3 Best Practices for Incident Categorization to Support Key Performance Indicators

The DNA sequence for each human is 99.5% similar to any other human. Yet when it comes to incident response and the manner in which individual analysts may interpret the details of a given scenario, our near-total similarity seems to all but vanish. Where one analyst might characterize an incident as the result of a successful social engineering attack, another may instead identify it as a generic malware infection. Similarly, a service outage may be labeled as a denial of service by some, while others will choose to attribute the root cause to an improper procedure carried out by a systems administrator. Root cause and impact, or incident outcome, are just a couple of the many considerations that, unless properly accounted for in a case management process, will otherwise play havoc on a security team’s reporting metrics.

Poor Key Performance Indicators can blind decision makers

What is the impact of poor KPI’s? All too often the end result leads to equally poor strategic decisions. Money and effort may be assigned to the wrong measures, for example into more ineffective prevention controls instead of improved response capability. In a worst case scenario, poor KPI’s can blind decision makers to the most pertinent security issues of their enterprise, and the necessary funding for additional security may be withheld altogether.

Three best practices are required to address this all too common problem of attaining accurate reporting:

  1. A coherent incident management process is necessary in order to properly categorize incident activity. Its definitions must be clear, taking into account outliers, clarifying how root causes and impacts are to be tracked, and providing a workflow to assist analysts in accurately and consistently determining incident categorization.
  2. The process must be enforced to guarantee uniform results in support of coherent KPI’s. Training, quality assurance, and reinforcement are all necessary to ensure total stakeholder buy-in.
  3.  Security teams must have the technologies to support effective incident response and proper categorization of incidents.

There are several ways that the IncMan platform supports the three best practices:

First, IncMan provides a platform to act as the foundation for an incident management program. It provides customizable incident forms allowing for complete tailoring to an organization and the details it must collect in support of its unique reporting requirements. Custom fields specific to distinct incident types allow for detailed data collection and categorization. These custom fields can be coupled with common attributes to track specific data, thereby providing a high level of flexibility for security teams in maintaining absolute reporting consistency across the team’s individual members.

Next, playbooks can be associated with specific incident types, providing step-by-step instructions for specialized incident response activities. Playbooks enforce consistency and can further reinforce reporting requirements. However, playbooks are not completely static, and while they certainly provide structure, IncMan’s playbooks also offer the ability to improvise, add, remove or substitute actions on the fly.

The platform’s Knowledge Base offers a repository for reference material to further supplement playbook instructions. Information collection requirements defined within playbook steps can be linked to Knowledge Base references, arming analysts with added information, for example with standard operating procedures pertaining to individual enterprise security tools, or checklists for applicable industry reporting requirements.

IncMan also includes Automated Responder Knowledge (ARK), a machine learning driven approach that learns from past incidents and the response to them, to suggest suitable playbooks for new or related incident types. This is not only useful for helping to identify specific campaigns and otherwise connected incident activity but can also highlight historical cases that can serve as examples for new or novice analysts.

Finally, the platform’s API and KPI export capabilities enable the extraction of raw incident data, allowing for data mining of valuable reporting information using external analytics tools. This information can then be used to paint a much clearer picture of an enterprise’s security posture and allow for fully-informed strategic decision-making.

Collectively, the IncMan features detailed above empower an organization with the means to support consistency in incident categorization, response, and reporting. For more information, please visit us at https://www.dflabs.com

Team Approach to Cyber Security Incident Response

One of my favorite sports, American football, uses a term which has always fascinated me. This term is ‘situational football’ and its whole concept is to react according to the scenario in which you find yourself. American football clubs split their squads into essentially three teams.

Attack, which is the offensive team and the guys that typically score points.
Defense, which is the opposite team tasked with stopping the attacking team from scoring points.
Special teams, which is an often overlooked team. This team can be part of the defense or offense and is typically used for every other play that is not defined as an offensive or defensive setting.
Now, you may be wondering why I am talking about sports in a cyber security blog?!

Well, I always like to relate cyber security industry to other industries and to try to think outside of the box when discussing some of our approaches. That said, I’m going to make a beeline for this idea and start relating this to our thinking:

Attack, or Red teams, can have a positive impact on your response strategy. Relating your response plans and playbooks directly to common attack methods is advisable and should be used in conjunction with the relevant compliance standards. The actions taken in response to specific attack vectors will usually have a higher success rate than a generic catch-all cyber incident response plans. I would take a lot more comfort knowing I have playbooks designed for a specific threat vector than I would be hoping that one of my generic playbooks would cover it.

