The 5 P’s for Incident Response

Oct 03, 2017 | by Mary Roark

Will Incident Response ever get any easier? 

Unfortunately, probably not.

So the question becomes – what should security teams be doing to increase incident response readiness?  This can be answered with the top Five P’s for Incident Response:

  1. Practice: 10,000 hours is proposed as the minimum effort to achieve mastery in a field according to Malcolm Gladwell in his book Outliers. That is about 250 weeks – so about 5 years of working full time on something.  Many of us are already worried about the security industry skills shortage, especially with statistics such as “59% of security staffs lack the expertise to assist with threat mitigation”.  Unfortunately, there is no magic bullet, practice makes perfect.  In security, we use the terminology “Security Best Practices” all the time. It is essential to schedule time to practice what roles and responsibilities everyone has in the event of a breach.  Simulations, stress testing and reviewing the plan will help the organization identify gaps in training, procedure and coverage.  Some of the questions you want to ask are: Are there new business assets that have not been included in plan? Has the organization changed?  How old are your security plans? Another important aspect of the plan is the Communications piece.  Are there communications timelines and escalations to organizations such as legal, finance and marketing – if a press release is required? And think about out of line communications (outside the email system that has just been breached) so that threat actors are not alerted to your counter measures.  The plan should be written in a format that facilitates teams to practice their response to a threat and sharpen their skills.

  2. Misreading the Punch: In reacting to incidents and breeches – it is imperative to realize that deception may be involved.  Threat actors will attempt to distract the SOC staff.  So a phishing attack may distract analyst away from much more impactful threats that may be aimed at the exfiltration of data.  A famous Sun Tzu quote reminds us of this:

    All warfare is based on deception. Hence, when able to attack, we must seem unable; when using our forces, we must seem inactive; when we are near, we must make the enemy believe we are far away; when far away, we must make him believe we are near.

    Thus, it is important NOT to misread the punch.  In order to defend, the big picture should always be kept in mind.  Appropriate resources need to be assigned to certain threats, but always scanning the landscape to understand the full scope of attacks and what activity could be masked by certain types of threats. We are all trained to react to fires, but we need to try not to get lost in the heat and smoke.  An evaluation of the motivation of threat actors will help to identify what fires are really fires and what are just nuisance activities.

  3. People - the Problem and the Solution: Security jobs are stressful with alert fatigue and cognitive overload common.  Continuous and frequent training of users is necessary.  Equally important is providing security analysts tools which automate activities to eliminate the “security grunt work.”  Evaluate how to up-level the analyst job. According to Network World, “Alert fatigue is more about the context and the experience: How many alerts do your analysts review and in what fashion, and are those alerts actionable or relevant? If you’re used to acting on alerts because they’re relevant, specific, and have the correct context, your analysts will be less susceptible to alert fatigue.”  Business context and the identification and ranking of assets into categories like domain controllers, intellectual property, and executive email accounts will help to prioritize alerts and provide analyst focus.  Job rotations – maybe one day a week as a T2 for T1 analyst – will help to gain knowledge, establish a culture of cross training and sharing information so that your employees will pick up best practices and see what more there is to learn.  Additional education can be tied to work period commitments – an exchange of service for training. Finally, retention is even more important than hiring given the value of each and every individual with security skills.

  4. Patterns - Partner to Target Vector: The weakest link in security is people.  They click on almost everything despite training.  User awareness campaigns are necessary on a continuous basis. Yet, most frustrating is that the more tech savvy individuals are the ones who are most likely to violate corporate security guidelines and “People who think they’re ‘tech-savvy’ are 18% more likely to be hit by ID theft” according to a survey by CBT nuggets.  We have all heard the Target story and have isolated HVAC vendors.  But what other partners, consultants, and trusted advisors have access to your networks?  Due to the fact that they are people – there is a weakness that can be exploited.  One contractor at RSA with more than 30 years of experience frequently found that his privileges had been revoked.  While he would lose productivity, he acknowledged each time that he understood based on the documents he had access to why there were frequent audits of his accounts.  Include 3rd party users, contractors and partners with access to your systems in security training and audit exercises. Supply chain risk has risen in profile,  is now included in the new draft NIST framework and is considered relevant to all businesses.

  5. Proactive Hunting vs. Reactive: All of this requires proactive effort to put policy in place for frequent and through reviews of the daily, and even hourly, actions within the SOC.  It is necessary to constantly evaluate and question if we are utilizing analyst’s time wisely and focusing on those threats with the most damaging impact.  Practicing the skills that will be needed in a crisis.  Like firemen – it is important to perform drills – in order to be ready when needed. Most importantly, take the opportunity to hunt and act proactively.  Look for threat actors where you think they would hide.  Don’t wait for the alert. Don’t wait until it is too late.  Set up red and blue teams to challenge your current security assumptions. Security teams need to understand the threat actor’s mentality and motivation.  Question everything.  And give your security staff the tools and the time they need to proactively hunt for the bad guys.

Summary

The 5 P’s are straight forward, but require continuously asking questions that will drive the right behaviors within security teams.  Making time to Practice, assigning time for Proactive Hunting, even if it does not yield results.  Skills must be used or they are forgotten and that includes all the users who need to be reminded again and again – Don’t Click.

 

Learn more...
RSA Global Services is introducing new services to provide customers with additional options and flexibility to support their cybersecurity program development needs.

Watch this 1 minute summary about the NIST CSF offer on YouTube

Author: Mary Roark

Category: RSA Fundamentals

Keywords: Incident Response, NIST, Threat Hunter