Don’t Wait for the Next Breach – Simulate It

Over the past few months during the post-hoc analysis of WannaCry-Petya, we have spoken in great lengths about what should have been done during the incident. This is quite a tricky thing to do in a balanced way because we are all clever in hindsight. What hasn’t been spoken about enough is understanding more generally what we need to do when things go wrong.

This question isn’t as simple as it appears, as there are a lot of aspects to consider during an incident, and only a brief window to identify, contain and mitigate a threat. Let’s look at just a few of these:

Response times
This is often the greatest challenge but of utmost importance. The response is not only understanding the “how” and “why” of a threat but is also about putting the chain of events into action to make sure that the “what” doesn’t spiral out of control.

Creating an effective playbook
A playbook should be a guide on how your incident response plan must be executed. Orchestration platforms contain these playbooks/runbooks. Also, note that these are not generic plug and forget policies. They need to be optimized and mapped to your business and regulatory requirements and are often unique to your organization. Otherwise, the incident will be controlled by an incorrect playbook.

Skills and tool availability
Do you have the correct skills and tools available and are you able to leverage these. Do you understand where your security gaps are and do you know how to mitigate them?

On paper, incident response always works. Right until the moment of truth during a data breach that shows that it doesn’t. To avoid relying on theory only, it is best to run breach simulations and simulate some of the attacks that may affect your organization to find out if your processes and playbooks also work under more realistic conditions.

We’re always playing catch‒up for many reasons—new technologies, new vulnerabilities, and new threats. Software and hardware may possibly always be at the mercy of hackers, criminal actors and other threat actors, so prevention alone is futile. We have to become more resilient and better at dealing with the aftermath of an attack.

The key summary for me is this: How do you respond? Can the response be improved? Utilize the lessons learned in breach simulations to understand how you make the response better than before.

3 Best Practices for Incident Categorization to Support Key Performance Indicators

The DNA sequence for each human is 99.5% similar to any other human. Yet when it comes to incident response and the manner in which individual analysts may interpret the details of a given scenario, our near-total similarity seems to all but vanish. Where one analyst might characterize an incident as the result of a successful social engineering attack, another may instead identify it as a generic malware infection. Similarly, a service outage may be labeled as a denial of service by some, while others will choose to attribute the root cause to an improper procedure carried out by a systems administrator. Root cause and impact, or incident outcome, are just a couple of the many considerations that, unless properly accounted for in a case management process, will otherwise play havoc on a security team’s reporting metrics.

Poor Key Performance Indicators can blind decision makers

What is the impact of poor KPI’s? All too often the end result leads to equally poor strategic decisions. Money and effort may be assigned to the wrong measures, for example into more ineffective prevention controls instead of improved response capability. In a worst case scenario, poor KPI’s can blind decision makers to the most pertinent security issues of their enterprise, and the necessary funding for additional security may be withheld altogether.

Three best practices are required to address this all too common problem of attaining accurate reporting:

  1. A coherent incident management process is necessary in order to properly categorize incident activity. Its definitions must be clear, taking into account outliers, clarifying how root causes and impacts are to be tracked, and providing a workflow to assist analysts in accurately and consistently determining incident categorization.
  2. The process must be enforced to guarantee uniform results in support of coherent KPI’s. Training, quality assurance, and reinforcement are all necessary to ensure total stakeholder buy-in.
  3.  Security teams must have the technologies to support effective incident response and proper categorization of incidents.

There are several ways that the IncMan platform supports the three best practices:

First, IncMan provides a platform to act as the foundation for an incident management program. It provides customizable incident forms allowing for complete tailoring to an organization and the details it must collect in support of its unique reporting requirements. Custom fields specific to distinct incident types allow for detailed data collection and categorization. These custom fields can be coupled with common attributes to track specific data, thereby providing a high level of flexibility for security teams in maintaining absolute reporting consistency across the team’s individual members.

