A Weekend in Incident Response #12: How to Create Cyber Incident Recovery Playbooks in Line with New NIST Guide

When it comes to protecting your organization against cyber incidents, you can never be too careful. The methods and techniques employed by cyber criminals grow more sophisticated every day, requiring you to adapt and improve your cyber defense accordingly. One of the most important aspects of any protection against cyber attacks is how you respond to and recover from cybersecurity events, and how you learn from past ones. Cyber incident recovery playbooks, as an integral part of an organization’s incident response strategy, can go a long way toward reducing reaction times and restoring operations as soon as possible following an attack.

Cybersecurity incident response platforms are therefore necessary for every organization that needs to protect information and other assets that could be targets of cyber criminals. These platforms help businesses and government agencies stave off cyber attacks and recover from data breaches, and their usage is in line with recommendations by the United States National Institute of Standards and Technology (NIST). To make it easier for organizations to recover from cybersecurity incidents as quickly as possible, NIST regularly issues new and updated guidelines that provide a sound foundation for developing cyber incident response plans. The latest NIST guide focuses on what organizations can do to make their recovery procedures and processes more effective and less time-consuming.

Efficient Risk Management

The Guide for Cybersecurity Event Recovery (NIST Special Publication 800-184) offers wide-ranging advice on building a best-practice plan for returning an organization’s systems to full operation following a breach. One of its key points is that recovery is a crucial part of the organization’s broader risk management effort. There are many ways to bring a system back online, but whatever the severity of the breach that brought it down, every organization needs to have prepared its response in advance. To that end, organizations are advised to adopt detailed plans and cyber incident recovery playbooks for the various types of cybersecurity incidents they may face, so that they can reduce reaction time and minimize damage in the event of a data breach.

Playbooks Are Central to Recovery Processes and Procedures

When it comes to recovery, the NIST guide states that every organization should develop recovery processes and procedures centered on playbooks, which allow it to respond to different types of breaches in the most effective way.

Automated playbooks are considered a crucial tool for a successful recovery operation. Using a platform that provides automated cybersecurity incident recovery playbooks increases your organization’s preparedness to respond quickly to cybersecurity events and to recover from data breaches, ransomware, and other incidents. The guide advises each organization’s recovery team to exercise the plays through tabletop exercises, so that the team stays aware of the potential risk scenarios and uncovers gaps in its response plans before a real incident does.

In addition to playbooks, the guide highlights documenting current and past cybersecurity incidents as another important factor in improving an organization’s recovery capabilities. To that end, organizations should use a platform that includes automated playbooks, can track digital evidence and analyze the causes of cybersecurity incidents, and then generates detailed incident reports automatically. A platform of this type is the best solution for comprehensive cybersecurity incident protection, spanning identification, detection, response, and recovery.

A Weekend in Incident Response #11: Protecting Trade Secrets and Personal Information Through Cyber Incident Response Plans

Protecting customer data and intellectual property is among the top priorities for government agencies, as well as for corporations across many industries, such as healthcare, finance, entertainment, and insurance, to name a few. The main goal of data breaches, which are extremely common in our digital world, is stealing confidential customer information or valuable intellectual property. Banks, hospitals, insurance companies, and government institutions are often the target of cyber crimes involving fraud and intellectual property theft. Because these breaches are not always avoidable or preventable and can have wide-ranging consequences for any organization, organizations must take a broad set of precautionary measures to minimize the damage and recover as soon as possible. Among those measures is devising incident response plans, as well as adopting a platform that keeps cybersecurity incidents under control by helping you determine what type of cyber attack your organization is under, how you should prioritize your response, and what you can do to contain the damage.

Fast Incident Triage

If an organization uses a cybersecurity platform with robust incident response capabilities, its leadership can have peace of mind that even if they are attacked, the incident will be resolved as quickly and efficiently as possible.

One of the key elements of effective incident response is incident triage. Organizations should acquire a cybersecurity platform that offers this feature, which is essential for improving the CSIRT’s efficiency. Incident triage matters because it lets your team quickly establish what happened, how severe and how widespread it is, and which actions to take first, so that operations can continue and the damage can be contained.

Case Management

Once a data breach is detected and incident triage is complete, the next steps involve managing the impact and preparing for the litigation that organizations often face after a data breach. To that end, corporations and government agencies should use a platform that provides litigation support, covering customizable reports for material disclosures as well as the preservation of evidence and chain-of-custody tracking that records every artifact and every action taken on it. This allows a proper investigation that can help your organization avoid potentially crippling legal liabilities.

In conclusion, the features described above are crucial for protecting customer data and trade secrets in the era of data breaches. Organizations can take advantage of them by obtaining a cybersecurity platform that incorporates all the capabilities of a complete solution that meets your requirements.

How Are Automated Incident Response Playbooks Crucial to an Effective IR Program?

Considering that we live and work in an increasingly connected world, no organization is immune to cyber attacks and data breaches. No matter how sophisticated your cyber defense is, you always need to be prepared for the eventualities that might arise from vulnerabilities in your networks or systems. That is why having a proper cyber incident response plan in place is crucial to the security of every organization: it enables you to detect and respond to security breaches as quickly and efficiently as possible. For a cyber incident response plan to be successful, it should rely on automated incident response playbooks that automate the response to the attack types the organization is likely to face, reducing the time it takes to resolve an incident and allowing your organization to resume operations as soon as possible.

Automated Computer Forensics and Remediation

By using a platform that incorporates automated playbooks, organizations streamline their cybersecurity operations: the playbooks provide automated digital forensics and remediation of the affected target, along with prioritized workflows that help the team respond to every threat in the most effective manner.

To put it briefly, automated cyber incident response playbooks replace several time-consuming and often very costly processes and tasks that must be completed after an advanced cyber attack. Tracking and gathering evidence, for example, usually takes a lot of time and keeps investigators from spending that time solving the problem. With a platform that offers automated playbooks, your cybersecurity team can focus on analyzing the incident instead of collecting information.

Quick Response to Every Specific Incident

Security incident response playbooks help cybersecurity teams select the workflow best suited to a specific threat. This allows them to prioritize their response, as well as choose the right tools for resolving the incident. Such playbooks are a core part of automated and orchestrated incident response, which is a key requirement for every SOC and CSIRT.

In conclusion, businesses and organizations are searching for a solution that enables a quick recovery from cyber attacks and helps prevent future potential threats. Investing in a complete platform that includes automated playbooks is one of the wisest investments they can make to protect proprietary and critically valuable information.

A Weekend in Incident Response #9: How Can Banks Meet the New Cyber Security Requirements?

Financial institutions are always at great risk of falling victim to cyber attacks. They are under constant threat from attackers looking to obtain confidential information that can be very lucrative. To make sure banks are prepared to respond to cyber threats in the most efficient manner, three U.S. federal agencies in charge of overseeing and regulating banks have proposed a set of cybersecurity requirements that financial institutions would have to meet when managing cybersecurity risks.

The Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency have issued an advance notice of proposed rulemaking (ANPR) that contains standards on how to manage and improve resilience regarding cybersecurity risks.

The standards are designed to help protect financial institutions, as well as their clients, against potential cyber threats.

Incident Response and Cyber Resilience Among the Standards

Per the advance notice, the proposed standards will cover a specific group of financial institutions, including depository institutions and depository institution holding companies with total assets of at least $50 billion, along with financial market infrastructure companies and non-bank financial companies that are supervised by the Board.

These covered entities should comply with specific cyber security requirements that are designed to improve their cyber incident response procedures and prepare for potential cyber-attacks.

The agencies propose five categories of standards regarding cyber security:

  • cyber risk governance
  • cyber risk management
  • internal dependency management
  • external dependency management
  • incident response, cyber resilience and situational awareness

One Platform to Comply with All Cyber Security Requirements

Given how many aspects the covered entities will have to address in order to meet the standards above, it would be most cost-effective and practical for them to adopt a platform capable of supporting all the tasks the standards propose.

Such platforms are now available on the market and can make life much easier for the organizations these standards apply to. For instance, there are platforms that help organizations implement an effective and comprehensive incident response plan, providing complete control over cyber incidents. Organizations are advised to acquire a platform that can track cybersecurity incidents and anticipate related ones, track and gather digital evidence, and produce statistical reports, all of which are key to resolving a given breach.

The same platform can also manage all the cases and data required for handling cyber threats within your organization, as well as lab and inventory management, helping you comply with the cyber risk management requirements.

Finally, a platform designed to prioritize your response and reduce the time it takes to resolve a cyber incident should also help you comply with the internal dependency management standards by assessing the risk and providing action plans. A complete solution of this kind helps organizations reduce the risk of cyber attacks and comply with the external dependency management standards as well.

A Weekend in Incident Response #8: How to Prepare for the Updated US-CERT Cybersecurity Notification Guidelines

The United States Computer Emergency Readiness Team (US-CERT) has announced that it will implement new cybersecurity notification guidelines, which will have a significant impact on how government agencies and private-sector organizations deal with cyber incidents.

As US-CERT states, the new guidelines impose new requirements for notifying cybersecurity incidents, which apply to all federal departments and agencies; state, local, tribal, and territorial government agencies; private-sector organizations; and Information Sharing and Analysis Organizations. The guidelines specify how, when, and whom the covered entities will be required to notify after they detect an incident within their organizations.

Identifying Incidents Through a Seven-Step Process

According to the guidelines, for an agency to notify US-CERT of an incident properly, it has to complete a seven-step process. First, the agency must identify the current level of impact the incident has on its services or functions. Next, it must identify the type of information lost, compromised, or corrupted. This step is followed by an estimate of the time and resources the agency will have to spend in order to recover from the incident.

Next, agencies should identify when the activity was first detected, and then how many systems, records, and users have been impacted. The final two steps are identifying the location of the network in which the activity was observed, and identifying the point of contact for further follow-up.

After completing these steps, agencies must submit the notification to US-CERT with a specific set of information, such as:

  • Information on the attack vector(s) that led to the incident
  • Indicators of compromise
  • Information related to any mitigation activities that the agency has taken in response to the incident

Incident Response Platforms

To comply with the new requirements for cybersecurity incident notifications, organizations are advised to use a cybersecurity platform that provides comprehensive and automated incident and forensic case management.

Such a platform provides a set of playbooks tailored to many potential cyber threats. Your organization can save a great deal of time and resources by using a tool that creates incident reports automatically and sends them to your cybersecurity team, a process that supports compliance with the new US-CERT guidelines.

The incident notification process under the new guidelines is extensive and can be challenging for organizations that lack the resources or the knowledge to complete it, so acquiring a platform that performs the required steps for you is the best solution for the entities the guidelines cover. This is where a platform with prioritized workflows, designed to help your business respond to current threats and prepare your defenses for the future ones that are bound to occur, comes in handy. Finally, given the upcoming US-CERT guidelines, every private-sector organization and government agency could use a platform that tracks digital evidence and the entire investigative process, since these are among the key steps in notifying the authorities of an incident.

A Weekend in Incident Response #7: The Importance of Accurate Cyber Incident Reporting and Preservation of Digital Evidence

Although cyber security solutions are advancing at an extraordinarily fast pace, the harsh reality is that cyber attacks will continue to occur and hackers will continue to breach the networks and computer systems of businesses and government agencies around the globe. Efficient and accurate cyber incident reporting is considered key to mitigating the potential damage these attacks can inflict.

Most cybersecurity experts agree that cyber attacks are inevitable and cannot always be prevented. No matter how sophisticated an organization’s cyber defense is, there will always be a way to breach it. With that in mind, the best way to defeat attackers is to devise the best possible cyber incident response plan. How you respond to an incident is one of the crucial aspects of ultimately defeating attackers and preventing recurring attacks. Reporting and forensic investigation are two of the most important elements of a successful cyber incident response plan.

Keeping Incidents Under Control

A quick and effective response to a cyber incident requires firm control over all data breaches and incidents, which is best achieved with an incident response orchestration platform that supports both automated and manual response, so that breaches are detected and responded to immediately.

There are platforms on the market that provide complete control over cybersecurity incidents, efficient evidence gathering, specific and detailed playbooks that help you react to an incident fast and effectively, and integration with forensic and response systems.

These features are essential for organizations that want to preserve the scene of a cybersecurity incident, which in turn results in a more effective investigation, faster recovery, and compliance with existing regulations. It is a reliable way to prevent the destruction or loss of evidence, which often happens unintentionally and then prevents a speedy recovery following a breach.
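The chain-of-custody tracking mentioned in the case management discussion of post #11 above and the evidence preservation described here can both be implemented with a hash-chained evidence ledger. The following is an added example, not code from the original page or from any vendor platform; the artifact bytes, actor names and timestamps are constructed for the example.

```python
"""Hash-chained chain-of-custody ledger for digital evidence.

Added example; not code from the original page or from any vendor platform.
Each ledger entry records who did what to which artifact, the artifact's
SHA-256 at that moment, and the hash of the previous entry, so that any
later edit to an entry (or to the artifact) is detectable.
"""
import hashlib
import json
from dataclasses import dataclass, asdict
from datetime import datetime, timezone
from typing import List, Optional


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEntry:
    seq: int
    timestamp: str
    actor: str            # person or system handling the artifact
    action: str           # e.g. "acquired", "transferred", "analyzed"
    artifact_id: str
    artifact_sha256: str  # hash of the artifact bytes at this step
    prev_hash: str        # entry_hash of the previous entry (GENESIS for the first)
    entry_hash: str = ""  # filled in by the ledger

    def compute_hash(self) -> str:
        # Canonical JSON of every field except entry_hash itself.
        payload = {k: v for k, v in asdict(self).items() if k != "entry_hash"}
        canonical = json.dumps(payload, sort_keys=True, separators=(",", ":"))
        return sha256_hex(canonical.encode())


class CustodyLedger:
    GENESIS = "0" * 64

    def __init__(self) -> None:
        self.entries: List[CustodyEntry] = []

    def record(self, actor: str, action: str, artifact_id: str,
               artifact: bytes, timestamp: Optional[str] = None) -> CustodyEntry:
        prev = self.entries[-1].entry_hash if self.entries else self.GENESIS
        ts = timestamp or datetime.now(timezone.utc).isoformat()
        entry = CustodyEntry(len(self.entries), ts, actor, action,
                             artifact_id, sha256_hex(artifact), prev)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return the index of the first entry that fails verification, or None."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e.seq != i or e.prev_hash != prev or e.entry_hash != e.compute_hash():
                return i
            prev = e.entry_hash
        return None

    def artifact_unchanged(self, artifact_id: str, artifact: bytes) -> bool:
        """Compare the artifact as held now with the hash taken at acquisition."""
        for e in self.entries:
            if e.artifact_id == artifact_id and e.action == "acquired":
                return e.artifact_sha256 == sha256_hex(artifact)
        return False   # never acquired: no baseline to compare against


def demo() -> dict:
    """Walk an artifact through three custody steps, then tamper with the record."""
    image = b"constructed sample disk image bytes"   # constructed, not a real image
    ledger = CustodyLedger()
    ledger.record("analyst.a", "acquired", "IMG-001", image, "2016-11-07T10:00:00+00:00")
    ledger.record("analyst.a", "transferred", "IMG-001", image, "2016-11-07T11:00:00+00:00")
    ledger.record("analyst.b", "analyzed", "IMG-001", image, "2016-11-08T09:00:00+00:00")
    intact_before = ledger.verify() is None
    ledger.entries[1].actor = "someone.else"   # edit a past entry without re-hashing
    return {
        "intact_before": intact_before,
        "broken_at": ledger.verify(),                                  # 1
        "image_unchanged": ledger.artifact_unchanged("IMG-001", image),
        "image_modified": ledger.artifact_unchanged("IMG-001", image + b"\x00"),
    }


if __name__ == "__main__":
    print(demo())
```

Because each entry commits to the previous entry's hash, editing any field of an earlier record, or inserting or deleting a record, breaks the chain from that point on, so verify() pinpoints the first inconsistent entry; artifact_unchanged() checks the evidence itself against the hash taken at acquisition. In practice the ledger would be stored append-only and its hashes countersigned or time-stamped by a party outside the investigation team, so that the team itself cannot quietly rewrite the record.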

Efficient Reporting

Efficient incident response includes accurate cyber incident reporting as well. Reporting to the authorities is an important part of resolving cyber-crime cases, and it should be conducted in accordance with existing regulations, such as the EU Network and Information Security (NIS) Directive and the new cyber incident reporting rule introduced by the U.S. Department of Defense, which is scheduled to take effect in 2017.

If your organization is the victim of a cyber attack, notifying the authorities should be one of your top priorities. Well-structured reports also speed up recovery. With a tool that creates incident reports automatically and sends them to the organization’s security team, the organization reduces the time it takes to react to and resolve a cyber incident and to contain the damage.

A Weekend in Incident Response #6: Improving Digital Skills of Police Forces Should Be a Top Priority for Governments

With cyber-crime on the rise globally, it’s clear that law enforcement agencies around the world need to raise their level of cyber-security preparedness so that they can respond to this growing threat accordingly. But, it seems that improving their own digital skills has turned out to be a tough challenge for some police forces.

A recent report by England-based Her Majesty’s Inspectorate of Constabulary (HMIC) shows that the police officers in England and Wales are having trouble coping with the increased amount and complexity of cases involving cyber-crime.

Digital Forensic Capabilities Must Be Improved

The report finds that several police forces in England and Wales show a severe lack of the digital skills needed to solve modern crimes. Specifically, investigators have proven insufficiently prepared to gather and process digital evidence, which is one of the crucial aspects of cyber-crime investigation.

Another challenge that is underscored in the report is the fact that police forces are having difficulties understanding how different IT systems work, and how they can retrieve and share data between different systems.

Automated Case Management is One of the Solutions

Considering the significant gap in digital skills among police officers that the report notes, it’s clear that law enforcement agencies could use a tool that can help them overcome these challenges.

There are solutions that can be employed to make investigations into cyber incidents more efficient and help alleviate the problem of not being able to retrieve and process digital evidence properly. There are platforms that can track digital evidence and entire investigative processes automatically, helping to accelerate the investigation into a cyber incident.

A platform that is capable of gathering and managing information during cyber forensics processes, can make police forces much more efficient and prepare them for the challenges that are an inseparable part of modern crimes.

In order to be able to solve cyber crimes, police forces need to employ platforms that provide integrated support for cyber forensic tools, in addition to an integrated knowledge base access, as solutions that can help offset investigators’ lack of digital skills.

A Weekend in Incident Response #5: Reducing the Risks of Cyber Attacks in the Healthcare Sector

The healthcare industry is under constant threat of cyber attacks, mostly because organizations in this sector hold a variety of sensitive information, such as credit card numbers, social security numbers, insurance details and, perhaps most importantly, personal medical records.

A recent report states that healthcare entities have been under increased risk of targeted attacks lately, including phishing attacks, ransomware attacks, and network hacking attacks. The heightened risk for cyber attacks points to a growing need for enhanced protection, in addition to raising awareness of the different types of cyber attacks that many healthcare organizations are facing.

Healthcare Surpasses Financial Sector as the Most Frequently Attacked Industry

According to data provided by Advisen and Hiscox, the average cost of a cyber incident in the healthcare industry is $150,000. A recent report published by IBM states that the healthcare industry was attacked more frequently than any other sector last year, replacing the financial services sector at the top. According to the report, over 100 million healthcare records were compromised in 2015, a staggering figure by any standard.

The Advisen and Hiscox report also notes a 1.6-fold increase in Health Insurance Portability and Accountability Act (HIPAA) violations over the last five years. This suggests that entities such as hospitals and clinics need to step up their HIPAA compliance efforts, as one of the key steps toward better protection against cyber attacks.

Detecting Ransomware and Phishing Attacks

Currently, the most common cyber threats faced by healthcare entities are phishing and ransomware, the techniques most often used by attackers trying to obtain confidential patient information. Best practice for limiting the damage includes data encryption tools, which are recommended for all covered entities. Note, however, that encryption at rest protects the confidentiality of records that are stolen; it does nothing to stop ransomware from encrypting the data a second time, so tested offline backups and filtering of malicious e-mail attachments and links are needed alongside it.

Another useful solution for healthcare organizations is software that lets you define detection rules and integrates with other tools, so that problems are detected and reported automatically. Platforms with such capabilities should be a crucial part of each entity’s cyber defense.
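Two rules of the kind such rule-based detection would contain, as an added example that is not code from the page or from any product: a sliding-window count of renames to ransomware-style extensions per host and user, and a lookalike-domain check for phishing mail. The log lines, the extension list, the thresholds and the trusted domain example-health.com are all constructed assumptions for the example.

```python
"""Two detection rules run over constructed log lines.

Added example; not code from the original page or from any vendor product.
Rule 1 flags a host/user pair that renames many files to ransomware-style
extensions within a short window. Rule 2 flags e-mail whose sender or link
domain is a lookalike of a trusted domain. Thresholds, the extension list and
the trusted domain are assumptions for the example, not values from the page.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, List, Tuple
from urllib.parse import urlparse

# Constructed sample logs; not taken from any real environment.
FILE_LOG = """\
2016-11-07T10:00:01Z host=WS-12 user=jsmith op=rename path=/share/records/a.docx new=/share/records/a.docx.locked
2016-11-07T10:00:02Z host=WS-12 user=jsmith op=rename path=/share/records/b.xlsx new=/share/records/b.xlsx.locked
2016-11-07T10:00:02Z host=WS-12 user=jsmith op=rename path=/share/records/c.pdf new=/share/records/c.pdf.locked
2016-11-07T10:00:03Z host=WS-12 user=jsmith op=rename path=/share/records/d.docx new=/share/records/d.docx.locked
2016-11-07T10:00:04Z host=WS-12 user=jsmith op=rename path=/share/records/e.docx new=/share/records/e.docx.locked
2016-11-07T10:00:05Z host=WS-12 user=jsmith op=rename path=/share/records/f.docx new=/share/records/f.docx.locked
2016-11-07T10:05:00Z host=WS-07 user=mlee op=rename path=/share/notes/old.txt new=/share/notes/old.txt.bak
2016-11-07T10:06:00Z host=WS-07 user=mlee op=write path=/share/notes/new.txt
"""

MAIL_LOG = """\
2016-11-07T09:30:00Z from=billing@examp1e-health.com to=nurse1@example-health.com link=http://examp1e-health.com/portal/login
2016-11-07T09:31:00Z from=it@example-health.com to=nurse2@example-health.com link=https://intranet.example-health.com/reset
2016-11-07T09:32:00Z from=news@vendor.example to=nurse3@example-health.com link=https://vendor.example/newsletter
"""

FILE_RE = re.compile(r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) "
                     r"op=(?P<op>\S+) path=(?P<path>\S+)(?: new=(?P<new>\S+))?$")
MAIL_RE = re.compile(r"^(?P<ts>\S+) from=(?P<sender>\S+) to=(?P<to>\S+) link=(?P<link>\S+)$")

SUSPICIOUS_EXT = (".locked", ".encrypted", ".crypt", ".enc")  # assumed list
RANSOM_THRESHOLD = 5            # this many suspicious renames ...
RANSOM_WINDOW_S = 60            # ... within this many seconds
TRUSTED_DOMAINS = {"example-health.com"}  # assumed: the organisation's own domain
MAX_LOOKALIKE_DISTANCE = 2


def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def detect_ransomware(log: str) -> List[dict]:
    """Sliding-window count of suspicious renames per (host, user)."""
    windows: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    alerts: List[dict] = []
    fired = set()
    for line in log.splitlines():
        m = FILE_RE.match(line)
        if not m or m["op"] != "rename":
            continue
        if not (m["new"] or "").lower().endswith(SUSPICIOUS_EXT):
            continue
        key = (m["host"], m["user"])
        ts = parse_ts(m["ts"])
        q = windows[key]
        q.append(ts)
        while (ts - q[0]).total_seconds() > RANSOM_WINDOW_S:
            q.popleft()   # drop events that fell out of the window
        if len(q) >= RANSOM_THRESHOLD and key not in fired:
            fired.add(key)   # one alert per host/user, not one per file
            alerts.append({"rule": "ransomware_mass_rename", "host": key[0],
                           "user": key[1], "count": len(q),
                           "first_seen": q[0].isoformat()})
    return alerts


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot 'examp1e' standing in for 'example'."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain: str, trusted: str) -> bool:
    if domain == trusted or domain.endswith("." + trusted):
        return False   # the real domain or one of its subdomains
    return 0 < edit_distance(domain, trusted) <= MAX_LOOKALIKE_DISTANCE


def detect_phishing(log: str) -> List[dict]:
    """Flag sender and link domains that mimic a trusted domain."""
    alerts: List[dict] = []
    for line in log.splitlines():
        m = MAIL_RE.match(line)
        if not m:
            continue
        sender_domain = m["sender"].rsplit("@", 1)[-1].lower()
        link_host = (urlparse(m["link"]).hostname or "").lower()
        for trusted in TRUSTED_DOMAINS:
            for observed, where in ((sender_domain, "sender"), (link_host, "link")):
                if is_lookalike(observed, trusted):
                    alerts.append({"rule": "lookalike_domain", "where": where,
                                   "observed": observed, "mimics": trusted,
                                   "recipient": m["to"]})
    return alerts


def run_all() -> List[dict]:
    return detect_ransomware(FILE_LOG) + detect_phishing(MAIL_LOG)


if __name__ == "__main__":
    for alert in run_all():
        print(alert)
```

The ransomware rule fires once per host and user rather than once per file, which is what keeps a real outbreak from flooding the CSIRT with thousands of identical alerts; the phishing rule deliberately treats subdomains of the trusted domain as legitimate so that intranet links are not flagged. In a real deployment the alerts returned here would be handed to the notification and case-management steps described below.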

How to React in Case You Are Attacked

Even though there are tools designed to detect and prevent ransomware and phishing attacks, attackers often find a way around all sorts of defenses and breach even the most sophisticated ones. When that happens, organizations must be prepared to react as quickly and as effectively as possible with a proven solution.

To that end, all covered entities, including healthcare organizations, need to have a Computer Security Incident Response Team (CSIRT) in place. To help the CSIRT resolve cyber incidents, entities are advised to acquire platforms that automatically notify the CSIRT when a cyber attack occurs, whether by e-mail or SMS, and assemble a team of investigators to perform the forensics on a given incident.

Incident response platforms featuring specialized playbooks are also necessary for tackling healthcare-related incidents. They are the most suitable tool for resolving cyber incidents quickly and efficiently, thanks to their ability to accelerate incident triage, integrate with forensics and response systems, and anticipate similar events in the future. Some of these Security Incident Response Platforms (SIRPs) also provide playbooks for vertical regulations such as HIPAA.

A Weekend in Incident Response #4: How to Reduce the Noise of Cyber Threat Intelligence

Is Cyber Threat Intelligence Still Useful?

Information is invaluable to business in today’s world. But in some cases, having large amounts of information coming your way can actually hurt your business. This holds particularly true for organizations that constantly deal with the risk of cyber attacks, for whom every piece of information that could help prevent those attacks is valuable. This is where cyber threat intelligence comes in, as one of the crucial aspects of an effective cyber defense strategy.

But with so many feeds from so many sources at their disposal, determining which information is relevant and credible, and separating it from data that has no bearing on a potential threat, has become a major challenge for many cybersecurity professionals. As a result, reducing the noise from the flood of threat intelligence is now key to successful security operations.

Overwhelming Amount of Cyber Threat Information

A new study recently conducted by Ponemon Institute LLC, and sponsored by Anomali, reveals that the amount of threat intelligence that cyber security professionals deal with is overwhelming, preventing them from tackling incidents more efficiently.

The study, titled The Value of Threat Intelligence: A Study of North American and United Kingdom Companies, surveyed more than 1,000 professionals from the cybersecurity industry, 70 percent of whom said that threat intelligence is often “too voluminous and/or complex to provide actionable intelligence”. This figure should raise concern, considering that almost half of the respondents (46%) said that incident responders rely on threat data during the incident response process. Furthermore, according to the study, there is too much data to make sense of when an enterprise has only a limited staff of security operations center analysts or threat analysts.

SIEM Integration vs. IR Orchestration

Cybersecurity experts agree that to use cyber threat intelligence data effectively and productively, there must be a SIEM integration in place. However, while 62% of those surveyed said they were aware of this necessity, as many as 64% stated that putting such an integration in place takes a lot of time and resources, making it a tough feat.

In my corporate experience, the companies that actually integrate SIEM with CTI are a minority. The main consequence of that missing integration is the inability to make use of the TI feeds during an incident. But there is a new technology trend that addresses exactly this problem. There are platforms capable of sitting on top of the SIEM and integrating multiple tools from different vendors, which is one of the biggest challenges threat analysts face. This approach is usually applied during the incident triage phase; it is not intended as a SIEM replacement, but it can help SOCs and CSIRTs reduce reaction time and the related noise. Such a platform fits the Incident Response and SOC Orchestration space, featuring multiple integrations that are easy to use and configure, and is nowadays probably the only way to reach near-real-time, cost-saving incident response, filling the gap created when the data sources come from different vendors. Such platforms support SIEM integration and can be a great solution for any entity trying to build successful and affordable cyber defense by effectively reducing the noise of threat intelligence.
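One concrete form of the noise reduction described here, and of the triage prioritization discussed in post #11 above, as an added example that is not code from the page, from the cited study, or from any vendor platform: normalize indicators from several feeds, merge them, score each by confidence, freshness and how many independent feeds corroborate it, drop the stale and low-scoring ones, and use what remains to rank SIEM alerts. All feeds, alerts, weights and thresholds are constructed for the example.

```python
"""Merge noisy threat-intelligence feeds and use the result to rank SIEM alerts.

Added example; not code from the original page, the study it cites, or any
vendor platform. The feeds, the SIEM alerts, the scoring weights and the
thresholds are all constructed for the example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
from typing import Dict, List

NOW = datetime(2016, 11, 7)   # fixed reference time so results are reproducible
MAX_AGE_DAYS = 90             # indicators not seen for longer than this are dropped
MIN_SCORE = 40                # indicators scoring below this are treated as noise

# Constructed feeds. Formats deliberately differ: defanged, mixed case, stale.
FEEDS = {
    "feed_a": [
        {"indicator": "198.51.100.23", "type": "ip", "confidence": 80, "last_seen": "2016-11-05"},
        {"indicator": "evil-update[.]example", "type": "domain", "confidence": 60, "last_seen": "2016-11-06"},
        {"indicator": "203.0.113.9", "type": "ip", "confidence": 20, "last_seen": "2016-01-01"},
    ],
    "feed_b": [
        {"indicator": "EVIL-UPDATE.example", "type": "domain", "confidence": 90, "last_seen": "2016-11-04"},
        {"indicator": "hxxp://evil-update[.]example/dl.php", "type": "url", "confidence": 70, "last_seen": "2016-11-06"},
    ],
    "feed_c": [
        {"indicator": "198.51.100.23", "type": "ip", "confidence": 50, "last_seen": "2016-10-30"},
        {"indicator": "8.8.8.8", "type": "ip", "confidence": 10, "last_seen": "2016-11-06"},
    ],
}

# Constructed SIEM alerts; "severity" is the SIEM's own 1..3 rating.
ALERTS = [
    {"id": "A1", "rule": "outbound_connection", "src": "10.0.0.5", "dst": "198.51.100.23", "severity": 2},
    {"id": "A2", "rule": "dns_query", "src": "10.0.0.7", "dst": "EVIL-update.example", "severity": 1},
    {"id": "A3", "rule": "dns_query", "src": "10.0.0.9", "dst": "8.8.8.8", "severity": 1},
    {"id": "A4", "rule": "failed_logins", "src": "10.0.0.11", "dst": "10.0.0.1", "severity": 3},
]


def normalize(indicator: str) -> str:
    """Undo common defanging and case differences so feeds can be matched."""
    return (indicator.strip().lower()
            .replace("[.]", ".")
            .replace("hxxps://", "https://")
            .replace("hxxp://", "http://"))


def merge_feeds(feeds: Dict[str, List[dict]], now: datetime = NOW) -> Dict[str, dict]:
    """Collapse all feeds into one table keyed by normalized indicator."""
    merged = defaultdict(lambda: {"sources": set(), "max_conf": 0, "last_seen": None, "type": None})
    for source, items in feeds.items():
        for item in items:
            seen = datetime.strptime(item["last_seen"], "%Y-%m-%d")
            if now - seen > timedelta(days=MAX_AGE_DAYS):
                continue   # stale indicator: noise, not intelligence
            m = merged[normalize(item["indicator"])]
            m["sources"].add(source)
            m["max_conf"] = max(m["max_conf"], item["confidence"])
            m["last_seen"] = seen if m["last_seen"] is None else max(m["last_seen"], seen)
            m["type"] = item["type"]
    scored: Dict[str, dict] = {}
    for key, m in merged.items():
        age_days = (now - m["last_seen"]).days
        freshness = max(0.0, 1.0 - age_days / MAX_AGE_DAYS)        # 1.0 = seen today
        corroboration = min(len(m["sources"]), 3) / 3.0             # caps at 3 feeds
        score = round(m["max_conf"] * (0.5 + 0.5 * freshness) * (0.6 + 0.4 * corroboration))
        if score >= MIN_SCORE:
            scored[key] = {"type": m["type"], "score": score, "sources": sorted(m["sources"])}
    return scored


def triage(alerts: List[dict], intel: Dict[str, dict]) -> List[dict]:
    """Enrich each alert with matching intel and order the queue by priority."""
    ranked = []
    for alert in alerts:
        hit = intel.get(normalize(alert["dst"]))
        priority = alert["severity"] * 10 + (hit["score"] if hit else 0)
        ranked.append({**alert, "intel": hit, "priority": priority})
    ranked.sort(key=lambda r: r["priority"], reverse=True)
    return ranked


if __name__ == "__main__":
    intel = merge_feeds(FEEDS)
    for row in triage(ALERTS, intel):
        print(row["priority"], row["id"], row["dst"], row["intel"])
```

With these inputs the three feeds yield three usable indicators: the stale 203.0.113.9 entry and the low-confidence 8.8.8.8 entry are discarded, and the two spellings of evil-update.example collapse into one record corroborated by two feeds. The low-severity DNS alert for that domain therefore jumps ahead of the SIEM's own higher-severity failed-login alert, which is exactly the reordering an analyst wants from enrichment during triage.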

In one of my next columns, I will introduce this paradigm, along with its main potential in the world of Security Operations and Incident Response. In the meantime, you can follow me on our LinkedIn page.

DFLabs Presents on “Standardizing Data Breach Response” at Data Privacy Asia 2016

DFLabs previews new cyber incident response playbook for Asian regulatory environment

Boston – November 7, 2016 – DFLabs, the global leader in cyber incident response automation and orchestration, announced today that its Vice President of Engineering, Andrea Fumagalli, will present on “Standardizing Data Breach Response: State of the Art” at Data Privacy Asia 2016, to be held November 9-11 in Singapore at the One Farrer Hotel & Spa. DFLabs will also preview a new playbook dedicated to breach notification, response and compliance activities specific to the Asian regulatory environment.

The IncMan RP playbook, one of the largest playbook data sets on the market, is a new module of the company’s cyber incident response automation and orchestration platform, IncMan. The playbook is based on U.S. and EU regulations and industry standards and gives customers immediate access to a large number of pre-built incident and data breach response actions. Providing the most playbooks available today to handle the entire breach response process, from technical to operational and legal, it is divided into state/federal, industry sector and type of incident/breach segments and works with both human- and machine-based processes.

“Active data breach and privacy regulations are making incident response platforms mandatory and our commercial and government customers in Singapore and Asia are working very hard to establish the right framework for cyber incident and breach response. As the first mover in fast growing categories of Security Operations, Analytics and Reporting (SOAR) and Security Incident Response Platforms (SIRP), we are happy and proud to participate in this important event, educate on global standards and best practices, and serve customers with our unique new playbooks,” said Dario Forte, Founder and CEO of DFLabs.

In his Data Privacy Asia 2016 session on Wednesday, November 9th, from 4:00pm to 4:30pm, Fumagalli will cover the recent progress made by ISO (the International Organization for Standardization) in the field of incident and data breach response. In the past 36 months, five standards have been published with the purpose of providing practitioners and evaluators a series of consensus-based tools to support cybersecurity operations and breach response. As one of the most recognized experts in ISO standards, he will give an overview of the entire spectrum, along with insights on how to implement them in organizations of any size, including an overview of the available technologies to automate and orchestrate incident management and response.

“These developments further our vision of Supervised Active Intelligence® to combine automation, orchestration, and response in one powerful platform, giving cyber operations and incident response teams the ability to react faster globally while maintaining the critical element of human control,” added Forte.

About DFLabs
DFLabs is a recognized global leader in cyber incident response automation and orchestration. The company is led by a management team recognized for its experience in and contributions to the information security field, including co-editing industry standards such as ISO 27043 and ISO 30121. IncMan, Cyber Incidents Under Control, is the flagship product, adopted by Fortune 500 and Global 2000 organizations worldwide. DFLabs has operations in Europe, North America, the Middle East, and Asia, with US headquarters in Boston, MA and world headquarters in Milano, Italy. For more information visit DFLabs or connect with us on Twitter @DFLabs.

Media contacts:
Leslie Kesselring, Kesselring Communications
503-358-1012
[email protected]