Incident Response
Prevention is best, but incidents are inevitable, so we need to know how to detect and resolve them.
Incident response plan (IRP) content: a set of procedures, people, and information used to detect, respond to, and limit the consequences of a cyberattack against an organization. It includes a road map. Each IRP is unique and will distinguish between recognizing and responding to an event versus a cybersecurity incident.
Holds details about:
•detection
•response timeline
•incident response team members responsibilities
NIST recommends that incident response policies contain these key elements:
•mission
•strategies and goals
•senior management approval and statement of commitment
•purpose and objectives of the policies (the organizational approach to incident response)
•scope of the policies
•metrics for measuring the IRP effectiveness
•road map for maturing the incident response capability
•definition of computer security incidents and related terms
•Organizational structure and definition of roles, responsibilities, and level of authority
•prioritization or severity rating of incidents
•internal and external communication methods
Incident Response Timeline: when an incident occurs, clearly define the point at which it starts, when it is detected, contained, and eradicated, and when normal business operations are restored. Often documented in a Gantt chart.
Methods of detection for the Incident Response Plan:
•vulnerability scanning software
•anomaly detection software
•endpoint detection and response software
•file integrity monitoring
•log analysis
•Intrusion detection system (alerts only; it does not block anything)
•intrusion prevention system
•Physical security monitoring
•Security Information and event management solutions
•user behavior analytics tools (flag users who are acting suspiciously)
Incident Response Team: human capital is the most important factor for success. Guidance and support from senior management are also essential, as they are the champions for incident response management in the organization. The team is unique for each organization.
NIST recommends using one of these model teams:
•Centralized incident response team: one team for the whole organization (good for a small organization)
•Distributed incident response team: multiple teams working together, each responsible for specific logical or physical segments of the company network (good for a widespread organization)
•Coordinating team: a secondary function of either a distributed or a centralized incident response team which coordinates with other departments without having authority over those teams
The NIST Computer Security Incident Handling Guide recommends organizations consider five factors when structuring and staffing the team:
•Do you need 24/7 availability? If so, you need real-time availability, which minimizes the time to discover and respond.
•Do you need full-time or part-time staff? Depends on funding, staffing constraints, industry, and individual company needs. One way around the constraint is to outsource.
•How will it affect employee morale? 24/7 coverage is more stressful, so it's good to segregate roles to combat fatigue and boost morale.
•Cost? How much can you afford, and how much will the employees cost?
•Staff expertise? What type is required?
Intrusion detection spans all of cybersecurity. Three areas help:
•education and awareness
•advisory distribution: issuing cyber briefings or a newsletter to keep staff updated
•information sharing: groups that discuss past incidents and expected future threats
Responding to a cybersecurity incident in accordance with the IRP:
The difference between a cybersecurity event and an incident will be defined in the incident response plan.
Cybersecurity is the safety of computer systems, such as the technology infrastructure, and the important digital data contained within them.
Events are benign/non-harmful.
Incidents are a threat to an organization's computer or network security.
NIST defines the difference as:
•event: an observable occurrence in a system or network that does not harm us. Ex. a cybersecurity change
•adverse event: an event with negative consequences, intentional or unintentional, caused by anyone or anything. Ex. system crashes
•computer security incident: a threat caused by malicious human intent that is computer security related. Defined as any violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices. Ex. a hacker flooding a system, phishing emails infecting a computer
Steps in responding to a basic incident:
1. Preparation for incidents: example tools are vulnerability assessment software, intrusion detection and prevention applications, antimalware software, and training for both end users and the specialists directly involved in response.
2. Detection and identification of incidents: classify them and escalate if serious
3. Containing the incident so it cannot spread
4. Eradication of threats
5. Reporting and communicating the status
6. Recovery
7. Learning from it
Sysadmin, Audit, Network, and Security (SANS) Institute Incident Response Plan: it looks for and identifies unusual processes, files, and registry keys. The guide also explains methods used to scan for abnormal network activity, irregularities in scheduled tasks like reboots, unexplained accounts, and suspicious user behavior.
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned
NIST separates incident response into four phases (the aim is to provide guidance and recommendations for policies and response):
1. Preparation
2. Detection and analysis
3. Containment, eradication, and recovery
4. Post-incident activity
International Organization for Standardization (ISO) IRP:
1. Evaluating event criteria and defining an incident
2. Monitoring and detecting events by human or automated means
3. Managing incidents to the end of their lifecycle
4. Coordinating with authorities and handling evidence properly
5. Performing a root cause analysis
6. Reporting on incident management activities
Frameworks can also depend on the industry:
•Information Technology Infrastructure Library (ITIL): a library originally created by the British government but now managed by a joint venture known as Axelos. It outlines an incident management process integrated with service management principles and issues certifications often sought by third-party IT providers, which is why its incident response is tied closely to serving clients.
•United States Computer Emergency Readiness Team (US-CERT): collaborates with government entities, academia, and the private sector to issue guidance on cybersecurity incidents related to payments and transactions.
•IBM has identified the attacks most often addressed by an IRP: DDoS attacks, mobile code (such as malware, spyware, viruses, Trojans, and worms), phishing, insider incidents, business email compromise, disaster recovery, supply chain attacks, and advanced persistent threats.
Procedures to test whether a company follows its incident response plan during hypothetical and actual cybersecurity incidents:
•simulations/tabletop exercises
•penetration test/fire drills
•IRP metrics/benchmarks
  mean time to detect (MTTD)
  mean time to acknowledge (as an incident) (MTTA)
  mean time to contain (MTTC)
  mean time to repair (MTTR)
  mean time between failures (MTBF)
  system availability or downtime (amount of time the system is completely or partially unusable)
  service level agreement (SLA) compliance
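The metrics above are only meaningful if the timeline points from the Incident Response Timeline (start, detected, acknowledged, contained, restored) are recorded consistently for every incident. The script below is an added example, not part of the original notes: it computes MTTD, MTTA, MTTC, MTTR, MTBF, downtime/availability and SLA compliance from a set of constructed incident records. The interval conventions in the docstring are assumptions for this example; a real IRP should state its own.

```python
from datetime import datetime

# Constructed incident records (sample data, not from any real organization).
# Each timestamp is one of the points the IRP timeline defines.
INCIDENTS = [
    {"id": "INC-001", "start": "2024-03-01T02:00", "detected": "2024-03-01T02:30",
     "acknowledged": "2024-03-01T02:45", "contained": "2024-03-01T04:00",
     "restored": "2024-03-01T06:00"},
    {"id": "INC-002", "start": "2024-03-10T10:00", "detected": "2024-03-10T12:00",
     "acknowledged": "2024-03-10T12:15", "contained": "2024-03-10T13:00",
     "restored": "2024-03-10T13:30"},
    {"id": "INC-003", "start": "2024-03-20T08:00", "detected": "2024-03-20T08:30",
     "acknowledged": "2024-03-20T08:45", "contained": "2024-03-20T09:00",
     "restored": "2024-03-20T09:30"},
]

TIMELINE_ORDER = ["start", "detected", "acknowledged", "contained", "restored"]


def _hours(a, b):
    """Elapsed hours between two ISO-8601 timestamps."""
    return (datetime.fromisoformat(b) - datetime.fromisoformat(a)).total_seconds() / 3600


def _mean(values):
    values = list(values)
    return sum(values) / len(values)


def validate(inc):
    """Timeline points must occur in IRP order; a mis-entered timestamp would skew every metric."""
    stamps = [datetime.fromisoformat(inc[k]) for k in TIMELINE_ORDER]
    if stamps != sorted(stamps):
        raise ValueError(f"{inc['id']}: timeline points out of order")


def irp_metrics(incidents, period_start, period_end, sla_restore_hours):
    """Benchmark metrics for one reporting period.

    Interval conventions assumed here:
      MTTD  start -> detected          MTTA  detected -> acknowledged
      MTTC  detected -> contained      MTTR  start -> restored
      MTBF  mean gap from one incident's restore to the next incident's start
      downtime = total start -> restored time; availability = 1 - downtime / period
      SLA compliance = share of incidents restored within sla_restore_hours
    """
    incs = sorted(incidents, key=lambda i: i["start"])
    for inc in incs:
        validate(inc)
    period_hours = _hours(period_start, period_end)
    repair_times = [_hours(i["start"], i["restored"]) for i in incs]
    gaps = [_hours(a["restored"], b["start"]) for a, b in zip(incs, incs[1:])]
    downtime = sum(repair_times)
    return {
        "mttd_h": _mean(_hours(i["start"], i["detected"]) for i in incs),
        "mtta_h": _mean(_hours(i["detected"], i["acknowledged"]) for i in incs),
        "mttc_h": _mean(_hours(i["detected"], i["contained"]) for i in incs),
        "mttr_h": _mean(repair_times),
        "mtbf_h": _mean(gaps) if gaps else None,  # needs at least two incidents
        "downtime_h": downtime,
        "availability": 1 - downtime / period_hours,
        "sla_compliance": sum(t <= sla_restore_hours for t in repair_times) / len(incs),
    }


if __name__ == "__main__":
    report = irp_metrics(INCIDENTS, "2024-03-01T00:00", "2024-04-01T00:00", sla_restore_hours=3.5)
    for name, value in report.items():
        print(f"{name:15} {value}")
```

With these three records the period is March 2024, so MTTD comes out at 1.0 hour, MTTR at 3.0 hours, and only two of the three incidents meet a 3.5-hour restore SLA; the point of the check in validate is that a single record with its timeline points out of order silently corrupts the averages, so it is rejected instead.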
•Post incident review
  analyzing logbooks, evaluating system configurations, interviewing the employees involved, performing further vulnerability testing
•Periodic audits
•continuous monitoring
The IRP should be tested at least annually to make sure it is up to date and accurate.
Cyber Insurance: a mitigation strategy for a security incident
The payout can help with the cost of restoring data or systems, lost revenue, cyber extortion losses from ransomware, incident response costs, litigation/attorney fees, and reputational damage (short-term PR, not to be confused with the company's brand).
Requirements to get cyber insurance:
•Have controls to mitigate likelihood and severity of events.
•Have background checks of employees.
•Is in compliance with regulations.
•Have a robust disaster recovery system in place
•Have employee training
•Have company policies that the insurer approves of
•Have Independent risk assessment
•Have an incident response plan (if it's not robust, the insurer may see the company as higher risk and charge more)
•have IT controls
•Mandatory penetration testing (higher premium if it is not done)
•Loss history to see if there is a repeating pattern.