Next, playbooks can be associated with specific incident types, providing step-by-step instructions for specialized incident response activities. Playbooks enforce consistency and can further reinforce reporting requirements. However, playbooks are not completely static, and while they certainly provide structure, IncMan’s playbooks also offer the ability to improvise, add, remove or substitute actions on the fly.

The platform’s Knowledge Base offers a repository for reference material to further supplement playbook instructions. Information collection requirements defined within playbook steps can be linked to Knowledge Base references, arming analysts with added information, for example with standard operating procedures pertaining to individual enterprise security tools, or checklists for applicable industry reporting requirements.

IncMan also includes Automated Responder Knowledge (ARK), a machine learning driven approach that learns from past incidents and the response to them, to suggest suitable playbooks for new or related incident types. This is not only useful for helping to identify specific campaigns and otherwise connected incident activity but can also highlight historical cases that can serve as examples for new or novice analysts.

Finally, the platform’s API and KPI export capabilities enable the extraction of raw incident data, allowing for data mining of valuable reporting information using external analytics tools. This information can then be used to paint a much clearer picture of an enterprise’s security posture and allow for fully-informed strategic decision-making.

Collectively, the IncMan features detailed above empower an organization with the means to support consistency in incident categorization, response, and reporting. For more information, please visit us at https://www.dflabs.com

Slaying the Hydra – Incident Response and Advanced Targeted Attacks

In incident response, protecting against a targeted attack is like slaying the hydra. For those not familiar with what a hydra is, it is a multi-headed serpent from Greek mythology, that grows two new heads for every head you chop off. A determined attacker will try again and again until they succeed, targeting different attack vectors and using a variety of tactics, techniques, and procedures.

The Snowden and Shadowbroker leaks really drove this home, giving partial insight into the toolkit of nation state actors. What really stuck out to me was the sheer variety of utilities, frameworks, and techniques to infiltrate and gain persistence in a target. Without the leak, would it be possible to reliably determine that all of those hacking tools belonged to a single entity? Would a large organization with thousands of alerts and hundreds of incidents every day be able to identify that these different attacks belonged to a single, concerted effort to breach their defenses, or would they come to the conclusion that these were all separate, unrelated attempts?

Our colleagues in the Threat Intelligence and Forensic analysis industries have a much better chance to correlate these tools and their footprint in the wild – they may discover that some of these tools share a command and control infrastructure for example. A few did have at least an outline of the threat actor, but judging by the spate of advisories and reports that were released after the leaks, not very many actually appear to have achieved this to a great degree. The majority were only able to piece the puzzle together once equipped with a concise list of Indicators of Compromise (IoC) and TTP’s to begin hunting with.

“How does this affect me? We are not important enough to attract the attention of a nation state actor”

Some readers may now be thinking, “How does this affect me? We are not important enough to attract the attention of a nation state actor”. I would urge caution in placing too much faith in that belief.

On the one hand, for businesses in some countries the risk of economic espionage by-nation state hacking has decreased. As I wrote on Securityweek in July, China has signed agreements with the USA, Canada, Australia, Germany and the UK limiting hacking for the purpose of stealing trade secrets and economic espionage. However, this does not affect hacking for national security purposes, and it will have little impact on privately conducted hacking. These are also bilateral agreements, and none exist in other nations, for example, Russia or North Korea. For militarily and economically weaker nation states, offensive cyber security is a cheap, asymmetric method of gaining a competitive or strategic advantage. As we have seen, offensive cyber activity can target civilian entities for political rather than economic reasons, and hackers are increasingly targeting the weakest link in the supply chain. This means that the potential probability of being targeted is today based more on your customer, partner, and supply chain network, and not just on what your organization does in detail. Security through obscurity has never been a true replacement for actual security, but it has lost its effectiveness as targeted attacks have moved beyond only focusing on the most prominent and obvious victims. It has become much easier to suffer from collateral damage.

Cyber criminals are becoming more organized and professional

On the other hand, cyber criminals are becoming more organized and professional, with individual threat actors selling their services to a wide customer base. A single small group of hackers like LulzSec may have a limited toolbox and selection of TTP’s, but professional cybercrime groups have access to numerous hackers, supporting services and purpose-built solutions. If they are targeting an organization directly and are persistent and not opportunistic, it will be as difficult to discern that a single concerted attack by one determined threat actor is taking place.

What this means in practical reality for any organization that may become the target of a sophisticated threat actor, is that you have to be on constant alert. Identifying, responding to and containing a threat is not a process to be stepped through with a final resolution step – instead, cyber security incident response is an ongoing, continuous and cyclical process. Advanced and persistent attacks unfold in stages and waves, and like a war consist of a series of skirmishes and battles that continue until one side loses the will to carry on the conflict or succeeds in their objectives. Like trying to slay the hydra, each incident that you resolve means that the attacker will change their approach and that the next attempt may be more difficult to spot. Two new heads have grown instead of one.

To tackle this requires that we cultivate a perpetual state of alertness in our SOC and CSIRT

To tackle this requires that we cultivate a perpetual state of alertness in our SOC and CSIRT – but we must do this without creating a perpetual state of alarm. The former means that your team of analysts is always aware and alert, looking at individual incidents as potentially just one hostile act of many that together could constitute a concerted effort to exfiltrate your most valuable data, disrupt your operational capacity, or abuse your organization to do this to your partners or customers. In the latter case, your analysts will suffer from alert fatigue, a lack of true visibility of threats, and a lack of energy and time to be able to see the bigger picture.
The hydra will have too many heads to defeat.

In the Greek legend of Heracles, the titular hero eventually defeats the Hydra by cauterizing each decapitated stump with fire to prevent any new heads from forming. Treating an incident in isolation is the Security Incident Response equivalent of chopping off the head of the hydra without burning the stump. Applied to our problem, burning the stump means that we have to conduct the response to each incident thoroughly and effectively, and continue the process well beyond containment.

We must invest more time in hunting and investigating, and we have to correlate and analyze the relationship between disparate incidents. We must use threat intelligence more strategically to derive situational awareness, and not just tactically as a machine-readable list of IoC’s. This also requires gathering sufficient forensic evidence and context data about an incident and related assets and entities during the incident response process, so that we can conduct post event analysis and continuous threat assessment after containment and mitigation have been carried out. This way we can better anticipate the level of threat that we are exposed to, and make more informed decisions about where to focus our resources, add mitigating controls and improve our defenses. In Incident Response “burning the stump” means making it more difficult for threat actors to succeed in the future by presenting them with a hardened attack surface, reducing their reside time in our infrastructure, and reducing the time we need to discover and contain them. To do this we need to learn from every incident we manage.

Interested to know what 412 IT professionals and cyber security professionals think on the latest Security Analytics and Operations trends?

Visual Event Correlation Is Critical in Cyber Incident Associational Analysis

I can remember sometime around late 2001 or early 2002, GREPing Snort logs for that needle in a haystack until I thought I was going to go blind. I further recall around the same time cheering the release of the Analysis Console for Intrusion Databases (ACID) tool which helped to organize the information into something that I could start using to correlate events by way of analysis of traffic patterns.

Skip ahead and the issues we faced while correlating data subtly changed from a one-off analysis to a lack of standardization for the alert formats that were available in the EDR marketplace. Each vendor was producing significant amounts of what was arguably critical information, but unfortunately all in their own proprietary format. This rendered log analysis and information tools constantly behind the 8-ball when trying to ingest all of these critical pieces of disparate event information.

We have since evolved to the point that log file information sharing can be easily facilitated through a number of industry standards, i.e., RFC 6872. Unfortunately, with the advent of the Internet of Things (IoT), we have also created new challenges that must be addressed in order to make the most effective use of data during event correlation. Specifically, how do we quickly correlate and review:

a. Large amounts of data;

b. Data delivered from a number of different resources (IoT);

c. Data which may be trickling in over an extended period of time and,

d. Data segments that, when evaluated separately, will not give insight into the “Big Picture”

How can we now ingest these large amounts of data from disparate devices and rapidly draw conclusions that allow us to make educated decisions during the incident response life cycle? I can envision success coming through the intersection of 4 coordinated activities, all facilitated through event automation:

1. Event filtering – This consists of discarding events that are deemed to be irrelevant by the event correlator. This is also important when we seek to avoid alarm fatigue due to a proliferation of nuisance alarms.

2. Event aggregation – This is a technique where a collection of many similar events (not necessarily identical) are combined into an aggregate that represents the underlying event data.

3. Event Masking – This consists of ignoring events pertaining to systems that are downstream of a failed system.

4. Root cause analysis – This is the last and quite possibly the most complex step of event correlation. Through root cause analysis, we can visualize data juxtapositions to identify similarities or matches between events to detect, determine whether some events can be explained by others, or identify causational factors between security events.

The results of these 4 event activities will promote the identification and correlation of similar cyber security incidents, events and epidemiologies.

According to psychology experts, up to 90% of information is transmitted to the human brain visually. Taking that into consideration, when we are seeking to construct an associational link between large amounts of data we, therefore, must be able to process the information utilizing a visual model. DFLabs IncMan™ provides a feature rich correlation engine that is able to extrapolate information from cyber incidents in order to present the analyst with a contextualized representation of current and historical cyber incident data.

As we can see from the correlation graph above, IncMan has helped simplify and speed up a comprehensive response to identifying the original infection point of entry into the network and then visual representing the network nodes that were subsequently affected, denoted by their associational links.

The ability to ingest large amounts of data and conduct associational link analysis and correlation, while critical, does not have to be overly complicated, provided of course that you have the right tools. If you’re interested in seeing additional capabilities available to simplify your cyber incident response processes, please contact us for a demo at [email protected]

A Weekend in Incident Response #12: How to Create Cyber Incident Recovery Playbooks in Line with New NIST Guide

When it comes to protecting your organization against cyber incidents, you can never be too careful. The methods and techniques employed by cyber criminals are becoming increasingly sophisticated with each passing day, requiring you to adapt and improve your cyber defense accordingly. One of the most important aspects of any type of protection against cyber attacks is the way you respond to and recover from current and past cybersecurity events. Cyber incident recovery playbooks as an integral part of an organization’s incident response strategy can go a long way toward reducing reaction times and restoring operations as soon as possible following an attack.

In this regard, it can be said that cybersecurity incident response platforms are necessary for every organization that needs to protect information and other assets that could be potential targets of cyber criminals. These types of platforms help businesses and government agencies stave off cyber attacks and recover from data breaches, and their usage is in line with recommendations by the United States National Institute of Standards and Technology (NIST). To make it easier for organizations to recover from various cybersecurity incidents as quickly as possible, the NIST constantly issues new and updated guidelines that represent a good foundation that organizations can rely on while developing their cyber incident response plans. The latest guide introduced by the NIST focuses on what organizations can do to make their recovery procedures and processes more effective and less time-consuming.

Efficient Risk Management

The Guide for Cybersecurity Event Recovery encompasses wide-ranging tips on how to create a best practices plan for making an organization’s system fully operational following a breach. One of the key points addressed in this guide is the fact that recovery is a crucial aspect of the broader risk management efforts within an organization, stressing that there are various solutions for bringing a system back online, but no matter the severity of the breach that brought the system down, every organization needs to be prepared to respond to these events in advance. To do that, organizations are advised to adopt detailed plans and cyber incident recovery playbooks for various types of cybersecurity incidents, so that they can reduce their reaction time and minimize the damage in the event of a data breach.

Playbooks are a central key to the Recovery Processes and Procedures

When it comes to recovery, the NIST guide basically states that every organization needs to focus on the development of recovery processes and procedures that are centered around playbooks, which would allow them to respond to different types of breaches in the most effective way.

