Incident Response Introduction Flashcards
Incident Response Introduction
This section is intended to provide an introduction to incident response. Therefore (and with the purpose of presenting good practices in this field) we will make use of the NIST SP 800-61r2 incident response standard.
You will learn what incident response is, and will understand why the implementation of this kind of program is crucial in the defense of systems and response to cyber-attacks. And you will have the opportunity to examine a variety of methodologies (such as the Lockheed Martin Cyber Kill Chain, and MITRE’s ATT&CK Framework) that will allow you to understand not only the life cycle of computer attacks but also the importance of communication between organizations and security teams in the fight against cyber attacks.
What is Incident Response?
Forcepoint perfectly describes incident response as the following: “Incident response is the methodology an organization uses to respond to and manage a cyber attack.”
Security events happen every day and will typically be dealt with by security analysts (often within a Security Operations Centre, or SOC), whereas security incidents will be handled by specialist incident responders. When a cyberattack is successful, the actions taken by security professionals to analyze, contain, and eradicate the threat are extremely important: they limit the damage the attackers can cause and return operations to normal as quickly as possible, reducing the overall impact on the business. The NIST incident response lifecycle also includes a preparation stage, where security controls are considered and deployed to reduce the likelihood and impact of a successful cyberattack.
Incident response is a reactive approach and is closely aligned with disaster recovery efforts. Responding to these events in an organized manner with the right resources can save the business money by reducing recovery time and costs. By taking detailed notes and expanding on existing incident response plans and run-books, organizations can learn from their weaknesses to better defend against future attacks.
Large organizations will typically have their own dedicated team, often called a CSIRT (Computer Security Incident Response Team). This team isn’t composed solely of security professionals; it should also include general IT staff and employees from departments such as HR, communications/public relations, legal, and C-suite level members. We’ll cover this in more detail in a future lesson.
Why is IR Needed?
Incident response benefits the wider business by reducing the impact of successful attacks and allowing business operations to remain as uninterrupted as possible. It’s impossible to completely prevent incidents from occurring, so incident response helps to minimize their impact. Successful cyberattacks can have a number of adverse consequences, such as data breaches, where information an organization stores is exfiltrated. Data breaches can cause immense damage: lost customer trust and business, monetary losses from recovering damaged or infected systems, falling stock prices, the cost of hiring external security teams to help contain the breach, and legal or regulatory fines such as those under the General Data Protection Regulation (for EU countries, or organizations that process data belonging to EU data subjects). Just to give you an example of how heavy GDPR and regulatory fines can be, we have composed a list of some recent breaches:
Uber fined £385,000 in November 2018.
Equifax fined £500,000 in September 2018.
Marriott proposed a fine of £99m in July 2019.
British Airways proposed a fine of £183m in July 2019.
Legal and regulatory fines can be unaffordable for smaller organizations and can result in them shutting down or having to change how they operate, such as no longer accepting customers from within EU countries.
Incident response isn’t just about responding to data breaches; it also involves responding to the aftermath of attacks and events such as:
Employee credentials being leaked online
Database leaks
Malware infections, such as ransomware
A stolen employee laptop
Website defacement
An employee trying to smuggle sensitive data out of the company
Having written plans to follow if these occur helps to reduce the risk by ensuring the threat is responded to and contained appropriately. We will cover incident response plans in the Preparation: Incident Response Plan lesson in the next section.
And remember, if the cost of running an incident response team is less than the cost of a GDPR or other regulatory fine, then the business is saving money!