Incident Response Strategy
While organisations strive to minimise their attack surface and implement measures to thwart attackers from targeting vulnerable points, it is an unfortunate reality that while no organisation plans to experience a security breach, security breaches do still occur. This document explores various methods to mitigate risks and fortify defenses. The [“Cyber Security Trends in 2023”](https://www.cobalt.io/blog/cybersecurity-statistics-2023) report highlights critical areas of concern, including social engineering attacks on personnel and the exploitation of zero-day vulnerabilities, which are inherently difficult to mitigate or prevent.
Consequently, organisations must possess the capability to detect intrusions, swiftly isolate compromised systems to prevent further harm, facilitate system recovery, and learn valuable lessons from the attack to bolster their defenses against future occurrences. This task can prove challenging, particularly for organisations lacking in-house expertise in disciplines such as memory analysis, threat hunting, malware analysis, and other specialised fields, which may be essential in effectively responding to and mitigating the impact of security breaches.
Detection and Estate Oversight
Within an organisation, this crucial function is commonly addressed through a combination of automation and the establishment of a dedicated Security Operations Center (SOC). The SOC plays a pivotal role in conducting proactive threat hunting and implementing vital processes, including the development of alert triggers that enhance the detection capabilities of specialised tools typically employed by the SOC. These tools encompass the following:
– [Security Information and Event Management (SIEM)](https://www.ibm.com/za-en/topics/siem): SIEM solutions consolidate and analyse security event data from various sources to provide comprehensive visibility into potential threats and incidents.
– [Security Orchestration, Automation, and Response (SOAR)](https://www.rapid7.com/solutions/security-orchestration-and-automation/): SOAR platforms streamline and automate security operations, allowing for efficient incident response, workflow orchestration, and collaboration amongst security teams.
– [Endpoint Detection and Response (EDR)](https://www.crowdstrike.com/cybersecurity-101/endpoint-security/endpoint-detection-and-response-edr/): EDR solutions focus on endpoint protection, enabling real-time monitoring, threat detection, and response capabilities to swiftly identify and mitigate potential security breaches on individual endpoints.
These tools, in conjunction with the expertise and vigilance of a SOC, significantly enhance an organisation’s ability to detect, analyse, and respond to security incidents promptly, thereby minimising potential damage and fortifying their overall security posture.
It is important to note that the adoption and utilisation of these security tools and the establishment of a comprehensive Security Operations Center (SOC) requires substantial investment. The expenses associated with acquiring, deploying, and maintaining such technologies, along with the recruitment and training of skilled security personnel, can impose a significant financial burden on organisations, particularly smaller ones with limited resources.
While the expense of implementing robust security measures may pose challenges for organisations, the potential consequences of a security breach can far outweigh the initial investment. It is crucial to carefully evaluate the specific needs and risk profile of the organisation to determine the most effective and cost-efficient approach to implementing these security measures.
Fortunately, organisations can explore the utilisation of open-source options to alleviate the financial burden associated with implementing robust security measures. Open-source security solutions offer the advantage of being freely available, enabling organisations to leverage community-driven development and support. These solutions can significantly reduce costs without compromising on effectiveness, making them an attractive choice for organisations seeking cost-efficient, yet robust, security measures.
There are currently a wide range of open-source options available for organisations to choose from. However, it is important to carefully evaluate these options, as some may prioritise meeting market demand over long-term sustainability, or require a large investment in customisation time to ensure they achieve their goal. There are several options that have stood the test of time and proven their reliability, below is a list of open-source options for consideration:
– [Elastic Stack](https://www.elastic.co/elastic-stack)
– [AlienVault OSSIM (also available as a commercial option)](https://cybersecurity.att.com/products/ossim)
Finally, it is worth noting that this list is not exhaustive, as there are numerous other open-source options available. However, for the purpose of this blogpost, a brief comparison will be provided between these kinds of open-source tools and their commercial counterparts.
In a similar vein to their commercial counterparts, these open-source options offer the capability to process logs for an organisation’s infrastructure estate, with many already including pre-defined detection rules. However, it is important to recognise that commercial solutions like [Splunk](https://www.splunk.com/en_us/products/enterprise-security.html) provide additional features beyond the standard requirements of a SIEM solution. For instance, advanced techniques, such as machine learning, are employed to mitigate false positives in generated alerts, potentially enhancing the accuracy and efficiency of the information provided.
Most of these solutions offer integration with popular tools such as [sysmon](https://learn.microsoft.com/en-us/sysinternals/downloads/sysmon) to gain greater insights regarding events on their endpoints. This will impact the sheer amount of information that needs to be aggregated into a centralised source to be used effectively. In some cases, this is included as part of the licensing fee for the commercial versions of these solutions.
Some solutions offer the functionality to aggregate data from Microsoft Defender Anti-Virus (AV). This integration allows organisations to harness the detection capabilities of Defender, providing defenders with enhanced insights, such as identifying instances where the AV may be disabled on a host. By incorporating this feature, organisations can gain valuable information to improve their overall security posture and promptly address any potential vulnerabilities or issues related to antivirus protection.
Some open-source solutions distinguish themselves by offering unique features that may not be readily available in their commercial counterparts. One notable example is the Wazuh SIEM solution, which provides integration with [Yara rulesets](https://github.com/InQuest/awesome-yara#rules). This functionality empowers defenders to create rules that enable faster identification of malicious files and network traffic on any of the endpoints within the estate.. By leveraging this capability, organisations can enhance their incident response capabilities and swiftly detect potential threats, bolstering their overall security posture.
