Partner Perspectives
6/24/2015 04:20 PM
Ryan Vela

Breach Defense Playbook: Incident Response Readiness (Part 2)

Will your incident response plan work when a real-world situation occurs?

As I discussed in my last post, having an incident response readiness assessment (IRRA) can be a make-it-or-break-it factor when it comes to breach response preparedness. In this post, I’ll detail what specifically you should be looking at during the evaluation, as well as how to conduct the final stages of training the team and providing a report so your findings can be put into action.

Documentation Review

Your documentation review should begin with your incident response (IR) plan, security operations plans, escalation plans, security baseline documents, and corporate policies such as:

  • Safeguarding sensitive information, intellectual property (IP), trademarks, copyrights, and trade secrets
  • Privacy of personally identifiable information (PII) and HIPAA information
  • Protection of client, customer, and business partner information

In addition, you should review regulatory compliance and response strategies that are written to support audits, compliance, and legal requirements. Lastly, you should perform a gap analysis of your existing security control documentation and supporting policies and procedures.

Network Security Review

When assessing network security with respect to IR, you should focus on the implementation of your organization’s defense-in-depth strategy, including:

  • Perimeter defense
  • Network segmentation and enclaves
  • Data visibility and security controls
  • Network visibility and security controls
  • Access controls and management
  • Enterprise logging
  • Remote access

In addition, you should look at your security operations center (SOC), focusing on the people, processes, and accessible technologies. At a minimum you should:

  • Identify and evaluate key personnel, processes, technologies, and training/exercises
  • Review tool reporting and alerting to support IR capabilities
  • Evaluate the SOC operations, including daily operations, hours of operation, monitoring, alerting, and reporting
  • Review incident detection, escalation procedures, and mechanisms in place for automation

Incident Response Team Review

Next, you should review the IR team to determine whether the appropriate stakeholders are included and have access to the IR plans and documentation, whether everyone on the team is fully aware of the overall team structure and goals, and whether proper training and exercises are taking place. At a minimum, your IR team should include stakeholders from IT, public relations, legal, risk management, vendor management, HR, and executive leadership.

The roles and responsibilities of each stakeholder should be established and written in the IR plan, along with escalation procedures that are exercised and further evaluated. The effectiveness of your IR capability is directly related to your team being prepared and trained, and understanding their roles and responsibilities during an incident.

Internal And External Response Capabilities

When reviewing your internal response capabilities, you should begin by ensuring that there is a secure location (physical or digital) to store IR data. Ideally, there needs to be a war room for SOC and IR team personnel to work in a collaborative environment during an incident.

Additionally, your organization needs to have access to IR triage and investigation hardware and software; network, log, and system forensic software and equipment; and malware reverse engineering capabilities. Many organizations do not provide these capabilities in-house, so you can leverage a trusted partner – keeping in mind that it’s important to proactively select them before an incident occurs, not after.

Organizations often choose to put outside firms on retainer for legal, crisis management, regulatory, and insurance assistance. Therefore, when reviewing your internal response capabilities, you must evaluate which areas your organization will address in-house and which areas are outsourced; the latter are your external response capabilities.

For external response capabilities, you should review your organization’s process of vendor management, including documentation and contact information. During an IRRA, you should ensure that the agreements with IR providers are accessible and reviewed, as well as those with outside counsel, crisis management firms, auditors, regulators, law enforcement, information sharing associations, and insurance providers. Lastly, you should review third-party service level agreements (SLAs) that pertain to monitoring, incident response, and forensics support.

Practice Exercises

In addition to assessing your overall readiness, it’s equally important to train your team and practice your IR plan. There are two main approaches you can take. The first is a paper-based tabletop exercise in which team members get together and are presented with a security incident scenario. The team members act out their normal duties and talk through the steps they would take to address and resolve the incident, and then afterward the execution is analyzed and reported back to the team for feedback, guidance, and enhancement.

The second approach involves a live test in which a piece of benign malware is placed on an internal system. The SOC and technologies are then tested for detection, and the IR team is activated and their actions are monitored, including the process of submitting tickets to initiate an incident response, forensic imaging and analysis of a system, analysis of network logs, and preparation of documentation such as reports and internal/external communications.

This approach can be a true comprehensive test of your organization’s IR capabilities, but it is often time-consuming and may require activation of third-party agreements. That being said, the value is generally greater than that of the first approach, since it provides the team with real-life training and provides a deeper level of authenticity to the analysis.
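One way to turn a live exercise into the measurable outcomes the final report needs is to time-stamp each IR milestone as the observer records it and compare the elapsed times against the escalation targets in the IR plan. The script below is an added example, not from the original post or from Fidelis; the timeline and the per-milestone targets are constructed, hypothetical values.

```python
"""Score a live IR exercise timeline against the IR plan's escalation targets."""
from datetime import datetime

# Constructed timeline (hypothetical, not from the article): the time the
# observer recorded for each milestone after the benign sample was planted.
EXERCISE_EVENTS = [
    ("planted", "2015-06-24T09:00:00"),  # benign test sample placed on a host
    ("alert",   "2015-06-24T09:12:00"),  # SOC tooling raised an alert
    ("ticket",  "2015-06-24T09:40:00"),  # IR ticket opened to activate the team
    ("image",   "2015-06-24T11:05:00"),  # forensic image of the host acquired
    ("report",  "2015-06-25T08:30:00"),  # internal report / comms drafted
]

# Assumed escalation targets from a hypothetical IR plan, in minutes from planting.
TARGETS_MIN = {"alert": 15, "ticket": 30, "image": 240, "report": 1440}


def milestone_durations(events):
    """Minutes from 'planted' to each later milestone, keyed by milestone name."""
    stamps = {name: datetime.fromisoformat(ts) for name, ts in events}
    start = stamps["planted"]
    return {name: (t - start).total_seconds() / 60
            for name, t in stamps.items() if name != "planted"}


def score_exercise(events, targets):
    """Return the measured durations plus findings for the assessment report.

    A finding is raised when a milestone was never reached (the team stalled or
    the exercise was cut short) or when it took longer than the plan's target.
    """
    durations = milestone_durations(events)
    findings = []
    for name, limit in targets.items():
        if name not in durations:
            findings.append(f"{name}: milestone never reached")
        elif durations[name] > limit:
            findings.append(f"{name}: {durations[name]:.0f} min exceeds {limit} min target")
    return {"durations": durations, "findings": findings}


if __name__ == "__main__":
    result = score_exercise(EXERCISE_EVENTS, TARGETS_MIN)
    for name, minutes in result["durations"].items():
        print(f"{name:8s} {minutes:7.0f} min")
    for finding in result["findings"]:
        print("FINDING:", finding)
```

Findings map directly onto roadmap items: a ticket opened after the target, for example, points at the escalation procedure rather than at detection tooling.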

Assessment Report

At the end of your IRRA, your final report should include what mitigation activity you recommend, as well as a roadmap that includes short-, mid-, and long-term IR capability enhancements with defined milestones to gauge progress. The enhancements must be actionable and quantifiable with measurable outcomes.

Keep in mind that it is important to present your findings in plain English for non-technical readers. Your recommendations will likely require buy-in from above, so you need to present the justification for implementing them and the assessed risk of not taking action, so that your leaders have all the information they need to make an informed decision.

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15 years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ...