The Life Cycle of Incident Response comprises six distinctive stages, where the first and most comprehensive one is Preparation. This stage sets the foundation for the entire incident response procedure, and it’s essential to ensure an efficient response to any security incidents that may emerge.
Once an incident is identified, the Identification stage begins, marking the commencement of the incident response process. Nonetheless, it’s crucial not to overlook the significance of the Preparation phase, as it’s where the majority of the labor takes place. In this blog entry, we’ll concentrate on the weightiness of the Preparation stage and scrutinize techniques to equip for potential security incidents.
Incident Response Step 1 – Preparation
The initial stage of responding to incidents is known as the Preparation phase, which is a pivotal component in managing security incidents efficiently. It is imperative to comprehend that certain assaults cannot be prevented, and malevolent actors can often evade endpoint security software. Hence, it is vital to have a comprehensive and resilient incident response blueprint in place to limit the negative impact of a security incident on the organization.
To prepare for potential security incidents, it is inadequate to depend solely on the notifications provided by security tools. Personalized detections must be developed specifically for the organization’s environment, and guides and protocols must be created around them. These customized detections should undergo rigorous testing in simulated attacks and tabletop exercises to ensure they operate effectively.
By implementing these measures, organizations can promptly identify and respond to security incidents, facilitating the continuation of normal operations as soon as possible. Furthermore, it is crucial to scrutinize and upgrade the incident response plan regularly to ensure it remains effective and applicable to current threats.
Incident Response Alert Engineering
You should be looking for ways to detect an advanced adversary. For example, let’s say your network is mostly Windows and some Linux. Any use of Putty outside of the Linux admins would be odd right? Gary in accounting isn’t SSHing into the Ubuntu server…ever. Make an alert that detects all Putty use, make exclusions for the weird Linux admins.
Now you have a really good alert that probably won’t fire unless something odd is happening, or there is something malicious. In either case, you want to investigate. Below are listed some common tasks when conducting alert engineering:
- Create custom alerts
- Review existing alerts and enable if they are legitimate
- Hunt for suspicious activity and tune alerts
- Investigate alerts for false positives
- Tune alerts
- Watch twitter and/or other social media outlets for news about emerging threats and tools
- Research new attack methods and build more custom alerts and detections
Custom alert ideas:
- Alert on WinSCP usage
- Alert on rclone usage
- Powershell usage by non-IT
- Command line usage by non-IT
- netcat, whoami, netstat, or any admin command or tool run by non-IT user
The fact is that users are NOT using these commands. IT admins and bad guys are. Exclude the IT admins and you’ll detect the bad guys. Will you get false positives? Yeah, probably. Who cares? Tune them out so they stop. False positives will happen, and they are usually easy to spot. So, tune it out, and eventually, the alert won’t fire much, and it will detect out-of-the-ordinary things.
Make actionable alerts. If you are going through the trouble of building or enabling an alert, when it fires, you have to do something. If there is no action to take, there is no reason for the alert. Even if the action is tuning, that is fine. Ideally, your action will be to investigate. Then you rely on your playbooks to determine your next steps. Your playbooks then need to align with your alerting and your overall response process. If you find yourself receiving an alert that you cannot take any action on, review if the alert is still valuable.
Additional information: Alert engineering is an essential aspect of incident response, as it allows organizations to detect and respond to potential security threats effectively. By creating custom alerts and tuning them to detect suspicious activity, organizations can minimize the impact of security incidents and reduce the risk of data breaches. It is also crucial to stay up-to-date with emerging threats and attack methods to ensure that the organization’s alerting and detection mechanisms remain effective. Additionally, by creating actionable alerts and aligning them with playbooks and response processes, organizations can ensure a prompt and effective response to any security incidents.
Effective exclusion engineering holds just as much weight as alert and detection engineering. While occasional false positives might be tolerable, constant alerts necessitate the creation of exclusions that do not compromise the integrity of the detection system. Therefore, it is recommended to concentrate on the exclusions during the initial alert creation phase, since this requires an in-depth understanding of the alert.
