Partner Perspectives  Connecting marketers to our tech communities.
6/23/2015
12:35 PM
Ryan Vela
Ryan Vela
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Breach Defense Playbook: Incident Response Readiness (Part 1)

Will your incident response plan work when a real-world situation occurs?

Cyberattacks can strike at any time, without warning, and when they do, time is of the essence. Organizations need to be prepared to respond quickly when their defenses are breached. During an attack, it is critical to have a plan in place so that your security team can spring into action, contain the situation, and minimize the damage. In order to create an effective plan, organizations should first perform an incident response readiness assessment, or IRRA.

The goal of an IRRA is to dig deep into your attack response policies, plans, and procedures so that you can ensure a sound IR capability. This will help avoid costly remediation in the event of a breach by proactively strengthening your defense posture in advance; minimizing the risk of business disruption and damage to your brand; reducing costs through streamlined preparations for IR events; and ensuring compliance with governmental and non-governmental regulations.

Your assessment should have three primary goals:

  1. Assess your organization’s capabilities to detect, respond to, and contain external and internal attacks.
  2. Identify potential gaps in your company’s security controls.
  3. Provide guidance on improving your organization’s ability to identify and stop attackers more efficiently and effectively.

To accomplish these three goals, you should scope your assessment to review your existing event monitoring, threat intelligence, and IR capabilities, focusing on documentation, network security, your incident response team, internal response capabilities, and external response capabilities. From a high level, you should begin by assessing your current capabilities, then identify gaps, and lastly put together a plan for remediation of these gaps.

Generally, it will require anywhere from three to four weeks to fully assess your IR capability and develop a set of comprehensive recommendations. Your assessment process should be divided into two primary workstreams: data gathering and analysis, and then further analysis and report writing. Analysis bridges both data gathering and report writing because you will continuously be analyzing the data from the first moment you begin the assessment until the report is finalized.

Detect And Respond

At its core, the purpose of incident response is to detect and respond to any cybersecurity event. The goal of your assessment is to identify potential gaps in your implementation and provide guidance to stakeholders in filling those gaps so that your organization as a whole is better prepared to successfully address cybersecurity incidents. The scope of your assessment should cover monitoring, staffing, non-personnel resources, previous incidents, and documentation that you have implemented to detect and respond to breaches and/or any other cybersecurity incidents.

As with most assessments, you should have an understanding of your organization’s cyber infrastructure that includes network architecture design, systems and software used, and how and what data is stored and manipulated. While many internal assessors believe that they already know the inner workings of their cyber infrastructure, it is always recommended to take a step back and perform the exercise of obtaining this information through a questionnaire or series of interviews with your personnel as well to identify potential weaknesses you may have overlooked.

When preparing for your assessment, you should leverage guideline resources such as the National Institute of Standards and Technology’s Computer Incident Handling Guide and Carnegie Mellon University’s Handbook for Computer Security Incident Response Teams.

Once your preparations are complete, you can begin the full assessment. Stay tuned for my next post, “Breach Defense Playbook: Incident Response Readiness (Part Two)” for more specifics on how to properly assess your documentation process, network security, incident response team, and internal and external response capabilities, as well as how to implement final stages of conducting a practice exercise and providing an assessment report. 

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15-years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
New Cold Boot Attack Gives Hackers the Keys to PCs, Macs
Kelly Sheridan, Staff Editor, Dark Reading,  9/13/2018
Yahoo Class-Action Suits Set for Settlement
Dark Reading Staff 9/17/2018
RDP Ports Prove Hot Commodities on the Dark Web
Kelly Sheridan, Staff Editor, Dark Reading,  9/17/2018
Register for Dark Reading Newsletters
Partner Perspectives
What's This?
Fidelis Cybersecurity provides organizations with a robust, comprehensive portfolio of products, services, and expertise to combat today's sophisticated advanced threats and prevent data breaches. Our commercial enterprise and government customers around the globe can face advanced threats with confidence through use of our Network Defense and Forensics Services – delivered by an elite team of security professionals with decades of hands-on experience – and our award-winning Fidelis XPS™ Advanced Threat Defense Products, which provide visibility and control over the entire threat life cycle.
Featured Writers
White Papers
Video
Cartoon Contest
Current Issue
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-17182
PUBLISHED: 2018-09-19
An issue was discovered in the Linux kernel through 4.18.8. The vmacache_flush_all function in mm/vmacache.c mishandles sequence number overflows. An attacker can trigger a use-after-free (and possibly gain privileges) via certain thread creation, map, unmap, invalidation, and dereference operations...
CVE-2018-17144
PUBLISHED: 2018-09-19
Bitcoin Core 0.14.x before 0.14.3, 0.15.x before 0.15.2, and 0.16.x before 0.16.3 and Bitcoin Knots 0.14.x through 0.16.x before 0.16.3 allow a remote denial of service (application crash) exploitable by miners via duplicate input. An attacker can make bitcoind or Bitcoin-Qt crash.
CVE-2017-3912
PUBLISHED: 2018-09-18
Bypassing password security vulnerability in McAfee Application and Change Control (MACC) 7.0.1 and 6.2.0 allows authenticated users to perform arbitrary command execution via a command-line utility.
CVE-2018-6690
PUBLISHED: 2018-09-18
Accessing, modifying, or executing executable files vulnerability in Microsoft Windows client in McAfee Application and Change Control (MACC) 8.0.0 Hotfix 4 and earlier allows authenticated users to execute arbitrary code via file transfer from external system.
CVE-2018-6693
PUBLISHED: 2018-09-18
An unprivileged user can delete arbitrary files on a Linux system running ENSLTP 10.5.1, 10.5.0, and 10.2.3 Hotfix 1246778 and earlier. By exploiting a time of check to time of use (TOCTOU) race condition during a specific scanning sequence, the unprivileged user is able to perform a privilege escal...