Defense, or Blue Teams, are already a big part of response plans, and ongoing refinement of these plans should coincide with every incident lessons learned. A successful response should still have lessons to consider!
Special Teams are a mix of Red and Blue, of offense and defense. They are best positioned to engage in ‘situational football’ and to enable you to define your approach with more than one mindset, even, in some cases, conflicting mindsets. Using this combined approach will ensure an attackers methodology when searching for enrichment information during incident identification, and the pragmatism of a defender during containment and eradication activities. Having a defined response to each phase of IR is important, but engaging special teams and having the ability to refactor your playbooks on the fly is a key capability when orchestrating an effective cyber security incident response to a dynamic incident.

Unique situations can present themselves at every moment of the game. Our playbook features allow you to make your defense attack-minded by feeding in all the information gathered from your playbooks and allowing you to not be restricted by baseline actions alone. We want your defense to run actions at every point and to allow you to call an audible in any situation that presents itself. The freedom to apply this mindset will drive your incident response teams above and beyond what they see in front of them.

At DFLabs, we not only create playbooks specific to compliance standards and cyber security incident response standards, we also enable you to create and to actively amend your own custom playbooks. Our flexibility ensures that your playbooks can be built on the experience of your Red and Blue teams, in line with adversarial thinking specific to your organization or industry, and to the satisfaction of your corporate, industry and regulatory policies.
Contact us to find out more at [email protected]

Feed the Compliance Measures, Do Not Be Eaten by Them

At DFLabs, we typically find our financial clients saddled by regulations which, although important, add layers of complexity to the already complicated process of incident response. We want our clients to be able to feed the compliance measures, not be eaten by them, and we support this end by providing a simple, clear and easy to use playbook editing functionality within the IncMan automation and orchestration platform.

I often point out how IncMan adaptable playbooks are of benefit to companies when determining incident response steps in consideration of regulation. IncMan offers a number of measures to enforce regulatory policy on playbook actions.

Let us take a look at some quick examples:

Authorization levels: Effective use of the authorization chain means that personnel are engaged only for the tasks for which they have clearance.
Timed response: Playbook action enforce the urgency when dealing with a particular notification, action or identification, i.e. 72 hours to alert a particular authority about a breach.
Mandatory tasks: Prescribed tasks are essential for any organization to take the regulatory actions necessary whilst following corresponding incident response workflows.

This list is not exhaustive and IncMan offers lots of possible incident response workflows and points of use for regulatory compliance.

Beyond these measures, it is important to remember that the information gathered in the case record as part of the incident should be fully utilized. The post-mortem analysis of the incident and how it was managed, is as critical as the immediate response. This analysis will help you to define, restructure and organize the ongoing policy changes, and continually fine tune your incident response playbooks.

Our new correlation engine will give you the ability to not only see the entire picture, but also to learn how the picture was built over the course of a timeline of events. Correlation Engine 2.0 helps you to redefine your approach for incident trending and identifying relationships in incident data.

Flexible Playbooks for Any Situation

One of the major buzzwords when talking about cyber incident response is playbooks or run books i.e., advanced workflows with specific actions tailored to deal with and respond to cyber incidents.

Over the past few security conferences, I have noticed something of a trend emerging that centers on the uncertainty and hesitance that some incident response teams have regarding the use of playbooks and, in particular, around the notion of automation in incident response.

Another point of concern seems to be the security tools within existing infrastructure and how an incident response platform looks to make use of these tools. In an ideal scenario, an organization should use everything at its disposal in order to give its teams the best possible options for quick and successful incident response activities.

I think there are a couple of related challenges when talking about these issues, one of which is the existing resource skill sets and how they’re not the same across a typical IR team. This is a point that should really be considered when going through a solution discovery phase by asking the questions: What can I incorporate to best leverage the skills of the available resources? And, how do I best leverage the resources provided with an incident response platform?

At DFLabs, we look to help with these and many more points by providing out-of-the-box IncMan playbooks that are based on industry best practices and recognized standards. Furthermore, by giving you the ability to craft your own fully customized, simplified or advanced playbook, we enable your incident response teams with the freedom to react as they see fit, and in accordance with regulation or specific compliance measures applicable to your operations. To address any hesitance to automated response, your playbooks can be built to uniquely meet your comfort level, for example by leveraging automatic enrichment actions while also enforcing role-based security requirements to require authorization for any containment measures.

Lastly, by being platform agnostic, IncMan empowers you to incorporate your existing infrastructure for a comprehensive response strategy without a requirement for additional infrastructure investment.

Latest Ransomware Attack Highlights the Need for Advanced Security Automation and Orchestration Solutions

The latest ransomware attack that broke out last Friday, affecting more than 200,000 computers across 150 countries by Sunday, once again highlighted the need for improved preparedness to respond to large-scale cyber incidents by implementing advanced security automation and orchestration solutions capable of containing the damage from such events. In this case, the attackers exploited a vulnerability in Windows Server Message Block (SMB) protocol, which had been discovered and kept quiet for exclusive use by the National Security Agency (NSA).

