In a recent SearchSecurity tip, we outlined several questions that organizations must answer when building a computer security incident response team.
In a recent SearchSecurity tip, we outlined several questions that organizations must answer when building a computer security incident response team. But once you answer these questions, there should be another step in the process: determining what threats there are to the organization, as well as how best to prepare for and detect these threats.
To get there, organizations should start with a simple model to help determine the best strategies for their cybersecurity incident management plan. It’s called a simplified incident management process model for two reasons. First, it focuses on those things that an organization must do before attempting to create incident response capabilities. Second, it focuses on incident management as opposed to incident response because this model presents the path to detection that must occur before any incident response activity is possible.
The three components of this process model are protect, prepare and detect. This three-pronged model contains some fundamental principles to consider.
Principle 1. An organization can only protect itself against those cybersecurity threats that it already knows about.
Principle 2. For threats that are unknown, an organization must react to them quickly and effectively.
Principle 3. It is not possible to respond to any computer or information security incident until an organization can detect that an incident has occurred.
Component one: Protect
As mentioned above, the first principle is that an organization can only protect itself against those threats that are already known. To put it another way, unless you know that a specific threat exists, it is not possible to take steps to protect against it.
A common source of many cybersecurity problems is software vulnerabilities. In the past, a software vulnerability was discovered, then reported to the software publisher, the CERT Coordination Center and US-CERT. Over a period of weeks, the software publisher would work to mitigate the vulnerability — usually in the form of a distributed software patch. All this was usually done before public disclosure of the vulnerability. The elapsed time for this entire process was often less than six weeks.
That was then, but this is the age of the zero-day vulnerability. With a zero-day vulnerability, the software flaw that causes the vulnerability is unknown to software users and perhaps even the software publisher. There is also no public announcement about the vulnerability, and no patch, workaround or other protective action is available. Therefore, it is not possible to protect against zero-day vulnerabilities or to develop pre-emptive strategies for them.
It is possible to protect against known vulnerabilities for which software patches or upgrades are available. A reasonable protection strategy should include a vulnerability management program to ensure that all known software vulnerabilities are identified, mitigated or eliminated.
Other reasonable protection strategies are:
- risk assessments;
- identification of critical information assets;
- internal and external threat awareness and updating defenses based on current threats and risk scenarios;
- monitoring 100% of internet traffic as it enters and leaves the organization;
- use of email gateways to filter, analyze, drop or quarantine malicious or spam email;
- configuration management programs;
- proactive penetration tests;
- vulnerability scanning and identification; and
- up-to-date asset inventory — you can’t protect it if you don’t know it exists.
Even if a computer security problem is public, it is still a threat if an organization is unaware of it. That’s why protection strategies designed to discover an organization’s underlying vulnerabilities, such as conducting regular risk and threat assessments, are essential.
Component two: Prepare
Once an organization has done all it can to protect itself against known problems, it can turn its attention to those computer security vulnerabilities and threats that it doesn’t know about. How? Beyond protecting itself against known vulnerabilities, an organization can prepare itself to react effectively to those problems that arise without prior notice or knowledge.
A zero-day vulnerability is an example of this scenario, as well. It is not possible to specifically protect an organization against a computer security incident that is the result of a zero-day vulnerability. However, if an organization has built a secure gateway and ensures that all the internet traffic flows through that gateway, for instance, then it is possible to monitor all the internet traffic as it enters and leaves the organization. This ability, coupled with other preparation strategies, could enable an organization to detect and stop unwanted behavior resulting from a zero-day vulnerability.
Preparation strategies that help organizations deal with computer security incidents include:
- Monitor 100% of internet traffic as it enters and leaves the organization.
- Create baselines of internal network traffic and behavior, then monitor for unusual or unwanted protocols or remote access.
- Monitor network traffic for deviation from baselines.
- Implement security awareness training.
- Implement a backup program.
- Develop cybersecurity policies and procedures.
- Develop an incident reporting policy and associated guidelines.
- Create an incident response capability as part of a broader incident management strategy.
Component three: Detect
When it comes to responding to computer security incidents, the ability to detect when incidents occur is critical: There can be no response without the ability to detect. In 2017, the average time to detect a cybersecurity breach was 191 days. Improving the ability to quickly detect cybersecurity incidents should be a goal for every organization.
There are several things that an organization can do to improve its ability to detect incidents.
- Develop an understanding of how organizational networks are really configured, including applications, protocols and network traffic baselines.
- Once you have an understanding of how the network is supposed to operate, you must monitor the network closely to detect when deviations from the norm occur.
- Create and operate a security operations center as the focus point for network monitoring, including user reports, threat intelligence, and inputs from firewalls, intrusion detection/prevention systems, NetFlow, and other proactive and reactive detection systems.
This is a look at how to develop a simplified incident management process model for organizations that want to eventually build more detailed computer security incident response capabilities. Organizations should first look at the three areas mentioned above when developing incident response capabilities: how best to protect against, prepare for and detect cybersecurity threats. Without understanding these simplified, general vulnerabilities first, creating incident response capabilities and strategies may prove ineffective.