A Weekend in Incident Response #32: SOP – Standard Operating Procedures as Big Piece of the Cyber Incident Response Puzzle

Preparing for cybersecurity incidents and responding to them can be a significant burden for any organization. On a daily basis, most security teams will commonly deal with numerous cybersecurity events, many of which will trigger some number of resource-taxing and time-consuming tasks such as gathering and vetting information, analyzing data, and generating incident reports.

It is for this reason that every tool, every solution, and every procedure that can help ease that burden is often more than welcome. Implementing Standard Operating Procedures (SOP) is one of the essential steps towards ensuring a more streamlined and effective incident response process, one that allows security professionals to focus on the more substantial and high-value activities, such as in-depth investigations and implementing improvements in the overall incident response program.

Coordinating Incident Response

Standard operating procedures are aimed at helping CSIRTs to follow the most effective possible workflow when dealing with cyber security events. A typical SOP should contain a list of specific actions that that security professionals need to take whenever their organization faces a particular cyber incident. It ensures that all employees within an organization know their responsibility and what activities they need to take in the event of a cyber attack. For instance, an SOP might note at what point in the incident the CSIRT member is responsible for reporting data breaches to the Information Security Officer and where to submit incident reports in the aftermath of a breach. Further, the SOP might also state how to assign an incident severity level and where to distribute a list of recommendations or specific instructions on how to address a particular threat.

Another important aspect of a SOP is that it should ensure that all workflows and actions taken during incident response are in compliance with regulations that the organization is required by law to adhere to.

Orchestrate and Automate the Process

In order to be worthwhile and effective, cyber security teams and resources from an organization must adhere to SOPs and realize benefits from doing so. Some of the actions recommended or required by a SOP in a given situation may take up a large portion of the time and effort of a security team, so adopting a solution that can orchestrate and automate some of those tasks can go a long way towards realizing those benefits by saving time and cutting costs.

Security automation and orchestration platforms can programmatically handle some of those time-consuming manual tasks, such as generating and sending reports, thereby help drastically reduce reaction times. They can also help quickly determine the severity of an incident and the impact it has on an organization, freeing security resources to focus on the containment, eradication and recovery activities the sop standard operation procedure requires.

In summation, security automation and orchestration platforms are a crucial tool for ensuring a proper implementation of standard operating procedures as a key piece of the cyber incident response puzzle.

The Power of New-Age Playbooks in Incident Response

I have often talked about the benefits of employing flexible playbooks to deal with evolving cyber incidents and unique threat scenarios, and in these series of blogs, I am going to explore some of the points of emphasis when creating a new playbook.

The advantage to Security Orchestration, Automation and Response (SOAR) platforms, and in particular our IncMan platform, is the ability it provides to tailor playbooks or runbooks to deal with all manner of cyber incidents. These Playbooks are defined by three key factors:

1.Phases: Determine the number of phases for the response process based on the incident scenario. The phases are really a placeholder for what you are trying to achieve in your response.

2.Automation: How much automation will benefit the given scenario without hindering or otherwise adversely impacting your business.

3.Actions: What actions apply to each phase and what is the benefit to each action.

Wash, Rinse, Re-playbook.

Play books, or runbooks, should never be static and hard-coded for a fixed set of events. Ultimately, incidents will differ and you should always remain in control, ready to adapt and adjust the response workflow. This flexibility is vital should a Plan B need to be executed. The approach of IncMan to security playbooks & runbooks support both mature and emerging SOC teams by providing multi-flow advanced runbooks to the former, and for the less mature, a simplified playbook containing a dual mode where automation and manual actions can co-exist.

In talking with CSIRT/SOC managers, I have learned that they have typically aligned themselves with a particular standard. Most organizations follow the likes of ISO for Incident Response, NIST
800-62 or alternatives along the lines of CREST or NISA. Structured incident handling processes based on these standards are a great baseline, but how about also having actions and reactions pre-prepared and ready to respond immediately according to the threat you face? Can you see the instant advantage in having smaller, simpler playbooks and runbooks specific to an adversary or threat scenario?

Dealing with incidents with tailored playbooks will ultimately provide better threat coverage as each has enrichment and containment actions that are concentrated on the tasks specific to a given scenario. Additionally, allowing your SOAR product to tie the dots to bring enrichment to the observables and the indicators encountered in incidents will bring measurable value to the increased speed of the incident response process. Allowing analysts dynamic interaction at all phases of the workflow will help also help your reactions become more efficient. This mix of structured playbooks and dynamic response capability can also help push the CSIRT teams into a more pro-active mindset, allowing system and network-level security policy and infrastructure configuration changes to be handled on the fly while leveraging current and accurate information, and all from a single response console.

Visual Event Correlation Is Critical in Cyber Incident Associational Analysis

I can remember sometime around late 2001 or early 2002, GREPing Snort logs for that needle in a haystack until I thought I was going to go blind. I further recall around the same time cheering the release of the Analysis Console for Intrusion Databases (ACID) tool which helped to organize the information into something that I could start using to correlate events by way of analysis of traffic patterns.

Skip ahead and the issues we faced while correlating data subtly changed from a one-off analysis to a lack of standardization for the alert formats that were available in the EDR marketplace. Each vendor was producing significant amounts of what was arguably critical information, but unfortunately all in their own proprietary format. This rendered log analysis and information tools constantly behind the 8-ball when trying to ingest all of these critical pieces of disparate event information.

We have since evolved to the point that log file information sharing can be easily facilitated through a number of industry standards, i.e., RFC 6872. Unfortunately, with the advent of the Internet of Things (IoT), we have also created new challenges that must be addressed in order to make the most effective use of data during event correlation. Specifically, how do we quickly correlate and review:

a. Large amounts of data;

b. Data delivered from a number of different resources (IoT);

c. Data which may be trickling in over an extended period of time and,

d. Data segments that, when evaluated separately, will not give insight into the “Big Picture”

How can we now ingest these large amounts of data from disparate devices and rapidly draw conclusions that allow us to make educated decisions during the incident response life cycle? I can envision success coming through the intersection of 4 coordinated activities, all facilitated through event automation:

1. Event filtering – This consists of discarding events that are deemed to be irrelevant by the event correlator. This is also important when we seek to avoid alarm fatigue due to a proliferation of nuisance alarms.

2. Event aggregation – This is a technique where a collection of many similar events (not necessarily identical) are combined into an aggregate that represents the underlying event data.

3. Event Masking – This consists of ignoring events pertaining to systems that are downstream of a failed system.

4. Root cause analysis – This is the last and quite possibly the most complex step of event correlation. Through root cause analysis, we can visualize data juxtapositions to identify similarities or matches between events to detect, determine whether some events can be explained by others, or identify causational factors between security events.

The results of these 4 event activities will promote the identification and correlation of similar cyber security incidents, events and epidemiologies.

According to psychology experts, up to 90% of information is transmitted to the human brain visually. Taking that into consideration, when we are seeking to construct an associational link between large amounts of data we, therefore, must be able to process the information utilizing a visual model. DFLabs IncMan™ provides a feature rich correlation engine that is able to extrapolate information from cyber incidents in order to present the analyst with a contextualized representation of current and historical cyber incident data.

As we can see from the correlation graph above, IncMan has helped simplify and speed up a comprehensive response to identifying the original infection point of entry into the network and then visual representing the network nodes that were subsequently affected, denoted by their associational links.

The ability to ingest large amounts of data and conduct associational link analysis and correlation, while critical, does not have to be overly complicated, provided of course that you have the right tools. If you’re interested in seeing additional capabilities available to simplify your cyber incident response processes, please contact us for a demo at [email protected]

Improving the Alignment between Cyber Security and IT Service Management Processes

I frequently marvel at the solutions our customers implement in order to walk the fine line where security operations and IT governance converge. The capability to simultaneously engage the needs of IT service management and cyber security requirements frequently requires a creative approach to effectively align business objectives, priorities and a variety of risk postures. One common denominator I have observed is that the most effective cyber security plans address these 4 points of effective security and IT management policy:

1. Create the right policy
This involves a collaborative approach that leverages the stakeholders from not only the IT and Security Operations groups but Legal, HR and Operations as well to ensure that their needs are also being addressed. Policies are only as good as our ability to monitor and enforce. A policy that detrimentally affects the ability of any one organization to perform their duties will quickly be discarded, opening the door to a domino effect of security issues. Additionally, this collaboration should address organizational dynamics including core services, internal customers and, when applicable, external or business partners that may require access.

2. Perform a risk assessment and analysis
Industry requirements aside, performing a cyber security risk assessment and analysis is critical to building processes that address our most vulnerable systems and processes. We can subsequently formulate a corrective action plan that addresses not only current needs but anticipates future requirements. As part of a greater Business Continuity Planning program, a risk assessment provides the insight to avoid security and governance concerns before they truly become “issues”. An example of this is the development of your Disaster Recovery Plan. Determining the critical systems and the need for warm and cold site requirements as the result of a detailed risk analysis will save your teams hours of work when trying to rebuild critical system data.

3. Define appropriate procedures
If actionable processes and procedures are the lifeblood of effective security operations and governance alignment, then a platform to ensure that these policies are available to the appropriate stakeholders in the form of actions that are vetted, repeatable and defensible should be considered the heart. Security orchestration and automation products, while typically focusing on security operations, can provide this needed heart to IT governance requirements as well. DFLabs IncMan™ provides our customers with over 100 Playbooks that outline the appropriate procedures for a broad range of incidents, delivered in a format that can be easily followed or edited as requirements change and evolve. This gives the user maximum flexibility to ensure the needs of all stakeholders are addressed consistently and with minimum delay during incident response activities when the time is often of the essence.

4. Focus on staffing
Staffing is a common issue on several fronts. Locating and retaining experienced staff is only part of the problem. Facilitating a knowledge transfer between experienced and inexperienced staff is also problematic and frequently results is a small group of individuals that handle the majority of the demanding cases. The good news is that more evolved organizations have recognized the value of utilizing the previously mentioned Playbooks. IncMan Playbooks provide a roadmap designed by the experienced staff members to guide the inexperienced members during the response process. This effectively provides these organizations with a force multiplier by not only reducing incident dwell time but providing the necessary knowledge transfer as well.

If you want more information about how DFLabs IncMan can help align your security and IT service management processes please contact us [email protected] for a no obligation demonstration.

A Weekend in Incident Response #31: How Can You Help Your Cybersecurity Team Handle Increasing Volume of Cyber Attacks?

In the context of cyber security, two of the most pressing concerns facing many organizations are the ever-rising number of cyber attacks and figuring out how to keep them at bay without having to increase manpower. The recent Cyber attacks are now more sophisticated and noticeably more common than they were even just a few years ago. Faced with this increased volume, private entities and government agencies are struggling to figure out how to help their security teams respond to cyber events in an effective and timely manner, while finding that most potential solutions require either substantial financial expense, or rely on the addition of specialized human resources.

Hiring skilled staff is a real challenge for most organizations amid an acute and global cyber security skills shortage. Unmet demand has led professionals in this field to command disproportionately high salaries and made it that much more difficult for businesses and governments to attract cyber security talent. Consequently, organizations are now also forced to seek out technical solutions that might actually help decrease their reliance on specialized and expensive human resources. This is where cyber security incident response platforms come in as arguably the most convenient, practical and cost-effective solution to the growing cyber security threat issue and specialized resource shortage.

Ease the Strain on Security Teams by Automating Time Consuming Incident Response Tasks

security automation and orchestration platform is the economical solution to enable an organization to respond to cyber threats and eradicate them in the most effective and fastest way possible. It is also the best way to ease the strain on security teams which, in many organizations, are already overwhelmed with an uninterrupted incident response workload.

Analyzing and assessing the legitimacy, impact and scope of a cyber incident are some of the most time-consuming tasks undertaken by cyber security professionals today. It is exactly within those tasks that an orchestration and automation platform can be of most service. From an incident identification and analysis perspective, these platforms are force multipliers which greatly accelerate the incident triage process. They provide an organization with the ability to analyze the cause and effect of each incident and to assess the scope and impact to an organization from any number of incidents at any given time. From a response perspective, and beyond their ability to automate response activity on existing security infrastructure, they can generate automated incident reports for distribution to in-house security teams, providing response and recovery resources with key insights into the scope and severity of an incident, thereby often dramatically reducing reaction times.

In short, the dual challenge of addressing a growing number of cyber attacks while maintaining an ability to mount an effective response within an existing cyber security team, is best tackled by employing an automation and orchestration platform. Deploying this tool as a force multiplier for both existing security infrastructure and human resources, allows security teams to offload the most intensive tasks and frees these professionals to focus on the more high-value areas of a cyber security threat response.

Team Approach to Cyber Security Incident Response

One of my favorite sports, American football, uses a term which has always fascinated me. This term is ‘situational football’ and its whole concept is to react according to the scenario in which you find yourself. American football clubs split their squads into essentially three teams.

Attack, which is the offensive team and the guys that typically score points.
Defense, which is the opposite team tasked with stopping the attacking team from scoring points.
Special teams, which is an often overlooked team. This team can be part of the defense or offense and is typically used for every other play that is not defined as an offensive or defensive setting.
Now, you may be wondering why I am talking about sports in a cyber security blog?!

Well, I always like to relate cyber security industry to other industries and to try to think outside of the box when discussing some of our approaches. That said, I’m going to make a beeline for this idea and start relating this to our thinking:

Attack, or Red teams, can have a positive impact on your response strategy. Relating your response plans and playbooks directly to common attack methods is advisable and should be used in conjunction with the relevant compliance standards. The actions taken in response to specific attack vectors will usually have a higher success rate than a generic catch-all cyber incident response plans. I would take a lot more comfort knowing I have playbooks designed for a specific threat vector than I would be hoping that one of my generic playbooks would cover it.

Defense, or Blue Teams, are already a big part of response plans, and ongoing refinement of these plans should coincide with every incident lessons learned. A successful response should still have lessons to consider!
Special Teams are a mix of Red and Blue, of offense and defense. They are best positioned to engage in ‘situational football’ and to enable you to define your approach with more than one mindset, even, in some cases, conflicting mindsets. Using this combined approach will ensure an attackers methodology when searching for enrichment information during incident identification, and the pragmatism of a defender during containment and eradication activities. Having a defined response to each phase of IR is important, but engaging special teams and having the ability to refactor your playbooks on the fly is a key capability when orchestrating an effective cyber security incident response to a dynamic incident.

Unique situations can present themselves at every moment of the game. Our playbook features allow you to make your defense attack-minded by feeding in all the information gathered from your playbooks and allowing you to not be restricted by baseline actions alone. We want your defense to run actions at every point and to allow you to call an audible in any situation that presents itself. The freedom to apply this mindset will drive your incident response teams above and beyond what they see in front of them.

At DFLabs, we not only create playbooks specific to compliance standards and cyber security incident response standards, we also enable you to create and to actively amend your own custom playbooks. Our flexibility ensures that your playbooks can be built on the experience of your Red and Blue teams, in line with adversarial thinking specific to your organization or industry, and to the satisfaction of your corporate, industry and regulatory policies.
Contact us to find out more at [email protected]

Feed the Compliance Measures, Do Not Be Eaten by Them

At DFLabs, we typically find our financial clients saddled by regulations which, although important, add layers of complexity to the already complicated process of incident response. We want our clients to be able to feed the compliance measures, not be eaten by them, and we support this end by providing a simple, clear and easy to use playbook editing functionality within the IncMan automation and orchestration platform.

I often point out how IncMan adaptable playbooks are of benefit to companies when determining incident response steps in consideration of regulation. IncMan offers a number of measures to enforce regulatory policy on playbook actions.

Let us take a look at some quick examples:

Authorization levels: Effective use of the authorization chain means that personnel are engaged only for the tasks for which they have clearance.
Timed response: Playbook action enforce the urgency when dealing with a particular notification, action or identification, i.e. 72 hours to alert a particular authority about a breach.
Mandatory tasks: Prescribed tasks are essential for any organization to take the regulatory actions necessary whilst following corresponding incident response workflows.

This list is not exhaustive and IncMan offers lots of possible incident response workflows and points of use for regulatory compliance.

Beyond these measures, it is important to remember that the information gathered in the case record as part of the incident should be fully utilized. The post-mortem analysis of the incident and how it was managed, is as critical as the immediate response. This analysis will help you to define, restructure and organize the ongoing policy changes, and continually fine tune your incident response playbooks.

Our new correlation engine will give you the ability to not only see the entire picture, but also to learn how the picture was built over the course of a timeline of events. Correlation Engine 2.0 helps you to redefine your approach for incident trending and identifying relationships in incident data.

Flexible Playbooks for Any Situation

One of the major buzzwords when talking about cyber incident response is playbooks or run books i.e., advanced workflows with specific actions tailored to deal with and respond to cyber incidents.

Over the past few security conferences, I have noticed something of a trend emerging that centers on the uncertainty and hesitance that some incident response teams have regarding the use of playbooks and, in particular, around the notion of automation in incident response.

Another point of concern seems to be the security tools within existing infrastructure and how an incident response platform looks to make use of these tools. In an ideal scenario, an organization should use everything at its disposal in order to give its teams the best possible options for quick and successful incident response activities.

I think there are a couple of related challenges when talking about these issues, one of which is the existing resource skill sets and how they’re not the same across a typical IR team. This is a point that should really be considered when going through a solution discovery phase by asking the questions: What can I incorporate to best leverage the skills of the available resources? And, how do I best leverage the resources provided with an incident response platform?

At DFLabs, we look to help with these and many more points by providing out-of-the-box IncMan playbooks that are based on industry best practices and recognized standards. Furthermore, by giving you the ability to craft your own fully customized, simplified or advanced playbook, we enable your incident response teams with the freedom to react as they see fit, and in accordance with regulation or specific compliance measures applicable to your operations. To address any hesitance to automated response, your playbooks can be built to uniquely meet your comfort level, for example by leveraging automatic enrichment actions while also enforcing role-based security requirements to require authorization for any containment measures.

Lastly, by being platform agnostic, IncMan empowers you to incorporate your existing infrastructure for a comprehensive response strategy without a requirement for additional infrastructure investment.