
Operations

10/23/2014
11:00 AM
Kerstyn Clover
Commentary

Incident Response: Is Your IR Plan A Glorified Phone Tree?

Training internal security teams to be first responders can drastically improve an organization's effectiveness in the wake of a data breach. Here's why.

I've looked at incident response both as an investigator and a program builder preparing businesses before a breach occurs. This led to enthusiastic head nodding at articles by Kelly Jackson Higgins on incident response fails and preparedness. My major issue lately is this: I have seen one too many incident response plans that are really glorified phone trees.

The most common analogy to discuss a data breach is a fire. If your incident response plan is really just a directive to contact HR, legal, and an investigation team, you're skipping to the part where you call the fire department. You're missing the parts where you check doors for heat, use an extinguisher on small blazes, and grab your pets on your way out. Preparing for only the all-engulfing fire (something like credit card data theft) means you are missing opportunities to put out the little ones before they bring the whole building up in flames (network intrusions, unauthorized data access, and misconfigurations).

(Image: Sylvain Pedneault, CC-BY-SA-3.0, via Wikimedia Commons)

Where many companies miss out is on adequately training and utilizing the staff they already have. Who is most familiar with your network layout and where important data is stored? Is it a third party after the fact or the people who monitor and maintain it every day? Giving these people the resources to become first responders themselves can drastically improve an organization's ability to detect and react to intrusions. In fact, I'm sure many already feel that breaches have been a "not if, but when" risk for their company for some time.

Training and practice are crucial. Your SOC team cannot respond to an incident if they don't know what to do. Worse, they can make a responder's job far more difficult if they accidentally alter or destroy evidence. Training and education need to come first, followed by regular testing that progresses from tabletop exercises to hands-on drills with fabricated incidents.

The second half of the battle is to use this knowledge to build your documentation, so that you stop lurching between doing nothing and calling in the entire fire department. This benefits those of us who show up to help out as well, because we then have current information on your network and its daily activities.

Now that you have trained security firefighters, you need to give them the proper equipment. Tools can range from freeware to enterprise suites with on-call support. All that matters is that they enable monitoring, alerting, and response. A SIEM system is particularly valuable, because system and network logs are difficult to monitor and correlate manually; I frequently see one or two people tasked with reviewing logs for an entire company. Just think -- the more you can supplement your team with useful software, the less you'll have to spend on energy drinks to sustain their work.
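As an added illustration (not code from the article or its author) of the cross-source correlation a SIEM automates and one or two people reading raw logs cannot: it joins constructed sshd authentication lines with a constructed firewall log by source address inside a time window, flagging a burst of failures followed by a success. Log lines, hostnames and addresses are all invented for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines; the format mimics syslog but comes from no real system.
AUTH_LOG = """\
2014-10-23T10:01:02 srv1 sshd[201]: Failed password for root from 203.0.113.7 port 5001
2014-10-23T10:01:05 srv1 sshd[202]: Failed password for root from 203.0.113.7 port 5002
2014-10-23T10:01:09 srv1 sshd[203]: Failed password for admin from 203.0.113.7 port 5003
2014-10-23T10:01:40 srv1 sshd[204]: Accepted password for admin from 203.0.113.7 port 5004
2014-10-23T10:05:00 srv2 sshd[301]: Failed password for bob from 198.51.100.9 port 6001
"""
FW_LOG = """\
2014-10-23T10:00:58 fw1 kernel: ACCEPT src=203.0.113.7 dst=10.0.0.5 dpt=22
2014-10-23T10:04:59 fw1 kernel: ACCEPT src=198.51.100.9 dst=10.0.0.6 dpt=22
"""

AUTH_RE = re.compile(r"^(\S+) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+)")
FW_RE = re.compile(r"^(\S+) (\S+) kernel: ACCEPT src=(\S+) dst=(\S+) dpt=(\d+)")


def correlate(auth_log, fw_log, threshold=3, window=timedelta(minutes=2)):
    """Return (src_ip, host, user) alerts: at least `threshold` failed logins from
    one source to one host, followed by a success within `window`, and only when
    the firewall also recorded that source reaching port 22 (corroborating source)."""
    fw_seen = set()
    for line in fw_log.splitlines():
        m = FW_RE.match(line)
        if m and m.group(5) == "22":
            fw_seen.add(m.group(3))

    failures = defaultdict(list)  # (src_ip, host) -> timestamps of failed logins
    alerts = []
    for line in auth_log.splitlines():
        m = AUTH_RE.match(line)
        if not m:
            continue  # unparsed line: a real pipeline would count these, not drop them
        ts = datetime.fromisoformat(m.group(1))
        host, outcome, user, src = m.group(2), m.group(3), m.group(4), m.group(5)
        key = (src, host)
        if outcome == "Failed":
            failures[key].append(ts)
        else:  # "Accepted": check for a recent failure burst from the same source
            recent = [t for t in failures[key] if ts - t <= window]
            if len(recent) >= threshold and src in fw_seen:
                alerts.append((src, host, user))
    return alerts
```

The single-failure event on srv2 stays below threshold, so only the srv1 burst produces an alert; raising the threshold or shrinking the window suppresses it, which is the tuning a SOC team does once it owns the tool.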

Do you feel that your company is currently capable of handling intrusions without immediately calling for the sirens, ladders, and fire hoses? If so, please feel free to share your successes (or failures) in the comments.

As a staff consultant on the SecureState Attack and Defense Team, Kerstyn works with a broad range of organizations across a variety of industries on security assessments including incident response, forensic analysis, and social engineering.

Comments
ODA155
User Rank: Ninja
10/27/2014 | 5:50:32 PM
Re: Simulations to improve IT Security
@Marilyn Cohodas, "I'm surprised that security teams doesn't do fire drills or war games to find holes in breach response strategies."

Yes we do, it's called PENTESTING. But in reality, the sort of thing you're talking about costs money; also, right off the top of my (bald) head:
  1. skilled & experienced people in-house
  2. time
  3. available manpower
  4. expense
  5. buy-in/support from business units and management
  6. commitment from management to fix\address what you find
  7. PERMISSION to conduct these "wargames"
  8. how will this affect production systems
  9. who develops the goals of the simulation
  10. what are the ROE
  • what types of testing
  • specific target systems\individuals

Then there's always the question: what if you break something during the process (which is why you outsource your PENTEST in the first place)? Who owns it?

I think most security pros can tell you exactly where the biggest security concerns are for their environments. Now, that doesn't mean they know everything, but I truly believe this is why security\audit\infrastructure\management and administration need to partner up instead of falling back into their respective bunkers and fixing bayonets against the other.

But that's just me.

Marilyn Cohodas
User Rank: Strategist
10/27/2014 | 4:45:37 PM
Re: Simulations to improve IT Security
I'm surprised that security teams don't do fire drills or war games to find holes in breach response strategies. It would probably be a good learning exercise for users in the company as well...
BruceHarpham
User Rank: Apprentice
10/24/2014 | 2:01:05 PM
Simulations to improve IT Security
"Training and education need to come first, followed by regular testing from a tabletop level to the hands-on with fabricated incidents."

The military constantly uses "war games" for training - why not IT security too?
Marilyn Cohodas
User Rank: Strategist
10/24/2014 | 8:28:01 AM
first responders
Kerstyn, I love your analogy about first responders, but I must confess how surprised I am about how few companies are utilizing their internal assets -- the security team.

For what it's worth, we have a new poll up asking What's missing from your incident response plan? In hindsight, I would have included a response about direct involvement of the InfoSec staff! But people can still write that response in the poll comments. I hope you all will! Poll link is here.