With a growing number of data breaches over the past several years, it’s no surprise that a collection of best practices is evolving to help prevent them and to respond to them when they do occur. And they will occur, because attackers make a living by finding ways around security best practices.
Here are a few tips that have stood the test of time, followed with a reference list of some vendor resources that can help you improve your incident response.
Prioritize Data Protection
The downfall of many security strategies is that they become too general and too thinly spread. Prioritizing increases effectiveness: concentrate the strongest controls on the assets whose compromise would hurt most, and plan for the rest on the assumption that they may fall.
"Stop trying to protect everything," said Ray Boisvert, CEO of I-Sec Integrated Strategies (ISECIS). "Protect only what’s vital and accept that the rest may be compromised."
Document Your Response Process
Best practices in incident response demand that you have a documented process and follow it. Stress levels rise during attacks, and you’re likely to be pulled in many directions, which leads to key actions being skipped. Jake Williams, a certified instructor with the SANS Institute, recommends establishing checklists to ensure all tasks are completed in the order intended. Free incident response checklists are also available.
"Documentation during the incident is vital and checklists can help," he said.
Make Users Part of the Process
An often forgotten aspect of incident response is informing end users. For example, say a group of users has had their credentials stolen. The minute IT learns of it, the clock starts ticking: immediately inform the affected users that they must change their passwords.
"Making users part of the process is a critical component and best practice," said Rajneesh Chopra, vice president of Product Management, Netskope.
Understand Business Context
You may be required to take systems and applications offline for analysis during an investigation. When investigating a system for potential compromise, it’s critical to know what confidential data is stored on or passing through the system and to consider the business impact.
"Leverage data loss prevention tools to map out the important data flows in your organization," suggested Clint Sand, senior director, Global Cyber Readiness and Response Services at Symantec.
Follow Every Piece of Evidence
It is all too easy in an attack to find the apparent source of malware, eradicate it and leave it at that. But you may miss further traces of it on other systems, or the foothold the attacker used to plant it in the first place.
"Follow every piece of evidence until you are certain that you have uncovered all of the attackers, clearly identified the hosts they have compromised and understood the tactics used against you," said Scott Crane, director, Product Management, Arbor Networks.
Proactively Collect Data
Crane also recommends that you collect all the data you may need well before you ever need it. That means the right logs from properly configured security systems, and packet traces from the network locations that matter, retained long enough to cover the dwell time of an intrusion.
"Investigations break down or take far longer because a crucial piece of evidence was not available," said Crane.
Go with the Flow
Packet analysis certainly provides the greatest visibility into network traffic. However, the number of packet capture probes required to cover all potential targets and locations can make it cumbersome and costly. Enter flow technologies such as NetFlow, which deliver performance metrics while providing, by the vendors' estimate, over 90 percent of the visibility available from packet analysis. The caveat is that a flow record summarizes a conversation (addresses, ports, protocol, byte and packet counts, timing) and carries no payload, so flows tell you who talked to whom and how much, not what was said.
"Security administrators can leverage flows to baseline normal behaviors and trigger for suspicious events that are often indicative of infiltration," said Michael Patterson, founder and product manager, Plixer. "When searching for a specific host, distributed flow collection systems can search in data collected from remote areas of the world and serve up exact matches in seconds."
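As an added example, not code from Plixer, Arbor Networks or any other vendor named in this article, the Python below demonstrates the approach Patterson describes: baseline each host's normal outbound volume from flow records, then trigger when a window departs from that baseline. It also implements the upload-over-time exfiltration check mentioned for Scrutinizer in the vendor list. The flow records, addresses, the choice of RFC 1918 space as "internal", and the thresholds (3 standard deviations and a 10 MB floor) are all constructed assumptions for illustration.

```python
"""Flow-based baselining and upload-anomaly detection over NetFlow-style records.

Added example with constructed data; not output from, or code belonging to,
any product named in the article.  Each Flow carries the fields a collector
would get from an exporter; `window` is a time bucket index (one per day here)
rather than a raw timestamp.
"""
from collections import defaultdict
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: RFC 1918 space is "inside"; everything else is the Internet.
INTERNAL = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
            ip_network("192.168.0.0/16")]


@dataclass(frozen=True)
class Flow:
    window: int   # time bucket (e.g. day index) the flow was observed in
    src: str
    dst: str
    dport: int
    nbytes: int   # bytes from src to dst in this flow


def is_internal(ip: str) -> bool:
    return any(ip_address(ip) in net for net in INTERNAL)


def outbound(flows):
    """Keep only inside -> Internet flows; other directions do not count as upload."""
    return [f for f in flows if is_internal(f.src) and not is_internal(f.dst)]


def upload_totals(flows):
    """{host: {window: bytes uploaded to the Internet in that window}}."""
    totals = defaultdict(lambda: defaultdict(int))
    for f in outbound(flows):
        totals[f.src][f.window] += f.nbytes
    return totals


def build_baseline(flows):
    """Per host: (mean, population stddev) of upload bytes per window,
    plus the set of Internet destinations seen during the baseline period."""
    dests = defaultdict(set)
    for f in outbound(flows):
        dests[f.src].add(f.dst)
    baseline = {}
    for host, per_win in upload_totals(flows).items():
        vals = list(per_win.values())
        baseline[host] = (mean(vals), pstdev(vals), dests[host])
    return baseline


def detect_upload_anomalies(flows, baseline, k=3.0, floor=10_000_000):
    """Alert when a host's upload volume in a window exceeds BOTH an absolute
    floor and mean + k*stddev of its own baseline.  The floor stops a quiet host
    whose baseline stddev is ~0 from alerting on trivial changes.  A host with no
    baseline at all is judged against the floor alone."""
    alerts = []
    for host, per_win in upload_totals(flows).items():
        mu, sigma, known = baseline.get(host, (0.0, 0.0, set()))
        for window, nbytes in sorted(per_win.items()):
            if nbytes > max(floor, mu + k * sigma):
                new_dsts = {f.dst for f in outbound(flows)
                            if f.src == host and f.window == window} - known
                alerts.append({"host": host, "window": window, "bytes": nbytes,
                               "baseline_mean": mu,
                               "new_destinations": sorted(new_dsts)})
    return alerts


# Constructed baseline: ten daily windows of routine traffic for two hosts.
BASELINE_FLOWS = [
    Flow(w, "10.0.0.5", "198.51.100.10", 443, b)
    for w, b in enumerate([1_800_000, 2_100_000, 1_950_000, 2_000_000, 2_200_000,
                           1_900_000, 2_050_000, 1_850_000, 2_150_000, 2_000_000])
] + [Flow(w, "10.0.0.7", "198.51.100.10", 443, 500_000) for w in range(10)]

# Constructed day-10 traffic: 10.0.0.7 is unchanged; 10.0.0.5 pushes ~950 MB to a
# never-before-seen host over several flows.  The internal transfer and the
# inbound flow are included to show they do not count toward upload volume.
NEW_FLOWS = [
    Flow(10, "10.0.0.5", "198.51.100.10", 443, 2_000_000),
    Flow(10, "10.0.0.5", "203.0.113.50", 443, 300_000_000),
    Flow(10, "10.0.0.5", "203.0.113.50", 443, 300_000_000),
    Flow(10, "10.0.0.5", "203.0.113.50", 443, 350_000_000),
    Flow(10, "10.0.0.5", "10.0.0.9", 445, 50_000_000),      # internal: ignored
    Flow(10, "203.0.113.50", "10.0.0.5", 443, 1_000_000),   # inbound: ignored
    Flow(10, "10.0.0.7", "198.51.100.10", 443, 500_000),
]


def run_example():
    return detect_upload_anomalies(NEW_FLOWS, build_baseline(BASELINE_FLOWS))


if __name__ == "__main__":
    for alert in run_example():
        print(alert)
```

The alert reports the host, the window, the observed upload volume against its baseline mean, and the external destinations not seen during the baseline period, which is exactly the "specific host" search Patterson describes a collector serving up for the analyst. In production the baseline would be recomputed on a rolling basis and the 10 MB floor tuned per host class; a backup server and a call-centre desktop should not share a threshold.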
Train and Drill
Nobody finds out that they are good at incident response or incident management during an ongoing incident. Incident responders and managers alike need training before the event, and after training they should run periodic drills in their own environments, where the real tooling, contacts and escalation paths get exercised.
"The most effective training includes incident dry runs, often called sand table exercises, where incident responders and managers work through a mock incident," said Williams.
Enlist Outside Help
Do you have the internal resources to deal with incidents that attack mobile platforms, embedded systems or the growing use of Internet of Things devices? If not, it may be time to augment your internal skillset with some outside help.
"Putting a third-party vendor on retainer backs up your own team, but can also provide other expertise like crisis communication and legal support in the case of a data breach," said Sand.
Go on the Offensive
Boisvert advised companies regularly under attack to add an offensive element to what tend to be largely defensive incident response strategies. In practice he means intelligence gathering rather than retaliation: he suggested that some might even want to consider delving into the Dark Web, the collection of sites reachable only through anonymity networks that hide the server's IP address.
"The best way to avoid an incident is to have a strong offense," said Boisvert. "Engage the Dark Web, find out who has your information, who is selling it and what the latest threats may be."
Short List of Vendors
Let’s take a look at some of the available vendor resources:
Arbor Networks offers Pravail Security Analytics as an appliance or via the cloud. This forensics tool uses packet capture as its data source, by tapping a live network stream or by uploading a file for analysis. Visualization allows the analyst to spot trends or anomalies in months of data.
"As it uses packet capture, it has the full context of the attack and can confirm its extent and impact, as well as look at what happened prior to the attack and what the attacker did next," said Crane.
Scrutinizer is a malware incident response system from Plixer based on NetFlow technology. It can collect millions of flows per second and runs behavior analysis over them to uncover suspicious activity. It also detects data exfiltration by monitoring Internet uploads over time.
Lancope’s StealthWatch System is another product that collects, stores and analyzes flows from network infrastructure and contextual data from sources including firewalls and identity solutions. Using behavioral analysis and anomaly detection, it identifies insider threats, attacks and zero-day infections on enterprise networks. It also builds profiles on all network hosts and users based on observed traffic.
Netskope is a cloud-based service that inspects enterprise user traffic to and from cloud apps. It can be deployed to inspect traffic from campus to remote (laptop or mobile device) users.
"Netskope can help organizations get ahead of hackers and insiders and provide forensic analysis capabilities," said Chopra. "It can invoke a quarantine and/or legal hold over content to better enable the incident response team to carry out an investigation."
Symantec Incident Response is a managed service with capabilities for readiness, security monitoring and emergency response. This reduces the time it takes to identify and eradicate advanced threats while decreasing the likelihood of future incidents, said Sand.
RSA Advanced Security Operations Center (SOC) solution is a combination of technology and services that gives security operations teams visibility to identify and investigate attacks.
Further tools and services include:
Fluke Networks provides enterprise monitoring, diagnostics, analysis, reporting, and application performance management.
Blue Coat proxy appliances offer Web caching, virus scanning, content filtering and instant messaging control.
Splunk is a platform that analyzes multiple logs and data sources to provide operational intelligence.
McAfee offers a system to detect the source of attacks, as well as consulting services on how to deal with them.
FireEye addresses automated threat forensics and dynamic malware protection against advanced cyber threats such as advanced persistent threats and spear phishing.
Dell SecureWorks is a managed security service.
In addition, there are many consulting firms that address anything from penetration testing to post-breach response and forensic investigation. These include Deloitte, SecDev, PwC, CGI, Immunity, Mandiant, Raytheon and Resilient.
Drew Robb is a freelance writer specializing in technology and engineering. Currently living in Florida, he is originally from Scotland, where he received a degree in geology and geography from the University of Strathclyde. He is the author of Server Disk Management in a Windows Environment (CRC Press).