Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Partner Perspectives  Connecting marketers to our tech communities.
6/23/2015
12:35 PM
Ryan Vela
Ryan Vela
Partner Perspectives
Connect Directly
Twitter
RSS
50%
50%

Breach Defense Playbook: Incident Response Readiness (Part 1)

Will your incident response plan work when a real-world situation occurs?

Cyberattacks can strike at any time, without warning, and when they do, time is of the essence. Organizations need to be prepared to respond quickly when their defenses are breached. During an attack, it is critical to have a plan in place so that your security team can spring into action, contain the situation, and minimize the damage. In order to create an effective plan, organizations should first perform an incident response readiness assessment, or IRRA.

The goal of an IRRA is to dig deep into your attack response policies, plans, and procedures so that you can ensure a sound IR capability. This will help avoid costly remediation in the event of a breach by proactively strengthening your defense posture in advance; minimizing the risk of business disruption and damage to your brand; reducing costs through streamlined preparations for IR events; and ensuring compliance with governmental and non-governmental regulations.

Your assessment should have three primary goals:

  1. Assess your organization’s capabilities to detect, respond to, and contain external and internal attacks.
  2. Identify potential gaps in your company’s security controls.
  3. Provide guidance on improving your organization’s ability to identify and stop attackers more efficiently and effectively.

To accomplish these three goals, you should scope your assessment to review your existing event monitoring, threat intelligence, and IR capabilities, focusing on documentation, network security, your incident response team, internal response capabilities, and external response capabilities. From a high level, you should begin by assessing your current capabilities, then identify gaps, and lastly put together a plan for remediation of these gaps.

Generally, it will require anywhere from three to four weeks to fully assess your IR capability and develop a set of comprehensive recommendations. Your assessment process should be divided into two primary workstreams: data gathering and analysis, and then further analysis and report writing. Analysis bridges both data gathering and report writing because you will continuously be analyzing the data from the first moment you begin the assessment until the report is finalized.

Detect And Respond

At its core, the purpose of incident response is to detect and respond to any cybersecurity event. The goal of your assessment is to identify potential gaps in your implementation and provide guidance to stakeholders in filling those gaps so that your organization as a whole is better prepared to successfully address cybersecurity incidents. The scope of your assessment should cover monitoring, staffing, non-personnel resources, previous incidents, and documentation that you have implemented to detect and respond to breaches and/or any other cybersecurity incidents.

As with most assessments, you should have an understanding of your organization’s cyber infrastructure that includes network architecture design, systems and software used, and how and what data is stored and manipulated. While many internal assessors believe that they already know the inner workings of their cyber infrastructure, it is always recommended to take a step back and perform the exercise of obtaining this information through a questionnaire or series of interviews with your personnel as well to identify potential weaknesses you may have overlooked.

When preparing for your assessment, you should leverage guideline resources such as the National Institute of Standards and Technology’s Computer Incident Handling Guide and Carnegie Mellon University’s Handbook for Computer Security Incident Response Teams.

Once your preparations are complete, you can begin the full assessment. Stay tuned for my next post, “Breach Defense Playbook: Incident Response Readiness (Part Two)” for more specifics on how to properly assess your documentation process, network security, incident response team, and internal and external response capabilities, as well as how to implement final stages of conducting a practice exercise and providing an assessment report. 

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15-years' experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 10/23/2020
7 Tips for Choosing Security Metrics That Matter
Ericka Chickowski, Contributing Writer,  10/19/2020
Russian Military Officers Unmasked, Indicted for High-Profile Cyberattack Campaigns
Kelly Jackson Higgins, Executive Editor at Dark Reading,  10/19/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-24847
PUBLISHED: 2020-10-23
A Cross-Site Request Forgery (CSRF) vulnerability is identified in FruityWifi through 2.4. Due to a lack of CSRF protection in page_config_adv.php, an unauthenticated attacker can lure the victim to visit his website by social engineering or another attack vector. Due to this issue, an unauthenticat...
CVE-2020-24848
PUBLISHED: 2020-10-23
FruityWifi through 2.4 has an unsafe Sudo configuration [(ALL : ALL) NOPASSWD: ALL]. This allows an attacker to perform a system-level (root) local privilege escalation, allowing an attacker to gain complete persistent access to the local system.
CVE-2020-5990
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in the ShadowPlay component which may lead to local privilege escalation, code execution, denial of service or information disclosure.
CVE-2020-25483
PUBLISHED: 2020-10-23
An arbitrary command execution vulnerability exists in the fopen() function of file writes of UCMS v1.4.8, where an attacker can gain access to the server.
CVE-2020-5977
PUBLISHED: 2020-10-23
NVIDIA GeForce Experience, all versions prior to 3.20.5.70, contains a vulnerability in NVIDIA Web Helper NodeJS Web Server in which an uncontrolled search path is used to load a node module, which may lead to code execution, denial of service, escalation of privileges, and information disclosure.