WannaCry, as the virus is called, is delivered via an email attachment and when executed, paralyzes computers running vulnerable Windows operating systems by encrypting their files. Once it encrypts a computer’s hard disk, WannaCry then spreads to vulnerable computers connected to the same network, and also beyond, via the Internet. This is in many ways a typical ransomware attack, infecting computers with a virus that has the ability to spread quickly to other vulnerable systems; however, the infection in this instance, and the speed at which it spread, was more intense than any other such attack in recent memory. The consensus among cyber security experts around the world is that the damage from this attack could have been reduced to a minimum, and more serious consequences could have been avoided, if organizations had been better prepared and had more effective cyber incident response plans and solutions in place.

Early Detection and Damage Containment via Automation and Orchestration

When affected by an attack such as WannaCry, after an organization’s computer system has been breached, the best thing that the organization can do is try to keep the incident under control by preventing the infection from spreading. There are various security solutions designed to achieve this end, but an automation and orchestration platform is arguably the best suited for the task. When an infected computer is detected, this platform can quickly isolate it in the early stages of an attack, blocking traffic to and from it to contain its spread, and thus reduce the business impact to a minimum.

Recovery and Remediation

Once containment is achieved, the platform provides organizations with the ability to quickly remediate the incident by guiding cybersecurity professionals through the entire process, using pre-defined playbook actions for a faster and more effective execution. The playbook actions can suggest the best remediation and recovery methods, and how to enforce them in the most effective manner. For instance, how to restore files and update the appropriate firewall rules.

All of the above is only a fraction of the capabilities of a typical automation and orchestration platform, a security tool that has become critical for any organization seeking to avoid the immense cost and long-lasting consequences of cyber-attacks such as WannaCry.

Cyber-attacks such as this one are only expected to become more common and more sophisticated in the future, and for this reason WannaCry should serve as an example of why now is the time for organizations serious about cyber security to focus on improving preparedness and containment capabilities through investment in advanced security automation and orchestration.

A Weekend in Incident Response #21: How to Mitigate Cyber Security Risks in Health Care?

Health care institutions are facing an increasing risk of cyber attacks. There are a few reasons why organizations providing health-care services are under such a high cyber security risks, with the increase utilization of IoT devices singled out by security experts as the leading one over the last couple of years. The fact that many hospitals around the world keep adopting BYOD policies only raises the risk of cyber attacks in the health care sector.

Considering that there is more than enough statistics showing that the most common cyber attacks on health-care organizations include phishing incidents and malware attacks, it is safe to say that IoT devices and BYOD policies are exposing this sector to an ever higher and constant cyber security threat, requiring increased efforts for raising cyber security awareness among employees and implementing advanced incident response measures.

Developing an Effective Incident Response Plan

Incident response plans are one of the essential elements of any organization’s efforts for mitigating cyber security risks. Having a comprehensive and constantly updated incident response plan helps organizations be prepared for any type of cyber attack in case their cyber defense is breached, and odds for that to occur are extremely high at any given moment. While establishing an effective incident response plans, health-care organizations are advised to start by acquiring a cyber incident response platform that provides an automated and orchestrated response to all sorts of cyber attacks.

Health-care institutions could use such a platform to contain the damage and prevent the loss of confidential and sensitive patient data in the aftermath of a breach. A cyber incident response platform can provide them with automated playbooks that allow cyber incident response teams to react to different types of attacks quickly and effectively.

Phishing and Malware Incident Playbooks

There are platforms providing playbooks for phishing attacks and ransomware attacks, which health-care institutions are often facing. Those playbooks will tell cyber security teams exactly what to do when their information systems and computer networks are attacked through one of the above-mentioned methods. Playbooks help CSIRTs prepare their systems for potential phishing attacks, identify them as soon as they occur, contain the damage, and recover from any incident in a timely manner. When it comes to ransomware attacks, playbooks help you reduce the time it takes you to establish a precise diagnosis, identify the kind of malware and the infection target, and assess the range of infection. Also, they help you determine the level of impact of an attack, suggesting taking specific actions that are appropriate for any given level of impact.

With that in mind, automation and orchestration platforms with automated playbooks are one of the best solution for any health-care organization that is under a threat of getting attacked by cyber criminals.

A Weekend in Incident Response #12: How to Create Cyber Incident Recovery Playbooks in Line with New NIST Guide

When it comes to protecting your organization against cyber incidents, you can never be too careful. The methods and techniques employed by cyber criminals are becoming increasingly sophisticated with each passing day, requiring you to adapt and improve your cyber defense accordingly. One of the most important aspects of any type of protection against cyber attacks is the way you respond to and recover from current and past cybersecurity events. Cyber incident recovery playbooks as an integral part of an organization’s incident response strategy can go a long way toward reducing reaction times and restoring operations as soon as possible following an attack.

In this regard, it can be said that cybersecurity incident response platforms are necessary for every organization that needs to protect information and other assets that could be potential targets of cyber criminals. These types of platforms help businesses and government agencies stave off cyber attacks and recover from data breaches, and their usage is in line with recommendations by the United States National Institute of Standards and Technology (NIST). To make it easier for organizations to recover from various cybersecurity incidents as quickly as possible, the NIST constantly issues new and updated guidelines that represent a good foundation that organizations can rely on while developing their cyber incident response plans. The latest guide introduced by the NIST focuses on what organizations can do to make their recovery procedures and processes more effective and less time-consuming.

Efficient Risk Management

The Guide for Cybersecurity Event Recovery encompasses wide-ranging tips on how to create a best practices plan for making an organization’s system fully operational following a breach. One of the key points addressed in this guide is the fact that recovery is a crucial aspect of the broader risk management efforts within an organization, stressing that there are various solutions for bringing a system back online, but no matter the severity of the breach that brought the system down, every organization needs to be prepared to respond to these events in advance. To do that, organizations are advised to adopt detailed plans and cyber incident recovery playbooks for various types of cybersecurity incidents, so that they can reduce their reaction time and minimize the damage in the event of a data breach.

Playbooks are a central key to the Recovery Processes and Procedures

When it comes to recovery, the NIST guide basically states that every organization needs to focus on the development of recovery processes and procedures that are centered around playbooks, which would allow them to respond to different types of breaches in the most effective way.

Automated playbooks are considered to be a crucial tool for a successful recovery operation. Using a platform providing automated cyber security incident recovery playbooks increases the level of preparedness of your organization to quickly respond to cybersecurity events and recover from data breaches, ransomware, and other incidents. The guide advises recovery teams within each organization to run the plays with table top exercises so that they can be constantly aware of all potential risk scenarios and detect potential gaps in their response plans.

In addition to playbooks, the guide highlights the aspect of documenting current and past cybersecurity incidents as another important factor for improving an organization’s recovery capabilities. To that end, organizations should utilize a platform that includes automated playbooks and has the ability to track digital evidence and analyze the causes of cybersecurity incidents. Followed by an automated creation of extensive and detailed incident reports. A platform of this type is the best solution for a comprehensive cybersecurity incident protection, encompassing identification, detection, response, and recovery.

A Weekend in Incident Response #7: The Importance of Accurate Cyber Incident Reporting and Preservation of Digital Evidence

Although cyber security solutions are advancing at an extraordinarily fast pace, the harsh reality is that cyber attacks will continue to occur and hackers will continue to breach the networks and computer systems of businesses and government agencies around the globe. Efficient and accurate cyber incident reporting is considered key to mitigating the potential damage these attacks can inflict.

All cyber security experts agree that cyber attacks are inevitable and can’t always be prevented. No matter how sophisticated an organization’s cyber defense is, there will always be a way to breach it. With that in mind, the best way to defeat attackers is to devise the best possible cyber incident response plan. The way you respond to an incident is one of the crucial aspects to the efforts for ultimately defeating hackers and preventing recurring attacks. Reporting and forensic investigations are the two of the most important elements of a successful cyber incident response plan.

Keeping Incidents Under Control

A quick and effective response to a cyber incident should include having firm control over all data breaches and incidents, which is best executed through the utilization of an incident response orchestration platform that provides automated and manual response, to immediately detect and respond to breaches.

There are platforms on the market that provide complete control over cyber security incidents, along with gathering evidence efficiently, specific, and detailed playbooks that help you react to an incident fast and effectively, and integration with forensic and response systems.

These types of features are essential for organizations that want to make sure that they preserve the scene of a cyber security incident, which in turn results in a more effective investigation, fast recovery, as well as compliance with existing regulations. It’s an accurate way to prevent a destruction or loss of evidence, which often occurs unintentionally and prevents a speedy recovery following a breach.

Efficient Reporting

An efficient incident response includes accurate cyber incident reporting, as well. Reporting to authorities is an important part of the process of resolving cyber-crime cases, and it should be conducted in accordance with existing regulations, such as the EU Network Information Security (NIS) directive, and the new cyber incident reporting rule introduced by the U.S. Department of Defense, that is supposed to go into effect in 2017.

If your organization is a victim of a cyber-attack, notifying authorities about the incident should be one of your top priorities. The creation of reports is useful for a faster recovery. With a tool that can create automated incident reports and send them to the security team within an organization, the organization reduces the time it takes to react and resolve a cyber incident, and contain the damage.