Breaches happen to major organizations on a regular basis. While it isn't realistic for organizations to expect that it will never happen to them, a rapid, professional and continuous response can limit the scope of a breach and its impact on a company's reputation. However, you can only respond effectively if you are properly prepared.
A successful incident response effort must involve the right mix of people, processes and technology. It must also be a continuous effort. Organizations should be constantly analyzing attacker behaviors to both thwart attacks in real time and feed threat intelligence back into the overall response strategy to better prevent future incidents.
Strong response teams
The first step in planning for incident response should be the creation of appropriate security incident response teams. These should include both an operational computer security incident response team (CSIRT) and a multidisciplinary threat management group. CSIRTs are typically staffed by technical professionals: security analysts who figure out what happened, extract relevant indicators and determine the necessary remediation, and security engineers who monitor the network for incidents and keep detection and log collection systems running, up to date with intelligence, and automated where possible.
The wider threat management group consists of leaders from throughout the organization. At a minimum, it should include representation from the information security group, IT, the operations team, legal, public relations and human resources. Some organizations will also choose to supplement both their CSIRT and threat management group with third-party consultants during an incident if needed.
CSIRT team members should be seasoned IT professionals who come to the job with much of the expertise that they need. However, incident response skills can always be developed, and they need to be kept fresh. It is important to give CSIRT team members access to continuing education and to assess CSIRT readiness through regularly scheduled exercises.
The most mature organizations not only have a CSIRT in place, but also have meaningful operational metrics they can use to measure whether the CSIRT is able to respond to incidents effectively. The time and effort required to identify, respond to and resolve each incident are important components of the overall cost of the incident to the organization.
It is also critical for incident response teams to have defined rules of engagement. For example, is your CSIRT permitted to interact with malicious hosts for the purpose of intelligence gathering? And in the event of an incident, can the CSIRT autonomously decide to pull infected systems off the network? These types of policies need to be clearly defined in advance so that unnecessary roadblocks do not get in the way of fast incident remediation.
While many security teams may not want to report bad news to the executive management team, sharing information with these individuals can be extremely valuable in strengthening management support for incident response efforts. Additionally, C-level executives are often targeted by phishing and other online scams, so it is critical for them to be aware of the various attacks facing their organization.
One of the most significant negative consequences associated with security breaches is the impact they can have on the victim's reputation. In the event of a material exposure of customer data, it may be necessary for the organization to disclose facts about the breach to the general public. Having a pre-defined plan in place for exactly how and what to communicate is the key to success in this arena.
A thorough incident investigation should produce intelligence in the form of Indicators of Compromise (IoCs) for a specific attack. Putting this intelligence to work internally enables continuous response and helps detect subsequent attacks by the same adversary. Sharing it with industry peers strengthens the collective ability to fend off future attacks.
The specific incident response tools needed within your organization will vary based on your resources and business needs, but you should consider implementing syslog collection into a SIEM, NetFlow collection, and full packet capture. These technologies provide incident responders with a record of activity that enables real-time threat detection and may also contain key pieces of evidence and indicators that can be used to detect future breaches.
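One way to put investigation-derived IoCs to work against collected syslog, as an added example that is not from the original article: the script parses BSD-style syslog records, extracts IPv4 addresses, domains and SHA-256 hashes from the message, and raises an alert wherever one matches the IoC set. The IoC values, hostnames, addresses and log lines are all constructed for illustration.

```python
import hashlib
import re
from collections import namedtuple

# Constructed IoC set of the kind an investigation produces (hypothetical values, not real indicators).
IOCS = {
    "ipv4": {"203.0.113.45"},
    "domain": {"update-cdn.example.net"},
    "sha256": {hashlib.sha256(b"test").hexdigest()},
}

# BSD-style syslog header: "Mon DD HH:MM:SS host message"
SYSLOG_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) (?P<msg>.*)$")
EXTRACTORS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "domain": re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I),
    "sha256": re.compile(r"\b[0-9a-f]{64}\b", re.I),
}

Alert = namedtuple("Alert", "timestamp host kind indicator line")

def match_line(line, iocs=IOCS):
    """Return one Alert per IoC found in a single syslog line."""
    m = SYSLOG_RE.match(line)
    if not m:
        return []  # not a parseable syslog record; skip rather than guess
    alerts = []
    for kind, rx in EXTRACTORS.items():
        for token in rx.findall(m["msg"]):
            if token.lower() in iocs[kind]:
                alerts.append(Alert(m["ts"], m["host"], kind, token.lower(), line))
    return alerts

def scan(lines, iocs=IOCS):
    """Run the IoC match over a collected log stream, preserving log order."""
    return [a for line in lines for a in match_line(line, iocs)]

# Constructed sample log lines (hostnames and addresses are fictitious).
SAMPLE_LOGS = [
    "Mar  4 10:12:01 web01 sshd[2231]: Accepted publickey for deploy from 198.51.100.7 port 52110 ssh2",
    "Mar  4 10:12:09 web01 proxy[411]: CONNECT update-cdn.example.net:443 from 10.0.0.15",
    "Mar  4 10:13:44 db02 kernel: [UFW BLOCK] IN=eth0 SRC=203.0.113.45 DST=10.0.0.22",
    "Mar  4 10:14:02 web01 av[900]: scanned /tmp/x.bin sha256=" + hashlib.sha256(b"test").hexdigest(),
    "Mar  4 10:15:30 db02 cron[77]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    for a in scan(SAMPLE_LOGS):
        print(f"{a.timestamp} {a.host} {a.kind}={a.indicator}")
```

Tokens that merely look like a domain (such as cron.hourly above) only alert when they are in the IoC set, which keeps the match precise enough to feed directly into a SIEM rule.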
One other incredibly important tool that every incident response team needs is regular system and server backups. They provide a way to rapidly roll back the environment to a state prior to the compromise, and often they can capture evidence of the attack as well.
A properly equipped and trained incident response team should be able to contain breaches more rapidly, reduce their impact on the organization, and continuously apply its findings to protect the organization against future attacks. Creating and maintaining a strong incident response plan should be a top priority for all organizations.