By Jeremy Rasmussen, CISSP, CEH, PMP
Abacode Cybersecurity Director
As a professor at the University of South Florida teaching courses in IT security for the past 16 years, there is one essential point I’ve tried to hammer home for students: effective cybersecurity does not come from a single point product, such as an antivirus or firewall. Rather, it comes from having a comprehensive framework that encompasses:
It all starts at the top. Cybersecurity can’t be implemented as a grassroots program started by the IT Department. If there isn’t buy-in and leadership from executive management, the framework will fail. That’s why we say, “Cybersecurity issues are now CEO issues.”
Let’s look at the basic building blocks that go into creating an effective cybersecurity framework. The first building block is prevention. This includes the following:
- Developing and implementing security policies and procedures
- Conducting employee security awareness training
- Designing and implementing network security
- Other security controls
These are all necessary measures – however, the defender has to protect 1,000 ways in, while the attacker only has to find one. So mistakes are inevitable. The question is: how quickly can you detect and respond to these issues?
How incident response works
An organization needs a formalized, written Incident Response (IR) Plan that spells out the who, what, and how when it comes to the response being carried out. Just as with all cybersecurity plans (such as business continuity and disaster recovery plans), an IR plan must be tested periodically to ensure its effectiveness, and should be updated with lessons learned after every invocation of the plan.
The National Institute of Standards and Technology (NIST) published SP 800-61 “Computer Security Incident Handling Guide”, which outlines the common vectors used by attackers to compromise system security. These include:
- External/Removable Media
- Denial of Service (DoS)
- Improper Usage
- Loss or Theft
- Other methods
Attackers exploit these ways in to create adverse events or “incidents” on the system – that is, events that have a negative consequence, such as:
- System crashes
- Packet floods
- Unauthorized use of system privileges
- Unauthorized access to sensitive data
- Execution of malware that destroys data
What are the indicators that lead us to realize that an incident has taken place? We outline them in the table below:
|IDSs||Uses attack signatures to identify malicious activity; the signatures must be kept up to date so that the newest attacks can be detected. Produces false positives that must be vetted.|
|SIEMs||Correlates both host and network based log data to generate alerts.|
|Antivirus and antispam software||Detects various forms of malware, generates alerts, and prevents the malware from infecting hosts.|
|File integrity checking software||Detects changes made to important files during incidents. Uses a hashing algorithm to obtain a cryptographic checksum for each designated file.|
|Third-party monitoring services||Managed SOC providers offer subscription-based monitoring services.|
|OS & application logs||Records which accounts were accessed and what actions were performed. Centralized logging is valuable.|
|Network logs||Valuable in identifying network trends and in correlating events detected by other devices.|
|Network flows||Shows a particular communication session occurring between hosts. Can be used to find anomalous network activity caused by malware, data exfiltration, and other malicious acts.|
|Info on new vulnerabilities & exploits||Sources include National Vulnerability Database (NVD), US-CERT, BugTraq, and others.|
|People inside the organization||Users, system administrators, network administrators, security staff, and others. Validate and measure confidence level of info.|
|People outside the organization||An organization might be contacted by a party claiming a system at the organization is attacking its systems. External users may also report other indicators, such as a defaced web page or an unavailable service.|
Now, just because there is an indicator does not mean an incident has occurred. Your trained cybersecurity analysts must make their best judgment based on available information to determine whether to escalate the incident to the next level. This incident escalation is based on:
- Functional Impact. What impact does the incident have on our operations? How difficult will it be to maintain business continuity?
- Informational Impact. What impact does the incident have on our data? How valuable was the data, and what would the fallout be from its compromise?
- Recoverability Impact. How much time will it take to recover?
Which personnel in the organization make up the Incident Response (IR) Team? Typically, this includes:
- Chief Information Officer (CIO)
- Chief Information Security Officer (CISO)
- Information Technology (IT) Manager
- IT Cybersecurity engineers / analysts
- Other incident response teams
- External incident response teams
- IT System owner
- Human resources
- Public affairs
- Legal department
- External legal counsel
- Cyber Breach Insurance agent
Each person on the team must have a defined role and be aware of his or her role and how to execute it in case of an escalated incident.
IR Team Communications
Who is notified first in the case of an incident, and how they will be notified, should be carefully spelled out in the IR Plan. Depending on whom you ask, you will receive several differing opinions on who should be alerted first. For instance, attorneys will typically advise you to contact legal counsel first, because they can control liability from a legal standpoint. IT managers, however, argue that they should be contacted initially, so that they can contain the incident.
Considering that communications in the enterprise could be compromised due to a breach, the IR Team should consider utilizing out-of-band communications (e.g., third-party email accounts, cell phones, in-person meetings).
The IR Team should establish clear protocols for communications with third parties, such as:
- Law enforcement
- Affected individuals
Legal counsel must maintain control and oversight of determining what, if anything, should be communicated and when such communication should occur to these parties. You should consider having all communications pass through legal counsel to maintain the privacy and attorney-client privilege of these messages.
IR Containment Strategy
The main goals of the incident containment strategy are as follows:
- Limit potential damage
- Preserve evidence
- Maintain service availability
- Determine time and resources needed to implement strategy
- Evaluate effectiveness of strategy
- Evaluate duration of solution
What are the appropriate response action for IR? The answer depends. In some cases, you may wish to shut down a system, disconnect it from the network, or disable functions. However, in other cases, you could decide to maintain surveillance, perhaps by redirecting the attacker to a honey pot to monitor activity or gather additional evidence.
All forensic investigations should be conducted with the “silver platter doctrine” – that is, assume that the end goal of the investigation is a civil or criminal trial and handle all evidence with the utmost care, maintaining chain-of-custody, and ensuring forensic integrity.
Have a plan, and stick to it. Document everything. Determine the goals of the investigation, usually:
- How did the incident occur?
- Which, if any, data or resources were exfiltrated or misused?
- How can we make sure this won’t happen again?
- Understand the focus of the investigation:
- Computer/data as fruits of a crime
- Computer/data as instrument of a crime
- Computer/data as evidence of a crime
I will write more on digital forensics at another time.
Today, there is an assumption of breach. It is the new normal. How ready are you, and how quickly can you detect and respond?
With Abacode’s Cyber Lorica™ program, which includes IDS/SIEM and 24/7 monitoring, we can detect and proactively respond to:
- Other attacks
Effective incident response can turn a $10 million incident into a $10 thousand incident.