Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
6/23/2015
12:35 PM
Ryan Vela
Ryan Vela
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Breach Defense Playbook: Incident Response Readiness (Part 1)

Will your incident response plan work when a real-world situation occurs?

Cyberattacks can strike at any time, without warning, and when they do, time is of the essence. Organizations need to be prepared to respond quickly when their defenses are breached. During an attack, it is critical to have a plan in place so that your security team can spring into action, contain the situation, and minimize the damage. In order to create an effective plan, organizations should first perform an incident response readiness assessment, or IRRA.

The goal of an IRRA is to dig deep into your attack response policies, plans, and procedures so that you can ensure a sound IR capability. This will help avoid costly remediation in the event of a breach by proactively strengthening your defense posture in advance; minimizing the risk of business disruption and damage to your brand; reducing costs through streamlined preparations for IR events; and ensuring compliance with governmental and non-governmental regulations.

Your assessment should have three primary goals:

  1. Assess your organization’s capabilities to detect, respond to, and contain external and internal attacks.
  2. Identify potential gaps in your company’s security controls.
  3. Provide guidance on improving your organization’s ability to identify and stop attackers more efficiently and effectively.

To accomplish these three goals, you should scope your assessment to review your existing event monitoring, threat intelligence, and IR capabilities, focusing on documentation, network security, your incident response team, internal response capabilities, and external response capabilities. From a high level, you should begin by assessing your current capabilities, then identify gaps, and lastly put together a plan for remediation of these gaps.

Generally, it will require anywhere from three to four weeks to fully assess your IR capability and develop a set of comprehensive recommendations. Your assessment process should be divided into two primary workstreams: data gathering and analysis, and then further analysis and report writing. Analysis bridges both data gathering and report writing because you will continuously be analyzing the data from the first moment you begin the assessment until the report is finalized.

Detect And Respond

At its core, the purpose of incident response is to detect and respond to any cybersecurity event. The goal of your assessment is to identify potential gaps in your implementation and provide guidance to stakeholders in filling those gaps so that your organization as a whole is better prepared to successfully address cybersecurity incidents. The scope of your assessment should cover monitoring, staffing, non-personnel resources, previous incidents, and documentation that you have implemented to detect and respond to breaches and/or any other cybersecurity incidents.

As with most assessments, you should have an understanding of your organization’s cyber infrastructure that includes network architecture design, systems and software used, and how and what data is stored and manipulated. While many internal assessors believe that they already know the inner workings of their cyber infrastructure, it is always recommended to take a step back and perform the exercise of obtaining this information through a questionnaire or series of interviews with your personnel as well to identify potential weaknesses you may have overlooked.

When preparing for your assessment, you should leverage guideline resources such as the National Institute of Standards and Technology’s Computer Incident Handling Guide and Carnegie Mellon University’s Handbook for Computer Security Incident Response Teams.

Once your preparations are complete, you can begin the full assessment. Stay tuned for my next post, “Breach Defense Playbook: Incident Response Readiness (Part Two)” for more specifics on how to properly assess your documentation process, network security, incident response team, and internal and external response capabilities, as well as how to implement final stages of conducting a practice exercise and providing an assessment report. 

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15-years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .