Seven Steps to Simplify and Improve Your Incident Response
By Carolyn Crandall, CMO
Organizations continue to state that deploying effective and efficient incident response remains one of their top ongoing challenges. Unfortunately, there isn’t an easy solution since the goal line continues to move back, while the “game” gets increasingly more complex. CSIRTs battle with a combination of more malicious activity data to sift through; limited time, manpower and expertise resources; and of course, the more severe consequences of today’s data breaches. Here are seven key steps that can help simplify and improve the process of detection, incident handling and response.
1. Gain a Complete Picture
The most effective approach to stopping an attack is to prevent it from occurring in the first place. Leverage tools that provide the visibility into likely attack paths and help assess vulnerabilities that provide the open doors for attackers. Being able to understand where exposed credentials, one of the most popular forms of attack, are and also the misconfigurations will remove the onramps and make it harder for an attacker to escalate their privileges. The second recommendation is to understand the changes in your network, what assets are coming on and off the network and have insight into how these changes present additional risk and opportunity for an attacker. There are so many ways for a modern-day attacker to enter the network, that it is now a top priority to detect them quickly and understand how easy or hard it will be for them to get access to their target.
2. Detect Early and Lay Traps
Incorporating deception capabilities into incident response is a powerful addition to the suite of solutions available to CSIRTs. Deception adds the visibility and by way of lures and traps, efficient detection of in-network threats. The solution will also not only add early detection, but will also enhance the value of current security infrastructure. Hand-in-hand, deception platforms, prevention, and SIEM systems can work together for efficient continuous threat management to build a stronger defense against today’s sophisticated attacker. The use of deception is accelerating with analysts recommending it and enterprise survey respondents indicating that it is being investigated and actively being deployed in production, in 2017.
One of the reasons for growing adoption, is the ability these new solutions accelerate incident response by not only providing early attack detection, but also by automatically taking disparate attack information, correlating and displaying it on one dashboard. In addition to being able to visualize the attack information, CSIRTs can also easily complete the actions to block and quarantine the attack through 3rd party integrations. Automatic response actions can also be set up for high severity alerts, giving the team time to understand and better address the incident. Playbooks can also be created for repeatable processes and simplifying future incident responses. Distributed deception platforms can integrate with third party prevention systems, such as firewalls, SIEMs, NAC, and end-point (EDR) to automatically block and quarantine attacks. This expedites response actions, prevents the attack from continuing to spread through the network, and can empower threat hunting for forensic artifacts in other parts of the network to confirm they have eradicated the attack.
3. Adapt to the Threat Environment
The threat environment is constantly changing, and as such, solutions need to adapt accordingly. Technology that leverages machine learning can be used to determine attack patterns or in the case of deception, to learn and spin up decoy traps based upon suspicious activity. Being able to open communications with Command and Control Centers (C2C) in order to understand the attacker’s lateral movement and any polymorphic activity can also give insight into an attacker’s tools and methods. This can be leveraged to better respond to an attack and strengthen prevention systems against future attacks. Attack time-lapsed replay shown in a topographical map, can help visualize attacker movement, show attack lateral movement, and paths taken throughout the attack. Detection is critical and when combined with in-depth analysis and insight into attacker behavior, can not only stop and attack but also strengthen overall defenses.
4. Multi-Source Insight
The best incident response solutions will be able to ingest information from all devices and attack data sources, and correlate attack data, logs, endpoint memory forensics, and the use of deception credentials gained by tracking failed log-ins to create a more complete picture of the attack. A more comprehensive view of the attack can ultimately reduce false positives and investigation time, simplifying and accelerating your overall response.
5. Automate for Efficiency
Look for new ways to automate as much of you IR solution as you can; attackers certainly are using automation to their advantage. Using automations for sharing and correlating attack information will remove manual steps so that more time can be dedicated to remediating the incident or other tasks. Think about the hours alone that can be saved in analyzing phishing emails or a polymorphic attack. Solution integrations that automate blocking and isolation of an attack can also save on resources and provide time-to-respond benefits. These integrations will also extend the value of existing infrastructure with automated feedback loops that teach these systems to be smarter through the sharing of attack information and signatures.
6. Collaborate Continuously
Creating a single source for the security team to review correlated attack information and to collaborate on incident response allows teams to see real threats and activity patterns that they might have missed or ignored based on a partial view of threat activity. In addition, it creates a consolidated environment for information security teams to post-incident response activities and comments, allowing for effortless coordination and sharing of data across the organization without losing valuable historical data.
7. Accelerate the Fix
Swift and effective remediation, means not only the quarantine of an infected system but instant transfer to the IT Help Desk. Integration with of information with applications such as ServiceNow or Jira to automatically generate trouble tickets will accelerate remediation significantly. Providing the IT Help Desk information on exactly what the team needs to promptly remediate an infected system or unit will drive faster resolution and, in many cases, the proof needed to take critical systems off-line for repair.
If you are continuously looking for ways to improve you IR capabilities, you will find ways to stay ahead of the game. That sounds obvious, but finding the time to stay on top of the new solutions that can fill your gaps and make your current solutions more effective is not only worth it; it’s likely an imperative if you wish to great ahead of the modern-day attacker.