Automated playbooks are considered to be a crucial tool for a successful recovery operation. Using a platform providing automated cyber security incident recovery playbooks increases the level of preparedness of your organization to quickly respond to cybersecurity events and recover from data breaches, ransomware, and other incidents. The guide advises recovery teams within each organization to run the plays with table top exercises so that they can be constantly aware of all potential risk scenarios and detect potential gaps in their response plans.

In addition to playbooks, the guide highlights the aspect of documenting current and past cybersecurity incidents as another important factor for improving an organization’s recovery capabilities. To that end, organizations should utilize a platform that includes automated playbooks and has the ability to track digital evidence and analyze the causes of cybersecurity incidents. Followed by an automated creation of extensive and detailed incident reports. A platform of this type is the best solution for a comprehensive cybersecurity incident protection, encompassing identification, detection, response, and recovery.

A Weekend in Incident Response #11: Protecting Trade Secrets and Personal Information Through Cyber Incident Response Plans

Protecting customer data and intellectual property are among the top priorities for government agencies, as well as corporations across many different industries, such as healthcare, finance, entertainment, and insurance, to name a few. The main goal of data breaches – which are extremely common in our digital world – is stealing confidential customer information or valuable intellectual property. Banks, hospitals, insurance companies, along with government institutions, are often the target of cyber crimes involving fraud and intellectual property theft. Considering that these types of breaches – which are not always avoidable or preventable – can have wide-ranging consequences for every organization. They must take a broad set of precautionary measures in order to minimize the damage and recover as soon as possible. Among those measures is devising incident response plans, as well as adopting a platform that can keep cybersecurity incidents under control, by helping you determine what type of cyber attack your organization is under, how you should prioritize your response, and what you can do to contain the damage.

Fast Incident Triage

If an organization uses a cybersecurity platform with robust incident response capabilities, the organization’s leadership can have peace of mind that even if they get attacked, they will be able to solve the incident as quickly and as efficiently as possible.

One of the key elements to an effective incident response is incident triage. Organizations should acquire a cybersecurity platform that offers this feature, which is essential for improving its CSIRT’s efficiency. Incident triage is important because it allows your team to quickly analyze what happened and determine what actions they need to take first, enabling a continuation of the operations within the organization and containment of the damage.

Case Management

Once a data breach is detected, and the incident triage process is completed, some of the next steps involve managing the impact and preparing for potential litigation, which organizations often face when they’ve experienced a data breach. To that end, corporations and government agencies should use a platform that provides litigation support, which covers several aspects, such as customizable reports needed for material disclosures, as well as the preservation of evidence and chain-of-custody tracking to preserve all artifacts and record all activities. Allowing a proper investigation that could help your organization avoid crippling potential legal liabilities.

In conclusion – the mentioned features are crucial for protecting customer data and trade secrets in the era of data breaches. Organizations can easily take advantage of extra robust feature functionality by obtaining a cybersecurity platform that incorporates all those capabilities necessary for a complete solution that meets and exceeds your requirements.

How Are Automated Incident Response Playbooks Crucial to an Effective IR Program

Considering that we live and work in an increasingly connected world, it can be said that nowadays there is no organization that is immune to cyber attacks and data breaches. No matter how sophisticated your cyber defense is, you always need to be prepared for all eventualities that might arise from potential vulnerabilities within your computer networks or systems. That is why having a proper cyber incident response plan in place is crucial to the security of every organization since it enables you to detect and respond to cyber security breaches as quickly and efficiently as possible. For a cyber incident response plan to be successful, it should rely on automated incident response playbooks that can provide an automated response to any cyber attack, reducing the time it takes to solve an incident and allowing your organization to resume operations as soon as possible.

Automated Computer Forensics and Remediation

By using a platform that incorporates automated playbooks, organizations streamline their cybersecurity. As the playbooks provide automated digital forensics and remediation of the target, in addition to prioritized workflows that help when responding to all threats in the most effective manner.

To put it briefly, automated cyber incident response playbooks replace several time-consuming and often very costly processes and tasks that need to be completed following an advanced cyber attack. Tasks like tracking and gathering evidence that usually takes a lot of time to complete which only prevents investigators from spending more time trying to solve the problem. With a platform that offers automated playbooks, your cyber security team can focus on analyzing an incident, instead of collecting information.

