When it comes to improving cyberincident response, security teams can learn a valuable lesson from the military about the importance of standard operating procedures. “SOPs” document prescribed methods for carrying out an activity or responding to a difficult situation.
The U.S. Army has SOPs for seemingly everything, and for good reason. Many SOPs help soldiers react to difficult situations with a clear head. Often these SOPs are designed to save lives, like the one that dictates where soldiers should place their first aid kits among their gear.
SOPs for cybersecurity – and more specifically, those developed for cyberthreat intelligence programs – can improve incident response. By establishing specific processes for conducting threat intelligence research, security teams can more quickly determine whether a compromise has occurred, and if so, its scope and impact.
How to Establish SOPs for Threat Intelligence
Threat intelligence typically consists of compromise indicators – which often take the form of IP addresses, domain names, URLs, file names and malware hashes. Answering the following questions about each indicator can help establish SOPs:
IP addresses: Are some network devices more critical than others? Which ones? Do I have the visibility I need to quickly determine if those devices are routing traffic to or from suspicious IPs? Is there a documented process for conducting this kind of research? Do I understand my security technologies well enough to carry out this research under pressure?
Domain names: Do I have the ability to quickly look up domain traffic? Can I quickly look up registration info for those domains in a “whois” database? Is there a documented process for conducting this research? Do I understand my security technologies well enough to do this under pressure?
URLs: Can I quickly look up suspicious URLs and the end-users who visited them? Is there a documented process for doing this kind of research? Do I understand my security technologies well enough to do this under pressure?
File names & malware hashes: Do I have the endpoint visibility I need to quickly determine if a particular file name or malware hash is present on any of my endpoints?
These questions indicate the need for SOPs that help identify the presence of compromise indicators in an organization's IT environment. They also emphasize the importance of proactively inventorying network devices and endpoints, so that security teams know exactly how many and which of those assets they need to investigate and remediate.
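The following is an added example, not part of the original article, of how such an SOP can be scripted: typed indicators are matched against telemetry, and each hit is ranked by the affected asset's criticality from an inventory. The host names, event fields, indicator values and inventory are constructed assumptions for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Constructed asset inventory (hypothetical host names): host -> criticality.
INVENTORY = {"dc01": "critical", "web01": "high", "wks-114": "standard"}
RANK = {"critical": 0, "high": 1, "standard": 2, "unknown": 3}
# Constructed indicators, typed the way a threat feed would deliver them.
INDICATORS = [("ip", "203.0.113.50"), ("domain", "Update.Example.net."),
              ("url", "http://update.example.net/a.php?id=7"),
              ("hash", "AB" * 32), ("file_name", "svch0st.exe")]
# Constructed telemetry from firewall, DNS, proxy and endpoint sources.
EVENTS = [
    {"source": "firewall", "host": "dc01", "dst_ip": "203.0.113.50"},
    {"source": "dns", "host": "wks-114", "query": "update.example.net."},
    {"source": "proxy", "host": "wks-114", "user": "jdoe",
     "url": "http://update.example.net/a.php?id=7"},
    {"source": "endpoint", "host": "web01", "file_name": "SVCH0ST.EXE",
     "sha256": "ab" * 32},
    {"source": "firewall", "host": "web01", "dst_ip": "198.51.100.7"},
]

def normalize(kind, value):
    """Canonical IPs, lowercased domains/hashes/file names, URLs as written."""
    value = value.strip()
    if kind == "ip":
        return str(ipaddress.ip_address(value))
    if kind == "domain":
        return value.rstrip(".").lower()
    return value if kind == "url" else value.lower()

def observables(event):
    """Yield the normalized (kind, value) pairs one event exposes."""
    fields = {"dst_ip": "ip", "query": "domain", "url": "url",
              "file_name": "file_name", "sha256": "hash"}
    for field, kind in fields.items():
        if field in event:
            yield kind, normalize(kind, event[field])
    # A proxy URL also reveals the domain that was contacted.
    host = urlsplit(event.get("url", "")).hostname
    if host:
        yield "domain", normalize("domain", host)

def scope(indicators, events, inventory):
    """Return (criticality, host, kind, value, source, user) hits, worst first."""
    wanted = {(k, normalize(k, v)) for k, v in indicators}
    hits = [(inventory.get(e["host"], "unknown"), e["host"], k, v,
             e["source"], e.get("user"))
            for e in events for k, v in observables(e) if (k, v) in wanted]
    return sorted(hits, key=lambda h: (RANK[h[0]], h[1], h[2]))
```

Hosts missing from the inventory are reported as "unknown" and sorted last, which makes gaps in the asset inventory visible during the investigation.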
Organizations at all levels of cybersecurity maturity can benefit from these and other SOPs; a state-of-the-art threat intelligence program isn't a prerequisite for creating them. In the heat of the moment, SOPs can prevent panic and help to facilitate an efficient, effective incident response inside any organization with the foresight and willingness to create them.
Alex Cox is the director of RSA's Threat Intelligence function and a former U.S. Army Captain.