Partner Perspectives  Connecting marketers to our tech communities.
6/24/2015
04:20 PM
Ryan Vela
Ryan Vela
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Breach Defense Playbook: Incident Response Readiness (Part 2)

Will your incident response plan work when a real-world situation occurs?

As I discussed in my last post, having an incident response readiness assessment (IRRA) can be a make-it-or-break-it factor when it comes to breach response preparedness. In this post, I’ll detail what specifically you should be looking at during the evaluation, as well as how to conduct the final stages of training the team and providing a report so your findings can be put into action.

Documentation Review

Your documentation review should begin with your incident response (IR) plan, security operations plans, escalation plans, security baseline documents, and corporate policies such as:

  • Safeguarding sensitive information, intellectual property (IP), trademarks, copyrights, and trade secrets
  • Privacy of personally identifiable information (PII) and HIPAA information
  • Protection of client, customer, and business partner information

In addition, you should review regulatory compliance and response strategies that are written to support audits, compliance, and legal requirements. Lastly, you should perform a gap analysis of your existing security control documentation and supporting policies and procedures.

Network Security Review

When assessing network security with respect to IR, you should focus on the implementation of your organization’s defense-in-depth strategy, including:

  • Perimeter defense
  • Network segmentation and enclaves
  • Data visibility and security controls
  • Network visibility and security controls
  • Access controls and management
  • Enterprise logging
  • Remote access

In addition, you should look at your security operations center (SOC), focusing on the people, processes, and accessible technologies. At a minimum you should:

  • Identify and evaluate key personnel, processes, technologies, and training/exercises
  • Review tool reporting and alerting to support IR capabilities
  • Evaluate the SOC operations, including daily operations, hours of operation, monitoring, alerting, and reporting
  • Review incident detection, escalation procedures, and mechanisms in place for automation

Incident Response Team Review

Next, you should review the IR team under the lens of determining whether appropriate stakeholders are included and if they have access to IR plans and documentation; if everyone on the team is fully aware of the comprehensive team structure/goals; and if proper training and exercises are taking place. At a minimum, your IR team should include stakeholders from IT, public relations, legal, risk management, vendor management, HR, and executive leadership.

The roles and responsibilities of each stakeholder should be established and written in the IR plan, along with escalation procedures that are exercised and further evaluated. The effectiveness of your IR capability is directly related to your team being prepared and trained, and understanding their roles and responsibilities during an incident.

Internal And External Response Capabilities

When reviewing your internal response capabilities, you should begin by ensuring that there is a secure location (physical or digital) to store IR data. Ideally, there needs to be a war room for SOC and IR team personnel to work in a collaborative environment during an incident.

Additionally, your organization needs to have access to IR triage and investigation hardware and software; network, log, and system forensic software and equipment; and malware reverse engineering capabilities. Many organizations do not provide these capabilities in-house, so you can leverage a trusted partner – keeping in mind that it’s important to proactively select them before an incident occurs, not after.

Many times organizations choose to place organizations on retainer for legal, crisis management, regulator, and insurance assistance. Therefore, when reviewing your internal response capabilities, you must evaluate what areas your organization will address in-house and what areas are outsourced, which is called your external response capabilities.

For external response capabilities, you should review your organization’s process of vendor management, including documentation and contact information. During an IRRA, you should ensure that the agreements with IR providers are accessible and reviewed, as well as those with outside counsel, crisis management firms, auditors, regulators, law enforcement, information sharing associations, and insurance providers. Lastly, you should review third-party service level agreements (SLAs) that pertain to monitoring, incident response, and forensics support.

Practice Exercises

In addition to assessing your overall readiness, it’s equally important to train your team and practice your IR plan. There are two main approaches you can take. The first is a paper-based tabletop exercise in which team members get together and are presented with a security incident scenario. The team members act out their normal duties and talk through the steps they would take to address and resolve the incident, and then afterward the execution is analyzed and reported back to the team for feedback, guidance, and enhancement.

The second approach involves a live test in which a piece of benign malware is placed on an internal system. The SOC and technologies are then tested for detection, and the IR team is activated and their actions are monitored, including the process of submitting tickets to initiate an incident response, forensic imaging and analysis of a system, analysis of network logs, and preparation of documentation such as reports and internal/external communications.

This approach can be a true comprehensive test of your organization’s IR capabilities, but it is often time-consuming and may require activation of third-party agreements. That being said, the value is generally greater than that of the first approach, since it provides the team with real-life training and provides a deeper level of authenticity to the analysis.

Assessment Report

At the end of your IRRA, your final report should include what mitigation activity you recommend, as well as a roadmap that includes short-, mid-, and long-term IR capability enhancements with defined milestones to gauge progress. The enhancements must be actionable and quantifiable with measurable outcomes.

Keep in mind it’s important to present your findings in plain English for non-technical readers. Your recommendations will likely require buy-in from above, so you need to present the appropriate justifications for implementing and the measured risks for not taking action so your leaders have all the information they need to make an informed decision.

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15-years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
Fidelis Cybersecurity provides organizations with a robust, comprehensive portfolio of products, services, and expertise to combat today's sophisticated advanced threats and prevent data breaches. Our commercial enterprise and government customers around the globe can face advanced threats with confidence through use of our Network Defense and Forensics Services – delivered by an elite team of security professionals with decades of hands-on experience – and our award-winning Fidelis XPS™ Advanced Threat Defense Products, which provide visibility and control over the entire threat life cycle.
Featured Writers
White Papers
Video
Cartoon
Current Issue
5 Security Technologies to Watch in 2017
Emerging tools and services promise to make a difference this year. Are they on your company's list?
Flash Poll
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7445
Published: 2015-10-15
The Direct Rendering Manager (DRM) subsystem in the Linux kernel through 4.x mishandles requests for Graphics Execution Manager (GEM) objects, which allows context-dependent attackers to cause a denial of service (memory consumption) via an application that processes graphics data, as demonstrated b...

CVE-2015-4948
Published: 2015-10-15
netstat in IBM AIX 5.3, 6.1, and 7.1 and VIOS 2.2.x, when a fibre channel adapter is used, allows local users to gain privileges via unspecified vectors.

CVE-2015-5660
Published: 2015-10-15
Cross-site request forgery (CSRF) vulnerability in eXtplorer before 2.1.8 allows remote attackers to hijack the authentication of arbitrary users for requests that execute PHP code.

CVE-2015-6003
Published: 2015-10-15
Directory traversal vulnerability in QNAP QTS before 4.1.4 build 0910 and 4.2.x before 4.2.0 RC2 build 0910, when AFP is enabled, allows remote attackers to read or write to arbitrary files by leveraging access to an OS X (1) user or (2) guest account.

CVE-2015-6333
Published: 2015-10-15
Cisco Application Policy Infrastructure Controller (APIC) 1.1j allows local users to gain privileges via vectors involving addition of an SSH key, aka Bug ID CSCuw46076.

Dark Reading Radio
Archived Dark Reading Radio
In past years, security researchers have discovered ways to hack cars, medical devices, automated teller machines, and many other targets. Dark Reading Executive Editor Kelly Jackson Higgins hosts researcher Samy Kamkar and Levi Gundert, vice president of threat intelligence at Recorded Future, to discuss some of 2016's most unusual and creative hacks by white hats, and what these new vulnerabilities might mean for the coming year.