack occurs can be costly, not to mention desensitizing to the rest of your organization. Think “boy who cried wolf…” how did that turn out? Consider elements of your organization, size, and vulnerability to attacks when considering how long to research and probe before activating your IR protocol.
When a breach or attack is determined to have taken place, the most important thing for all those involved to do is remain calm and refrain from panicking. Follow your IR protocols to the letter.
Tips for Constructing your Incident Response Strategy:
Safeguard systems and other media so that forensic analysis can take place. If the extraction of data appears to be ongoing, take the affected systems offline. If data extraction is not evident, leaving systems online is advisable, as you could lose valuable evidentiary data by taking them down.
- Collect Data
Collecting data through your researchers and analysts will be crucial during and after an intrusion attempt or breach. This will tell you valuable information such as how, where, when, and why the intrusion occurred.
Start with the time of the intrusion and work backwards in time to find relevant data. Look for recent abnormalities such as changes/modifications, system failures, errors, status changes, administrative events, etc. Highlight all unusual activity and abnormalities within your network traffic, as well as the time they occurred.
Forensic tools must be used in collecting this data. Using non-forensic software on infected systems can overwrite timelines and other crucial data. Highlight abnormalities to help identify indicators of compromise.
- Collect External Intelligence
This information gathered by your researchers works in unison with data collected by your analysts to further highlight indicators of compromise. Search for abnormalities in MD5s, IP addresses, and domains that you discover as you’re collecting data. This step can be completed after the intrusion is contained.
- Collect Logs
Identify all log sources within your organization; this can include Windows events, firewalls, server and workstation operating systems, applications, security tools (anti-virus, anti-spyware, IDS, IPS, VPN, etc.), outbound proxy and end user applications, etc. Extract and combine all information associated with the intrusion attempt or breach to a single location for later review.
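The three collection steps above, combined in one sketch; this is an added example, not code from the original article. It merges constructed log records from several sources into a single timeline, walks backwards from an assumed intrusion time, and flags entries that match researcher-supplied indicators or abnormality keywords. All records, indicators, keywords and function names are assumptions for illustration.

```python
import re
from datetime import datetime, timedelta

# Constructed sample records (ISO timestamp, message) per source; not real logs.
SOURCES = {
    "firewall": [
        ("2017-06-01T02:14:07", "ALLOW out 10.0.0.12 -> 203.0.113.50:443"),
        ("2017-06-01T01:02:11", "ALLOW out 10.0.0.30 -> 198.51.100.7:80"),
    ],
    "windows": [
        ("2017-06-01T02:10:45", "service install failed: error 1053"),
        ("2017-06-01T02:12:30", "account added to Administrators group"),
        ("2017-05-30T09:00:00", "user logon ok"),
    ],
    "proxy": [
        ("2017-06-01T02:13:55",
         "GET http://bad.example/p md5=0123456789abcdef0123456789abcdef"),
    ],
}
# Hypothetical indicators from threat researchers (constructed values).
IOCS = {"203.0.113.50", "bad.example", "0123456789abcdef0123456789abcdef"}
# Abnormality keywords are an assumption, based on the article's categories.
KEYWORDS = ("failed", "error", "modified", "administrators")
# Extract MD5s, IP addresses and domains as whole tokens for exact matching.
TOKEN = re.compile(r"\b[0-9a-f]{32}\b|[a-z0-9-]+(?:\.[a-z0-9-]+)+")


def flag(message):
    """Return the reasons a log message deserves analyst attention."""
    lowered = message.lower()
    hits = sorted(set(TOKEN.findall(lowered)) & IOCS)
    return [f"ioc:{h}" for h in hits] + [f"keyword:{k}" for k in KEYWORDS if k in lowered]


def review(sources, intrusion_time, lookback_hours=24):
    """Merge every source into one timeline and walk back from the intrusion."""
    end = datetime.fromisoformat(intrusion_time)
    start = end - timedelta(hours=lookback_hours)
    merged = []
    for name, records in sources.items():
        for ts, msg in records:
            if start <= datetime.fromisoformat(ts) <= end:
                merged.append((ts, name, msg, flag(msg)))
    merged.sort(reverse=True)  # newest first: start at the intrusion time
    return [entry for entry in merged if entry[3]]


if __name__ == "__main__":
    for ts, name, msg, reasons in review(SOURCES, "2017-06-01T02:15:00"):
        print(ts, name, reasons, msg)
```

Run a script like this against copies of the collected logs on an analysis machine, not on the affected systems, so that evidence timelines are not overwritten.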
Your response manager should notify internal departments on a need-to-know basis sooner rather than later. Senior management, human resources, organization attorneys, and Marketing/PR departments are examples of who the manager should consider contacting. The key is to determine who needs to know and how quickly… then begin notifying. If your internal (or possibly third-party) team is not able to identify the source or cause of the intrusion attempt or breach, audit and risk management specialists should be contacted and brought in to assess the incident.
External communication of the breach is just as important as internally notifying personnel. In fact, timing of external communications is arguably more delicate than that of internal notifications.
Your IR team should strictly adhere to your specific protocol. Deviations can increase vulnerability for subsequent attacks or improper analyses, leaving your door open for future attacks.
Your protocol should also include the three things NOT to do:
- Socialize. We mentioned above that the IR team should determine who needs to know that a breach has occurred… they should be informed, no one else. It’s important to limit information passed to other audiences until a communications plan can be implemented.
- Use Domain Admin Credentials. Do not use administrative credentials when accessing system environments. Hacktivists often wait for this information before exiting your environment.
In addition to these recommendations, ensure you have a method of continuous data back-up. If your data is compromised or damaged during a breach or intrusion, you’ll need an untampered version of your data.
We’ve seen that cyber breaches and intrusion attempts are on the rise and virtually inevitable. Being prepared and equipped to respond immediately to a cyber incident will prevent panic and response confusion. A key factor in developing your cybersecurity strategy is ensuring your entire organization is aware of protocols and what’s expected of every department and employee.