In order to guarantee the alert’s efficacy, conduct extensive investigations of prior incidents to determine if the alert would have been triggered. Broaden the time range of your investigation and pinpoint the specific events that would activate the alert. Failure to engineer exclusions properly could overwhelm your alert system with notifications, resulting in alert fatigue and negligence.
However, exclusions should only be made with extreme caution. Exclude only events or actions that you completely comprehend and are certain are not malevolent. Inappropriate exclusions can render the alert impotent and allow perpetrators to carry out their operations undetected.
Constructing Playbooks
In the contemporary and intricate realm of security threats, the inevitability of experiencing a security incident is not a question of if, but rather a question of when. Consequently, it is of utmost importance to create bespoke playbooks as a preemptive measure. Although the playbooks do not necessarily have to be overly elaborate, they can be invaluable if executed correctly.
To initiate the process of crafting a playbook, begin by formulating it based on the alerts that have been collated. If a noteworthy detection that requires further investigation has been identified, record the process in a playbook to facilitate repetition. Start by documenting straightforward procedures that are frequently performed, such as phishing emails. However, the playbook shouldn’t stop there. Consider taking into account other suspicious activity, including DNS or Active Directory logs, behavioural or VPN alerts, and many more.
Within the playbook, elucidate the entire process of how an incident undergoes the Incident Response (IR) stages, from start to finish. It is crucial to simplify the documentation so that even a novice analyst can comprehend the contents and understand what needs to be done. Furthermore, it is crucial to emphasize the use of your unique tools or custom scripts to expedite the process.
By creating well-structured playbooks, the time taken to respond to an incident can be reduced, and the impact on the organization can be minimized. Moreover, consistency and precision in the response can be ensured. However, it should be noted that playbooks need to be reviewed, tested, and updated continuously as the environment evolves and new threats emerge.
Corporate Security Policies
In the incident response preparation phase, it is crucial to have security policies in place to ensure that everyone involved in incident response knows what to do and how to do it. Security policies help define roles and responsibilities, establish guidelines for communication and reporting, and outline the steps that need to be taken during an incident.
Having clear and concise policies ensures that the response process is effective, efficient, and consistent. This can be particularly important in larger organizations where multiple teams or departments may be involved in incident response. Without security policies, incident response efforts can become disjointed, confusing, and ineffective, which can lead to extended downtime, increased costs, and potential legal or regulatory repercussions.
Test Your Security Tools
Testing and validating security tools and alerts are indispensable components of the incident response preparation phase. This stage involves the meticulous verification of proper log placement, complete deployment of EDR on all hosts, and thorough correlation and triage of telemetry data. In order to ascertain the effectiveness of the setup, it is crucial to configure alerts that can promptly notify any abnormalities in system functions.
Furthermore, it is imperative to conduct red team testing to verify the accuracy of tool detection and alerts, as well as the efficiency of any automated processes. The lack of attention to these crucial components can lead to catastrophic repercussions in the event of an incident. Table top exercises can be employed to test the preparedness and effectiveness of the system, whereas Atomic Red Team provides a highly technical approach to thoroughly testing tools and telemetry.
Conclusion – Are you prepared for a security incident?
In conclusion, the preparation phase is a crucial stage in incident response that sets the foundation for successful incident handling. It involves several important steps, such as building custom playbooks, conducting routine testing and validation of security tools and alerts, developing security policies and guidelines, and providing adequate training and awareness to personnel.
By investing time and effort in these activities, organizations can improve their incident response capabilities and reduce the impact of security incidents on their operations. Additionally, it is important to continuously evaluate and update the incident response plan to ensure it remains effective in the face of evolving threats and organizational changes. By taking a proactive and comprehensive approach to incident response preparation, organizations can better protect their assets and reputation in the face of cyber threats.
