April 22, 2015
“It’s not if, but when.”
This phrase has become rote within the security community, where the unfortunate reality is that breaches are inevitable, regardless of an organization’s industry or size. In acknowledging that a determined attacker can almost always get in, the focus becomes detection and containment in addition to prevention. A strong security strategy shouldn’t just ensure that your organization is difficult to compromise—it should also include plans for threat detection and incident response that maximize opportunities to detect a compromise and minimize fallout in the event of a breach.
Lay the Groundwork.
By nature, incident response requires high accuracy and swift investigation at each step: starting at the initial scoping stage and continuing all the way through to remediation. But when the clock is ticking, mistakes are more likely—and a single mistake can have a ripple effect that carries across the entire incident response lifecycle.
Preparation is key, so lay out your incident response strategy before disaster strikes. Times of chaos are not when you want to be bogged down with untangling processes or determining the best way to communicate crucial information.
Start by selecting an external incident response service provider, if you don’t already have one on retainer. This team supplements in-house expertise and provides much needed support before, during, and after a breach. The ideal service provider will coordinate planning and map out an incident response strategy within the first 30 days of the engagement, which significantly lightens the resource burden placed on your own team. To maximize your investment, confirm that you’re enlisting people who are well versed in responding to compromises of varying size and severity.
Once you’ve locked in your incident response firm, establish an incident response team and identify the key players so you can tackle the actual planning.
A comprehensive incident response plan should outline the key stages of an incident investigation, from detection and analysis through containment, remediation, and cleanup. Here are four best practices to keep in mind as your plan comes together:
Real-Life Threat Simulation.
Practice makes perfect, and the world of incident response is no exception. Scheduling time to “kick the tires,” so to speak, means you won’t discover outdated technology or untrained staff when you’re down to the wire with no time to spare.
A product doesn’t go to market without undergoing extensive testing. In the same vein, a dress rehearsal can expose vital gaps in an incident response plan. The fundamental goals of a rehearsal are to practice and optimize. It allows the players to understand exactly how to behave in the wake of a security incident, so that come show time, the team operates like a well-oiled machine.
Once the team has established how it will react to a threat scenario, practice executing the plan. Schedule a walkthrough and decide on the initial infection vector. This can be anything from a spear phishing attack to entry through a compromised third-party vendor, which is how several notable breaches have started, including Target’s. To make this scenario as real and as high-stakes as possible, the attacker’s end goal should be exfiltrating your company’s most valuable data (see the first bullet point, above).
Next, pinpoint when and how people and technology will identify and locate the threat. From there, focus on the attacker’s level of sophistication. In other words, are they using advanced techniques or basic ones? How are they moving around the network? Is data escaping through a steady trickle or a large blast? Technical staff should attempt to chase the attacker through the network and, depending on the maturity of the organization, provide feedback on the evidence uncovered along the way.
The rehearsal should end with a sharing of lessons learned. An incident response service provider can certainly help with this piece by proactively identifying areas for improvement. Everyone involved should offer feedback on the tools that were used, as well as on the group’s overall level of communication and effectiveness.
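The “steady trickle or large blast” question above is one the technical staff can answer with data during the walkthrough. The following is an added example written for this post, not code from the original article or from Rapid7: it scores a few constructed outbound flow records two ways, flagging any single large transfer to an external host and any internal host that keeps sending small, beacon-sized flows to the same external host hour after hour. The flow format, the RFC 1918 definition of “internal,” and all thresholds are assumptions to tune for your own environment.

```python
"""Toy exfiltration detector for an incident-response rehearsal.

Added example, not code from the original post. It scores constructed
flow records two ways: a single large transfer (a "large blast") and a
low-and-slow series of small transfers to one external host
(a "steady trickle"). The log format and thresholds are assumptions.
"""
import ipaddress
from collections import defaultdict
from datetime import datetime

# Constructed sample: "timestamp src_ip dst_ip bytes_out" (assumed format).
# 10.0.0.12 beacons ~50 KB to one external host every hour (trickle);
# 10.0.0.25 pushes 900 MB in one go (blast); the rest is benign noise.
SAMPLE_FLOWS = """\
2015-04-20T01:05:00 10.0.0.12 203.0.113.9 48000
2015-04-20T02:07:00 10.0.0.12 203.0.113.9 51000
2015-04-20T03:04:00 10.0.0.12 203.0.113.9 47000
2015-04-20T04:09:00 10.0.0.12 203.0.113.9 50000
2015-04-20T05:02:00 10.0.0.12 203.0.113.9 49000
2015-04-20T06:11:00 10.0.0.12 203.0.113.9 52000
2015-04-20T09:30:00 10.0.0.25 198.51.100.7 900000000
2015-04-20T10:00:00 10.0.0.40 10.0.0.5 700000000
2015-04-20T10:15:00 10.0.0.40 192.0.2.44 12000
"""

# Assumed thresholds; tune to the environment's normal traffic.
BLAST_BYTES = 500_000_000     # one external flow this large is suspicious
TRICKLE_MIN_HOURS = 5         # same external host seen in this many distinct hours...
TRICKLE_MAX_BYTES = 100_000   # ...with every flow below this size (beacon-sized)

# Assumption: "internal" means RFC 1918 space; everything else is external.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_flows(text):
    """Parse the assumed space-separated format into a list of dicts."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, nbytes = line.split()
        flows.append({"ts": datetime.fromisoformat(ts),
                      "src": src, "dst": dst, "bytes": int(nbytes)})
    return flows


def is_external(ip):
    """True when the address is outside the assumed internal ranges."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_exfil(flows):
    """Return sorted (kind, src, dst, total_bytes) findings for external traffic."""
    findings = []
    hours = defaultdict(set)   # (src, dst) -> distinct hours with small flows
    totals = defaultdict(int)  # (src, dst) -> total bytes out
    for f in flows:
        if not is_external(f["dst"]):
            continue  # internal-to-internal traffic is out of scope here
        key = (f["src"], f["dst"])
        totals[key] += f["bytes"]
        if f["bytes"] >= BLAST_BYTES:
            findings.append(("blast", f["src"], f["dst"], f["bytes"]))
        elif f["bytes"] <= TRICKLE_MAX_BYTES:
            hours[key].add(f["ts"].replace(minute=0, second=0, microsecond=0))
    for (src, dst), seen in hours.items():
        if len(seen) >= TRICKLE_MIN_HOURS:
            findings.append(("trickle", src, dst, totals[(src, dst)]))
    return sorted(findings)


if __name__ == "__main__":
    for kind, src, dst, total in detect_exfil(parse_flows(SAMPLE_FLOWS)):
        print(f"{kind:8} {src} -> {dst} ({total} bytes)")
```

The two checks are deliberately independent: a volume threshold alone never catches the trickle, and the distinct-hours count alone never catches the blast. During a rehearsal, the useful exercise is to replay the chosen scenario’s traffic through whatever your real tooling does and confirm that it produces a finding of the right kind at the point in the timeline your plan assumed.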
Confidence, not Chaos.
Once someone discovers a breach or flags a suspicious security incident, the wheels are set in motion. Time is of the essence. The attacker needs to be stopped before they can do substantial damage; meanwhile, the targeted company must communicate the threat to the appropriate parties while still capturing necessary evidence in the event of an investigation.
Incidents can, of course, vary in scale. But regardless of whether it’s a small malware outbreak or a targeted attack on a client environment for the purpose of financial gain, the reality is that if you have a plan in place you’ve already gone a long way towards setting your business up for success. Your team can act quickly and confidently without second-guessing a decision or wasting precious hours determining next steps, instead focusing efforts on where they’re most needed: rapid response, investigation, and remediation.
Rapid7 cybersecurity analytics software and services reduce threat exposure and detect compromise for 3,500 organizations, including 30 percent of the Fortune 1000. From the endpoint to the cloud, we provide comprehensive real-time data collection, advanced correlation, and unique insight into attacker techniques to fix critical vulnerabilities, stop attacks, and advance security programs. To better understand how Rapid7 can help you assess your organization’s security, give us a call at 866-7-Rapid7 or visit our website.