Incident Response: Three more factors critical for efficient IR
6 Jan 2021 | Andreas van Leeuwen Flamino and Kamal Rajan
In this post, we will cover three additional factors:
Key objectives in every IR are to identify how a threat actor gained their initial foothold, and establish which hosts are compromised. This will help the IR team qualify and quantify the breach, prioritise containment actions, and recommend steps to eradicate the attacker from the environment.
Our experience shows that most organisations do not have an up-to-date asset inventory and lack a formal process for updating it after changes to the environment. We commonly experience situations where:
Of course, in larger organisations hosts get added and decommissioned on an ongoing basis, making it difficult to keep an asset inventory fully current. But it is better to have one that is as close to the current state as possible than not to have a proper process to maintain one at all.
Shadow IT, where departments or individual employees set up their own infrastructure to meet their objectives, poses another major challenge in maintaining an asset inventory. Some examples are:
In the event of a major breach, everyone is under pressure to help contain the breach as quickly as possible, so having an up-to-date asset inventory is something you want to prepare ahead of identifying a breach.
In a nutshell, if you don't know what hosts or network devices you have and what is stored on them, it is difficult to conclude an IR with confidence. Even if the primary entry point has been identified, the attacker may have other easy ways back into the environment that are unknown to you or the IR team.
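The reconciliation step that the paragraphs above argue for, as an added example that is not code from the original post or its authors: a small Python routine that compares the recorded inventory (what the CMDB says exists) against hosts actually observed on the network (DHCP leases, EDR check-ins, a network sweep) and reports unregistered hosts (shadow IT candidates), hosts that moved address, recorded hosts that were never seen (possibly decommissioned but never removed) and records nobody has verified recently. The hostnames, addresses, owners and dates are constructed for the example; the `Asset` fields and the 90-day verification window are assumptions, not anything the post specifies.

```python
"""Reconcile a recorded asset inventory against hosts observed on the network.

All data below is constructed for illustration; the record layout is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Asset:
    hostname: str
    ip: str
    owner: str
    last_verified: date  # when someone last confirmed this record is accurate


# Constructed inventory records (what the CMDB says exists)
INVENTORY = [
    Asset("fin-db-01", "10.0.1.10", "finance", date(2020, 12, 20)),
    Asset("web-edge-01", "10.0.2.5", "platform", date(2020, 11, 2)),
    Asset("hr-file-01", "10.0.3.7", "hr", date(2020, 3, 15)),          # not reviewed for months
    Asset("old-print-02", "10.0.4.40", "facilities", date(2019, 8, 1)),  # decommissioned, never removed
]

# Constructed observations (hostname, ip) from DHCP leases / EDR check-ins / a network sweep
OBSERVED = [
    ("fin-db-01", "10.0.1.10"),
    ("web-edge-01", "10.0.2.5"),
    ("hr-file-01", "10.0.3.7"),
    ("mkt-nas", "10.0.5.23"),    # a department NAS nobody registered: shadow IT
    ("fin-db-01", "10.0.1.11"),  # known name, seen at an address the inventory does not record
]


def reconcile(inventory, observed, as_of, max_age_days=90):
    """Compare inventory records with observed hosts and return the discrepancies
    an IR team needs to resolve before it can scope a breach with confidence."""
    by_ip = {a.ip: a for a in inventory}
    by_name = {a.hostname: a for a in inventory}
    seen_ips = {ip for _, ip in observed}

    unknown = []  # observed, but no inventory record at all
    moved = []    # hostname recorded, but seen at a different address
    for name, ip in observed:
        if ip in by_ip:
            continue
        if name in by_name:
            moved.append((name, by_name[name].ip, ip))
        else:
            unknown.append((name, ip))

    # Recorded but not observed: possibly decommissioned, possibly just offline; either way, check.
    missing = sorted(a.hostname for a in inventory if a.ip not in seen_ips)

    # Records nobody has confirmed within the review window (assumed 90 days here).
    cutoff = as_of - timedelta(days=max_age_days)
    stale = sorted(a.hostname for a in inventory if a.last_verified < cutoff)

    return {"unknown": unknown, "moved": moved, "missing": missing, "stale": stale}


if __name__ == "__main__":
    for category, items in reconcile(INVENTORY, OBSERVED, date(2021, 1, 6)).items():
        print(f"{category}: {items}")
```

Run this on a schedule, not only during an incident: every host in `unknown` is one the IR team would otherwise not know to collect logs from or contain, and every entry in `stale` is a record whose owner and purpose may no longer be true.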
Tabletop Exercises (TTX) are discussion-based simulated scenarios where the participants are required to play through their roles as if it were an actual incident. By discussing the scenario in advance, CISOs and other IR team members can identify flaws or gaps in the organisation's response readiness and make improvements.
Tabletop Exercises are an excellent way to test the Incident Response Plan (IRP) and to make sure that all key stakeholders are aware of their responsibilities and of the types of decisions they will need to take during an actual incident.
By going through a realistic attack scenario, where the TTX leader injects new facts that continue building the pressure, areas for improvement of the plan will surface.
Communication lines, decision points and decision authority are best tested ahead of an actual incident. Especially in large organisations where key departments may be more siloed, a TTX often proves invaluable.
The biggest benefit of a TTX is that it starts building muscle memory: it forces the stakeholders to jointly think through the best course of action for a given scenario, and in doing so exposes the gaps between the documented response and the actions actually taken.
Last but certainly not least is the importance of having logs. Detailed and relevant logs need to be collected for all key assets. These logs need to follow a consistent format, and if at all possible, they need to be sent to a central location for correlation, or at the very least, safe storage.
Your business-critical services, servers and Internet-facing systems are the most exposed to attack. They are usually referred to as crown jewels. For your crown jewels, make sure that the following recommendations are followed with regard to logs:
The great thing about ensuring the presence of well-formed, properly time-synced logs is that it is not expensive to set up.
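What "consistent format", "central location for correlation" and "properly time-synced" buy you in practice, as an added example that is not code from the original post or its authors: a Python routine that normalises log lines collected from several hosts into one UTC timeline, rejects lines that do not follow the agreed format, and compares each host's own timestamp with the collector's receive time to flag hosts whose clocks have drifted. The log lines, hostnames and the line format (ISO 8601 timestamp with offset, host, program, message) are constructed assumptions for this example; the post does not prescribe a format or a drift threshold.

```python
"""Normalise centrally collected logs and check that source clocks agree with the collector.

Log lines, hosts and the line format below are constructed for this example.
"""
import re
from datetime import datetime, timedelta, timezone

# Assumed format: "<iso8601-timestamp-with-offset> <host> <program>: <message>"
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<prog>[^:]+): (?P<msg>.*)$")

# Constructed records as (time the collector received the line, UTC; raw line as sent by the host)
RECORDS = [
    ("2021-01-06T09:00:05Z",
     "2021-01-06T10:00:04+01:00 fin-db-01 sshd: Accepted publickey for svc_backup from 10.0.9.4"),
    ("2021-01-06T09:00:07Z",
     "2021-01-06T09:00:06Z web-edge-01 nginx: POST /api/login 401 client=203.0.113.7"),
    ("2021-01-06T09:00:09Z",
     "2021-01-06T08:47:10Z hr-file-01 smbd: session setup failed for DOMAIN\\jdoe"),  # clock ~13 min behind
    ("2021-01-06T09:00:12Z",
     "Jan  6 09:00:11 old-print-02 cupsd: job 42 completed"),  # legacy format, no year, no zone
]


def parse_ts(value):
    """Parse an ISO 8601 timestamp (with 'Z' or a numeric offset) into an aware UTC datetime."""
    if value.endswith("Z"):
        value = value[:-1] + "+00:00"
    return datetime.fromisoformat(value).astimezone(timezone.utc)


def normalise(received_at, line):
    """Return a structured event in UTC, or None if the line does not follow the agreed format."""
    match = LINE_RE.match(line)
    if not match:
        return None
    try:
        ts = parse_ts(match["ts"])
    except ValueError:
        return None
    return {
        "ts": ts,
        "received": parse_ts(received_at),
        "host": match["host"],
        "prog": match["prog"],
        "msg": match["msg"],
    }


def build_timeline(records):
    """Normalise all records into one UTC-ordered timeline; keep rejected lines for follow-up."""
    events, rejected = [], []
    for received_at, line in records:
        event = normalise(received_at, line)
        if event is None:
            rejected.append(line)
        else:
            events.append(event)
    events.sort(key=lambda e: e["ts"])
    return events, rejected


def clock_skew(events, tolerance=timedelta(seconds=30)):
    """Per host, the largest difference between the host's own timestamp and the collector's
    receive time. Transport delay accounts for a few seconds; anything beyond `tolerance`
    (an assumed threshold) means an unsynced clock, which would place that host's events in the
    wrong position on the incident timeline."""
    worst = {}
    for event in events:
        skew = event["ts"] - event["received"]
        host = event["host"]
        if host not in worst or abs(skew) > abs(worst[host]):
            worst[host] = skew
    return {host: skew for host, skew in worst.items() if abs(skew) > tolerance}


if __name__ == "__main__":
    timeline, bad_lines = build_timeline(RECORDS)
    for event in timeline:
        print(event["ts"].isoformat(), event["host"], event["prog"], event["msg"])
    print("rejected:", bad_lines)
    print("clock skew:", clock_skew(timeline))
```

Two things the output makes visible: the legacy printer line is rejected because it cannot be placed on the timeline without a year and time zone, which is exactly the kind of host to bring onto the common format before an incident; and the file server's events sort almost thirteen minutes earlier than they happened, so without the skew check an analyst would misorder the session failure relative to the other hosts.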
Even if the only action you take after reading this article is preparing an inventory of your key servers, services and workstations and ensuring that proper logs are being written and stored, you will greatly benefit from this during your next security incident.
In a future blog, we will cover the differences between an IR in an OT (Operational Technology) context compared to an IT context.