Partner Perspectives  Connecting marketers to our tech communities.
6/23/2015
12:35 PM
Ryan Vela
Ryan Vela
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Breach Defense Playbook: Incident Response Readiness (Part 1)

Will your incident response plan work when a real-world situation occurs?

Cyberattacks can strike at any time, without warning, and when they do, time is of the essence. Organizations need to be prepared to respond quickly when their defenses are breached. During an attack, it is critical to have a plan in place so that your security team can spring into action, contain the situation, and minimize the damage. In order to create an effective plan, organizations should first perform an incident response readiness assessment, or IRRA.

The goal of an IRRA is to dig deep into your attack response policies, plans, and procedures so that you can ensure a sound IR capability. This will help avoid costly remediation in the event of a breach by proactively strengthening your defense posture in advance; minimizing the risk of business disruption and damage to your brand; reducing costs through streamlined preparations for IR events; and ensuring compliance with governmental and non-governmental regulations.

Your assessment should have three primary goals:

  1. Assess your organization’s capabilities to detect, respond to, and contain external and internal attacks.
  2. Identify potential gaps in your company’s security controls.
  3. Provide guidance on improving your organization’s ability to identify and stop attackers more efficiently and effectively.

To accomplish these three goals, you should scope your assessment to review your existing event monitoring, threat intelligence, and IR capabilities, focusing on documentation, network security, your incident response team, internal response capabilities, and external response capabilities. From a high level, you should begin by assessing your current capabilities, then identify gaps, and lastly put together a plan for remediation of these gaps.

Generally, it will require anywhere from three to four weeks to fully assess your IR capability and develop a set of comprehensive recommendations. Your assessment process should be divided into two primary workstreams: data gathering and analysis, and then further analysis and report writing. Analysis bridges both data gathering and report writing because you will continuously be analyzing the data from the first moment you begin the assessment until the report is finalized.

Detect And Respond

At its core, the purpose of incident response is to detect and respond to any cybersecurity event. The goal of your assessment is to identify potential gaps in your implementation and provide guidance to stakeholders in filling those gaps so that your organization as a whole is better prepared to successfully address cybersecurity incidents. The scope of your assessment should cover monitoring, staffing, non-personnel resources, previous incidents, and documentation that you have implemented to detect and respond to breaches and/or any other cybersecurity incidents.

As with most assessments, you should have an understanding of your organization’s cyber infrastructure that includes network architecture design, systems and software used, and how and what data is stored and manipulated. While many internal assessors believe that they already know the inner workings of their cyber infrastructure, it is always recommended to take a step back and perform the exercise of obtaining this information through a questionnaire or series of interviews with your personnel as well to identify potential weaknesses you may have overlooked.

When preparing for your assessment, you should leverage guideline resources such as the National Institute of Standards and Technology’s Computer Incident Handling Guide and Carnegie Mellon University’s Handbook for Computer Security Incident Response Teams.

Once your preparations are complete, you can begin the full assessment. Stay tuned for my next post, “Breach Defense Playbook: Incident Response Readiness (Part Two)” for more specifics on how to properly assess your documentation process, network security, incident response team, and internal and external response capabilities, as well as how to implement final stages of conducting a practice exercise and providing an assessment report. 

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15-years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
How the US Chooses Which Zero-Day Vulnerabilities to Stockpile
Ricardo Arroyo, Senior Technical Product Manager, Watchguard Technologies,  1/16/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3906
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
CVE-2019-3907
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
CVE-2019-3908
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
CVE-2019-3909
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
CVE-2019-3910
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version 1.6.0.2 contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.