Driven by a rapidly developing threat landscape, effective incident response is now a mainstay of rigorous cyber security programmes -although it remains an area that even many seasoned information security specialists struggle to come to grips with. While it is seen as a dark art by many, incident response need not be an overly complex subject, and there are a number of relatively straight-forward measures and well-defined approaches that can assist an organisation’s preparation for delivering well executed and effective incident response.
Context have a strong track record of incident response within the UK and elsewhere, a history and competency that is demonstrated by accolades such as our inclusion on the CESG/CPNICyber Incident Response (CIR) scheme. It is this history dealing with some of the most sophisticated threats that we have drawn on to produce the proven and actionable guidance that the IET article is based on.
A few fundamentals
As a starting point, standards such as NIST Special Publication 800-61 or ISO 27035, or methodologies such as those developed by the SANS Institute provide a good foundation to approach incident response in a methodical manner. Building on this there are a few core approaches that are emphasised in current best-practice,and that are particularly important when addressing the modern sophisticated threat.
Perhaps the most important of these is that incident response should be approached in an iterative and intelligence led manner. While many of the standard methodologies present incident response as a series of phases, this phase-based approach should not be considered as a linear process. Good incident response takes the investigative findings as they come to light, and feeds them back into the investigation in order to increase the chances of detection and map out the full extent of an attack. In this way, while an organisation may be moving to contain, eradicate and recover from an attack, the process of detection and analysis will be ongoing and thereby increase the likelihood of effective and complete removal of the threat.
As well as understanding what you will do during anincident response scenario, it is also increasingly important to understand the lifecycle of an attack and the behaviour and capabilities that various actors are likely to exhibit. This approach has been well addressed over the last few years through models such as attack tree or kill-chain analysis, and pays good dividends in the areas of prevention and network security monitoring, as well as incident response. Good incident response is not just about understanding how you will react in the event of a breach; it is also equally important to understand what the attackers are likely to do.
With these areas of emphasis in mind, perhaps the single greatest determinant as to the effectiveness of an incident response effort is the level and quality of preparation that preceded it. Once an incident occurs it is often too late to meaningfully address the issues encountered in a retrospective manner, particularly during the high pressure circumstances of a live incident response scenario. Therefore, incident readiness preparations are of prime importance.
Adequate preparation will ensure that the necessary policy, structure, processes and materials are in place to deal with an incident prior to one arising, which will thereby serve to increase the quality and effectiveness of response efforts by ensuring that fundamental decisions about how to handle an incident are not being made in the midst of a high pressure and time constrained situation. This process will also ensure the availability of the sources of information upon which the investigative process relies, as well as the tools, capability and skills necessary to exploit this information to the full.
While incident readiness is a topic that could be discussed at great length as a standalone topic, there are four core tasks that must be addressed that will vastly increase an organisation's ability to respond effectively. Good incident response preparation requires:
- Preparation of an Incident Response plan
- Identification and retention of information sources
- Identification and acquisition of the required capability and skills
- An understanding of the threat landscape with specific regard to the organisation of interest
The key point is that an organisation must know how and what it is going to do during an incident response situation, as well as ensure it has the necessary information, materials, skills and capabilities available to do this effectively.
We will look into the areas of incident response planning and information source management in a bit more detail below.
The incident response plan
The Incident Response plan is generally part of a larger body of interrelated policy, procedures and guidelines that combine to address all facets of the security and risk function within an organisation. For example a key component of this policy framework will be the organisational Cyber Security Strategy, or equivalent work, which provides the overarching direction and reference for the full range of security work across an organisation. Similarly, areas such as the organisational risk management framework, or even change management policies, are important parts of the same policy ecosystem.
The Incident Response plan may be a single document or itself broken out into interrelated policy, plan and procedures, but regardless of the format it takes at a minimum an incident response plan should:
- Identify and delegate the roles, responsibilities and levels of authority required during Incident Response
- Identify the lines of communication, both inside and outside the organisation, including formal points of contact within the relevant teams and stakeholders
- Outline how communications will be managed, including formal reporting requirements
- Define the structure and composition of the incident response team
- Define, at a relatively high level, how the organisation will perform and manage incident response efforts
- Provide a means for assessing, prioritising and describing events and incidents
At a lower level the production of a set of standard operating procedures for common incident response tasks, including investigation, containment and eradication actions are also beneficial and should be considered in the longer term.
The availability of the information necessary to investigate and fully map out an incident is a fundamental precondition of effective Incident Response; however it is something that is largely missing in many organisations, even those with nominal Incident Response plans in place.
While there are many systems available that assist in the collection and analysis of this information, most notably in the area of Security Information and Event Management (SIEM) systems, a large scale implementation of these types of systems is often not necessary in the first instance for incident response purposes, as long as the relevant sources of information have been identified and are being managed appropriately.
There is a great wealth of information available on most networks that is valuable during incident response investigations but is often overlooked. Some of the more obvious examples include firewall connection logs, proxy logs, web server logs, information from configuration and systems management solutions, DNS logs, antivirus systems and information from enterprise archiving solutions to name a few.
A concerted effort should be undertaken to identify and manage these sources as part of Incident Response preparations. This should include a review of the information being logged from these sources, format of the information, retention periods and accessibility. For systems such as antivirus consideration should also be given to the preservation of artefacts, for example from an Incident Response perspective it is preferable to quarantine malicious files rather than delete them so that further analysis can be performed by Incident Responders as necessary.
In conjunction with CPNI we have produced a guide to Effective Log Management that provides a light-weight approach to address these information requirements.
The investigation and handling of an incident is invariably a high pressure situation more akin to a marathon than a sprint. The overarching goal of any response effort should be to enable recovery in the shortest possible time while providing the highest level of assurance. However, in the high pressure circumstances of live incident response an adequate level of assurance is something that is often dangerously disregarded in the sprint for the finish. Investigative efforts should be undertaken in an iterative fashion, maximising the benefit of available information and turning the tables on the attacker. Similarly every effort should be made to capitalise on the valuable lessons and insights provided by an incident response effort and a thorough post incident process is indispensable.
There is much more to incident response and preparation that we haven’t been able to cover in this post. If you would like further information or assistance then please get in contact.
Contact and Follow-Up
Nick is a part of our Response team in Context's London office. See the Contact page for how to get in touch.