I don’t know if you have noticed, but when it comes to incident response, the methodology applied by organizations can vary from the downright chaotic, to a well-disciplined, well-oiled machine. However, from what I have observed over the preceding five years of my professional life, the general approach seems to be ad-hoc and has suffered from a lack of discipline.
I have also observed that whilst there is security input from the security bucket of compliance and governance, there can be a very big mind-the-gap moment when it comes to getting the right kind of technical advice from the attending security teams – which by implication also infers there is a lacking in the area of skills.
It is now the year 2016, and when organizations consider security, they need to add two thoughts into the cauldron of risk assessment:
1. I have probably suffered some form of cyber-compromise, but don’t know it!
2. If I have not been hacked, I will be!
When encountering cyber adversity, or a part/full-on cyberattack, there are a number of keys which can dictate the potential of a positive outcome – and the more keys you have, the greater the chance of mitigating the event, and countering the attack.
The keys are as follows:
KEY 1: PREPARATION
Always expect the worst to happen, and be prepared and have an established CSIRT (Computer Security Incident Team) structure in place, which may be mobilized in a coordinated manner.
KEY 2: PROCESSES
The time of encountering an attack is not the time to consider how you will respond to the event. Here, it is essential to have documented processes in place to guide the CSIRT through the security engagement with clear and defined robust actions.
KEY 3: SKILLS
One very important element of the key chain is to have the right people in place whounderstand the ramifications and implications – people who can deliver value to the incident response process based on the technological risk.
KEY 4: TOOLS
Have tools and response capabilities in place that may be deployed to support the security mission, along with a team who has been trained in their use.
KEY 5: COMMUNICATIONS
It is important for those larger organizations to have both internal and externalcommunications protocols in place to assure they may apply follow-the-sun capabilities, as well as communicating with external agencies, such as the police when the event dictates.
KEY 6: CASE MANAGEMENT
At the core of all successful incident responses exists the ability to document a contemporaneous record of events, and to record any acquired element or artifacts that may seem to be pertinent to the case under investigation.
KEY 7: STAY LEGAL
It is essential that the applicable laws are understood in relation to the region, or regions which are implicated by the event – ranging from the UK with its Data Protection Act to those outsourcing domiciles, which fall under other international laws and directive.
KEY 8: CYBER THREAT INTELLIGENCE (CTI)
When encountering any form of cyber adverse interest, it is a good practice to seek out what any potential adversaries may be saying about your brand online though the employment of CTI – this can give an organisation suffering a cyberattack an insight into the attacker’s mind and objectives.
KEY 9: DIGITAL FORENSIC READINESS
Remember you may need to investigate the acquired artifacts in more depth, so having an evolved Digital Forensic Readiness Capability in the CSIRT Framework should be considered an essential element.
KEY 10: LEARNING
The last important element of the keys to success is to learn from past events and to adjust the futuristic rules of engaged on the past experiences.
It may be that the 10 Point Key Cycle as outlined above may be seen as imposing a difficult challenge on any security team to evolve such a multi-faceted skill set. However, focused training courses do exist which can deliver a one-stop-solution, along with the required commensurate skills and documentation sets – which at time of responding to a cyber security incident have, and can prove to represent an investment in the key steps to commercial survival.