Often misunderstood, incident response can be the difference between an uncoordinated reaction to trouble, perhaps misinterpretation, perhaps even hours of misdirection or paralysis, on the one hand, and the prompt, effective and timely action. In other words, the difference in some cases between catastrophe and containment.
The most important factor is the incident response plan. This is not a business continuity plan. It is not a disaster recovery plan, although the incident response plan can be incorporated within the business continuity if that fits the corporate model.
For the sake of argument let’s assume you don’t have a plan (you may have one that you established and then haven’t dusted off for years or one to meet audit needs but never implemented). So where do we start?
The first place is to designate a team leader, and an associate leader in case the leader is away on vacation or otherwise unavailable. The leader is key because he sets the tone. He may or may not be exclusive in that role, depending on the size of the organization and the frequency with which you are breached. It’s possible that in a highly targeted company, one that’s continuous target of advanced persistent threats, the leader can be and often is a full-time position. The leader will also oversee and supervise during an attack and see that the appropriate follow-up action is taken.
The next thing on the list is talented and appropriate response. System administrator, networking expert, security experts who specialize in the various forms of attack. So, a key part of the team is a malware specialist who can quickly identify malware, reverse-engineer it and write a signature for it. This part cannot be overemphasized. Among the top companies, there are two types of organizations: Those that know they are under continual attack from hackers, generally from nation states (probably China), and those that don’t realize they are under attack.
The latter group, in fact, extends beyond APT. Most companies go weeks, months or even years without discovery of breaches. The Verizon Data Breach Investigations reports backs this up year after year.
Monitor network patterns aggressively and take regular baseline patterns of “normal” traffic. Knowing what traffic should be can give you the first tell-tale that something is wrong. Many companies have the right tools in place in terms of network monitoring and baselines, but don’t use them to the full extent for security purposes.
Maintain an aggressive vulnerability management program for network and application layers. The patch management program will limit your exposure, especially against spear-phishing and social engineering attacks. Most attacks, even most APTs, do not use zero-day exploits.
Consider how you would respond to different kinds of attack. A targeted attack for a quick smash and grab; a carefully planned APT; a social engineering attack from Twitter or Facebook. A DDoS attack can be particularly difficult, as cyber criminals increasingly use application-layer attacks which appear to be legitimate attacks but can bring a system to its knees. Companies have to be alert to diversions, as DDoS attacks are sometimes used to focus attention on the DDoS attack while the intruders slip through unnoticed to steal information, their true goal.
Responses may be different depending on the type of attack, but you must be prepared to respond.
Next, responding to the attack.