Incident Response Planning
In light of the unprecedented growth in the cyber offense landscape, organisations must go beyond meeting daily security operational requirements and proactively plan for the seemingly inevitable security incidents. By doing so, organisations can effectively meet the ever-evolving standards set by their adversaries and bolster their own security posture. They can enhance their capacity to effectively respond to such incidents. In this regard, organisations need to be deliberate on implementing controls that fortify their environment, establish robust oversight mechanisms, and ensure effective communication channels, even in scenarios where standard communication methods, such as email, may be compromised. This strategic approach will enable organisations to strengthen their resilience and preparedness against potential security breaches and help to mitigate their impact.
Furthermore, it is crucial for organisations to establish efficient processes to respond promptly in the event that the services of a third-party incident response provider are required. Specifically, certain operations may need to be executed within accelerated timeframes compared to standard business circumstances. These operations include, but are not limited to:
– Account provisioning: Ensuring swift and secure access provisioning for authorised personnel involved in incident response activities.
– Evidence collection: Methodically gathering and preserving relevant digital evidence to facilitate forensic analysis and investigation.
– Redundancy options: Implementing backup systems or alternate infrastructure to maintain operational continuity and minimise disruptions during incident response.
By having these processes in place, organisations can minimise response times and effectively collaborate with external incident response teams to mitigate the impact of security incidents.
Redundancy in a cyber system refers to the implementation of multiple resources that serve the same function and can replace one another in case of primary system resource failure. According to Mike Thompson, this approach enhances the organisation’s resilience against the loss of networking infrastructure or data during incidents or crises. Redundancy measures are not only reactive but also anticipatory, aiming to proactively address potential attacks.
An essential aspect of a comprehensive cyber defense strategy is the incorporation of redundancy measures, particularly in organisations reliant on data ingestion and dissemination. This is commonly achieved through the implementation of a disaster recovery plan, which should be an integral part of every organisation’s cyber defense strategy.
Failure to implement redundancy measures can have severe consequences, as exemplified by the compromise of sensitive data through a ransomware attack. In such cases, organisations may be left with limited options, either accepting the repercussions of inadequate planning, or succumbing to paying threat actors for data decryption. Notably, ransomware groups have increasingly adopted structures similar to legitimate businesses, and the global cost to businesses is projected to exceed $250 billion in 2023.
Therefore, redundancy, specifically through a robust backup strategy and reasonable retention policies, become a necessity rather than a luxury. organisations can refer to resources like Ransomware.org for guidance on backup strategies in the event of such incidents. For instance, configuring multiple backup destinations with their own redundancy options allows for timely backups of critical data.
In the event of a server compromise and ransomware execution, servers with longer backup intervals may not have copied the encrypted data, providing an opportunity for data recovery. Additionally, maintaining golden images of mission-critical servers further strengthens the organisation’s position during negotiations with threat actors and reduces reliance on paying for data decryption.
Accountability measures play a crucial role in enabling organisations to trace the origin of an incident back to its source, effectively identifying the compromised entities involved, including:
– User accounts
– Workstations or servers
Without accountability, incident response becomes fundamentally impaired and lacks the necessary effectiveness to address security breaches adequately. Accountability serves as the cornerstone for tracing the origins of an incident, identifying responsible parties, and understanding the tactics employed by attackers. It enables organisations to assess the extent of the breach and implement appropriate containment measures. In cases where the threat originates from internal sources, accountability allows for the identification of suspects and the initiation of legal action, should it be necessary.
Roles and Responsibilities
Within the organisation’s comprehensive cyber defense plans, it is essential to establish a clear framework for roles and responsibilities in the event of an incident. This alignment ensures that all individuals involved understand their specific duties and can effectively respond to the situation. These roles encompass a range of responsibilities, from designated team leads who coordinate the organisation’s response efforts, to team members assigned with various tasks, such as engaging external incident response teams and establishing vital lines of communication.
Failure to establish these roles and responsibilities can impede critical processes, including timely provisioning of access and effective communication regarding investigator requirements, such as evidence collection. In the context of incident response, time is of the essence, and any advantages gained through well-defined roles and responsibilities can greatly benefit both the investigative team and the organisation as a whole. By streamlining these processes, organisations can optimise their response capabilities and maximise their chances of a successful resolution.
“Opportunity does not waste time with those who are unprepared.” – Idowu Koyenikan
In conclusion, it is imperative for organisations to recognise that cyber defense requirements should not be viewed as mere expenses, but as critical investments in risk management planning. Failing to implement robust security measures can result in losses that far outweigh the costs associated with implementing effective safeguards.
Fortunately, there are ways to mitigate many of these costs, thanks to the availability of open-source security solutions and alternative options such as third-party virtual SOC offerings. By leveraging these resources, organisations can significantly reduce the financial burden while maintaining the effectiveness of their security measures.
In the ever-evolving cyber defence and offense frontier, where our processes and data are exposed to potential threats, it is crucial to acknowledge the inherent risks associated with this exposure. It is incumbent upon us to take proactive steps to minimise these risks, while also being prepared to respond effectively in the event of an incident.
By adopting a comprehensive cyber defense strategy, organisations can bolster their resilience, enhance their incident response capabilities, and safeguard their assets. Embracing the principles of accountability, redundancy, and clearly defined roles and responsibilities, will fortify their defenses and ensure a swift and efficient response to any potential threats.