When it comes to incident response, every second counts. The severity of breaches varies, but since the damage done correlates directly with how long a malicious actor has access to your systems, it's paramount that every threat is discovered and remediated as quickly as possible. The difference between a breach being detected and remediated in two hours versus two days could be the difference between a quick laptop reimaging and a six-digit revenue loss.
Imagine a virus makes it past your firewall and, instead of noticing and sandboxing the point of entry, you miss the threat. Pretty soon, perhaps the entire sales team is affected. The damage compounds: not only are you losing money by taking the sales team out of commission, you're also losing money in wasted man-hours trying to mitigate damage that could have been avoided altogether had you been properly prepared.
So how can you properly prepare? Here are a few places you can start when looking to reduce response time:
An adequate IT staff line-up is an investment in the future of the entire company. In order to get the job done, and done well, your IT team needs not just the right kind of people, but the right number of people.
The threat environment changes quickly, and in order to keep pace, IT professionals need time set aside to audit their response processes and get training on the latest tools available. Unfortunately, when the team is understaffed, employees will find it difficult to get up to speed, let alone get ahead. An understaffed team is a sure-fire path to a lack of oversight.
Even if the IT team is scrappy and surefooted enough to take on new incident response training while keeping up with their various other responsibilities, a lack of staffing presents another issue: for a small team, incident response will often involve the entire staff, meaning there may be no manpower left to tackle other problems that arise.
Pushing for more hires, especially those with the proper skill set, can be a difficult task, and many organizations will need to work with the resources they already have. Luckily, with proper procedure and the right tools, a lack of staffing doesn’t have to stand in the way of adequate response time.
All security teams should have an incident response process to guide remediation efforts. When was the last time you took a look at yours?
In order to understand incident response processes and procedures, a proper review is required. We have broken incident response down into the seven stages most commonly recognized:
It's essential that every organization is prepared for the worst, so preparation is vital to any security incident response plan. It covers how an incident will be identified, how recovery and the resumption of normal business activity will proceed, and the establishment of security policies, including the following:
- Warning banners.
- User privacy expectations.
- Established incident notification processes.
- Development of an incident containment policy.
- Creation of incident handling checklists.
- Ensuring the corporate disaster recovery plan is up to date.
- Making sure the security risk assessment process is functioning and active.
When looking at your pre-deployed incident handling assets, you want to make sure certain tools are in place before a system breach occurs. This includes examining your own sensors, probes and monitors on critical systems, maintaining tracking databases for core systems, and keeping active audit logs for every part and component of the network.
The next stage of incident response is identifying the actual incident: what happened, and what its full scope is. You are going to want to investigate suspicious entries, excessive login attempts, unexplained user accounts, unexpected new files, and so on.
After you have assessed the situation, there are six levels of classification for incidents. You'll need to determine which one the incident falls under.
- Level 1 – Unauthorized access
- Level 2 – Denial of services
- Level 3 – Malicious code
- Level 4 – Improper usage
- Level 5 – Scans/probes/attempted access
- Level 6 – Investigation incident
Once the full scope of the incident has been identified and you know which level you are dealing with, the next move is to contain the problem and limit any further growth in its scope and magnitude. While containing an incident, there are two essential areas of coverage: maintaining uptime and protecting critical systems.
In order to determine the operational status of your infected system and/or network, you have three options:
- Disconnect the system from the network and allow it to continue stand-alone operations.
- Shut down everything immediately.
- Continue to allow the system to run on the network and monitor activities.
All three are viable ways to contain the issue at the beginning of the incident response; the choice should be made as quickly as possible so that you can move on to the next stage.
Forensic investigation is the first step in determining what actually happened to your environment. A methodical review needs to take place first on all the systems or networks determined to be in scope of the incident, then on other systems outside the containment area. For this investigation, hard drives, memory, device logs, and other supporting data must be analyzed. It is very important to keep well-written documentation of everything you do during the investigation, especially since external threats may require law enforcement involvement.
Remediation is the process of actually getting rid of the issue on your computer, system or network. This step should only take place after all external and internal actions are completed; in particular, any disk or memory evidence the investigation needs must be captured before it begins, because cleanup destroys it. There are two important aspects of eradication which you should keep in mind. The first is cleanup. Cleanup usually consists of running your antivirus software, uninstalling the infected software, rebuilding the OS or replacing the entire hard drive, and reconstructing the network. In most cases reimaging the machines is going to be the recommended remediation tactic.
The second step is notification. Notification always includes relevant personnel and all stakeholders both above and below the incident response team manager in the reporting chain.
This is when your company or organization returns to normalcy. There are two steps to recovery:
- Service restoration, which is based on implementing corporate contingency plans
- System and/or network validation, testing, and certifying the system as operational
Any component that was compromised must be recertified as both operational and secure.
After everything has been returned to standard operations, there are a few follow-up questions that should be answered to ensure the process is sufficient and effective.
- Was there sufficient preparation?
- Did detection occur in a timely manner?
- Were communications conducted clearly?
- What was the cost of the incident? Did you have a business continuity plan in place?
- How can we prevent it from happening again?
Once these questions are answered and improvements are made where necessary, your company and incident response team should be ready to repeat the process. This process can help your organization keep its valuable and personal information secure.
The right tools
In a perfect world, there would be no need for incident response because there would be no incidents. While we may always have to adapt to new and emerging attacks, there are ways to greatly reduce the number of threats that make it onto the system and to mitigate the potential risk of those threats should they appear.
As always, defense in depth is the most important asset. When you layer solutions from multiple providers, you make it so that even if one doesn’t recognize the signature of a particular virus, the others may. Since different systems use different processes, layering these solutions will give you protection at many different entry points while minimizing the loopholes that attacks can exploit.
It's also paramount that organizations have tools that provide visibility into their networks. Without visibility, threat detection will only ever be reactive, and often that reaction will come far too late. Organizations need to be collecting information on network traffic in one place so they can properly correlate it, and establishing behavioral baselines so they can detect anomalies and automate responses such as sandboxing the suspicious user.
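As an added example that is not part of the original article, the script below shows the baseline-and-anomaly approach just described applied to the identification-stage signals named earlier (excessive login attempts and unexplained user accounts): it correlates a handful of constructed syslog-style authentication lines, builds a per-user baseline of failed logins over three quiet days, and flags the fourth day's deviations. The log format, host names, user names, account inventory, addresses and thresholds are all hypothetical.

```python
"""Added example, not from the original article: a per-user failed-login baseline
built from constructed auth log lines, then checked for the anomalies the article
names (excessive login attempts, unexplained user accounts)."""
from collections import defaultdict
import re

# Constructed syslog-style lines; hosts, users and addresses are hypothetical.
_BURST = "\n".join(f"2024-03-04T02:1{i}:00 web01 sshd: Failed password for alice "
                   f"from 203.0.113.9" for i in range(8))
SAMPLE_LOGS = f"""2024-03-01T08:00:01 web01 sshd: Failed password for alice from 10.0.0.5
2024-03-01T08:00:09 web01 sshd: Accepted password for alice from 10.0.0.5
2024-03-02T09:12:44 web01 sshd: Failed password for bob from 10.0.0.7
2024-03-02T09:12:50 web01 sshd: Accepted password for bob from 10.0.0.7
2024-03-03T17:40:02 web01 sshd: Accepted password for alice from 10.0.0.5
{_BURST}
2024-03-04T02:18:30 web01 sshd: Accepted password for alice from 203.0.113.9
2024-03-04T02:20:00 web01 sshd: Accepted password for helpdesk2 from 203.0.113.9"""
KNOWN_USERS = {"alice", "bob", "svc-backup"}  # constructed account inventory
BASELINE_DAYS = {"2024-03-01", "2024-03-02", "2024-03-03"}
LINE_RE = re.compile(r"^(?P<day>\d{4}-\d{2}-\d{2})T\S+ \S+ sshd: "
                     r"(?P<result>Accepted|Failed) password for (?P<user>\S+) from (?P<ip>\S+)$")

def parse(text):
    """Normalise raw lines into (day, result, user, ip) tuples; unparsable lines are dropped."""
    matches = (LINE_RE.match(line) for line in text.splitlines())
    return [(m["day"], m["result"], m["user"], m["ip"]) for m in matches if m]

def baseline(events, days):
    """Mean failed logins per user per day across the baseline window."""
    fails = defaultdict(int)
    for day, result, user, _ in events:
        if day in days and result == "Failed":
            fails[user] += 1
    return {user: n / len(days) for user, n in fails.items()}

def detect(events, base, day, known_users, floor=5, factor=3.0):
    """Flag users whose failures on `day` exceed max(floor, factor * baseline) and any
    account active on `day` that is missing from the inventory."""
    fails, seen = defaultdict(int), set()
    for d, result, user, _ in events:
        if d == day:
            seen.add(user)
            fails[user] += result == "Failed"
    alerts = {u: "excessive login attempts" for u, n in fails.items()
              if n > max(floor, factor * base.get(u, 0.0))}
    alerts.update({u: "unexplained user account" for u in seen - known_users})
    return alerts

if __name__ == "__main__":
    events = parse(SAMPLE_LOGS)
    print(detect(events, baseline(events, BASELINE_DAYS), "2024-03-04", KNOWN_USERS))
```

The absolute floor keeps a single typo from alerting on a user whose baseline is zero, while the multiplier catches users whose normal failure rate is non-zero but suddenly jumps.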
With proper staffing, a streamlined procedure and the right tools in place, organizations can greatly limit the damage they may face when problems arise, which will make responding to threats a far less daunting task.