Incident Response Steps and Frameworks for SANS and NIST


AT&T Cybersecurity Blog, January 3, 2020 | Elisha Girken

What is Incident Response?

Incident response is a plan for responding to a cybersecurity incident methodically. If an incident is nefarious, steps are taken to quickly contain, minimize, and learn from the damage.

Not every cybersecurity event is serious enough to warrant investigation. Events like a single login failure from an employee on premises are good to be aware of when they occur as isolated incidents, but they don't require man hours to investigate. Your cybersecurity team should have a list of event types with designated boundaries on when each type needs to be investigated. From there, you should have customized incident response steps for each type of incident.

The Importance of Incident Response Steps

A data breach should be viewed as a "when," not an "if," occurrence, so be prepared for it. Under the pressure of a critical-level incident is no time to be figuring out your game plan. Your future self will thank you for the time and effort you invest on the front end.

Incident response can be stressful, and IS stressful when a critical asset is involved and you realize there's an actual threat. Incident response steps help in these stressful, high-pressure situations to more quickly guide you to successful containment and recovery. Response time is critical to minimizing damages. With every second counting, having a plan to follow already in place is the key to success.

The Two Industry Standard Incident Response Frameworks

Introduced in no particular order, NIST and SANS are the dominant institutes whose incident response steps have become industry standard.

NIST

NIST stands for National Institute of Standards and Technology. They're a government agency proudly proclaiming themselves as "one of the nation's oldest physical science laboratories". They work in all things technology, including cybersecurity, where they've become one of the two industry standard go-tos for incident response with their incident response steps.

The NIST Incident Response Process contains four steps:

1. Preparation
2. Detection and Analysis
3. Containment, Eradication, and Recovery
4. Post-Incident Activity

SANS

SANS stands for SysAdmin, Audit, Network, and Security. They're a private organization that, per their self description, is "a cooperative research and education organization". Though more youthful than NIST, their sole focus is security, and they've become an industry standard framework for incident response.

The SANS Incident Response Process consists of six steps:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons Learned

The Difference Between NIST and SANS Incident Response Steps

With two industry standard frameworks, there's a chance you're familiar with one but not the other. So let's do a walk-through of their similarities and differences. First, here's a side-by-side view of the two processes before we dive into what each step entails.

NIST                                       | SANS
1) Preparation                             | 1) Preparation
2) Detection and Analysis                  | 2) Identification
3) Containment, Eradication, and Recovery  | 3) Containment
                                           | 4) Eradication
                                           | 5) Recovery
4) Post-Incident Activity                  | 6) Lessons Learned

Placed side by side in a list format, you can see NIST and SANS have all the same components and the same flow, but different verbiage and clustering. Let's walk through what each of the steps entails to get into the nuanced differences of the frameworks.

For consistency, NIST steps will always be presented on the left and SANS on the right during the side-by-side step comparisons.

Step 1) Preparation = Step 1) Preparation

Preparation is key to rapid response. We beat this drum earlier when discussing the importance of having incident response steps.

This step is similar for both NIST and SANS. In this step you compile a list of all your assets, including but not limited to: servers, networks, applications, and critical endpoints (like C-level laptops). After you've compiled your asset list, rank them by level of importance. Then monitor their traffic patterns so you can create baselines to be used for comparisons later.

Create a communication plan, with guidance on who to contact, how, and when, based on each incident type. Don't forget to get buy-in from everyone on this contact list to prevent hiccups or finger pointing later.

Determine which security events, and at what thresholds, should be investigated.

Then create an incident response plan for each type of incident. It can be improved through security event simulations, where you identify holes in your process, but it will also be improved after actual events (more on that later). The point is, get a process in place.

Step 2) Detection and Analysis = Step 2) Identification

Again, this step is similar for both NIST and SANS, but with different verbiage.

At this point in the process, a security incident has been identified. This is where you go into research mode. Gather everything you can on the incident. Then analyze it. Determine the entry point and the breadth of the breach. This process is made substantially easier and faster if you've got all your security tools feeding into a single location.

Step 3) Containment, Eradication, & Recovery = Steps 3-5) Containment. Eradication. Recovery.

Here is where NIST and SANS kind of part ways in their similarities before agreeing again on the final step. NIST views the process of containment, eradication, and recovery as a single step with multiple components. SANS views them as their own independent steps.

Containment aims to stop the bleeding. Here is where you patch the threat's entry point.

Eradication aims to remove the threat. If the threat gained entry from one system and proliferated into other systems, you'll have more work on your hands here.

Recovery aims to get the system operational if it went down, or simply back to business as usual if it didn't.

Step 4) Post-Incident Activity = Step 6) Lessons Learned

NIST and SANS are in agreement again in their last step, if not in verbiage, then in spirit.

This step provides the opportunity to learn from your experience so you can better respond to future security events. Tempting as it may be to skip, with your never-ending to-do list, this step is strongly recommended.

Take a look at the incident with a humble but critical eye to identify areas for improvement. Then go add those improvements to your documentation.

No process is perfect for absolutely every possible scenario. Some scenarios can't even be fathomed until they've occurred. The threat landscape is also ever-evolving, so your incident response process will naturally need the occasional update. Remember, your future self will thank you.

The Incident Response Steps Poll

In an informal Twitter poll on a personal account, one of us got curious and asked people where their incident response guidance comes from. Check out the result:

While not a statistically significant poll, 69% of respondents use NIST or SANS. Not surprising since they're industry standards, but it scratched our curiosity itch.

Which Incident Response Steps Framework is Better?

Ah, to be definitively told an answer. No such chance here. It really does come down to personal preference. Does it make more sense to you to break containment, eradication, and recovery into their own steps, or to keep them grouped in a single step? Let your answer to that question guide you to the right choice.

Both are popular and have supporters. Regardless of which you choose, both NIST and SANS have incident handling checklists available to get you started. Just remember to customize them to your specific needs and your company's environment... and before you're in the midst of an incident response.

If you'd like to further explore incident response, check out our free Insider's Guide.
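As an added example (not code from the original post), the event-type thresholds and asset ranking from the Preparation step and the escalation decision of the Identification step can be expressed as a small triage rule run over constructed sample log lines; the asset ranks, thresholds, event names and log format are all assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical asset ranking produced in the Preparation step (1 = most critical).
ASSET_RANK = {"ceo-laptop": 1, "db-prod-01": 1, "web-02": 2, "kiosk-07": 3}

# Hypothetical per-event-type investigation thresholds: escalate once one asset has
# "count" events inside "window" ("critical_count" for rank-1 assets).
THRESHOLDS = {
    "login_failure": {"count": 5, "critical_count": 3, "window": timedelta(minutes=10)},
    "malware_alert": {"count": 1, "critical_count": 1, "window": timedelta(hours=1)},
}

# Constructed sample log lines: "<ISO timestamp> <event type> <asset> <user>".
SAMPLE_LOG = """\
2020-01-03T09:00:00 login_failure kiosk-07 bob
2020-01-03T09:01:00 login_failure web-02 alice
2020-01-03T09:02:00 login_failure web-02 alice
2020-01-03T09:10:00 login_failure ceo-laptop carol
2020-01-03T09:11:00 login_failure ceo-laptop carol
2020-01-03T09:12:00 login_failure ceo-laptop carol
2020-01-03T09:30:00 malware_alert db-prod-01 svc-backup
2020-01-03T09:31:00 port_scan web-02 -
"""

def triage(log_text):
    """Return {(event type, asset): events in window} for every pair that crossed
    its investigation threshold; isolated, below-threshold events are left alone."""
    windows = defaultdict(deque)  # (event type, asset) -> timestamps still in window
    incidents = {}
    for line in log_text.splitlines():
        ts_text, etype, asset, _user = line.split()
        rule = THRESHOLDS.get(etype)
        if rule is None:
            continue  # not on the list of event types the team investigates
        ts = datetime.fromisoformat(ts_text)
        key = (etype, asset)
        window = windows[key]
        window.append(ts)
        while ts - window[0] > rule["window"]:  # drop events that aged out of the window
            window.popleft()
        limit = rule["critical_count"] if ASSET_RANK.get(asset) == 1 else rule["count"]
        if len(window) >= limit and key not in incidents:
            incidents[key] = len(window)
    return incidents

if __name__ == "__main__":
    for (etype, asset), n in triage(SAMPLE_LOG).items():
        print(f"investigate: {etype} on {asset} ({n} events in window)")
```

The single kiosk login failure and the two web-02 failures stay below their thresholds, while three failures on the rank-1 laptop and one malware alert on the production database are escalated.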


