Tim Bandos explains how a thorough incident response plan can be one of the most effective means to protect a business against the growing threat of cyber attack and outlines the essential characteristics of such a plan.
Cybercrime is an ever-growing epidemic, a fact highlighted by PricewaterhouseCoopers’ Global Economic Crime Survey, which found that cybercrime had jumped from the fourth to the second most-reported type of fraud affecting organizations in 2016. Predictions from the survey suggest that cybercrime will take the top spot by 2018, by which time more than half of British businesses will have experienced some form of cyber attack.
Despite this bleak outlook, a staggering one in three UK organizations admit to having no response plan in place, leaving them extremely vulnerable to data breaches. Clearly, something needs to change. This article will lay down the foundations of an effective incident response plan for any business unsure of where to start, whilst giving those with a plan already in place some key considerations to help maximise its effectiveness.
First and foremost, it’s important to think of incident response as a carefully considered process, not an isolated event. In order for it to be successful, teams must take a coordinated and organized approach to any security incident. Then, there are important stages that the response program should cover in order to effectively address the wide range of security incidents that a company could experience.
Plan and prepare
As with so much in life, preparation is the key to effective incident response. Even the best incident response teams cannot operate effectively without predetermined guidelines and a strong plan in place. In order to successfully address potential security events, the following four features should be included in the plan:
Well-developed and documented policies: establish policies detailing the protocols to follow in the event of a cyber attack, along with agreements for how any incident response will be managed.
Clearly defined communication guidelines: create communication standards and guidelines to enable seamless communication between all affected parties during and after any incident.
Regular input from threat intelligence feeds: perform ongoing collection, analysis, and synchronization of all available threat intelligence feeds that could help the organization get ahead of the attackers.
Ongoing cyber hunting exercises: conduct regular operational threat hunting exercises to find incidents occurring in real time. This allows for a more proactive incident response programme. As part of this, look at the existing threat detection capability and update or augment as required.
Detect and report
The focus of this phase is to effectively monitor security events in order to quickly detect, alert, and report on potential security incidents as they unfold. Events are best monitored within the organizational environment, using security technologies such as firewalls, intrusion prevention systems, and data loss prevention. Potential security incidents should be detected by correlating alerts within a SIEM solution.
If the detection of a security incident occurs, an incident ticket needs to be created, initial findings documented and an initial incident classification assigned. Finally, the incident should be reported internally, as necessary, using pre-defined channels. It is important that the reporting process include accommodation for regulatory reporting escalations if required.
Scope and analyse
The bulk of the effort in properly scoping and understanding the security incident takes place during the analysis phase. Resources should be utilised to collect data from tools and systems for further analysis, in order to identify indicators of compromise. Individuals involved should have in-depth skills and a detailed understanding of live system responses, digital forensics, memory analysis, and malware analysis.
As evidence is collected, analysts should focus on three primary areas:
Endpoint analysis: this will help to determine what tracks may have been left behind by the threat actor. Analysts should review a bit-for-bit copy of systems from a forensic perspective and capture RAM to parse through and determine what occurred on a device.
Binary analysis: investigating malicious binaries or tools leveraged by attackers and documenting the functionalities of those programs. This analysis is performed in two ways. The first is behavioural, which involves executing the malicious program in a controlled environment to monitor its exact behaviours. The second is static analysis, which involves reverse engineering the malicious program to scope out its entire functionality.
Enterprise hunting: analysing existing systems and event log technologies to determine the scope of compromise. As part of this, analysts should document all compromised accounts, machines, etc. so that effective containment and neutralization can be performed.
Contain and neutralize
Perhaps the most critical stage of any incident response, the exact strategy for containment and neutralization is based on the intelligence gathered during the triage and analysis phase, but typically consists of three main phases. The first is a coordinated shutdown, once all systems within the environment that have been compromised by a threat actor have been identified, a coordinated shutdown of these devices is performed to prevent further infection. A wipe and rebuild is then executed. The infected devices are then wiped and the operating system is rebuilt from the ground up.
The final phase consists of threat mitigation requests. If any domains or IP addresses known to be used by threat actors were identified, threat mitigation requests to block the communication from all channels connected to these domains are issued.
Only after the system is restored and security is verified can normal operations resume.
After the incident is resolved, any information that can be used to prevent similar occurrences from happening again in the future should be thoroughly documented in the following four ways:
Log an incident report: documenting the incident will help to improve the incident response plan and implement additional security measures to avoid similar security incidents in the future.
Post-incident monitoring: closely monitoring for activities post-incident since threat actors will likely re-appear again.
Updating threat intelligence: updating the organization’s threat intelligence feeds accordingly will ensure vigilance against similar attacks in future.
Identifying preventative measures: creating new security initiatives to prevent future incidents of a similar nature from occurring will make it far harder for threat actors using the same tactics.
With cyber crime currently on a relentless rise, any business or organization that isn’t adequately prepared and protected is making itself an unnecessarily easy target. Putting an effective incident response plan in place may not prevent attacks from occurring, but it will help to greatly minimise damage done in the event of an incident or even stop an attacker in their tracks. Much of incident response planning is simply common sense, aided by effective security technology, so there really is no excuse not to act now.