Four Key Steps to Rapid Incident Response

by Dan Sullivan

Is it possible to avoid security breaches? Judging from recent headlines, probably not. Victims range from startups like Kreditech, to major retailers like Target, to the US State Department and even the White House. Regardless of the security measures you have in place, it is prudent to assume you will suffer a breach at some point. Be sure to have a response plan in place — just in case.

If you find it difficult to justify the time needed to develop a response plan, consider how long you will have to formulate a response once an attack begins. According to a 2013 Verizon study, 84% of successful attacks compromised their targets in a matter of hours. The brief time window for detecting and mitigating attacks requires not only constant monitoring but a rapid response. That means having a plan in place.

As you formulate your strategy for handling breaches, keep in mind four key aspects of incident response: analysis and assessment, response strategy, containment, and prevention of subsequent attacks.

The first step in managing a security breach is detecting it. This is one of the most difficult challenges facing IT professionals. You are trying to detect a stealthy adversary with many potential points of entry into your systems, and you do not know when the attack will occur. Attack-related events may also occur in rapid succession or be spread over extended periods of time. Some of the steps in the attack may appear innocuous, such as an executive unknowingly downloading and opening malicious content. Others may be more apparent, such as a disgruntled employee copying large volumes of customer data to a USB drive. In all cases, analyzing logs and correlating events from multiple application and server logs can reveal patterns indicative of an attack that no single log shows on its own.

The response strategy spans both technical and business aspects of your organization. An incident response team should be in place before a breach occurs, with defined roles for containing the threat (discussed below), notifying stakeholders, and communicating the progress of the response effort. There may also be a need to coordinate with those responsible for business continuity and disaster recovery in cases of large-scale attacks, such as the one Sony suffered last year.

Containment is the process of isolating compromised devices and network segments to limit the spread of a breach. Containment can be as crude as cutting power to a compromised device, but keep in mind that powering off destroys volatile evidence such as memory contents; where time allows, isolate the device at the network level and capture memory before shutting it down. If malicious activity originates with a mobile device, a mobile device management (MDM) system can block that device from accessing network resources. Network administrators can change firewall filtering rules to limit traffic into and out of a subnet. They may also consider updating DNS entries of compromised servers to point to failover servers, assuming those have not been compromised and remembering that cached records persist until their TTL expires. Monitoring application, operating system, and network logs during containment operations helps you understand the effects of your responses.

The fourth issue to keep in mind is preventing subsequent attacks. A security breach can have wide and unexpected consequences. It is also an opportunity to learn how your security measures were compromised. Was someone tricked by a phishing lure? Was an administrator account compromised by a simple brute-force dictionary attack? Did an insider take advantage of excessive privileges? Security Information and Event Management (SIEM) systems support forensic analysis and can help integrate event data from across your infrastructure. This may enable you to find correlations between events that lead to insights about the behavior of the attackers and the vulnerabilities in your systems.
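As an added example (not code from the original article or from any SIEM product), the following Python script shows the kind of cross-log correlation described here and in the detection discussion above. It parses two log excerpts constructed for this illustration (an SSH authentication log and a file-server access log), flags a login that succeeds after a run of failures (the dictionary-attack pattern) and a bulk download within a short window, and raises the severity when the same account appears in both. The line formats, hostnames, addresses, thresholds and windows are assumptions for the example, not those of any particular system.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample logs for this example (not captured from any real system):
# an SSH authentication log and a file-server access log for the same window.
AUTH_LOG = """\
2015-04-20T09:00:01 sshd: Failed password for admin from 203.0.113.7
2015-04-20T09:00:02 sshd: Failed password for admin from 203.0.113.7
2015-04-20T09:00:03 sshd: Failed password for admin from 203.0.113.7
2015-04-20T09:00:04 sshd: Failed password for admin from 203.0.113.7
2015-04-20T09:00:05 sshd: Failed password for admin from 203.0.113.7
2015-04-20T09:00:06 sshd: Accepted password for admin from 203.0.113.7
2015-04-20T09:03:10 sshd: Accepted publickey for alice from 10.0.0.12
2015-04-20T09:05:00 sshd: Failed password for bob from 10.0.0.99
"""
FILE_LOG = """\
2015-04-20T09:02:00 fileserver: user=admin action=download file=customers_1.csv bytes=400000000
2015-04-20T09:02:30 fileserver: user=admin action=download file=customers_2.csv bytes=450000000
2015-04-20T09:04:00 fileserver: user=alice action=download file=report.pdf bytes=2000000
"""

# Assumed (simplified) line formats; a real deployment would use its SIEM's parsers.
AUTH_RE = re.compile(r"^(\S+) sshd: (Failed|Accepted) \w+ for (\S+) from (\S+)$")
FILE_RE = re.compile(r"^(\S+) fileserver: user=(\S+) action=download file=\S+ bytes=(\d+)$")


def parse_auth(text):
    """Return (timestamp, outcome, user, source_ip) tuples; unparseable lines are skipped."""
    events = []
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, outcome, user, ip = m.groups()
            events.append((datetime.fromisoformat(ts), outcome, user, ip))
    return events


def parse_files(text):
    """Return (timestamp, user, bytes) tuples for download records."""
    events = []
    for line in text.splitlines():
        m = FILE_RE.match(line)
        if m:
            ts, user, nbytes = m.groups()
            events.append((datetime.fromisoformat(ts), user, int(nbytes)))
    return events


def detect_bruteforce(auth_events, threshold=5, window=timedelta(minutes=5)):
    """Flag a login that succeeds after >= threshold failures for the same
    (user, source IP) inside `window`: the dictionary-attack pattern."""
    recent = defaultdict(deque)   # (user, ip) -> timestamps of recent failures
    hits = []
    for ts, outcome, user, ip in sorted(auth_events):
        q = recent[(user, ip)]
        while q and ts - q[0] > window:   # expire failures outside the window
            q.popleft()
        if outcome == "Failed":
            q.append(ts)
        elif len(q) >= threshold:
            hits.append({"user": user, "ip": ip, "failures": len(q), "at": ts})
            q.clear()
    return hits


def detect_bulk_download(file_events, limit=500_000_000, window=timedelta(minutes=10)):
    """Flag users whose downloads inside a sliding `window` exceed `limit` bytes."""
    recent = defaultdict(deque)   # user -> (timestamp, bytes) inside the window
    total = defaultdict(int)
    hits = {}
    for ts, user, nbytes in sorted(file_events):
        q = recent[user]
        q.append((ts, nbytes))
        total[user] += nbytes
        while q and ts - q[0][0] > window:
            _, old = q.popleft()
            total[user] -= old
        if total[user] > limit and user not in hits:
            hits[user] = {"user": user, "bytes": total[user], "at": ts}
    return list(hits.values())


def correlate(auth_text, file_text):
    """Join both detections. A brute-forced account that then pulls bulk data is
    rated high; either signal alone is medium. Returns (severity, user, reason)."""
    bulk = {h["user"]: h for h in detect_bulk_download(parse_files(file_text))}
    alerts = []
    for h in detect_bruteforce(parse_auth(auth_text)):
        later = bulk.get(h["user"])
        if later and later["at"] > h["at"]:
            bulk.pop(h["user"])
            alerts.append(("high", h["user"],
                           "brute-forced from %s, then downloaded %d bytes" % (h["ip"], later["bytes"])))
        else:
            alerts.append(("medium", h["user"], "brute-force login success from %s" % h["ip"]))
    for user, h in bulk.items():
        alerts.append(("medium", user, "bulk download of %d bytes" % h["bytes"]))
    return alerts


if __name__ == "__main__":
    for severity, user, reason in correlate(AUTH_LOG, FILE_LOG):
        print(severity, user, reason)
```

Run stand-alone, the script reports a single high-severity alert for the admin account: five failed passwords from 203.0.113.7 followed by a success, then 850 MB of customer data pulled from the file server two minutes later. Neither log alone would have shown that the two events belong to the same intrusion, which is the point of feeding both into one correlation engine.
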

This brief discussion of incident response planning touches on just some of the most salient aspects of dealing with a breach. Sources such as CERT provide detailed resources to help organizations create computer security incident response teams and adopt incident response best practices.