Quick Response to Every Specific Incident

Security incident response playbooks help cyber security teams select the workflow that’s best suited for a specific threat. This allows them to prioritize their response, as well as choose the right tools that are required to solve a problem. These kinds of playbooks are a paramount part of an automated and orchestrated incident response, which is a key requirement for every SOC and CSIRT.

In conclusion, businesses and organizations are searching for a solution that enables a quick recovery from cyber attacks and helps prevent future potential threats. Investing in a complete platform that includes automated playbooks is one of the wisest investments they can make to protect proprietary and critically valuable information.

A Weekend in Incident Response #9: How Can Banks Meet the New Cyber Security Requirements?

Financial institutions are always at a great risk of falling victims to cyber-attacks. They are under a constant threat of being attacked by hackers looking to obtain confidential information that can be potentially very lucrative. In a bid to make sure banks are prepared to respond to cyber threats in the most efficient manner, three U.S. federal agencies in charge of overseeing and regulating the work of banks have proposed a set of cyber security requirements that the financial institutions must meet when it comes to the management of cyber security risks.

The Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency have issued an advance notice of proposed rulemaking (ANPR) that contains standards on how to manage and improve resilience regarding cybersecurity risks.

The standards are designed to help protect financial institutions, as well as their clients, against potential cyber threats.

Incident Response and Cyber Resilience Among the Standards

Per the advance notice, the proposed standards will cover a specific group of financial institutions, including depository institutions and depository institution holding companies with total assets of at least $50 billion, along with financial market infrastructure companies and non-bank financial companies that are supervised by the Board.

These covered entities should comply with specific cyber security requirements that are designed to improve their cyber incident response procedures and prepare for potential cyber-attacks.

The agencies propose five categories of standards regarding cyber security:

  • cyber risk governance
  • cyber risk management
  • internal dependency management
  • external dependency management
  • incident response, cyber resilience and situational awareness

One Platform to Comply with all Cyber Security Requirements

Considering that there are a lot of aspects that the covered entities will have to pay attention to in order to meet the above-mentioned standards, it would be most cost-effective and practical for them if they adopted a platform that is capable of completing all tasks proposed by the standards.

Such platforms are now available on the market and can make life much easier for all organizations that these standards apply to. For instance, there are platforms that can help organizations ensure an effective and extensive incident response plan, providing complete control over cyber incidents. Organizations are advised to acquire such a platform that provides the ability to track and predict cyber security incidents, track and gather digital evidence, and create statistical reports, which are a key element to resolving a certain breach.

Also, that same platform can automatically manage all cases and data that’s required for cyber threats within your organization, as well as lab and inventory management, helping you comply with the cyber risk management requirements.

Finally, a platform that is specifically designed to prioritize your response and reduce the time it takes you to solve a cyber incident. The solution should help you comply with the Internal dependency management standards, while assessing the risk and provide action plans. A complete and full solution helps organizations reduce the risks of cyber-attacks and comply with the External dependency management standards.

A weekend in Incident Response #8: How to Prepare for the Updated US-CERT Cybersecurity Notification Guidelines

The United States Computer Emergency Readiness Team (CERT) has announced that it will implement new cybersecurity notification guidelines, which are going to have a significant impact on how government agencies and organizations from the private sector deal with cyber incidents.

As the US-CERT states, the new guidelines will impose new requirements regarding notifications on cybersecurity incidents, that must be complied with by all Federal Departments and agencies; state, local, tribal, and territorial government agencies; along with private-sector organizations, and Information Sharing and Analysis Organizations. The cybersecurity notification guidelines will include a specific procedure involving how, when, and who the covered entities will be required to notify after they detect an incident within their organizations.

