Ryan Vela

Breach Defense Playbook: Incident Response Readiness (Part 2)

Will your incident response plan work when a real-world situation occurs?

As I discussed in my last post, an incident response readiness assessment (IRRA) can be a make-or-break factor in breach response preparedness. In this post, I’ll detail specifically what you should examine during the evaluation, and how to conduct the final stages: training the team and delivering a report so your findings can be put into action.

Documentation Review

Your documentation review should begin with your incident response (IR) plan, security operations plans, escalation plans, security baseline documents, and corporate policies such as:

  • Safeguarding sensitive information, intellectual property (IP), trademarks, copyrights, and trade secrets
  • Privacy of personally identifiable information (PII) and HIPAA information
  • Protection of client, customer, and business partner information

In addition, you should review the regulatory compliance and response strategies written to support audits, compliance, and legal requirements. Lastly, you should perform a gap analysis of your existing security control documentation and its supporting policies and procedures.

Network Security Review

When assessing network security with respect to IR, you should focus on the implementation of your organization’s defense-in-depth strategy, including:

  • Perimeter defense
  • Network segmentation and enclaves
  • Data visibility and security controls
  • Network visibility and security controls
  • Access controls and management
  • Enterprise logging
  • Remote access

In addition, you should look at your security operations center (SOC), focusing on the people, processes, and accessible technologies. At a minimum you should:

  • Identify and evaluate key personnel, processes, technologies, and training/exercises
  • Review tool reporting and alerting to support IR capabilities
  • Evaluate the SOC operations, including daily operations, hours of operation, monitoring, alerting, and reporting
  • Review incident detection, escalation procedures, and mechanisms in place for automation

Incident Response Team Review

Next, review the IR team to determine whether the appropriate stakeholders are included and have access to the IR plans and documentation; whether everyone on the team is fully aware of the team’s structure and goals; and whether proper training and exercises are taking place. At a minimum, your IR team should include stakeholders from IT, public relations, legal, risk management, vendor management, HR, and executive leadership.

The roles and responsibilities of each stakeholder should be established and written in the IR plan, along with escalation procedures that are exercised and further evaluated. The effectiveness of your IR capability is directly related to your team being prepared and trained, and understanding their roles and responsibilities during an incident.

Internal And External Response Capabilities

When reviewing your internal response capabilities, you should begin by ensuring that there is a secure location (physical or digital) to store IR data. Ideally, there needs to be a war room for SOC and IR team personnel to work in a collaborative environment during an incident.

Additionally, your organization needs to have access to IR triage and investigation hardware and software; network, log, and system forensic software and equipment; and malware reverse engineering capabilities. Many organizations do not provide these capabilities in-house, so you can leverage a trusted partner – keeping in mind that it’s important to proactively select them before an incident occurs, not after.

Organizations often place outside firms on retainer for legal, crisis management, regulatory, and insurance assistance. Therefore, when reviewing your internal response capabilities, you must evaluate which areas your organization will address in-house and which are outsourced; the outsourced areas make up your external response capabilities.

For external response capabilities, you should review your organization’s process of vendor management, including documentation and contact information. During an IRRA, you should ensure that the agreements with IR providers are accessible and reviewed, as well as those with outside counsel, crisis management firms, auditors, regulators, law enforcement, information sharing associations, and insurance providers. Lastly, you should review third-party service level agreements (SLAs) that pertain to monitoring, incident response, and forensics support.

Practice Exercises

In addition to assessing your overall readiness, it’s equally important to train your team and practice your IR plan. There are two main approaches you can take. The first is a paper-based tabletop exercise in which team members get together and are presented with a security incident scenario. The team members act out their normal duties and talk through the steps they would take to address and resolve the incident, and then afterward the execution is analyzed and reported back to the team for feedback, guidance, and enhancement.

The second approach involves a live test in which a piece of benign malware is placed on an internal system. The SOC and technologies are then tested for detection, and the IR team is activated and their actions are monitored, including the process of submitting tickets to initiate an incident response, forensic imaging and analysis of a system, analysis of network logs, and preparation of documentation such as reports and internal/external communications.

This approach can be a true comprehensive test of your organization’s IR capabilities, but it is often time-consuming and may require activation of third-party agreements. That being said, the value is generally greater than that of the first approach, since it provides the team with real-life training and provides a deeper level of authenticity to the analysis.
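A live test is only useful if its outcome is measured, so the following is an added example (not from the original post) of scoring an exercise timeline against response-time targets. It parses a constructed event log of the kind a live test produces (implant placed, EDR detection, ticket opened, IR lead paged, host contained) and reports, for each phase, the elapsed minutes from the implant and whether the target from the IR plan or SLA was met. The log lines, host name, ticket number and target values are all constructed for illustration.

```python
"""Score a live IR exercise timeline against response-time targets.

Added example, not part of the original article. The event log, host
name, ticket id and minute targets below are constructed placeholders.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

# Constructed exercise log. Each line: "<ISO timestamp> <PHASE> <free text>".
# IMPLANT marks the moment the benign test binary was placed on the host.
EXERCISE_LOG = """\
2024-03-05T09:00:00 IMPLANT   benign test binary placed on WS-0421 (constructed)
2024-03-05T09:12:30 DETECT    EDR alert: unsigned binary persisted via scheduled task
2024-03-05T09:20:05 TICKET    INC-000123 opened by SOC tier 1
2024-03-05T09:41:00 ESCALATE  IR lead paged; incident bridge opened
2024-03-05T10:35:00 CONTAIN   WS-0421 isolated from network; disk image acquired
2024-03-05T12:10:00 REPORT    preliminary findings sent to legal and PR
"""

# Constructed targets in minutes; in practice these come from the IR plan
# or the SLA with your monitoring / IR provider.
TARGETS = {
    "time_to_detect": 15,    # IMPLANT -> DETECT
    "time_to_ticket": 20,    # IMPLANT -> TICKET
    "time_to_escalate": 60,  # IMPLANT -> ESCALATE
    "time_to_contain": 90,   # IMPLANT -> CONTAIN
}

# Which log phase each metric is measured against.
PHASE_FOR_METRIC = {
    "time_to_detect": "DETECT",
    "time_to_ticket": "TICKET",
    "time_to_escalate": "ESCALATE",
    "time_to_contain": "CONTAIN",
}


@dataclass
class Phase:
    when: datetime
    name: str
    detail: str


def parse_log(text: str) -> list[Phase]:
    """Parse the timestamped exercise log into Phase records (blank lines ignored)."""
    phases = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, name, detail = line.split(None, 2)
        phases.append(Phase(datetime.fromisoformat(ts), name, detail))
    return phases


def first_occurrence(phases: list[Phase], name: str) -> Optional[datetime]:
    """Timestamp of the first event of the given phase, or None if it never happened."""
    for p in phases:
        if p.name == name:
            return p.when
    return None


def score_exercise(text: str, targets: dict = TARGETS) -> dict:
    """Return {metric: {"minutes", "target", "status"}} for every target.

    status is MET, MISSED, or MISSING (the phase never occurred during the
    exercise, which is itself a finding for the report).
    """
    phases = parse_log(text)
    t0 = first_occurrence(phases, "IMPLANT")
    if t0 is None:
        raise ValueError("exercise log has no IMPLANT event to measure from")

    results = {}
    for metric, target in targets.items():
        reached = first_occurrence(phases, PHASE_FOR_METRIC[metric])
        if reached is None:
            results[metric] = {"minutes": None, "target": target, "status": "MISSING"}
            continue
        elapsed = round((reached - t0).total_seconds() / 60, 1)
        status = "MET" if elapsed <= target else "MISSED"
        results[metric] = {"minutes": elapsed, "target": target, "status": status}
    return results


def format_summary(results: dict) -> str:
    """Plain-English one-line-per-metric summary suitable for the assessment report."""
    lines = []
    for metric, r in results.items():
        label = metric.replace("_", " ")
        if r["minutes"] is None:
            lines.append(f"{label}: never reached (target {r['target']} min) - MISSING")
        else:
            lines.append(f"{label}: {r['minutes']} min (target {r['target']} min) - {r['status']}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_summary(score_exercise(EXERCISE_LOG)))
```

Running it against the constructed log shows detection and escalation inside their targets while ticketing and containment miss theirs, which is exactly the kind of quantified gap the roadmap in the assessment report can track across repeated exercises.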

Assessment Report

At the end of your IRRA, your final report should include what mitigation activity you recommend, as well as a roadmap that includes short-, mid-, and long-term IR capability enhancements with defined milestones to gauge progress. The enhancements must be actionable and quantifiable with measurable outcomes.

Keep in mind that it’s important to present your findings in plain English for non-technical readers. Your recommendations will likely require buy-in from above, so present the justification for implementing each one and the measured risk of not acting, so your leaders have all the information they need to make an informed decision.

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15 years’ experience in conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ...