Discussions about security breaches often focus on the planning elements, but simply talking about planning is not enough. Comprehensive plans need to be drawn up, fully executed and regularly reviewed in order to be successful. This is the only way to potentially contain the breach and limit the impact it could have on the organization. Properly planning and implementing is the difference between success and failure for companies when it comes to security and incident response.
As the ever-evolving cyber security landscape poses new challenges, companies are pushed even more to fight back the growing number and even more sophisticated levels of cyber attacks. Organizations across all sectors and industries are potential targets and could become victims at any time. With attacks escalating in all areas, whether via phishing or malware, for example, security operations teams need to be prepared to respond to existing and new types and strains of threats, in order to fully defend and protect their company assets and networks.
Along with prevention becoming increasingly difficult for security teams, some organizations also tend to have a weakness when it comes to incident response. Below outlines some of the main reasons why this failure is happening today and if this a true representation of your organization, it is important for action to be taken in order to improve it.
With the number of sophisticated cyber threats in the past several years growing at a phenomenal rate, the security industry has been facing an explosion of security tools available in the market. Many of these though have adversely resulted in creating more tasks for security teams and analysts in terms of monitoring, correlating, and responding to alerts. Analysts are pushed to work on multiple platforms and generate data from every single source manually, while afterwards then needing to enrich and correlate that data which can take many hours or even days.
Security budgets are often limited, and while it is often easier to gain support and approval for additional security apps and tools than it is for additional staff members, this means that many security teams often are forced to search innovative ways to perform many different tasks with extremely limited personnel resources.
Another important point to note is that with increased market competition for experienced and skilled analysts, companies are often forced to choose between hiring one highly skilled staff member versus a couple of less experienced, junior level ones.
Over the years, organizations have witnessed an increasing number of security tools to fight back the growing number of security threats. But even though these tools manage alerts and correlate through security information and management system, security teams are still overwhelmed by the volume of alerts being generated and in many instances are not physically able to respond to them all.
Every single alert must be verified manually and triaged by an analyst. Then, if the alert is determined to be valid, additional manual research and enrichment must take place before any other action to address the threat. While all of these processes take place, other potential alerts wait unresolved in a queue, while new alerts keep being added. The problem is, any one of these alerts may be an opportunity window for an attacker while they wait to be addressed.
Risk of Losing Skilled Analysts
Security processes are performed manually and are quite complex in nature, therefore training new staff members takes time. Organizations still rely on the most experienced analysts when it comes to decision making, based on their knowledge and work experience in the company, even with documented procedures in place. This is commonly referred to as tribal knowledge, and the more manual the processes are, the longer the knowledge transfer takes. Moreover, highly qualified analysts are considered a real treasure for the company, and every time a company loses such staff member, part of the tribal knowledge is also lost, and the entire incident response process suffers a tremendous loss. Even though companies make efforts to keep at least one skilled analyst who is able to teach other staff members the skills they have, they aren’t always successful in that.
Failure to Manage Phases
Security teams work with metrics that could be highly subjective and abstract, compared to other departments which often work with proven processes for measuring the effectiveness or ineffectiveness of a program. This is largely due to the fact that conservative approaches and methods for measuring ROI aren’t applicable, nor appropriate when it comes to security projects, and might give misleading results. Proper measurement techniques are of utmost importance when it comes to measuring the effectiveness and efficiency of a security program, therefore it is necessary to come up with a measurement process customized according to the needs of the company.
Another important issue that should be mentioned here is the one concerning the management of different steps of the incident response process. Security incidents are very dynamic processes that involve different phases, and the inability to manage these steps could result in great losses and damages to the company. For the best results, companies should focus on implementing documented and repeatable processes that have been tested and well understood.
In order to resolve these issues, organizations should consider the following best practices.
The coordination of security data sources and security tools in a single seamless process is referred to as orchestration. Technology integrations are most often used to support the orchestration process. APIs, software development kits, or direct database connections are just a few of the numerous methods that can be used to integrate technologies such as endpoint detection and response, threat intelligence, network detection, and infrastructure, IT service and account management.
Orchestration and automation might be related, but their end goals are completely different. Orchestration aims to improve efficiency by increased coordination and decreased context switch among tools for a faster and better-informed decision-making, while automation aims to reduce the time these processes take and make them repeatable by applying machine learning to respective tasks. Ideally, automation increases the efficiency of orchestrated processes.
Strategic and Tactical Measurement
Information in favor of tactical decisions usually consists of incident data for analysts and managers, which might consist of indicators of compromise assets, process status, and threat intelligence. This information improves decision-making from incident triage and investigation, through containment and eradication.
On the other hand, strategic information is aimed at executives and managers, and it’s used for high-level decision making. This information might comprise statistics and incident trends, threat intelligence and incident correlation. Advanced security programs might also use strategic information to enable proactive threat hunting.
If these challenges sound familiar within your security operations team, find out how DFLabs’ Security Orchestration, Automation and Response solution can help to address these to improve your overall incident response.
Cyber criminals do not discriminate against anyone when it comes to their targets of choice. They go after whatever organization they consider to have a potential to yield substantial financial benefits, without taking into account that some of their exploits might even lead to international conflict or an environmental catastrophe of unimaginable scale.
Cyber attacks on critical infrastructures have become commonplace lately, threatening public health and safety, and deteriorating relations between countries. Having in mind how sophisticated and advanced these cyber threats are, it is no wonder that it is extremely difficult to detect and prevent all of them, so a proper cyber incident response plan that would help contain the damage and recover from an attack becomes a necessity.
Incident Response Solutions for Critical Infrastructure Sectors
Critical infrastructure is comprised of organizations from various sectors, including health care, energy, telecommunications, financial services, government, and transportation, among others. All businesses and institutions that are part of one of these sectors are potential targets for cyber criminals.
To improve their ability to mitigate cyber security threats more effectively, these organizations are advised to create a workflow-based incident response plan relying on automation and orchestration platform.
Benefits of a Workflow-Based Security Incident Response Plan
By utilizing an incident response platform that allows an orchestrated approach while automating certain routine and time-consuming tasks, organizations can greatly reduce reaction times of their cyber security teams, and start the recovery process as soon as possible.
A workflow-based platform, that incorporates a set of actions tailored to specific types of cyber attacks, allows security teams to go through all stages of an incident response quickly and effectively, by providing them with concrete steps that need to be taken based on the type and scope of an attack. Furthermore, based on the attack types, knowledge sharing articles could be associated with the incident for faster and more efficient resolving.
In addition to workflows, automation-and-orchestration incident response platforms can easily integrate with intelligence sharing platforms, allowing organizations to send and receive essential cyber security events information, improving their ability to prevent future attacks.
Cyber attacks on critical infrastructure are probably going to become even more common, so investing in an incident response platform with automation and orchestration capabilities would be of great help to organizations looking to enhance their cyber defenses moving forward. By doing that, they would also be contributing to efforts for preserving international peace and public safety.
One of my favorite sports, American football, uses a term which has always fascinated me. This term is ‘situational football’ and its whole concept is to react according to the scenario in which you find yourself. American football clubs split their squads into essentially three teams.
–Attack, which is the offensive team and the guys that typically score points.
–Defense, which is the opposite team tasked with stopping the attacking team from scoring points.
–Special teams, which is an often overlooked team. This team can be part of the defense or offense and is typically used for every other play that is not defined as an offensive or defensive setting.
Now, you may be wondering why I am talking about sports in a cyber security blog?!
Well, I always like to relate cyber security industry to other industries and to try to think outside of the box when discussing some of our approaches. That said, I’m going to make a beeline for this idea and start relating this to our thinking:
–Attack, or Red teams, can have a positive impact on your response strategy. Relating your response plans and playbooks directly to common attack methods is advisable and should be used in conjunction with the relevant compliance standards. The actions taken in response to specific attack vectors will usually have a higher success rate than a generic catch-all cyber incident response plans. I would take a lot more comfort knowing I have playbooks designed for a specific threat vector than I would be hoping that one of my generic playbooks would cover it.
–Defense, or Blue Teams, are already a big part of response plans, and ongoing refinement of these plans should coincide with every incident lessons learned. A successful response should still have lessons to consider!
Special Teams are a mix of Red and Blue, of offense and defense. They are best positioned to engage in ‘situational football’ and to enable you to define your approach with more than one mindset, even, in some cases, conflicting mindsets. Using this combined approach will ensure an attackers methodology when searching for enrichment information during incident identification, and the pragmatism of a defender during containment and eradication activities. Having a defined response to each phase of IR is important, but engaging special teams and having the ability to refactor your playbooks on the fly is a key capability when orchestrating an effective cyber security incident response to a dynamic incident.
Unique situations can present themselves at every moment of the game. Our playbook features allow you to make your defense attack-minded by feeding in all the information gathered from your playbooks and allowing you to not be restricted by baseline actions alone. We want your defense to run actions at every point and to allow you to call an audible in any situation that presents itself. The freedom to apply this mindset will drive your incident response teams above and beyond what they see in front of them.
At DFLabs, we not only create playbooks specific to compliance standards and cyber security incident response standards, we also enable you to create and to actively amend your own custom playbooks. Our flexibility ensures that your playbooks can be built on the experience of your Red and Blue teams, in line with adversarial thinking specific to your organization or industry, and to the satisfaction of your corporate, industry and regulatory policies.
Contact us to find out more at [email protected]
Protecting customer data and intellectual property are among the top priorities for government agencies, as well as corporations across many different industries, such as healthcare, finance, entertainment, and insurance, to name a few. The main goal of data breaches – which are extremely common in our digital world – is stealing confidential customer information or valuable intellectual property. Banks, hospitals, insurance companies, along with government institutions, are often the target of cyber crimes involving fraud and intellectual property theft. Considering that these types of breaches – which are not always avoidable or preventable – can have wide-ranging consequences for every organization. They must take a broad set of precautionary measures in order to minimize the damage and recover as soon as possible. Among those measures is devising incident response plans, as well as adopting a platform that can keep cybersecurity incidents under control, by helping you determine what type of cyber attack your organization is under, how you should prioritize your response, and what you can do to contain the damage.
Fast Incident Triage
If an organization uses a cybersecurity platform with robust incident response capabilities, the organization’s leadership can have peace of mind that even if they get attacked, they will be able to solve the incident as quickly and as efficiently as possible.
One of the key elements to an effective incident response is incident triage. Organizations should acquire a cybersecurity platform that offers this feature, which is essential for improving its CSIRT’s efficiency. Incident triage is important because it allows your team to quickly analyze what happened and determine what actions they need to take first, enabling a continuation of the operations within the organization and containment of the damage.
Once a data breach is detected, and the incident triage process is completed, some of the next steps involve managing the impact and preparing for potential litigation, which organizations often face when they’ve experienced a data breach. To that end, corporations and government agencies should use a platform that provides litigation support, which covers several aspects, such as customizable reports needed for material disclosures, as well as the preservation of evidence and chain-of-custody tracking to preserve all artifacts and record all activities. Allowing a proper investigation that could help your organization avoid crippling potential legal liabilities.
In conclusion – the mentioned features are crucial for protecting customer data and trade secrets in the era of data breaches. Organizations can easily take advantage of extra robust feature functionality by obtaining a cybersecurity platform that incorporates all those capabilities necessary for a complete solution that meets and exceeds your requirements.
Considering that we live and work in an increasingly connected world, it can be said that nowadays there is no organization that is immune to cyber attacks and data breaches. No matter how sophisticated your cyber defense is, you always need to be prepared for all eventualities that might arise from potential vulnerabilities within your computer networks or systems. That is why having a proper cyber incident response plan in place is crucial to the security of every organization since it enables you to detect and respond to cyber security breaches as quickly and efficiently as possible. For a cyber incident response plan to be successful, it should rely on automated incident response playbooks that can provide an automated response to any cyber attack, reducing the time it takes to solve an incident and allowing your organization to resume operations as soon as possible.
Automated Computer Forensics and Remediation
By using a platform that incorporates automated playbooks, organizations streamline their cybersecurity. As the playbooks provide automated digital forensics and remediation of the target, in addition to prioritized workflows that help when responding to all threats in the most effective manner.
To put it briefly, automated cyber incident response playbooks replace several time-consuming and often very costly processes and tasks that need to be completed following an advanced cyber attack. Tasks like tracking and gathering evidence that usually takes a lot of time to complete which only prevents investigators from spending more time trying to solve the problem. With a platform that offers automated playbooks, your cyber security team can focus on analyzing an incident, instead of collecting information.
Quick Response to Every Specific Incident
Security incident response playbooks help cyber security teams select the workflow that’s best suited for a specific threat. This allows them to prioritize their response, as well as choose the right tools that are required to solve a problem. These kinds of playbooks are a paramount part of an automated and orchestrated incident response, which is a key requirement for every SOC and CSIRT.
In conclusion, businesses and organizations are searching for a solution that enables a quick recovery from cyber attacks and helps prevent future potential threats. Investing in a complete platform that includes automated playbooks is one of the wisest investments they can make to protect proprietary and critically valuable information.
Although cyber security solutions are advancing at an extraordinarily fast pace, the harsh reality is that cyber attacks will continue to occur and hackers will continue to breach the networks and computer systems of businesses and government agencies around the globe. Efficient and accurate cyber incident reporting is considered key to mitigating the potential damage these attacks can inflict.
All cyber security experts agree that cyber attacks are inevitable and can’t always be prevented. No matter how sophisticated an organization’s cyber defense is, there will always be a way to breach it. With that in mind, the best way to defeat attackers is to devise the best possible cyber incident response plan. The way you respond to an incident is one of the crucial aspects to the efforts for ultimately defeating hackers and preventing recurring attacks. Reporting and forensic investigations are the two of the most important elements of a successful cyber incident response plan.
Keeping Incidents Under Control
A quick and effective response to a cyber incident should include having firm control over all data breaches and incidents, which is best executed through the utilization of an incident response orchestration platform that provides automated and manual response, to immediately detect and respond to breaches.
There are platforms on the market that provide complete control over cyber security incidents, along with gathering evidence efficiently, specific, and detailed playbooks that help you react to an incident fast and effectively, and integration with forensic and response systems.
These types of features are essential for organizations that want to make sure that they preserve the scene of a cyber security incident, which in turn results in a more effective investigation, fast recovery, as well as compliance with existing regulations. It’s an accurate way to prevent a destruction or loss of evidence, which often occurs unintentionally and prevents a speedy recovery following a breach.
An efficient incident response includes accurate cyber incident reporting, as well. Reporting to authorities is an important part of the process of resolving cyber-crime cases, and it should be conducted in accordance with existing regulations, such as the EU Network Information Security (NIS) directive, and the new cyber incident reporting rule introduced by the U.S. Department of Defense, that is supposed to go into effect in 2017.
If your organization is a victim of a cyber-attack, notifying authorities about the incident should be one of your top priorities. The creation of reports is useful for a faster recovery. With a tool that can create automated incident reports and send them to the security team within an organization, the organization reduces the time it takes to react and resolve a cyber incident, and contain the damage.
This past summer, many cyber security experts expressed their concerns that certain Russian groups were involved in the hacking attack on the U.S. Democratic National Committee’s (DNC) computer network, leaking 20,000 emails from various Democratic Party officials. The DNC hack made the headlines around the globe, and for good reason.
No matter who the perpetrator was, one thing is clear: the hack of the DNC servers inflicted serious harm to both the Democratic Party as an institution, as well as many of its members, mainly related to the public image of the party and of various individuals.
However, it could have had further, more wide-ranging implications, including an impact on the upcoming U.S. presidential election, which is why it is very important to understand what could have been done to prevent it, and what kind of response and management process for the incident should have been chosen.
Was the Hack Avoidable?
Even though it’s difficult to confidently say whether the DNC hack could have been avoided, without knowing the confidential specifics of the incident, there are a lot of things that could have been done that would have probably protected the DNC’s computer server much better.
The consensus among leading analysts familiar with this incidents is that the DNC hack was most likely conducted through spear phishing, which is one of the most common methods for initiating a cyber attack.
With that in mind, one of the easiest ways to avoid falling victim to such a fraud is to train people within your organization on how to recognize and react to such threats. People should be familiarized with the spear phishing technique and how it works, making them more aware of the difference between legitimate emails and links and malicious ones, with the latter being the basis of all phishing scams.
What’s the Appropriate Response to These Types of Incidents?
Sometimes, no matter how well every person within an organization is trained and educated on cyber security threats, attacks on a company or an institution server or network occurs, and that is when you need to be able to react as fast and as efficiently as possible to prevent the loss of confidential information, and avoid a major blow to your organization’s reputation, and consequently, your bottom line.
To that end, having a cyber incident response plan in place is key to bringing cyber incidents under control and minimizing or completely avoiding the potential consequences of a breach.
According to statistics from a recent AT&T report, 62% of organizations admitted to being breached in 2015, but only 34% of organizations polled had an incident response plan. These statistics inevitably point to the need for increasing awareness of the fact that every organization is highly vulnerable to cyberattacks, and the necessity of devising a plan and having the right tools that would help them mitigate the impact of any breach and go about their business as soon as possible.