Developing a Tailored Incident Response for All Types of Attacks
Does your IT security team react to a malware attack in the same way as they would a phishing attack? Do they proceed any differently when unauthorized user access occurs? How about a denial of service attack?
When organizations are hit by external cyberattacks or internal breaches, many IT security teams react in an ad hoc fashion, with a response plan often defined by a limited view of what is going on and of the resources available. They essentially formulate their plan on the fly and hope they can limit the damage as much as possible.
Others proactively create a generic incident response plan—where they document the process, the required resources and key decision-makers. But such plans often fall short of success when considering the many different attack types, a few offered here as examples:
- Malware
- Virus
- Elevation of Privilege
- Unauthorized Access
- Root Access
- Phishing
- Improper Usage
- Denial of Service
- Data Theft
To ensure sufficient mitigation that enables your business to limit the extent to which business assets, sensitive information and intellectual property are compromised—and to return IT operations back to normal as quickly as possible—specific workflows for each type of attack are required. Only then can the IT security team follow the most efficient incident response process applicable and gain access to the necessary resources at the right time—both in terms of investigation and repair as well as communication and decision-making along the way.
Ideally, the incident response workflow for each attack type should include all seven steps of the Incident Response Life Cycle, as defined by NIST guidelines:
- Prepare: establish your incident response capabilities while preventing as many incidents as possible by ensuring systems, networks and applications are sufficiently secure.
- Detect: determine when incidents occur as well as the type and extent of each attack.
- Analyze: validate each incident and rapidly perform analysis to determine the scope of the problem.
- Contain: shut down/disconnect/disable complete systems and/or functions before incidents overwhelm resources or expand the scope of their payload(s).
- Eradicate: eliminate incident components and mitigate exploited vulnerabilities; then remediate still-exploitable vulnerabilities on non-affected systems to prevent similar incidents in the future.
- Recover: restore systems and confirm normal functioning.
- Post-Incident Handling: conduct a “lessons learned” engagement to improve security measures and your incident-handling process; update the response workflow(s) accordingly.
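The post's requirement is that every attack-type workflow covers all seven steps and names the resources assigned to each. The following Python is an added example, not code from the post or from incidentresponse.com: a small lint that checks per-attack-type playbooks for missing steps, steps with no actions, and steps with no accountable owner, and reports attack types for which no tailored playbook exists at all. The `Playbook`/`Step` structure, the step identifiers, and the two sample playbooks are constructed for illustration.

```python
"""Lint incident response playbooks against the seven lifecycle steps.

Added example; the playbook data below is constructed sample input,
not any organization's real plans.
"""
from dataclasses import dataclass, field

# The seven lifecycle steps in the order the post lists them (assumed identifiers).
LIFECYCLE_STEPS = (
    "prepare", "detect", "analyze", "contain",
    "eradicate", "recover", "post_incident",
)


@dataclass
class Step:
    actions: list   # concrete actions to take in this step
    owner: str      # role accountable for the step (the assigned resource)


@dataclass
class Playbook:
    attack_type: str
    steps: dict = field(default_factory=dict)   # step id -> Step


def lint_playbook(pb):
    """Return a list of findings for one playbook; empty means it is complete."""
    findings = []
    for name in LIFECYCLE_STEPS:
        step = pb.steps.get(name)
        if step is None:
            findings.append(f"{pb.attack_type}: missing step '{name}'")
            continue
        if not step.actions:
            findings.append(f"{pb.attack_type}: step '{name}' has no actions")
        if not step.owner:
            findings.append(f"{pb.attack_type}: step '{name}' has no owner")
    # Steps outside the lifecycle usually indicate a typo in the playbook.
    for name in sorted(set(pb.steps) - set(LIFECYCLE_STEPS)):
        findings.append(f"{pb.attack_type}: unknown step '{name}'")
    return findings


def lint_playbooks(playbooks, required_types):
    """Lint every playbook and flag attack types that have no playbook at all.

    Returns a dict mapping each required attack type to its list of findings.
    """
    by_type = {pb.attack_type: pb for pb in playbooks}
    report = {}
    for attack_type in required_types:
        if attack_type not in by_type:
            report[attack_type] = [f"{attack_type}: no tailored playbook defined"]
        else:
            report[attack_type] = lint_playbook(by_type[attack_type])
    return report


# Constructed sample data: a complete phishing playbook and a deficient
# denial-of-service playbook (no owner for containment, no post-incident step).
SAMPLE_PLAYBOOKS = [
    Playbook("phishing", {
        "prepare": Step(["mail filtering, user awareness training"], "security engineering"),
        "detect": Step(["user reports, mail gateway alerts"], "SOC"),
        "analyze": Step(["confirm lure, identify recipients and clickers"], "SOC"),
        "contain": Step(["block sender and URL, reset exposed credentials"], "SOC"),
        "eradicate": Step(["purge the message from all mailboxes"], "messaging team"),
        "recover": Step(["restore mailbox access, monitor for credential reuse"], "IT operations"),
        "post_incident": Step(["lessons learned, update phishing workflow"], "incident manager"),
    }),
    Playbook("denial of service", {
        "prepare": Step(["capacity headroom, upstream scrubbing contract"], "network engineering"),
        "detect": Step(["traffic anomaly alerts, availability monitoring"], "SOC"),
        "analyze": Step(["characterize traffic, confirm attack vs. outage"], "network engineering"),
        "contain": Step(["engage upstream scrubbing, rate-limit at edge"], ""),
        "eradicate": Step(["tune filters to drop attack signature"], "network engineering"),
        "recover": Step(["remove temporary limits, confirm service levels"], "IT operations"),
    }),
]

# Attack types from the post that must each have a tailored playbook.
REQUIRED_TYPES = ["phishing", "denial of service", "malware"]

if __name__ == "__main__":
    for attack_type, findings in lint_playbooks(SAMPLE_PLAYBOOKS, REQUIRED_TYPES).items():
        print(attack_type, "->", findings or "complete")
```

Running the lint as part of a review of playbook documents turns the post's requirement into a repeatable check: a workflow that silently drops the post-incident step, or leaves a step with nobody accountable, is reported before an incident exposes the gap.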
In the coming months, this blog series delves into each of these seven steps with details on which actions to take within each step and the resources from the business that need to be assigned to each step. This approach allows you to prevent and mitigate attacks, so that operations are not affected or return to normal quickly.
Just as importantly, the detailed workflows can help you deal with the things you might not otherwise plan for—a near certainty in today’s cyber threat environment.
For more information on developing incident response workflows for your business, visit www.incidentresponse.com. Stay tuned for additional posts in this blog series.