Understanding Incident Response Frameworks - NIST & SANS


June 21, 2021
Prasanna Kumar
NIST Framework, Governance, Risk & Compliance, Monitoring, Detection & Response

The term Incident Response refers to the processes and policies an organization utilises in response to a cyber incident such as an attack or data breach. The goal of Incident Response is to mitigate the damage of an attack, i.e. reduce the recovery time, effort, costs and reputational damage associated with a cyber attack or data breach. Apart from mitigating the various consequences of a cyber attack, the process of Incident Response can help organizations prevent future attacks that threaten their information security.

Every organization should have an Incident Response or IR plan that helps them identify, contain and eliminate cyber attacks. IR plans outline what constitutes an attack and provide organisations with a clear guide on what steps should be taken if an incident were to occur.

Incident Response Frameworks

The purpose of an Incident Response framework is to assist organizations with the creation of standardized response plans. These frameworks are commonly developed by large organizations with a significant amount of security expertise and experience. Two of the most well-known examples are the Incident Response Frameworks created by the National Institute of Standards and Technology (NIST) and the SysAdmin, Audit, Network and Security Institute (SANS). Below is an outline of each of these Incident Response Frameworks:

NIST Incident Response Framework

The National Institute of Standards and Technology (NIST) was founded in 1901 and is now part of the U.S. Department of Commerce. NIST is one of the nation's oldest physical science laboratories. As part of their cybersecurity initiatives they created an Incident Response Framework, which quickly became one of the most popular solutions for organizations around the world. The framework provides organizations with detailed steps on how to create an incident response plan, form an incident response team and establish communication procedures, as well as training scenarios for employees.

The Incident Response Cycle

NIST defines a four-step process for incident response. The process puts emphasis on the fact that incident response is not a linear process that starts when an incident is detected and ends with eradication and recovery. Instead, incident response is a cyclical activity, a process of continuous learning and improvement to discover how to better defend the organization against cyber attacks.

The four steps of NIST Incident Response:

#1 Preparation

This involves organizations doing a thorough inventory of their IT infrastructure, including networks, servers and endpoints, and evaluating their importance. To evaluate importance, organizations need to judge which IT assets hold critical or sensitive information. Along with this, organizations need to create a baseline for normal activity through monitoring. As part of preparation, security teams also need to create a guide for how to deal with common types of incidents and identify which types of incidents require thorough investigation.

#2 Detection and Analysis

Detection involves collecting data from IT systems, security tools, publicly available information and people inside and outside the organization, and identifying signs that an incident may happen in the future (precursors) and data showing that an attack has happened or is happening now (indicators). Analysis involves identifying a baseline of normal activity for the affected systems, correlating related events and seeing if and how they deviate from normal behavior.

#3 Containment, Eradication, and Recovery

The goal of containment is to limit the impact of a security incident. Without proper containment, incidents can spread across an organisation's systems and networks, giving unlimited access to malicious actors. An organization's containment strategy can depend on the level of damage an incident can cause, the ability to continue servicing customers, the ability of employees to continue operating and the duration of the solution. Depending on these factors, organizations may decide to utilise a temporary solution versus a permanent one.

After the incident has been successfully contained, organizations are required to eradicate the incident, which can be achieved by removing all elements of the incident from the environment. For example, identifying all affected hosts, removing malware, and closing or resetting passwords for breached user accounts are examples of eradication.

Finally, once the threat is eradicated, restore systems and recover normal operations as quickly as possible, taking steps to ensure the same assets are not attacked again.

#4 Post-Incident Activity

A key part of the NIST Incident Response methodology is learning from incidents to improve the overall response process. Security teams need to ask questions surrounding the incident response process such as: What happened? How well did we deal with the incident? Were processes followed and did they suffice? What went wrong in the response process? What can we do differently next time? These are a few examples of questions that can be asked during post-incident activity; the answers can be used to improve the process, adjust an organization's incident response policy, plan, and procedures, as well as fine-tune research undertaken in the preparation stage of the cycle.

SANS Incident Response Framework

The SANS Institute is a private U.S. for-profit company founded in 1989 that specializes in information security, cybersecurity training, and selling certificates. One of the main contributions the SANS Institute has made to cybersecurity is their Incident Response Framework, which has also garnered praise from organizations around the world for its comprehensiveness. The SANS Institute published a 20-page handbook that lays out a structured 6-step plan for incident response. Below is a brief summary of the process.

The SANS Incident Response Process consists of five steps:

#1 Preparation

This involves organizations performing reviews of their security policy, which typically involves risk assessments to identify vulnerabilities, sensitive assets and areas of focus in terms of security incidents. In this stage organizations also work towards forming a Computer Security Incident Response Team, or CSIRT for short.

#2 Identification

In this stage, security teams monitor systems and networks to identify any suspicious activity taking place during day-to-day operations, in the hope of discovering security incidents early. If an incident is discovered, security teams should document everything, e.g. the nature of the attack or its origin.

#3 Containment

If an incident is identified, the next step that follows is containment: security teams need to work towards isolating the attack and preventing it from spreading. This can involve segmenting a network under attack as part of short-term containment. Once short-term measures are in place, security teams can focus on long-term solutions or fixes, which may involve rebuilding entire systems.

#4 Recovery

This step involves bringing back affected systems that were taken down over the period of the incident. Security teams should test and monitor affected systems to ensure that attacks don't repeat and that normal functionality is achieved.

#5 Lessons Learned

Shortly after the attack, teams need to look back and evaluate how the incident was handled and analyse how the incident response process can be improved for future incidents.

Now that you know about IR frameworks, you can take a look at some of the incident response best practices that organisations should follow.

Does your company currently have an incident response plan in place? StickmanCyber's expert team can help review your current cybersecurity setup and set up the right incident response plan to secure your business.
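The Detection and Analysis step described in the NIST section above (precursors versus indicators, a baseline of normal activity gathered during Preparation, and correlation of related events) is easiest to see with a concrete detection pass. The following Python script is an added example written for this page; it is not code from the original post, from StickmanCyber, or from NIST or SANS. The log line format, the host, user and address values, and the failure threshold of three attempts are all constructed assumptions.

```python
"""Added example (not from the original post or from NIST/SANS): a small
detection-and-analysis pass over constructed authentication log lines.
A baseline learned in Preparation is compared against new events; scanner
hits are reported as precursors, failed-login bursts and anomalous successes
as indicators. All values and the log format are assumptions for this example."""
import re
from collections import defaultdict
from datetime import datetime

# Assumed log format: ISO-8601 UTC timestamp followed by key=value pairs.
LINE_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<kv>.+)$")


def parse_event(line):
    """Parse one line into a dict with a datetime under 'ts'; None if unparseable."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    try:
        ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    event = {"ts": ts}
    for pair in m.group("kv").split():
        key, sep, value = pair.partition("=")
        if sep:
            event[key] = value
    return event


def build_baseline(lines):
    """Preparation: per user, record the source addresses and hours of the day
    at which successful logins normally occur."""
    baseline = defaultdict(lambda: {"srcs": set(), "hours": set()})
    for ev in filter(None, map(parse_event, lines)):
        if ev.get("event") == "login" and ev.get("result") == "success":
            baseline[ev["user"]]["srcs"].add(ev["src"])
            baseline[ev["user"]]["hours"].add(ev["ts"].hour)
    return baseline


def analyze(baseline, lines, fail_threshold=3):
    """Detection and analysis: return findings labelled precursor or indicator."""
    findings = []
    failures = defaultdict(list)  # (user, src) -> timestamps of failed logins
    for ev in filter(None, map(parse_event, lines)):
        kind = ev.get("event")
        if kind == "scan":
            # Scanner traffic means an attack may follow: a precursor, not an incident.
            findings.append({"class": "precursor", "src": ev["src"], "host": ev["host"],
                             "reason": "vulnerability scanner activity"})
            continue
        if kind != "login":
            continue
        key = (ev["user"], ev["src"])
        if ev["result"] == "failure":
            failures[key].append(ev["ts"])
            if len(failures[key]) == fail_threshold:
                findings.append({"class": "indicator", "user": ev["user"], "src": ev["src"],
                                 "reason": f"{fail_threshold} failed logins from one source"})
            continue
        # Successful login: measure deviation from the baseline and correlate it
        # with failed attempts already seen from the same source for this user.
        normal = baseline.get(ev["user"])
        deviations = []
        if normal is None or ev["src"] not in normal["srcs"]:
            deviations.append("unfamiliar source")
        if normal is None or ev["ts"].hour not in normal["hours"]:
            deviations.append("unusual hour")
        if failures[key]:
            deviations.append(f"preceded by {len(failures[key])} failures")
        if deviations:
            findings.append({"class": "indicator", "user": ev["user"], "src": ev["src"],
                             "reason": "successful login: " + ", ".join(deviations)})
    return findings


# Constructed 'normal' activity collected during Preparation.
BASELINE_LOG = [
    "2021-06-14T09:02:11Z host=web01 user=alice src=10.0.0.12 event=login result=success",
    "2021-06-15T09:10:43Z host=web01 user=alice src=10.0.0.12 event=login result=success",
    "2021-06-16T10:30:05Z host=web01 user=alice src=10.0.0.12 event=login result=success",
    "2021-06-14T08:55:00Z host=web01 user=bob src=10.0.0.20 event=login result=success",
]

# Constructed lines for the day under analysis.
NEW_LOG = [
    "2021-06-21T02:58:30Z host=web01 src=198.51.100.7 event=scan path=/phpmyadmin",
    "2021-06-21T03:14:01Z host=web01 user=alice src=198.51.100.7 event=login result=failure",
    "2021-06-21T03:14:04Z host=web01 user=alice src=198.51.100.7 event=login result=failure",
    "2021-06-21T03:14:08Z host=web01 user=alice src=198.51.100.7 event=login result=failure",
    "2021-06-21T03:14:30Z host=web01 user=alice src=198.51.100.7 event=login result=success",
    "2021-06-21T08:58:12Z host=web01 user=bob src=10.0.0.20 event=login result=success",
]

if __name__ == "__main__":
    for finding in analyze(build_baseline(BASELINE_LOG), NEW_LOG):
        print(finding)
```

Running the script reports one precursor (the scanner hit) and two indicators for alice, while bob's login matches his baseline and produces nothing. The baseline here is deliberately coarse (exact source address and hour of day); in practice it would be built from the monitoring data gathered during the Preparation step, and the findings would feed the containment decision rather than stand on their own.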