Identifying Incidents Through a Seven-Step Process

According to the guidelines, in order for an agency to be able to notify the CERT of an incident properly, it will have to complete a process consisting of seven steps. For starters, the agency must identify the current level of impact an incident has on its services or functions. Then, identification of the type of information lost, compromised, or corrupted, is required. This step should be followed by an estimation of the scope of time and resources that an agency will have to spend in order to recover from the incident.

Next, agencies should identify when the activity was first detected, after which they will be required to identify how many systems, records, and users have been impacted. The final two steps are the identification of the location of the network the activity was observed in, and identification of the point of contact information for additional follow-up.

After completing the above-named steps, agencies will have to submit the notification to the US-CERT, with a specific set of information that is required to be included in the notification, such as:

  • Information on the attack vector(s) that lead to the incident
  • Indicators of compromise
  • Information related to any mitigation activities that the agency has taken in response to the incident

Incident Response Platforms

In order to be able to comply with the new requirements regarding cybersecurity incident notifications, organizations are advised to employ a cybersecurity platform that provides a comprehensive and automated incident and forensic case management.

A platform that provides you with a set of playbooks specifically tailored to many potential cyber threats. Your organization can save a great deal of time and resources by using a tool that can create automated incident reports and send them to your cybersecurity team, a process which would be in compliance with the new US-CERT guidelines.

Considering that the cybersecurity incident notification process under the new cybersecurity notification guidelines is extensive and can be challenging for some organizations that do not have the resources or the knowledge necessary to complete it, acquiring a platform that can do all the required steps for you is the best solution for all entities covered by the guidelines. This is where a platform containing prioritized workflows designed to help your business respond to current threats and prepare your cyber defense systems for future threats, which are bound to occur eventually, can come in handy. Finally, considering the upcoming US-CERT guidelines, every private-sector organization and government agency could use a platform that can track digital evidence and entire investigative processes, as some of the key steps that should be performed when notifying authorities of an incident.

A Weekend in Incident Response #7: The Importance of Accurate Cyber Incident Reporting and Preservation of Digital Evidence

Although cyber security solutions are advancing at an extraordinarily fast pace, the harsh reality is that cyber attacks will continue to occur and hackers will continue to breach the networks and computer systems of businesses and government agencies around the globe. Efficient and accurate cyber incident reporting is considered key to mitigating the potential damage these attacks can inflict.

All cyber security experts agree that cyber attacks are inevitable and can’t always be prevented. No matter how sophisticated an organization’s cyber defense is, there will always be a way to breach it. With that in mind, the best way to defeat attackers is to devise the best possible cyber incident response plan. The way you respond to an incident is one of the crucial aspects to the efforts for ultimately defeating hackers and preventing recurring attacks. Reporting and forensic investigations are the two of the most important elements of a successful cyber incident response plan.

Keeping Incidents Under Control

A quick and effective response to a cyber incident should include having firm control over all data breaches and incidents, which is best executed through the utilization of an incident response orchestration platform that provides automated and manual response, to immediately detect and respond to breaches.

There are platforms on the market that provide complete control over cyber security incidents, along with gathering evidence efficiently, specific, and detailed playbooks that help you react to an incident fast and effectively, and integration with forensic and response systems.

These types of features are essential for organizations that want to make sure that they preserve the scene of a cyber security incident, which in turn results in a more effective investigation, fast recovery, as well as compliance with existing regulations. It’s an accurate way to prevent a destruction or loss of evidence, which often occurs unintentionally and prevents a speedy recovery following a breach.

Efficient Reporting

An efficient incident response includes accurate cyber incident reporting, as well. Reporting to authorities is an important part of the process of resolving cyber-crime cases, and it should be conducted in accordance with existing regulations, such as the EU Network Information Security (NIS) directive, and the new cyber incident reporting rule introduced by the U.S. Department of Defense, that is supposed to go into effect in 2017.

If your organization is a victim of a cyber-attack, notifying authorities about the incident should be one of your top priorities. The creation of reports is useful for a faster recovery. With a tool that can create automated incident reports and send them to the security team within an organization, the organization reduces the time it takes to react and resolve a cyber incident, and contain the damage.