It takes about six months, on average, for a company to detect a data breach in its systems. During that time, attackers can do a lot of damage, so you want to contain the incident as quickly as possible. To do this, consider instituting a best-practice incident response in your security operations center.
“The baseline for cybersecurity best practice response for an incident must meet all of the needs for compliance, governance, business operations and threat mitigation,” explained Pravin Kothari, CEO of CipherCloud. “Business operations are the lifeblood of the enterprise and require that full and secure business operations are re-established as quickly as possible.”
We all want to think that our security controls are good enough to keep cybercriminals out, but some attacks will get through. The better approach is to focus on minimizing dwell time, the interval from initial compromise of the network until detection. Speed is an essential component of any best-practice response. Ideally, said Kothari, dwell time should be kept to a few minutes, or at most a few hours, in order to protect the enterprise.
“Your security operations center team must continually strive to reduce this number,” he said. “Anything measured in days, let alone weeks or months is unacceptable as this allows the attackers to exfiltrate data.”
The Type of Incident Matters
How you put your best-practice response into action will depend on the type of cyber incident you are dealing with. Threat events may fall anywhere on the spectrum of cyberattacks, said Daniel Norman, research analyst at the Information Security Forum. Incidents range from a simple attack, such as a basic piece of malware found on a single system, to a highly targeted, sophisticated "multi-pronged attack" that may compromise PII or disrupt critical systems.
“Ultimately, responses to different severities of incidents will typically involve different individuals, and therefore, organizations should prepare accordingly,” said Norman.
Once you identify the type of cyberattack you are dealing with, and if you have a plan in place, you will be able to hit the ground running. Luckily, formal incident response frameworks from groups such as SANS and NIST provide an outline of the phases that must be addressed when dealing with any type of security incident, noted Nathan Wenzler, senior director of cybersecurity at Moss Adams. In the six-phase SANS formulation those phases are:
- Preparation
- Discovery and Identification
- Containment
- Eradication
- Recovery
- Lessons Learned
“Preparation can be the single most time-consuming part of the entire effort, as it stretches beyond merely putting a plan together,” Wenzler said. Proper preparation for responding to security incidents includes identifying core and potential team members, constructing formal communication protocols (both in- and out-of-band, as necessary) and, most importantly, actually testing the plans periodically. Utilizing tabletop exercises or live “fire drills” will validate that the processes and plans work as expected.
“These types of exercises ensure that when a real security incident happens, your team knows what the plan is, knows it will work, and prevents a team from needing to scramble to find ways to handle an unexpected situation, likely making mistakes or exacerbating the problem even further,” Wenzler added.
While this amount of work can seem like a huge amount of overhead to leadership, it is a small cost compared with the regulatory action that can follow a poorly executed response to a major security incident.
Getting Leadership Onboard
Getting leadership on board with any type of cybersecurity exercise is always a challenge, and developing a best-practice response plan is no exception.
“Leadership worries about breach response related to compliance, impact to reputation, and ultimately potential impact to revenue and profitability,” said Kothari. “Cybersecurity experts necessarily focus more on the technical aspects of the cyberattack, from beginning to end. Compliance is important to them, but only as it impacts baseline requirements for security operations center operations.”
Kothari advised the cybersecurity team to document an attack in as much detail as possible, to improve the feedback given to leadership as part of the best-practice response. The questions that build the forensic picture of an attack are as follows:
- How was initial access accomplished? How could it have been prevented?
- Did the attackers use spear phishing, compromise the supply chain, or replicate through removable media?
- How was the initial attack executed?
- How did the attackers establish persistence, escalate privileges and evade existing defenses?
- Were defensive controls in place along that path, and if so, were they configured correctly or misconfigured in some way?
- How were credentials accessed?
- How did the attackers perform discovery and move laterally through the network?
- How was command and control established?
- Most importantly, leadership will want to understand exactly what avenues were used for data exfiltration: how was the data transferred to the attacker?
“Answering all of this will require careful and painstaking work to document the path and complete activities of the cyberattacker,” said Kothari. This, then, goes a long way to show leadership how important these response plans are to the organization.
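The questions above map onto the phases of an attack in kill-chain order, and the dwell-time target discussed earlier is a measurement over the same evidence. The following script is an added example, not code from the article or from any of the people quoted in it: it takes timestamped evidence records (a constructed, hypothetical incident, not real data), rebuilds the attacker's path through the network, computes dwell time from first attacker activity to first detection, grades it against the minutes/hours/days thresholds Kothari describes, and lists the phases for which no evidence has yet been recorded, which is exactly the set of questions the team still cannot answer for leadership. The phase names, event format and host names are assumptions made for the example.

```python
"""Rebuild an attacker's path from timestamped evidence, compute dwell time,
and list which forensic questions still lack supporting evidence.
Added example with constructed data; phase names and record format are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Attack phases the forensic questions correspond to, in kill-chain order (assumed labels).
PHASES = [
    "initial_access", "execution", "persistence", "privilege_escalation",
    "defense_evasion", "credential_access", "discovery", "lateral_movement",
    "command_and_control", "exfiltration",
]


@dataclass(frozen=True)
class Event:
    ts: datetime
    host: str
    phase: str            # one of PHASES for attacker activity
    detail: str           # analyst's one-line description of the evidence
    detection: bool = False  # True when this is a defensive detection, not attacker activity


def validate(events):
    """Reject attacker events tagged with a phase that is not in the kill chain."""
    for e in events:
        if not e.detection and e.phase not in PHASES:
            raise ValueError(f"unknown phase {e.phase!r} on {e.host}")


def attacker_timeline(events):
    """Attacker activity only, ordered by time."""
    return sorted((e for e in events if not e.detection), key=lambda e: e.ts)


def dwell_time(events):
    """First attacker activity to first detection; None if never detected."""
    attackers = attacker_timeline(events)
    detections = sorted((e for e in events if e.detection), key=lambda e: e.ts)
    if not attackers or not detections:
        return None
    return detections[0].ts - attackers[0].ts


def dwell_verdict(td):
    """Grade dwell time: minutes or hours acceptable, a day or more unacceptable."""
    if td is None:
        return "undetected"
    if td < timedelta(hours=1):
        return "minutes"
    if td < timedelta(days=1):
        return "hours"
    return "unacceptable"


def unanswered_phases(events):
    """Phases with no recorded evidence: questions the team cannot yet answer."""
    seen = {e.phase for e in events if not e.detection}
    return [p for p in PHASES if p not in seen]


def lateral_path(events):
    """Hosts in the order the attacker touched them, consecutive repeats collapsed."""
    path = []
    for e in attacker_timeline(events):
        if not path or path[-1] != e.host:
            path.append(e.host)
    return path


# Constructed evidence for a hypothetical incident (not real data).
SAMPLE = [
    Event(datetime(2024, 3, 1, 9, 12), "ws-017", "initial_access", "spear-phishing attachment opened"),
    Event(datetime(2024, 3, 1, 9, 13), "ws-017", "execution", "macro launched PowerShell stager"),
    Event(datetime(2024, 3, 1, 9, 20), "ws-017", "persistence", "Run-key entry written"),
    Event(datetime(2024, 3, 1, 9, 25), "ws-017", "command_and_control", "beacon to external host over 443"),
    Event(datetime(2024, 3, 2, 14, 0), "ws-017", "credential_access", "LSASS memory read"),
    Event(datetime(2024, 3, 2, 14, 30), "ws-017", "discovery", "enumerated domain groups"),
    Event(datetime(2024, 3, 2, 15, 5), "fs-02", "lateral_movement", "SMB logon with harvested admin creds"),
    Event(datetime(2024, 3, 4, 2, 0), "fs-02", "exfiltration", "5 GB archive uploaded to cloud storage"),
    Event(datetime(2024, 3, 4, 8, 45), "fs-02", "detection", "DLP alert on outbound archive", detection=True),
]


def report(events=SAMPLE):
    """Summary a responder can hand to leadership: dwell time, path, open questions."""
    validate(events)
    td = dwell_time(events)
    return {
        "dwell": td,
        "verdict": dwell_verdict(td),
        "path": lateral_path(events),
        "open_questions": unanswered_phases(events),
    }


if __name__ == "__main__":
    r = report()
    print(f"dwell time: {r['dwell']} ({r['verdict']})")
    print("attacker path:", " -> ".join(r["path"]))
    print("phases with no evidence yet:", ", ".join(r["open_questions"]) or "none")
    for e in attacker_timeline(SAMPLE):
        print(f"  {e.ts:%Y-%m-%d %H:%M} {e.host:7} {e.phase:20} {e.detail}")
```

On the constructed data the dwell time is just under three days, which the thresholds grade as unacceptable, and two phases (privilege escalation and defense evasion) have no evidence at all, so the team cannot yet tell leadership whether the attacker needed to escalate or how existing controls were bypassed. Feeding the script real incident notes, one record per piece of evidence, gives the same gap list for a live case.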
And, hopefully, with best-practice response plans in place, dwell time will be reduced significantly and serious damage averted.