Ryan Vela
Breach Defense Playbook: Incident Response Readiness (Part 2)

Will your incident response plan work when a real-world situation occurs?

As I discussed in my last post, having an incident response readiness assessment (IRRA) can be a make-it-or-break-it factor when it comes to breach response preparedness. In this post, I’ll detail what specifically you should be looking at during the evaluation, as well as how to conduct the final stages of training the team and providing a report so your findings can be put into action.

Documentation Review

Your documentation review should begin with your incident response (IR) plan, security operations plans, escalation plans, security baseline documents, and corporate policies such as:

  • Safeguarding sensitive information, intellectual property (IP), trademarks, copyrights, and trade secrets
  • Privacy of personally identifiable information (PII) and health information covered by HIPAA
  • Protection of client, customer, and business partner information

In addition, you should review regulatory compliance and response strategies that are written to support audits, compliance, and legal requirements. Lastly, you should perform a gap analysis of your existing security control documentation and supporting policies and procedures.

Network Security Review

When assessing network security with respect to IR, you should focus on the implementation of your organization’s defense-in-depth strategy, including:

  • Perimeter defense
  • Network segmentation and enclaves
  • Data visibility and security controls
  • Network visibility and security controls
  • Access controls and management
  • Enterprise logging
  • Remote access

In addition, you should look at your security operations center (SOC), focusing on the people, processes, and accessible technologies. At a minimum you should:

  • Identify and evaluate key personnel, processes, technologies, and training/exercises
  • Review tool reporting and alerting to support IR capabilities
  • Evaluate the SOC operations, including daily operations, hours of operation, monitoring, alerting, and reporting
  • Review incident detection, escalation procedures, and mechanisms in place for automation

Incident Response Team Review

Next, review the IR team to determine whether the appropriate stakeholders are included and have access to the IR plans and documentation, whether everyone on the team fully understands the team structure and its goals, and whether proper training and exercises are taking place. At a minimum, your IR team should include stakeholders from IT, public relations, legal, risk management, vendor management, HR, and executive leadership.

The roles and responsibilities of each stakeholder should be established and written in the IR plan, along with escalation procedures that are exercised and further evaluated. The effectiveness of your IR capability is directly related to your team being prepared and trained, and understanding their roles and responsibilities during an incident.

Internal And External Response Capabilities

When reviewing your internal response capabilities, you should begin by ensuring that there is a secure location (physical or digital) to store IR data. Ideally, there needs to be a war room for SOC and IR team personnel to work in a collaborative environment during an incident.

Additionally, your organization needs to have access to IR triage and investigation hardware and software; network, log, and system forensic software and equipment; and malware reverse engineering capabilities. Many organizations do not provide these capabilities in-house, so you can leverage a trusted partner – keeping in mind that it’s important to proactively select them before an incident occurs, not after.

Organizations also often place outside firms on retainer for legal, crisis management, regulatory, and insurance assistance. Therefore, when reviewing your internal response capabilities, you must determine which areas your organization will address in-house and which are outsourced; the outsourced areas are your external response capabilities.

For external response capabilities, you should review your organization’s process of vendor management, including documentation and contact information. During an IRRA, you should ensure that the agreements with IR providers are accessible and reviewed, as well as those with outside counsel, crisis management firms, auditors, regulators, law enforcement, information sharing associations, and insurance providers. Lastly, you should review third-party service level agreements (SLAs) that pertain to monitoring, incident response, and forensics support.

Practice Exercises

In addition to assessing your overall readiness, it’s equally important to train your team and practice your IR plan. There are two main approaches you can take. The first is a paper-based tabletop exercise in which team members get together and are presented with a security incident scenario. The team members act out their normal duties and talk through the steps they would take to address and resolve the incident, and then afterward the execution is analyzed and reported back to the team for feedback, guidance, and enhancement.

The second approach involves a live test in which a piece of benign malware is placed on an internal system. The SOC and technologies are then tested for detection, and the IR team is activated and their actions are monitored, including the process of submitting tickets to initiate an incident response, forensic imaging and analysis of a system, analysis of network logs, and preparation of documentation such as reports and internal/external communications.

This approach can be a true comprehensive test of your organization’s IR capabilities, but it is often time-consuming and may require activation of third-party agreements. That being said, the value is generally greater than that of the first approach, since it provides the team with real-life training and provides a deeper level of authenticity to the analysis.
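The live test described above only becomes a measurable readiness result if the timeline is recorded and scored: when the benign artifact was placed, when the SOC tooling raised an alert, when the ticket was opened, when the host was imaged, and when the communications were drafted. The following script is an added example, not code from the article or from Fidelis Cybersecurity. It assumes a constructed exercise log in a simple tab-separated format and assumed per-stage SLA thresholds (the `SLA_MINUTES` values are illustrative, not figures from the article); it computes the latency of each stage, flags stages that exceeded their threshold, and reports stages the team never reached, which is exactly the kind of quantifiable outcome the assessment report needs.

```python
"""Score a live IR readiness exercise from its recorded event timeline.

Added example, not from the original article. The stage names, the SLA
thresholds and the sample log below are constructed for illustration.
"""
from datetime import datetime, timezone

# Stages of the live test, in the order the exercise is expected to progress.
STAGES = [
    "artifact_placed",   # benign test artifact dropped on an internal host
    "alert_raised",      # SOC tooling detects the artifact
    "ticket_opened",     # IR process formally initiated via ticket
    "image_acquired",    # forensic image of the affected host captured
    "report_drafted",    # internal/external communications prepared
]

# Assumed maximum allowed minutes from the previous stage to this one.
# These are illustrative thresholds, not values from the article.
SLA_MINUTES = {
    "alert_raised": 30,
    "ticket_opened": 15,
    "image_acquired": 240,
    "report_drafted": 480,
}

# Constructed exercise log: "<UTC timestamp>\t<stage>\t<source>" per line.
# The final stage is deliberately absent to show how a gap is reported.
SAMPLE_LOG = (
    "2020-10-20T09:00:00Z\tartifact_placed\texercise-controller\n"
    "2020-10-20T09:42:10Z\talert_raised\tedr\n"
    "2020-10-20T09:50:00Z\tticket_opened\tticketing\n"
    "2020-10-20T12:15:00Z\timage_acquired\tforensics-team\n"
)


def parse_timeline(text):
    """Return {stage: datetime} holding the earliest timestamp seen per stage."""
    events = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, stage, _source = line.split("\t")
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        if stage not in events or when < events[stage]:
            events[stage] = when
    return events


def score_exercise(events, sla=SLA_MINUTES):
    """Compute per-stage latency in minutes and collect findings.

    Returns (latencies, findings). A finding is produced for a stage that was
    never reached, one recorded before its predecessor, or one exceeding its SLA.
    """
    latencies = {}
    findings = []
    previous = events.get(STAGES[0])
    if previous is None:
        return {}, ["artifact_placed: missing, exercise start time unknown"]
    for stage in STAGES[1:]:
        if stage not in events:
            findings.append(f"{stage}: never reached")
            continue  # keep measuring later stages from the last reached one
        minutes = (events[stage] - previous).total_seconds() / 60
        latencies[stage] = round(minutes, 1)
        if minutes < 0:
            findings.append(f"{stage}: recorded before the preceding stage (check clocks/ordering)")
        elif minutes > sla[stage]:
            findings.append(f"{stage}: {minutes:.0f} min exceeds SLA of {sla[stage]} min")
        previous = events[stage]
    return latencies, findings


if __name__ == "__main__":
    latencies, findings = score_exercise(parse_timeline(SAMPLE_LOG))
    for stage, minutes in latencies.items():
        print(f"{stage:16s} {minutes:8.1f} min")
    for finding in findings:
        print("FINDING:", finding)
```

Run against the constructed log, the script reports that detection took about 42 minutes against a 30-minute threshold and that no report was ever drafted, while ticketing and imaging fell within their thresholds. Feeding it the real timestamps from your ticketing system, EDR console and forensic case notes turns a tabletop impression into the milestone-based metrics the assessment report calls for.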

Assessment Report

At the end of your IRRA, your final report should include what mitigation activity you recommend, as well as a roadmap that includes short-, mid-, and long-term IR capability enhancements with defined milestones to gauge progress. The enhancements must be actionable and quantifiable with measurable outcomes.

Keep in mind that it’s important to present your findings in plain English for non-technical readers. Your recommendations will likely require buy-in from above, so present the justification for implementing them alongside the measured risks of not taking action, so that your leaders have all the information they need to make an informed decision.

Ryan Vela is a Regional Director for Fidelis Cybersecurity. He has 15 years' experience conducting investigations and digital forensic analysis. Ryan served as a Strategic Planner at the Defense Computer Forensics Laboratory (DCFL), where he established plans for the ...