How To Build an Incident Response Capability (That Doesn’t Suck)

Posted on October 4, 2017 by Admin

You’re standing on the bridge of the Starship USS Enterprise.

“Warning,” comes the voice of the computer. “Incoming attack detected.”

Immediately, your crew launch into action. Under your command, your officers identify the threat, take evasive action, and shut down the enemy using photon torpedoes.

The confrontation is intense, but within minutes your victory has been assured.

Sounds good, doesn’t it?

But here’s the thing. If you’ve ever seen Star Trek, you’ll know that all the screen time is given to the exciting, action-packed scenes, while more mundane activities are left largely in the dark.

But how well do you think our heroes would have been equipped to deal with sudden, unexpected attacks if their shields hadn’t been charged? Or if each officer didn’t know exactly what they were supposed to do without being told?

In the real world, we tend to think about incident response as the activities that occur during and after an attack. But just as Captain Jean-Luc Picard relied on his crew to maintain their equipment and follow protocol, the true nature of powerful incident response is far less reactive.


Incident Response 101

Before I get carried away with more Star Trek analogies, perhaps we should take a moment to think about what incident response actually is.

On the one hand, IR includes all of the various activities necessary to identify and block incoming attacks. For instance, a suitable response to an incoming phishing attack might be to analyze the email lure, and attempt to identify and quarantine any further lures from the same campaign.

But it doesn’t stop there. Responding to incoming threats is important, certainly, but equally important is what comes next: Recovery.

Once a threat has been successfully identified, mitigated, and blocked, the next step is to ensure business operations can return to normal. To do that, the confidentiality, integrity, and availability of all data and services must be recovered.


Why Reacting Doesn’t Work

There's a game that athletes play to test and improve their reflexes. Somebody, usually a coach, will hold a pencil vertically by the end, instruct the athlete to hold their hand level with the bottom of the pencil, and get ready to catch it with their thumb and forefinger when it falls.

Sounds easy, doesn’t it? It’s not. Nonetheless, with practice, most can catch the pencil quite often.

But here’s the thing. If you replace the coach with a computerized release mechanism, almost everybody fails the test.

Why? Because they didn’t get better at reacting to the falling pencil, they just got better at identifying the “tells” that meant their coach was about to drop it. And when their coach was replaced with a cold, unthinking machine, there were no more tells to spot.

Responding to cyber attacks is very much like the second test. Threat actors almost never telegraph their attacks, and they certainly don’t wait for you to be ready before they attack. As a result, when a threat arises, there’s no time to start thinking about how you should respond.

If you don’t already have a clear set of protocols to follow, and an incident response team who know precisely how to shut down the threat, you’re in for a rough ride.


Predicting the Future

So if reacting doesn’t work, what does? That’s easy: Simply identify all of the possible attack scenarios ahead of time, and work out how to respond to each one.

Yes, of course, new attack vectors do arise occasionally, but for the most part threat actors stick with what already works. Even when new threats do arise, they normally slot into a pre-existing attack scenario.

For example, a new strain of malware might circumvent your technical controls, but it will still target the same valuable assets.

To get you started, here are some of the threats you’re most likely to face:

  • Phishing/spear phishing and other social engineering attempts
  • Distributed denial of service (DDoS)
  • Credential theft/password reuse
  • Attacks targeting known vulnerabilities (malware, etc.)
  • Loss or theft of physical devices

Think about each of these threats, and how you might respond to them. For instance, once a vulnerability in your network environment has been exploited, is there much you can do to protect your data?

Perhaps. Perhaps not.

What you can do, however, is maintain a rigorous penetration testing program to help identify (and remediate) vulnerabilities before they are exploited.

Similarly, if you wait until after one of your users is tricked by a social engineering attack to decide you need to invest more in training, it’s already too late. Much better to identify the threat posed by attack vectors such as phishing ahead of time, and ensure you have a powerful training program in place.

When you work through this exercise, you’ll find in many cases the solution isn’t actually to develop a response plan, but to invest your resources in preventative measures.

After all, while password reuse attacks can be devastating, they can be almost entirely prevented by implementing a sensible authentication protocol. Depending on the size and function of your organization, this could mean implementing a state-of-the-art multi-factor authentication solution, or it could simply be a case of setting more stringent password requirements.

Either way, in the long run, preventative measures are almost always more cost-effective than damage control.


When Prevention Isn’t Possible

No matter how good you are at identifying threats ahead of time, it will never be possible to prevent every incoming attack. In the end, you do need some genuine response capabilities to ensure the long-term security of your organization.

Still, though, it pays huge dividends to be able to design and practice your response capabilities ahead of time.

For instance, how would your organization respond to a ransomware attack? Having a solid off-site backup plan in place is a huge advantage, certainly, but without a well-oiled response plan even very basic ransomware trojans can cause significant disruption.

For this reason, clearly defining roles and responsibilities ahead of time is a huge part of effective incident response. If each member of your team knows precisely how to respond to each of your top 10 most significant threats, the chances of your organization being seriously compromised by an attack will be dramatically reduced.

Similarly, you’ll need to have cover arrangements in place to ensure all duties can be fulfilled irrespective of individual members of your team being on leave or off sick. Your organization may not be large enough to warrant a 24/7/365 security operations center (SOC) but you will still need to determine your active hours, and ensure full cover during this period.
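To make the readiness advice above concrete, here is an added example (not code from the post or its author) that models each threat's playbook as data and audits it for the gaps the post warns about: missing recovery steps, no backup owner to cover leave or sickness, and active hours with nobody on shift. The threat names come from the post; the roles, steps, shifts and active hours are constructed sample values.

```python
"""Readiness audit for an IR plan: added example, not code from the post.
Each threat needs identify/contain/recover steps, an owner plus a backup for leave or
sickness, and staffed shifts spanning active hours. Threat names are from the post;
roles, steps and hours are constructed sample data."""
from dataclasses import dataclass, field

REQUIRED_PHASES = ("identify", "contain", "recover")  # block the threat, then restore CIA
ACTIVE_HOURS = (8, 18)  # constructed: cover must be complete from 08:00 to 18:00

@dataclass
class Playbook:
    threat: str
    steps: dict      # phase -> list of actions
    primary: str     # role that owns the response
    backup: str = ""  # cover arrangement; empty means none
    shifts: list = field(default_factory=list)  # staffed (start_hour, end_hour) intervals

def coverage_gaps(shifts, window):
    """Hours inside `window` that no shift covers (intervals are half-open)."""
    start, end = window
    return [h for h in range(start, end) if not any(s <= h < e for s, e in shifts)]

def audit(playbooks):
    """Map each unready threat to its findings; an empty dict means every playbook is ready."""
    findings = {}
    for pb in playbooks:
        issues = [f"no {p} steps" for p in REQUIRED_PHASES if not pb.steps.get(p)]
        if not pb.backup:
            issues.append("no backup owner")
        gaps = coverage_gaps(pb.shifts, ACTIVE_HOURS)
        if gaps:
            issues.append(f"uncovered hours: {gaps}")
        if issues:
            findings[pb.threat] = issues
    return findings

SAMPLE = [  # constructed illustration: one ready playbook, one with gaps
    Playbook("Ransomware", {"identify": ["triage the alert"], "contain": ["isolate host"],
                            "recover": ["restore from off-site backup"]},
             "IR lead", "Deputy IR lead", [(8, 13), (13, 18)]),
    Playbook("Phishing/spear phishing", {"identify": ["analyze the lure"],
                                         "contain": ["quarantine campaign mails"]},
             "SOC analyst", shifts=[(8, 12), (14, 18)]),
]

if __name__ == "__main__":
    for threat, issues in audit(SAMPLE).items():
        print(f"{threat}: {'; '.join(issues)}")
```

Running it reports only the phishing playbook, which has no recovery step, no backup owner, and a two-hour hole in cover between 12:00 and 14:00.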


The Incident Response Feedback Loop

Another aspect of incident response that is commonly neglected is the potential for informing other areas of security practice. Incident response professionals learn a great deal from each attack, and those lessons can be priceless if used to systematically enhance the security profile of your organization.

For instance, how did an attack happen? If any level of compromise was realized, how was it achieved? Where are the weak links that allowed the attack to gain a foothold inside your network?

Once these types of questions have been answered, you’ll quickly find opportunities to foil similar attacks in future by tightening technical controls, or improving employee security training.

And to achieve this, all you have to do is listen to your incident response team. Set up a formal channel for them to communicate the lessons they learn, and ensure the information is used proactively to enhance your organization’s security profile.


Build From the Ground Up

Perhaps the single most common issue with cyber security is the tendency for organizations to run before they can walk. There is, after all, very little point in putting together a cutting-edge incident response team if you still have hundreds of unpatched vulnerabilities.

In an ideal world, then, you should approach incident response planning in precisely the same way you would respond to any other risk assessment: Mitigate the most likely threats first, and then work backwards.

But, naturally, identifying a full list of possible threats in advance is easier said than done, and determining which threats are most pressing can be difficult too. As a result, every year a huge proportion of organizations of all sizes suffer breaches that could easily have been avoided.

To get a head start identifying the most pressing threats to your organization, and get a grip on your organization's security profile, check out our free cyber security assessment tools.

There’s a separate tool for each of the most common compliance frameworks, so you can identify your organization’s main weaknesses in under an hour no matter what industry you’re in.
