Over the past few months during the post-hoc analysis of WannaCry-Petya, we have spoken at great length about what should have been done during the incident. This is quite a tricky thing to do in a balanced way because we are all clever in hindsight. What hasn’t been spoken about enough is understanding more generally what we need to do when things go wrong.
This question isn’t as simple as it appears, as there are a lot of aspects to consider during an incident, and only a brief window to identify, contain and mitigate a threat. Let’s look at just a few of these:
– Response times
This is often the greatest challenge but of utmost importance. The response is not only understanding the “how” and “why” of a threat but is also about putting the chain of events into action to make sure that the “what” doesn’t spiral out of control.
– Creating an effective playbook
A playbook should be a guide on how your incident response plan must be executed. Orchestration platforms contain these playbooks/runbooks. Also, note that these are not generic plug-and-forget policies. They need to be optimized and mapped to your business and regulatory requirements and are often unique to your organization. Otherwise, the incident will be controlled by an incorrect playbook.
– Skills and tool availability
Do you have the correct skills and tools available, and are you able to leverage them? Do you understand where your security gaps are, and do you know how to mitigate them?
On paper, incident response always works. Right until the moment of truth during a data breach that shows that it doesn’t. To avoid relying on theory only, it is best to run breach simulations and simulate some of the attacks that may affect your organization to find out if your processes and playbooks also work under more realistic conditions.
We’re always playing catch-up for many reasons—new technologies, new vulnerabilities, and new threats. Software and hardware may always be at the mercy of hackers, criminal actors and other threat actors, so prevention alone is futile. We have to become more resilient and better at dealing with the aftermath of an attack.
The key summary for me is this: How do you respond? Can the response be improved? Utilize the lessons learned in breach simulations to understand how you make the response better than before.
I have often talked about the benefits of employing flexible playbooks to deal with evolving cyber incidents and unique threat scenarios, and in this series of blogs, I am going to explore some of the points of emphasis when creating a new playbook.
The advantage of Security Orchestration, Automation and Response (SOAR) platforms, and in particular our IncMan platform, is the ability they provide to tailor playbooks or runbooks to deal with all manner of cyber incidents. These playbooks are defined by three key factors:
1. Phases: Determine the number of phases for the response process based on the incident scenario. The phases are really a placeholder for what you are trying to achieve in your response.
2. Automation: How much automation will benefit the given scenario without hindering or otherwise adversely impacting your business.
3. Actions: What actions apply to each phase and what is the benefit of each action.
Wash, Rinse, Re-playbook.
Playbooks, or runbooks, should never be static and hard-coded for a fixed set of events. Ultimately, incidents will differ and you should always remain in control, ready to adapt and adjust the response workflow. This flexibility is vital should a Plan B need to be executed. IncMan’s approach to security playbooks and runbooks supports both mature and emerging SOC teams by providing multi-flow advanced runbooks to the former, and for the less mature, a simplified playbook containing a dual mode where automation and manual actions can co-exist.
In talking with CSIRT/SOC managers, I have learned that they have typically aligned themselves with a particular standard. Most organizations follow the likes of ISO for Incident Response, NIST 800-62 or alternatives along the lines of CREST or NISA. Structured incident handling processes based on these standards are a great baseline, but how about also having actions and reactions pre-prepared and ready to respond immediately according to the threat you face? Can you see the instant advantage in having smaller, simpler playbooks and runbooks specific to an adversary or threat scenario?
Dealing with incidents using tailored playbooks will ultimately provide better threat coverage, as each has enrichment and containment actions that are concentrated on the tasks specific to a given scenario. Additionally, allowing your SOAR product to connect the dots and bring enrichment to the observables and indicators encountered in incidents will bring measurable value to the speed of the incident response process. Allowing analysts dynamic interaction at all phases of the workflow will also help your reactions become more efficient. This mix of structured playbooks and dynamic response capability can also help push CSIRT teams into a more proactive mindset, allowing system- and network-level security policy and infrastructure configuration changes to be handled on the fly while leveraging current and accurate information, all from a single response console.
Over the past few security conferences, I have noticed something of a trend emerging that centers on the uncertainty and hesitance that some incident response teams have regarding the use of playbooks and, in particular, around the notion of automation in incident response.
Another point of concern seems to be the security tools within existing infrastructure and how an incident response platform looks to make use of these tools. In an ideal scenario, an organization should use everything at its disposal in order to give its teams the best possible options for quick and successful incident response activities.
I think there are a couple of related challenges when talking about these issues, one of which is the existing resource skill sets and how they’re not the same across a typical IR team. This is a point that should really be considered when going through a solution discovery phase by asking the questions: What can I incorporate to best leverage the skills of the available resources? And, how do I best leverage the resources provided with an incident response platform?
At DFLabs, we look to help with these and many more points by providing out-of-the-box IncMan playbooks that are based on industry best practices and recognized standards. Furthermore, by giving you the ability to craft your own fully customized, simplified or advanced playbook, we enable your incident response teams with the freedom to react as they see fit, and in accordance with regulation or specific compliance measures applicable to your operations. To address any hesitance to automated response, your playbooks can be built to uniquely meet your comfort level, for example by leveraging automatic enrichment actions while also enforcing role-based security requirements to require authorization for any containment measures.
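The three factors above (phases, automation, actions), the dual mode in which automated and manual actions co-exist, and the requirement that containment measures be authorized by a suitably privileged role can all be expressed in a small playbook runner. The following is an added illustration written for this post; it is not IncMan code and does not reflect how DFLabs implements playbooks. The phase names, the `containment_approver` role, the constructed threat-intel table and the `203.0.113.7` observable are all assumptions made for the example.

```python
"""Minimal playbook runner: phases, per-action automation mode, and
role-based authorization for containment. Hypothetical example code,
not DFLabs' IncMan implementation."""
from dataclasses import dataclass
from enum import Enum
from typing import Callable, List, Set, Tuple


class Mode(Enum):
    AUTOMATED = "automated"  # runs as soon as its phase is reached
    MANUAL = "manual"        # an analyst must approve it first


@dataclass
class Action:
    name: str
    phase: str
    mode: Mode
    containment: bool  # containment always requires an authorized approver
    run: Callable[[dict], dict]


@dataclass
class Playbook:
    name: str
    phases: List[str]      # ordered; actions run phase by phase
    actions: List[Action]


@dataclass
class Analyst:
    name: str
    roles: Set[str]


# Constructed threat-intel table standing in for an enrichment integration.
THREAT_INTEL = {"203.0.113.7": {"reputation": "malicious", "tags": ["ddos-booter"]}}


def enrich_source(incident: dict) -> dict:
    # Automated enrichment: annotate observables without touching infrastructure.
    for obs in incident["observables"]:
        obs["intel"] = THREAT_INTEL.get(obs["value"], {"reputation": "unknown"})
    return incident


def block_source(incident: dict) -> dict:
    # Containment: record a block for each observable enrichment flagged as malicious.
    incident["blocked"] = [o["value"] for o in incident["observables"]
                           if o.get("intel", {}).get("reputation") == "malicious"]
    return incident


def notify_isp(incident: dict) -> dict:
    # Manual remediation step: an analyst decides when the ISP is contacted.
    incident["isp_notified"] = True
    return incident


def build_ddos_playbook() -> Playbook:
    # Assumed phase layout for a volumetric DDoS scenario.
    phases = ["analysis", "containment", "remediation"]
    actions = [
        Action("enrich_source", "analysis", Mode.AUTOMATED, False, enrich_source),
        Action("block_source", "containment", Mode.AUTOMATED, True, block_source),
        Action("notify_isp", "remediation", Mode.MANUAL, False, notify_isp),
    ]
    return Playbook("ddos-volumetric", phases, actions)


def execute(playbook: Playbook, incident: dict, analyst: Analyst,
            approvals: Set[str]) -> Tuple[dict, List[Tuple[str, str]]]:
    """Walk phases in order. Automated, non-containment actions run immediately;
    manual or containment actions wait for an explicit approval, and a containment
    approval is honoured only from an analyst holding the containment_approver role."""
    log: List[Tuple[str, str]] = []
    for phase in playbook.phases:
        for action in [a for a in playbook.actions if a.phase == phase]:
            gated = action.containment or action.mode is Mode.MANUAL
            if gated and action.name not in approvals:
                log.append((action.name, "pending_authorization"))
                continue
            if action.containment and "containment_approver" not in analyst.roles:
                log.append((action.name, "denied"))
                continue
            incident = action.run(incident)
            log.append((action.name, "executed"))
    return incident, log


def new_incident() -> dict:
    # Constructed sample incident with a single source-IP observable.
    return {"id": "INC-0001", "observables": [{"type": "ip", "value": "203.0.113.7"}]}


if __name__ == "__main__":
    tier1 = Analyst("tier1", {"analyst"})
    lead = Analyst("lead", {"analyst", "containment_approver"})
    pb = build_ddos_playbook()
    print(execute(pb, new_incident(), tier1, set())[1])
    print(execute(pb, new_incident(), tier1, {"block_source"})[1])
    print(execute(pb, new_incident(), lead, {"block_source", "notify_isp"})[1])
```

Run with no approvals, enrichment executes and both gated actions are reported as pending, which is the "automatic enrichment, authorized containment" posture described above; a tier-1 approval of `block_source` is logged as denied because the role check is separate from the approval itself.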
Lastly, by being platform agnostic, IncMan empowers you to incorporate your existing infrastructure for a comprehensive response strategy without a requirement for additional infrastructure investment.
Many organizations often complain about having to abide by strict regulations regarding government notification of cyber security events, claiming that such mandates only put them under an extra strain, in terms of increased expenses and unnecessary burden on their employees.
But, given that the risk of cyber attacks for many government agencies and private organizations across the world continues to grow, all activities that have to do with cyber security obviously need to be intensified, and notifying authorities is one of the key parts of those efforts. Detailed and timely government notifications of cyber security events often play a crucial role in preventing future incidents and improving and upgrading current incident response plans and programs.
Why Notifications Are Important
While it is true that government notification of a breach can be a time-consuming and complicated process, it is safe to say that – on top of overall cyber security efforts – it is also beneficial to companies in terms of protecting themselves from potential legal liabilities and substantial financial losses, along with unimaginable damage to their reputation.
Laws that mandate reporting cyber security incidents to governmental agencies and law enforcement vary from one country to another, but what they all have in common is the requirement to notify individuals whose sensitive information has been stolen or misused, or accessed in an unauthorized manner, in addition to notifying the authorities.
Save Time and Comply with Regulations Through Playbooks
One of the best ways to make sure your company complies with data breach notification laws is to update your cyber incident response program to include an automation and orchestration platform with dynamic reporting capabilities.
You can save a lot of valuable time by utilizing such a platform, considering that reporting cyber security events involves a complicated procedure and encompasses several different processes that can take up a lot of your time if you don’t use the proper tools to do it.
A platform with reporting capabilities can take care of all reporting requirements automatically and ensure that you don’t waste time on determining what information needs to be disclosed and how to notify law enforcement in a confidential manner, without risking accidentally sharing sensitive information with the public or with a party or individual that is not supposed to have access to it.
These types of platforms are able to quickly and reliably notify authorities and affected individuals of a data breach as soon as it occurs, through a variety of secure channels. They can create automated reports of any incident, containing information that describes the incident in detail, including what type of data has been accessed by an unauthorized person, and the amount of data that has been stolen, deleted, or compromised in any way.
By relying on a cyber incident response platform that features automated playbooks for breach notifications, your organization will always be prepared for the unwanted event of falling victim to a data breach and will avoid the risk of failing to comply with regulations that have to do with reporting cyber security events to law enforcement and affected organizations or individuals.
Cyber-attackers never stop inventing new and more creative methods and techniques that are meant to be more difficult to prevent. One of the most common types of attacks nowadays is the DDoS attack (Distributed Denial of Service attack), which is on the rise recently, unlike data breaches, according to the 2017 Cyber Incident & Breach Response Guide issued by the Online Trust Alliance.
Mitigating DDoS attacks is complicated and time-consuming. They often last several days and even weeks, bringing an organization’s operations to a complete halt for prolonged periods of time. It takes a coordinated effort from an organization’s CSIRT, C-level and its Internet Service Provider (ISP). Since it can take a lot of time to recover from a DDoS attack, it’s essential to have a response plan in place that is specifically designed to respond to these types of cybersecurity incidents. This will help reduce the team’s response time, contain the damage, and resume operations as soon as possible.
DDoS Attack Playbooks
In order to prepare for a future DDoS attack, it’s recommended that organizations utilize a cyber incident response platform, which has the ability to detect, predict and respond to various types of cybersecurity incidents. These platforms provide specialized automated playbooks for the different types of incidents, allowing organizations to automate the immediate response to a cybersecurity event and give their SOC and CSIRT the time to focus on recovery and making the organization’s systems fully functional as soon as possible.
Effective Containment and Recovery
A typical DDoS attack playbook includes the key aspects of a cyber incident response, such as analysis, containment, remediation, recovery, and post-incident actions. By employing such a playbook, the organization can quickly determine the specific part of the infrastructure that has been affected by the attack, so that the team knows which actions to take in order to resolve the incident. A pre-defined playbook will help organizations contain the damage by notifying the SOC and CSIRT on how to block the DDoS attack based on the analysis performed by the incident response platform.
After you have taken the proposed actions to contain the incident, the playbook will guide you through the remediation process. It will involve contacting your ISP and notifying law enforcement, which is where a cyber incident response platform’s capability to create automated incident reports comes in handy, too.
Finally, if you are utilizing a cyber incident response platform, you will have the possibility to enhance your preparedness for future cybersecurity events, by creating statistical reports that contain all the necessary metrics, which you can use to adjust your response to different types of attacks.
DFLabs previews new cyber incident response playbook for Asian regulatory environment
Boston – November 7, 2016 – DFLabs, the global leader in cyber incident response automation and orchestration, announced today its Vice President of Engineering, Andrea Fumagalli, will present on “Standardizing Data Breach Response: State of the Art” at Data Privacy Asia 2016, to be held November 9-11 in Singapore at the One Farrer Hotel & Spa. DFLabs will also preview a new playbook dedicated to breach notification, response and compliance activities specific to the Asian regulatory environment.
One of the largest data sets on the market, the IncMan RP playbook is a unique new module of the company’s cyber incident response automation and orchestration platform, IncMan. The playbook is based on U.S. and EU regulations and industry standards and gives customers immediate access to a large number of pre-built incident and data breach response actions to follow. Providing the most playbooks available today to handle the entire breach response process – from technical to operational and legal – it is divided into state/federal, industry sector and type of incident/breach segments and works with both human and machine based processes.
“Active data breach and privacy regulations are making incident response platforms mandatory and our commercial and government customers in Singapore and Asia are working very hard to establish the right framework for cyber incident and breach response. As the first mover in fast growing categories of Security Operations, Analytics and Reporting (SOAR) and Security Incident Response Platforms (SIRP), we are happy and proud to participate in this important event, educate on global standards and best practices, and serve customers with our unique new playbooks,” said Dario Forte, Founder and CEO of DFLabs.
In his Data Privacy Asia 2016 session on Wednesday, November 9th from 4:00pm-4:30pm, Fumagalli will cover the recent progress made by ISO (International Organization for Standardization) in the field of Incident and Data Breach Response. In the past 36 months 5 standards have been published, with the purpose of providing practitioners and evaluators a series of tools – based upon consensus – able to support Cyber Security Operations and Breach Response. As one of the most recognized experts in ISO standards, he will give an overview of the entire spectrum, along with some insights on how to implement them within an organization of any size, including an overview of the available technologies to automate and orchestrate incident management and response.
“These developments further our vision of Supervised Active Intelligence® to combine automation, orchestration, and response in one powerful platform, giving cyber operations and incident response teams the ability to react faster globally while maintaining the critical element of human control,” added Forte.
DFLabs is a recognized global leader in cyber incident response automation and orchestration. The company is led by a management team recognized for its experience in and contributions to the information security field, including co-editing many industry standards such as ISO 27043 and ISO 30121. IncMan – Cyber Incidents Under Control – is the flagship product, adopted by Fortune 500 and Global 2000 organizations worldwide. DFLabs has operations in Europe, North America, the Middle East, and Asia with US headquarters in Boston, MA and world headquarters in Milano, Italy. For more information visit: DFLabs or connect with us on Twitter @DFLabs.
Leslie Kesselring, Kesselring Communications