Security Incident Response is a key part of the security operations of any organization. Despite the wide usage of the term, it is often not fully understood by those who are in charge of taking key decisions.
In this blog series, we will cover the three key aspects of Incident Response - Process, People, and Technology - from an organizational perspective. In this first part of the series, we will cover the Process part of Incident Response (IR).
Evolution of Security Incident Management
The popular PPDR framework for cybersecurity strategy lists four key components - Prevention, Protection, Detection, and Response. Earlier, the security strategies of organizations were focused on protection but it shifted towards detection as attackers kept finding new ways to bypass security protection tools. This change has come about due to the improvement in technology and skills related to the detection of advanced threats and techniques used by the attackers.
Starting from the Intrusion Detection System (IDS) to Security Information and Event Management (SIEM) platforms, modern detection platforms also include User and Entity Behavior Analytics (UEBA) and Endpoint Detection and Response (EDR) technologies.
This rapid innovation in detection technology has also been accompanied by the requisite skill development for security personnel to detect and respond to advanced alerts generated by these platforms.
Presently, the security landscape is once again changing with a shift towards security strategies aimed at responding to threats using new technology. In the last few years, advancement in incident response technologies has been witnessed due to multiple factors including the increasing number of security incidents, shortage of skilled manpower, and the need for a real-time response to the incidents.
Many IR platforms have evolved over the last few years to focus on responding to alerts generated from multiple detection technologies, and those reported by internal employees, third-parties, or regulators. The outcome of this technological evolution is the next-generation IR platform which enables an organization to respond to the identified incidents with efficient orchestration and automation capabilities.
Dealing with complexities in Incident Response
The core motive behind any IR framework is to facilitate a systematic investigation without causing undue panic or deviations from the core security issues. To accomplish this, it is essential to follow a reliable IR process based on the Incident Response Lifecycle.
However, in real-world scenarios, often times IR teams tend to get diverted from the core IR process due to the multi-stakeholder environment, pressures for reporting to management, and due to the complex series of events happening at the time of the incident. It is always recommended to avoid any kind of panic response while handling an incident. This is an important lesson for all IR teams.
Below are some of the things for IR Managers to keep in mind while handling an incident:
- Take control of the situation
- Lead your own path for incident investigation
- Guide the people involved in the incident
- Communicate with the right people at the right time
- Assign appropriate roles to different members of the team
Now let us take a look at the key phases of an IR process.
Incident Response Lifecycle
The diagram below shows the five high-level phases involved in Security Incident Response management. Each of the five phases holds equal importance during an IR operation.
Often times, IR teams only focus on the first three phases while ignoring the last two. However, it is important to follow through the entire process so as to ensure that the necessary defense mechanisms are put in place and the same type of incident does not reoccur.
Since a lot of in-depth information is already available on each of the phases, we will briefly cover the significance of each phase.
In the IR process, the first phase is perhaps the most important one as it draws in the complete ecosystem within which an incident occurs. This ecosystem consists of all the assets of the organization, vulnerabilities, malware, threat actors, malicious artifacts, and TTPs. Drawing high-level connections between various components of this ecosystem helps in understanding the extent of the threat.
Once you know the boundary of your case, defining the associated containment steps and defining the scope for your investigation becomes easier. With all that out of the way, you are able to contain the threat and the investigation is completed. Then, it's time to run through the Eradication & Recovery phase for the systems involved in the incident.
The last phase of Learnings is an important one which can involve discussions on security strategy, policy or procedural changes required, technology configuration required, new technology purchase required, or any SOP change required for an analyst.
Rather than just documenting the learnings from the incident, it is necessary to see through the implementation of changes with a concrete timeline and keeping the respective stakeholders in the loop. When an incident is closed without the proper execution of the learning phase, the IR teams are likely to face repetitive incidents, resulting in repetitive IR operations.
Before and after the Incident Response Lifecycle
There are two more important aspects of the IR process apart from the IR Lifecycle. The one that comes before the IR Lifecycle is Incident Preparation and one that comes during the incident or after it which is called IR Governance.
Incident Preparation - In this phase, you take steps to enhance the readiness of your organization to deal with an incident. This can include steps like drafting the IR playbooks, having access to the latest network architecture diagram, getting single-source-of-truth for different control validation (Asset management, Endpoint security control list, UAM control list, Network Security control list), list of security exceptions given, approved employee communication templates, approved customer communication templates, important contacts list, escalation metrics, central knowledge base for security incidents, and more.
Moreover, before you start your IR process, it is necessary to define the Incident itself. Drafting the definition of a Security Event, Security Incident, and a Cyber Crisis, along with the measurable and approved criteria is important.
IR Governance - Getting complete visibility and control over your IR organization is important. To define the control over IR operations, you can have policies, processes, SOPs, and guidelines in place. However, for its practical implementation, you need your workflows defined into a system that can then be followed for each of the security incidents.
Periodic analyst threat briefings and special executive threat briefing should be provided to sensitize the IR team as well as the supporting stakeholders. This helps them understand the day-to-day security threats which the organization is facing, along with providing visibility over any operational challenges.
To gain visibility over ongoing IR operations, defining distinct Key Risk Indicators (KRIs) and Key Performance Indicators (KPIs), and measuring them through an automated system is required. These KRIs should contain parameters to derive People efficacy, Process efficacy, and Technology efficacy. Being able to gain visibility of ongoing operations at the IR manager level and deciphering the same for senior management
Having the visibility of operations at the IR manager level, and the ability to decipher the same for senior management in terms of cost and time-driven metrics is the sign of a successful IR organization.
We will take a pause here as there are vast aspects of IR that cannot be covered here. In the next part of this blog series, we will look at the People aspect of an IR organization.