This document discusses the importance of having a structured incident response process and methodology. It outlines the SANS six-step incident response methodology: preparation, identification, containment, eradication, recovery, and follow-up. An example incident involving a worm at Example Corporation illustrates how a structured response process lets the organization identify, contain, and recover from the incident more effectively. The document emphasizes that response is an essential part of the overall prevention, detection and response security model, and that a standardized methodology helps ensure all necessary steps are followed during an incident.
My incident response talk from Techfair 2016 in Jersey. The talk explores how incident response could comply with the requirements set out in the Jersey Financial Services Commission "Dear CEO" letter on cyber security.
FIRST 2006 Full-day Tutorial on Logs for Incident Response (Anton Chuvakin)
Outline:
Incident Response Process
Logs Overview
Logs Usage at Various Stages of the Response Process
How Logs from Diverse Sources Help
Log Review, Monitoring and Investigative processes
Standards and Regulation Affecting Logs and Incident Response
Incident Response vs Forensics
Case Studies
Log Analysis Mistakes
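The outline above lists log usage at the identification stage and correlation across diverse sources without showing what that looks like in practice. The following is an added example, not code from Chuvakin's tutorial: it parses constructed sshd and firewall log lines, flags an accepted login preceded by a burst of failures from the same source, and then corroborates it against outbound firewall traffic from the affected host back to the same address. The log lines, the hostname-to-address inventory (`HOST_IP`), and the thresholds (three failures in five minutes, a ten-minute callback window) are all assumptions chosen for the illustration.

```python
"""Correlating two log sources during the identification phase.

Added example, not part of the original tutorial. All log lines, the
asset inventory and the thresholds below are constructed assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: sshd entries from syslog (timestamps simplified to ISO 8601).
AUTH_LOG = """\
2024-03-01T10:00:01 host1 sshd[100]: Failed password for invalid user admin from 203.0.113.7 port 5100 ssh2
2024-03-01T10:00:03 host1 sshd[101]: Failed password for invalid user test from 203.0.113.7 port 5101 ssh2
2024-03-01T10:00:05 host1 sshd[102]: Failed password for root from 203.0.113.7 port 5102 ssh2
2024-03-01T10:00:09 host1 sshd[103]: Accepted password for deploy from 203.0.113.7 port 5103 ssh2
2024-03-01T10:30:00 host1 sshd[104]: Accepted publickey for alice from 198.51.100.4 port 6000 ssh2
"""

# Constructed sample: outbound connections logged by a perimeter firewall.
FW_LOG = """\
2024-03-01T10:00:15 fw kernel: OUT SRC=10.0.0.5 DST=203.0.113.7 PROTO=TCP DPT=4444
2024-03-01T10:31:00 fw kernel: OUT SRC=10.0.0.5 DST=93.184.216.34 PROTO=TCP DPT=443
"""

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Accepted|Failed) (?:password|publickey) for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) \S+ kernel: OUT SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dport>\d+)"
)

# Assumption: an asset inventory that maps hostnames to their addresses.
HOST_IP = {"host1": "10.0.0.5"}

def parse(log, regex):
    """Turn raw lines into dicts; lines that do not match the pattern are skipped."""
    events = []
    for line in log.splitlines():
        m = regex.match(line)
        if m:
            ev = m.groupdict()
            ev["ts"] = datetime.fromisoformat(ev["ts"])
            events.append(ev)
    return events

def find_suspicious_logins(auth_events, min_failures=3, window=timedelta(minutes=5)):
    """An accepted login preceded by >= min_failures failures from the same source inside window."""
    failures = defaultdict(list)
    hits = []
    for ev in auth_events:
        if ev["outcome"] == "Failed":
            failures[ev["src"]].append(ev["ts"])
            continue
        recent = [t for t in failures[ev["src"]] if ev["ts"] - t <= window]
        if len(recent) >= min_failures:
            hits.append({"host": ev["host"], "user": ev["user"], "src": ev["src"],
                         "ts": ev["ts"], "failures": len(recent)})
    return hits

def corroborate(hits, fw_events, window=timedelta(minutes=10)):
    """Escalate a hit when the host later connects out to the same attacker address."""
    incidents = []
    for h in hits:
        host_ip = HOST_IP.get(h["host"])
        callbacks = [f for f in fw_events
                     if f["src"] == host_ip and f["dst"] == h["src"]
                     and timedelta(0) <= f["ts"] - h["ts"] <= window]
        incidents.append({**h, "callbacks": len(callbacks),
                          "verdict": "incident" if callbacks else "suspicious"})
    return incidents

def triage(auth_log=AUTH_LOG, fw_log=FW_LOG):
    """Run both stages over the two sources and return the assessed events."""
    hits = find_suspicious_logins(parse(auth_log, AUTH_RE))
    return corroborate(hits, parse(fw_log, FW_RE))

if __name__ == "__main__":
    for inc in triage():
        print(inc)
```

The auth log alone only yields a "suspicious" login; it is the second source, the firewall record of the compromised host reaching back to the attacker's address on an unusual port, that turns the event into an incident worth containing. That is the point of the tutorial's "diverse sources" section: each log is weak evidence on its own.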
Enterprise Class Vulnerability Management Like A Boss (rbrockway)
A fluid and effective Vulnerability Management Framework, a core pillar in most Enterprise Security Architectures (ESA), remains a continual challenge to most organizations. Ask any of the major breach targets of the past several years. This talk takes the recent OWASP Application Security Verification Standard (ASVS) 2014 framework and applies it to Enterprise Vulnerability Management in an attempt to make a clearly complicated yet necessary part of your organization's ESA much more manageable, effective and efficient with feasible recommendations based on your business' needs.
Enterprise Vulnerability Management: Back to Basics (Damon Small)
Vulnerability Management is the lifecycle of identifying and remediating vulnerabilities across an organization's enterprise. A number of companies are starting to do this well, but in some cases a focus on advanced and emerging threats has had the unintended consequence of leaving Vulnerability Management unattended. Defense is hard work, and people are not doing it as well as they should. Considered in the context of asymmetric warfare, Blue Teaming is more difficult than Red Teaming. Coupled with the fact that most exploited vulnerabilities are not 0-days and do not require advanced attacks, Vulnerability Management must be the cornerstone of any Information Assurance Program.
The speakers, Kevin Dunn and Damon Small, will describe the key elements of a mature Vulnerability Management Program (VMP) and the pitfalls encountered by many organizations as they try to implement it. Dunn and Small will include detailed examples of why purchasing the scanner should be one of the last decisions made in this process, and what the attendee must do to ensure the successful defense of company assets and data. This session will cover:
- Vulnerability Management: What is it good for?
- What is it not good for?
- How do I make a real difference?
Vulnerability Management: What You Need to Know to Prioritize Risk (AlienVault)
Abstract:
While vulnerability assessments are an essential part of understanding your risk profile, it's simply not realistic to expect to eliminate all vulnerabilities from your environment. So, when your scan produces a long list of vulnerabilities, how do you prioritize which ones to remediate first? By data criticality? CVSS score? Asset value? Patch availability? Without understanding the context of the vulnerable systems on your network, you may waste time checking things off the list without really improving security.
Join AlienVault for this session to learn:
*The pros & cons of different types of vulnerability scans - passive, active, authenticated, unauthenticated
*Vulnerability scores and how to interpret them
*Best practices for prioritizing vulnerability remediation
*How threat intelligence can help you pinpoint the vulnerabilities that matter most
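The abstract asks how to rank a long scan list (data criticality, CVSS, asset value, patch availability) and warns that without context you end up checking boxes. The block below is an added example, not AlienVault's code or a recommended formula: it scores constructed findings by CVSS scaled by asset criticality, exploit availability from a threat-intelligence feed, and internet exposure, then compares that order to the raw CVSS order. The asset inventory, the `VULN-*` placeholder identifiers, the weights and the SLA bands are all assumptions made for the illustration.

```python
"""Context-aware prioritization of scanner findings.

Added example; this is not AlienVault's code or formula. The findings,
asset inventory, weights and SLA bands are constructed assumptions chosen
to show the mechanics: a raw CVSS ordering and a context-aware ordering
can differ substantially.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    asset: str
    vuln_id: str          # scanner plugin / advisory reference (placeholder values below)
    cvss: float           # CVSS base score as reported by the scanner
    exploit_public: bool  # from a threat-intel or exploit-database feed
    patch_available: bool

# Constructed asset inventory: business criticality 1..5 and network exposure.
ASSETS = {
    "web-01": {"criticality": 5, "internet_facing": True},
    "db-01":  {"criticality": 5, "internet_facing": False},
    "lab-07": {"criticality": 1, "internet_facing": False},
}

# Constructed scan output; VULN-* are placeholders, not real advisories.
FINDINGS = [
    Finding("lab-07", "VULN-A", 9.8, False, True),
    Finding("web-01", "VULN-B", 6.5, True,  True),
    Finding("db-01",  "VULN-C", 7.5, True,  False),
    Finding("web-01", "VULN-D", 4.3, False, True),
]

# Assumed weights: a public exploit doubles the score, internet exposure adds 50%.
EXPLOIT_WEIGHT = 2.0
EXPOSURE_WEIGHT = 1.5

def risk_score(f: Finding, assets=ASSETS) -> float:
    """Scale CVSS by asset value, then by exploitability and exposure."""
    a = assets[f.asset]
    score = f.cvss * a["criticality"] / 5.0
    if f.exploit_public:
        score *= EXPLOIT_WEIGHT
    if a["internet_facing"]:
        score *= EXPOSURE_WEIGHT
    return score

def sla_days(score: float) -> int:
    """Assumed remediation window per score band (a policy choice, not a standard)."""
    if score >= 15:
        return 7
    if score >= 7:
        return 30
    return 90

def prioritize(findings=FINDINGS, assets=ASSETS):
    """Return findings ordered by contextual risk, each with a concrete next action."""
    plan = []
    for f in findings:
        score = risk_score(f, assets)
        action = "patch" if f.patch_available else "mitigate (no patch): isolate or add compensating control"
        plan.append({"asset": f.asset, "vuln_id": f.vuln_id, "cvss": f.cvss,
                     "score": score, "sla_days": sla_days(score), "action": action})
    return sorted(plan, key=lambda r: r["score"], reverse=True)

def by_cvss_only(findings=FINDINGS):
    """The naive ordering a raw scanner report gives, for comparison."""
    return [f.vuln_id for f in sorted(findings, key=lambda f: f.cvss, reverse=True)]

if __name__ == "__main__":
    print("CVSS-only order:", by_cvss_only())
    for row in prioritize():
        print(f'{row["asset"]:7} {row["vuln_id"]:7} cvss={row["cvss"]:<4} '
              f'score={row["score"]:5.2f} sla={row["sla_days"]:>2}d  {row["action"]}')
```

With these inputs the 9.8 on an isolated lab box drops to the bottom of the list, while a 6.5 with a public exploit on an internet-facing production host goes to the top, and the unpatchable database finding gets a mitigation task rather than a patch ticket. The weights are deliberately simple so they can be argued about; the structure (asset context plus threat context applied to the scanner score) is what matters.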
Planning and Deploying an Effective Vulnerability Management Program (Sasha Nunke)
This presentation covers the essential components of a successful Vulnerability Management program that allows you to proactively identify risk and protect your network and critical business assets.
Key take-aways:
* Integrating the 3 critical factors - people, processes & technology
* Saving time and money via automated tools
* Anticipating and overcoming common Vulnerability Management roadblocks
* Meeting security regulations and compliance requirements with Vulnerability Management
Derek Milroy, IS Security Architect at U.S. Cellular Corporation, defined “vulnerability management” and how it affects today’s organizations during his presentation at the 2014 Chief Information Security Officer (CISO) Leadership Forum in Chicago on Nov. 19. In his presentation, “Enterprise Vulnerability Management/Security Incident Response,” Milroy noted vulnerability management has different meanings to different organizations, but an organization that utilizes vulnerability management processes can effectively safeguard its data.
According to Milroy, an organization should develop its own vulnerability management baselines to monitor its security levels. By doing so, Milroy said an organization can launch and control vulnerability management systems successfully. In addition, Milroy pointed out that vulnerability management problems occasionally will arise, but a well-prepared organization will be equipped to handle such issues: “Problems are going to happen … You have to work with your people. This can translate to any tool that you’re putting in place. Make sure your people have plans for what happens when it goes wrong, because it’s going to [happen] every single time.”
Milroy also noted that having actionable vulnerability management data is important for organizations of all sizes. If an organization evaluates its vulnerability management processes regularly, Milroy said, it can collect data and use this information to improve its security: “The simplest rule of thumb for vulnerability management, click the report, hand the report to someone. Don’t ever do that. There is no such thing as a report from a tool that you can just click and hand to someone until you first tune it and pare it down.”
See more at: http://www.argylejournal.com/chief-information-security-officer/enterprise-vulnerability-managementsecurity-incident-response-derek-milroy-is-security-architect-u-s-cellular-corporation/
Vulnerability Management: How to Think Like a Hacker to Reduce Risk (BeyondTrust)
Watch the full webinar recording here: https://www.beyondtrust.com/resources/webinar/vulnerability-management-how-to-think-like-a-hacker-to-reduce-risk/
This is the presentation from Security MVP and CQURE CEO Paula Januszkiewicz's thought-provoking webinar on how to get inside the mind of a hacker to better manage risk and shore up organizational cyber defenses.
Pen testing is not enough! And while identifying, classifying, remediating, and mitigating vulnerabilities are all cornerstones of effective vulnerability management, in practice they are often inadequately implemented.
Often, the best-designed strategies and VM implementations rely on experience.
Check out the presentation to get a taste of the webinar:
- Learn how to improve vulnerability identification and strengthen your systems
- Look over the shoulder of an expert as Paula demonstrates how to exploit systems, and learn (from the hacker's perspective) how to defuse such exploits
Watch the webinar: https://www.beyondtrust.com/resources/webinar/vulnerability-management-how-to-think-like-a-hacker-to-reduce-risk/
10 Steps to Building an Effective Vulnerability Management Program (BeyondTrust)
You can tune in for the full webinar recording here: https://www.beyondtrust.com/resources/webinar/10-steps-to-building-an-effective-vulnerability-management-program/
In this presentation from the webinar by cyber security expert Derek A. Smith, hear a step-by-step overview of how to build an effective vulnerability management program. Whether your network consists of just a few connected computers or thousands of servers distributed around the world, this presentation covers ten actionable steps you can apply either to bolster your existing vulnerability management program or to build one from scratch.
Is Your Vulnerability Management Program Irrelevant? (Skybox Security)
In this webcast, Scott Crawford from Enterprise Management Associates and Michelle Johnson Cobb of Skybox Security will discuss how to:
Link vulnerability discovery, risk-based prioritization, and remediation activities to effectively mitigate risks before exploitation.
Build a remediation strategy that addresses ‘unpatchable’ systems
Minimize change management headaches by anticipating unintended impacts due to system and application interdependencies.
Use metrics and key performance indicators (KPIs) such as remediation latency to track the effectiveness of the vulnerability management program.
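Remediation latency is named above as the KPI to track, and the next abstract asks for progress that shows a measurable reduction of risk. The block below is an added example, not Skybox's or EMA's code: over a constructed set of findings it computes, per severity, the median time from discovery to fix, the share of closed findings that met their SLA, and the open backlog that is already past its window. The SLA windows, the findings and the reporting date are assumptions made for the illustration.

```python
"""Remediation-latency and SLA KPIs for a vulnerability management program.

Added example, not Skybox's or EMA's code. The SLA windows and the findings
are constructed assumptions; the point is the measurement, not the numbers.
"""
from datetime import date
from statistics import median

# Assumed remediation SLA in days per severity (a policy choice, not a standard).
SLA_DAYS = {"critical": 7, "high": 30, "medium": 90}

# Constructed findings: (id, severity, first_seen, fixed_on or None if still open).
FINDINGS = [
    ("F-1", "critical", date(2024, 1, 1),  date(2024, 1, 5)),
    ("F-2", "critical", date(2024, 1, 2),  date(2024, 1, 20)),
    ("F-3", "high",     date(2024, 1, 3),  date(2024, 1, 30)),
    ("F-4", "high",     date(2024, 1, 10), None),
    ("F-5", "medium",   date(2023, 10, 1), None),
]
AS_OF = date(2024, 2, 1)  # assumed reporting date

def latency_days(first_seen, fixed_on, as_of):
    """Days from discovery to fix; for open findings, age as of the report date."""
    return ((fixed_on or as_of) - first_seen).days

def kpis(findings=FINDINGS, as_of=AS_OF, sla=SLA_DAYS):
    """Per-severity remediation latency, SLA attainment and overdue backlog."""
    report = {}
    for sev, limit in sla.items():
        rows = [f for f in findings if f[1] == sev]
        closed = [latency_days(fs, fx, as_of) for _, _, fs, fx in rows if fx is not None]
        open_ages = [latency_days(fs, None, as_of) for _, _, fs, fx in rows if fx is None]
        report[sev] = {
            "closed": len(closed),
            "median_latency_days": median(closed) if closed else None,
            "sla_met_pct": round(100 * sum(d <= limit for d in closed) / len(closed)) if closed else None,
            "open": len(open_ages),
            "open_overdue": sum(age > limit for age in open_ages),
        }
    return report

def overdue_ids(findings=FINDINGS, as_of=AS_OF, sla=SLA_DAYS):
    """Open findings already past their SLA: the list to escalate this week."""
    return [fid for fid, sev, fs, fx in findings
            if fx is None and latency_days(fs, None, as_of) > sla[sev]]

if __name__ == "__main__":
    for sev, row in kpis().items():
        print(sev, row)
    print("overdue:", overdue_ids())
```

Two details matter for the metric to be honest: latency is measured from first detection, not from ticket creation, so a slow hand-off counts against the program; and open findings are reported by age against their SLA rather than ignored until closed, which is how a "measurable reduction" can be shown week over week instead of only at closure.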
Is Your Vulnerability Management Program Keeping Pace With Risks? (Skybox Security)
To effectively reduce the risk of cyber attacks, comply with continuous monitoring requirements, and provide visibility to executives, organizations need to manage their vulnerabilities and associated risks continuously. Anything less cannot keep pace with the daily rate of new attacks.
Why bother to assess your risks every 90 days when new threats are unleashed every day?
See how you can:
• Transform vulnerability discovery from a ‘round robin’ schedule to continuous monitoring for vulnerabilities
• Prioritize vulnerabilities based on exploitability and potential business impact
• Focus remediation efforts and track progress to show a measurable reduction of risk
• Make vulnerability management an essential part of daily change management processes
These slides will include case studies, survey data, and best practices – ideal for IT security practitioners who are considering, or already implementing, next-generation vulnerability management to effectively and measurably mitigate risk.
Why Patch Management is Still the Best First Line of Defense (Lumension)
Today more than 2 million malware signatures are identified each month and traditional anti-virus defenses simply can’t keep up. Even the major anti-virus vendors have concluded that stand-alone anti-virus no longer provides an effective defense and that additional layers of security technology are needed to address the rising volume and sophistication of threats. View this presentation to learn:
• Why you can’t forget about older vulnerabilities
• How to reduce exposure from both OS and 3rd party application vulnerabilities
• The challenges with reliance upon “free” patching tools and native updaters
• Why you should consider patch management the core of an effective defense-in-depth endpoint security approach
Preparing for future attacks. Solution Brief: Implementing the right securit... (Symantec)
Recent malware incidents have shown how costly and damaging cyber attacks can be.
The Stuxnet worm is believed to have significantly affected Iranian nuclear processing, and was widely considered to be the first operational cyber weapon [1]. Shamoon was able to compromise and incapacitate 30,000 workstations within an oil producing organisation [2]. Another targeted malware attack against a public corporation resulted in the company declaring a $66 million loss relating to the attack [3]. Such attacks may not necessarily be successful, but when attackers do find their way inside an organisation's systems, a swift, well-prepared response can quickly minimise damage and restore systems before significant harm can be caused.
In order to prepare such a response, organisations must understand how attacks can progress, develop a counteractive strategy, decide who will carry out which actions and then practise and refine the plan.
10 Tips to Improve Your Security Incident Readiness and Response (EMC)
This white paper covers why incident readiness and response often fall short in ten areas that span people, processes and technology. By tackling these shortcomings, organizations can reduce risk with early warnings of potential problems.
This article will look at common mistakes that organizations make on the path to achieving vulnerability management perfection, both in process and technology areas.
Security operations center: 5 security controls (AlienVault)
An effective Security Operation Center provides the information necessary for organizations to efficiently detect threats and subsequently contain them. While eliminating the threats we face is an impossible goal, reducing the time it takes to respond and contain them is certainly achievable. Learn 5 security controls for an effective security operations center.
This paper discusses the question of optimizing security decisions in an organization, based on the information provided by the technical security infrastructure.
As the cybersecurity landscape continues to evolve and threat actor sophistication increases, it is ever more important that you not only have incident response processes in place but that you ensure they work consistently. And, of course, you should continuously iterate and improve over time.
Visit - https://www.siemplify.co/blog/testing-incident-response-processes/
An incident response plan (IRP) is a set of written instructions for.pdf (aradhana9856)
An incident response plan (IRP) is a set of written instructions for detecting, responding to and limiting the effects of an information security event. Incident response plans provide instructions for responding to a number of potential scenarios, including data breaches, denial of service/distributed denial of service attacks, firewall breaches, virus or malware outbreaks or insider threats. Without an incident response plan in place, organizations may either not detect the attack in the first place, or not follow proper protocol to contain the threat and recover from it when a breach is detected.
According to the SANS Institute, there are six key phases of an incident response plan:
1. Preparation: Preparing users and IT staff to handle potential incidents should they arise
2. Identification: Determining whether an event is indeed a security incident
3. Containment: Limiting the damage of the incident and isolating affected systems to prevent further damage
4. Eradication: Finding the root cause of the incident and removing affected systems from the production environment
5. Recovery: Permitting affected systems back into the production environment after ensuring no threat remains
6. Lessons learned: Completing incident documentation and performing analysis to learn from the incident and improve future response efforts
It is important that an incident response plan is formulated, supported throughout the organization, and regularly tested. A good incident response plan can minimize not only the effects of the actual security breach, but also the negative publicity.
From a security team's perspective, the question is not whether a breach occurs (such occurrences are an eventual part of doing business over an untrusted carrier network such as the Internet), but when. Do not assume that only weak or poorly defended systems get broken into; given enough time and resources, someone can break into even the most security-hardened system or network. You need look no further than the Security Focus website at http://www.securityfocus.com/ for updated and detailed information concerning recent security breaches and vulnerabilities, from the frequent defacement of corporate webpages to the 2002 attacks on the root DNS nameservers[1].
The positive aspect of accepting the inevitability of a breach is that it allows the security team to develop a course of action that minimizes potential damage. Combining that course of action with expertise allows the team to respond to adverse conditions in a formal and timely manner.
The incident response plan itself can be separated into four phases:
Immediate action to stop or minimize the incident
Investigation of the incident
Restoration of affected resources
Reporting the incident to the proper channels
Real-time fallacy: how real-time is your security, really? (Anton Chuvakin)
While the claims that "modern business works in real-time and so the security should too" are often heard from various vendors, it appears that few organizations are able to achieve that at the moment. This paper will look at the real-time requirements of the whole organization's security posture.
Cyber security lecture for university students, following and expanding on a previously delivered presentation on Enterprise Security Incident Management. More in-depth, with a focus on the security incident lifecycle.
Practical Guide to Managing Incidents Using LLM's and NLP.pdf (Chris Galvan)
This project was created to give cybersecurity defenders in roles such as Forensics, Incident Response, SOC, and Threat Hunting a starting point for investigating logs across AWS, GCP, and Windows systems.
The last section includes 3 case studies and research done by Christian Galvan and Lawren Epstein on real world attacks to large companies.
Future of SOC: More Security, Less Operations (Anton Chuvakin)
"Future of SOC: More Security, Less Operations" was originally presented by Dr Anton Chuvakin in March 2024 at a virtual conference in Finland.
The future of SOC looks less like its past. AI is part of that future, but an engineering-led approach to the SOC is more critical.
Detection and response of the future will be more heavily automated.
SOC Meets Cloud: What Breaks, What Changes, What to Do? (Anton Chuvakin)
Originally presented at Mandiant mWise 2023 by Dr Anton Chuvakin of the Google Cloud Office of the CISO.
Cloud changes everything (does it though?), including how we do threat detection and incident response in the SOC. As we continue to transform our attack surfaces, how do we make sure our detection and response are done "the cloud way"? There were also cases where both business and IT migrated to the cloud, but security was left behind and had to approach cloud challenges with on-premise tools and practices. How should a SOC born before cloud deal with cloud? What to watch for? What changes? What breaks? What stays the same?
Meet the Ghost of SecOps Future (Anton Chuvakin)
Today’s SOC has an increasingly difficult job protecting growing and expanding organizations. The landscape is changing and the SOC needs to change with the times or risk falling behind the evolution of business, IT, and threats.
But you have choices! Your future fate is not set in stone and can be changed: some optimize what they have without drastic upheaval, while others choose to truly transform their detection and response.
Join us as we show you a vision of what the SOC will look like in the near future and how to choose the best course of action today.
Originally aired at https://cloudonair.withgoogle.com/events/2023-dec-security-talks
Video https://youtu.be/KbQbuFAPY2c?si=0llv1v_CkVtvsyms
SOC Lessons from DevOps and SRE (Anton Chuvakin)
SOC Lessons from DevOps and SRE by Dr Anton Chuvakin: an RSA 2023 Google Cloud sideshow presentation focused on using select DevOps and SRE lessons to make your SOC better.
"20 Years of SIEM" was prepared for the SANS webinar https://www.sans.org/webcasts/anton-chuvakin-discusses-20-years-of-siem-what-s-next/ and offers Anton's reflection on SIEM past and future.
10X SOC - SANS Blue Summit Keynote 2021 (Anton Chuvakin)
Can We REALLY 10X the SOC? by Dr Anton Chuvakin
Many organizations promise to transform your security operations center (SOC) with technology, advice or their personnel. However, what does it take to really transform your SOC to be ready for future threats? Is this an impossible problem? Is this something that can be only done by well funded organizations? Let's explore these and other questions in this talk.
https://www.sans.org/cyber-security-training-events/blue-team-summit-2021/#agenda
Five Best and Five Worst Practices for SIEM by Dr. Anton Chuvakin (Anton Chuvakin)
End-User Case Study: Five Best and Five Worst Practices for SIEM
Implementing SIEM sounds straightforward, but reality sometimes begs to differ. In this session, Dr. Anton Chuvakin will share the five best and worst practices for implementing SIEM as part of security monitoring and intelligence. Understanding how to avoid pitfalls and create a successful SIEM implementation will help maximize security and compliance value, and avoid costly obstacles, inefficiencies, and risks.
State of ICS and IoT Cyber Threat Landscape Report 2024 previewPrayukth K V
The IoT and OT threat landscape report has been prepared by the Threat Research Team at Sectrio using data from Sectrio, cyber threat intelligence farming facilities spread across over 85 cities around the world. In addition, Sectrio also runs AI-based advanced threat and payload engagement facilities that serve as sinks to attract and engage sophisticated threat actors, and newer malware including new variants and latent threats that are at an earlier stage of development.
The latest edition of the OT/ICS and IoT security Threat Landscape Report 2024 also covers:
State of global ICS asset and network exposure
Sectoral targets and attacks as well as the cost of ransom
Global APT activity, AI usage, actor and tactic profiles, and implications
Rise in volumes of AI-powered cyberattacks
Major cyber events in 2024
Malware and malicious payload trends
Cyberattack types and targets
Vulnerability exploit attempts on CVEs
Attacks on counties – USA
Expansion of bot farms – how, where, and why
In-depth analysis of the cyber threat landscape across North America, South America, Europe, APAC, and the Middle East
Why are attacks on smart factories rising?
Cyber risk predictions
Axis of attacks – Europe
Systemic attacks in the Middle East
Download the full report from here:
https://sectrio.com/resources/ot-threat-landscape-reports/sectrio-releases-ot-ics-and-iot-security-threat-landscape-report-2024/
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Connector Corner: Automate dynamic content and events by pushing a buttonDianaGray10
Here is something new! In our next Connector Corner webinar, we will demonstrate how you can use a single workflow to:
Create a campaign using Mailchimp with merge tags/fields
Send an interactive Slack channel message (using buttons)
Have the message received by managers and peers along with a test email for review
But there’s more:
In a second workflow supporting the same use case, you’ll see:
Your campaign sent to target colleagues for approval
If the “Approve” button is clicked, a Jira/Zendesk ticket is created for the marketing design team
But—if the “Reject” button is pushed, colleagues will be alerted via Slack message
Join us to learn more about this new, human-in-the-loop capability, brought to you by Integration Service connectors.
And...
Speakers:
Akshay Agnihotri, Product Manager
Charlie Greenberg, Host
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
Assuring Contact Center Experiences for Your Customers With ThousandEyes
Importance Of Structured Incident Response Process
Anton Chuvakin, Ph.D., GCIA, GCIH, GCFA
WRITTEN: 2004
Contents
Example
Introduction
SANS Six Step Incident Response Methodology
Incident Response Tools
Example Corporation – Worm Incident Revisited
Common Mistakes of Incident Response
Conclusion
Glossary
DISCLAIMER:
Security is a rapidly changing field of human endeavor. The threats we face literally change every day; moreover, many security professionals consider the rate of change to be accelerating. To stay in touch with such an ever-changing reality, one has to evolve with the field as well. Thus, even though I hope this document will be useful to my readers, please keep in mind that it was possibly written years ago. Also, keep in mind that some of the URLs might have gone 404; please Google around.
Example
Right around lunchtime, a helpdesk operator at Example Corporation, a medium-sized manufacturing company, receives calls from several users, all reporting computer failures and slow network response. Example Corporation’s security infrastructure includes firewalls, intrusion detection systems, anti-virus software and operating system logs, all technology investments from the “boom” years. The helpdesk operator opens a new trouble ticket in Remedy, describing the users’ problems and recording the machines’ hostnames. Other unrelated support issues continue to pile up and the operator’s attention is directed elsewhere.
Meanwhile, the worm that caused the problems above continues to spread throughout Example’s network. The malicious software made its way into Example on the laptop of a salesperson who often plugs it into untrusted networks outside the company, such as hotels and customer environments. With most of Example’s security monitoring capabilities deployed in the DMZ and on the network perimeter, the remainder of Example’s vulnerable corporate assets are largely unguarded and unwatched. Thus, as the worm wends its way around Example’s enterprise, the company security team is not even aware of the developing disaster.
Page 1
Soon, network traffic generated by the worm has increased dramatically, as more machines become infected and start spewing copies of the same worm. When the infection reaches critical levels and starts to affect the performance of monitored servers, the security team is notified by a flood of pager alerts… chaos ensues. While some try installing anti-virus updates, others apply firewall blocks (preventing not only worm scanning, but also the download of updates) and yet others scan for vulnerable machines, which adds to the network-level denial of service.
After hours of uncoordinated activity, most of the worm-carrying machines are discovered and the re-infection rate is brought under control. A management-requested investigation begins and computer forensic consultants are brought in. However, what remained of the initial infection evidence was either destroyed or made extremely hard to find by the “mitigation” activities. No one remembered the original Remedy ticket recorded by the helpdesk operator, since the helpdesk system was not deemed relevant for security information. The investigation was able to conclude only that the malicious software was brought in from outside the company; the specific initial infection vector was never determined.
The financial and technological damage is easy to see. The all-too-common incident described above shows what happens when companies lack a central point from which to manage security incidents.
Introduction
Security professionals learn to constantly chant the mantra “prevention-detection-response.” Each of these three components is known to be of crucial importance to the organization’s security posture. However, unlike prevention and detection, response is impossible to avoid. While it is not uncommon for organizations to have weak prevention and nearly non-existent detection capabilities, response will have to be there, since the organization will often be forced into response mode by the attackers (be it the internal abuser, the omnipresent “script kiddie” or the elusive “uber-hacker”) or their evil creations (viruses, worms and spyware). The organization will be made to respond in some way after an incident has taken place. Even where ignoring the incident is the chosen option, the organization implicitly follows a response plan, even if it is one as ineffective as doing nothing.
In light of this, being prepared for incident response is likely to be one of the most cost-effective security measures an organization can take. Timely and effective incident response directly decreases the incident-induced loss to the organization. It can also help to prevent the expensive and hard-to-repair reputation damage that often follows a security incident. Several industry surveys have found that a public company’s stock price may fall by several percent as a result of a publicly disclosed incident (http://www.securityfocus.com/news/11197). Incidents known to wreak catastrophic results upon organizations include malicious hacking, virus outbreaks, economic espionage, intellectual property theft, network access abuse, theft of IT resources and other policy violations.
Most of us in the security industry are already familiar with the traditional challenges we face every day: too much security data to sift through, too many false alarms to deal with, and not enough budget or resources to handle an ever-growing number of security incidents. One additional and often overlooked challenge involves the security management process itself. Largely ignored in many of today’s IT enterprises, a clearly defined, documented and repeatable incident management process, laid down in an incident response plan, is fundamental to ensuring fast and accurate handling of security incidents.
Even if an explicit incident response plan is lacking, after an incident occurs questions such as these will be asked by company management:
• What do we do now?
• How do we put things back the way they were?
• How do we prevent a recurrence?
• How should we have prepared?
• Should we try to figure out who is responsible?
Answering these questions requires knowledge of your computing environment, company culture and internal procedures, and of the technical and policy countermeasures in place. Effective incident response fuses together technical and non-technical resources, bound by the incident response policy, procedures and plans. Such a policy should be continuously refined and improved based on the organization’s incident history, just as the main security policy should be.
To build an initial incident management framework one can use the SANS Six Step incident response methodology. This approach was originally developed for the US Department of Energy, adopted elsewhere in the US government and then popularized by the SANS Institute (http://www.sans.org/rr/whitepapers/incident/).
The methodology includes the following six steps:
1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Follow-Up
SANS Six Step Incident Response Methodology
Overall, the SANS methodology allows an organization to give structure to the otherwise chaotic incident response workflow. The steps of the SANS methodology are clearly defined and easy to follow, and, most importantly, work in the high-stress post-incident environments for which they were designed. Following the steps is a matter of selecting and appropriately customizing the procedures for each case at hand. Using the SANS pre-defined procedures ensures that the incident response workflow becomes relatively painless and that crucial steps are not missed. Additionally, such a system facilitates both training and collaboration between the various response team members, who can share the workload for increased efficiency.
Finally, integrating the SANS methodology into overall incident response planning assures today’s IT organizations that they have a comprehensive approach in place to tackle security incidents. It also demonstrates compliance with industry “best practices”, which is sometimes associated with regulatory compliance. Having a repeatable incident management process is highlighted in several recent regulations, such as HIPAA.
Let’s spend just a moment reviewing a few key features of the SANS Six Step
Incident Response methodology:
The Preparation stage covers everything one should do before handling the first incident. It involves technology issues, such as preparing response and forensics tools, learning the environment, and configuring systems for optimal response and monitoring, as well as business issues, such as assigning responsibility, forming a team and establishing escalation procedures. Additionally, this stage covers the steps necessary to improve a company’s security posture and thus decrease the likelihood of, and the damage from, future incidents. Security audits, patch management, employee security awareness programs and other security tasks all serve to prepare the organization for incident action. Building a culture of security and a secure computing environment also serves as incident preparation.
Specifically, establishing a real-time system and network security event monitoring program provides early warning of hostile activity and collects evidence for use after an incident. Providing a single view into your security infrastructure goes a long way towards being more prepared and equipped to deal with incidents as they occur, as well as to clean up in the aftermath. A single evidence store allows sophisticated data analysis, leading to better awareness of threats and vulnerabilities.
Identification is what happens first when an incident is suspected or detected. Determining whether the observed event does in fact constitute an incident (as defined by the organization’s incident response policy) is of crucial importance. Careful record keeping is very important, since such documentation will be heavily used at later stages of the response process. One should record everything that was observed in relation to the incident, whether online or in the physical environment. During this stage, it is important that the people responsible for incident handling maintain a proper chain of custody (explained at http://en.wikipedia.org/wiki/Chain_of_custody as a “document or paper trail showing the seizure, custody, control, transfer, analysis, and disposition of physical and electronic evidence”). Contrary to popular opinion, this is important even when the case is never destined to end up in court: following established and approved procedures also helps an investigation that stays internal to the company.
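As an added example that is not part of this paper, here is one way to keep the kind of record the chain-of-custody paragraph above calls for: an append-only custody log in which every record states who did what to which evidence item and when, and carries the SHA-256 of the evidence item and of the previous record. The hash chaining goes beyond what the text describes; it is what lets the log show that neither an item nor the trail itself was altered after the fact. The evidence contents, item identifiers, handler names and timestamps are constructed for the example.

```python
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64   # "previous record" hash used by the first record of a fresh log


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


class CustodyLog:
    """Append-only chain-of-custody log.

    Each record states who performed which action (seizure, transfer, analysis,
    disposition, ...) on which evidence item and when, and is bound to the evidence
    content and to the preceding record by SHA-256 hashes.
    """

    def __init__(self):
        self.records = []

    @staticmethod
    def _canonical(record):
        # Deterministic serialisation of everything except the record's own hash.
        body = {k: v for k, v in record.items() if k != "record_sha256"}
        return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()

    def add(self, item_id, action, handler, evidence, note="", when=None):
        # `when` is injectable so the example is repeatable; operationally it is
        # always the current UTC time.
        when = when or datetime.now(timezone.utc).isoformat()
        record = {
            "seq": len(self.records),
            "item": item_id,
            "action": action,
            "handler": handler,
            "time": when,
            "note": note,
            "evidence_sha256": sha256_hex(evidence),
            "prev_record_sha256": self.records[-1]["record_sha256"] if self.records else GENESIS,
        }
        record["record_sha256"] = sha256_hex(self._canonical(record))
        self.records.append(record)
        return record

    def verify(self, evidence_by_item):
        """Check the record chain and, for each item still held, its content.

        Returns (ok, problems). A record edited after the fact fails its own hash; a
        record re-hashed to hide the edit breaks the chain at the following record;
        an evidence item that no longer matches its recorded hash is reported by name.
        """
        problems = []
        prev = GENESIS
        latest_hash = {}
        for rec in self.records:
            if rec["prev_record_sha256"] != prev:
                problems.append(f"record {rec['seq']}: chain break")
            if sha256_hex(self._canonical(rec)) != rec["record_sha256"]:
                problems.append(f"record {rec['seq']}: record altered")
            prev = rec["record_sha256"]
            latest_hash[rec["item"]] = rec["evidence_sha256"]
        for item, data in evidence_by_item.items():
            if item in latest_hash and sha256_hex(data) != latest_hash[item]:
                problems.append(f"{item}: evidence content changed")
        return (not problems, problems)


# Constructed evidence items (not real data): a ticket export and an IDS alert extract.
TICKET = b"ticket 4711: several users report failures and slow network; hosts ws-017, ws-023\n"
IDS_EXTRACT = b"12:03:40 ids 203.0.113.7 -> 10.1.1.20 HTTP server exploit attempt\n"


def build_sample_log():
    """Seizure of both items, then hand-over of the IDS extract to an analyst."""
    log = CustodyLog()
    log.add("ticket-4711", "seizure", "helpdesk operator", TICKET,
            "exported from ticketing system", when="2004-03-02T12:10:00+00:00")
    log.add("ids-extract-1", "seizure", "monitoring team", IDS_EXTRACT,
            when="2004-03-02T12:20:00+00:00")
    log.add("ids-extract-1", "transfer", "security analyst", IDS_EXTRACT,
            "handed over for analysis", when="2004-03-02T12:25:00+00:00")
    return log


if __name__ == "__main__":
    log = build_sample_log()
    print(log.verify({"ticket-4711": TICKET, "ids-extract-1": IDS_EXTRACT}))
    log.records[1]["handler"] = "somebody else"     # simulate after-the-fact editing
    print(log.verify({"ticket-4711": TICKET, "ids-extract-1": IDS_EXTRACT}))
```

The log is only as trustworthy as its storage, so in practice the records are written to a medium the handlers cannot rewrite (or their hashes are periodically printed and signed), and the same hash is recorded on the physical evidence label; the code shows what the record must contain for the trail to be checkable later, whether by an internal reviewer or in court.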
Various security technologies play a role in incident identification. For example, firewall, IDS, server and application logs reveal evidence of potentially hostile activities coming from both outside and inside the protected perimeter. Logs are often indispensable for finding the party responsible for those activities. Security event correlation is essential for high-quality incident identification, due to its ability to uncover patterns in the incoming flow of security events. Collecting various audit logs and correlating them in near real time goes a long way towards making the identification step of the response process less laborious. Additionally, incident identification is greatly helped by “qualifying” IDS and other alerts with environment context, such as system and application vulnerabilities, the applications actually running on the target, and its business value.
Containment is what keeps the incident from spreading and thus incurring higher financial or other loss. During this stage, the incident responders intervene and attempt to limit the damage, for example by tightening network or host access controls, changing system passwords or disabling accounts. While completing these steps, one should make every effort to keep all potential evidence intact, balancing the needs of system owners and incident investigators. Backing up the affected systems is also essential at this step, both to preserve them for further investigation and to support remediation. The important decision on whether to continue operating the affected assets should be made by the appropriate authorities during this stage.
Automated containment measures, such as firewall blocking, system reconfiguration or forced file integrity checks, and intrusion prevention systems deployed inline, can also be used if they are driven by event correlation and more intelligent analytics. Automated containment is not yet widely accepted, however, although it will likely become so in the future.
Eradication is the stage in which the factors leading to the incident are eliminated or mitigated. Such factors often include system vulnerabilities, unsafe system configurations, out-of-date protection software or even imperfect physical access control. Non-technology controls, such as building access policies or key card privileges, might also be adjusted at this stage. In the case of a hacker-related incident, the affected systems are likely to be restored from the last clean backup or rebuilt from the operating system vendor media with all applications reinstalled.
Time is most critical during the eradication stage. The first response should satisfy several often conflicting criteria, such as accommodating the system owners’ requests, preserving evidence and stopping the spread of damage, while complying with all the appropriate organizational policies.
Recovery is the stage where the organization’s operations return to normal. Systems are restored, configured to prevent recurrence and returned to regular use. To ensure that the newly established controls are working, the organization might want to maintain increased monitoring of the affected assets for some period of time.
Return to production is always a critical step. If done too early, there is a significant risk of recurrence; if done too late, it risks upsetting the business owners. Thus, the criteria for returning a system to production should be clearly documented in the incident procedures during the preparation stage.
Follow-Up is an extremely important stage of the incident response process. Just as with the preparation stage above, proper incident follow-up helps to ensure that lessons are learned from the incident and that the overall security posture improves as a result; it is also what prevents the recurrence of similar incidents. A report on the incident is often submitted to senior management. It covers the actions taken, summarizes the lessons learned and also serves as a knowledge repository in case of similar incidents in the future.
Follow-up results often need to be distributed to a wider audience than the rest of the investigation process. An enterprise-wide security knowledge base helps to address this challenge and ensures that IT resource owners are better prepared to combat future threats. To optimize the distribution of incident information, one can use forms and templates prepared in advance for different types of incidents. Properly sanitized past incident cases should also be added to the organization-wide security knowledge base, alongside industry security resources and vulnerability knowledge. Such materials can later be used for training new incident responders as well as the broader IT audience. A summary of suggested actions might also be sent to senior management.
Incident Response Tools
While people and processes are important, tools are what complete the security triangle. When an incident is suspected, the response team will need tools to verify its status, assess the damage already incurred and the damage that could still occur, and then proceed to contain and recover from the incident. This involves a wide range of tools, from intrusion detection to forensics and vulnerability management. Backup tools should also not be overlooked. Tools helpful for incident management can be organized as follows:
Tools and their common uses during incident response:
Evidence collection and storage: system and security logs, audit trails, disk images, email and other communication
Data analysis and forensics: correlation, searching and reporting, forensic discovery activities
Collaboration: incident team communication, workflow, team management
Backup: evidence preservation, “known good” configuration retention, user data recovery
Documentation: actions logged for audit and improvement, reporting, incident team performance measurement, lessons learned, future team training
Some tools are helpful in more than one of the above categories. For example, a Security Information Management (SIM) solution often holds most of the evidence from the scene of an information security incident. Incident handling is a natural SIM product function, aimed at gathering and organizing security event data around incidents and enforcing a proper response workflow in order to facilitate effective and prompt response to security incidents. Specifically, a SIM can:
• Facilitate the effective handling process
• Integrate evidence storage and analysis
• Enforce proper access control to evidence
• Enable team collaboration
• Simplify resolution monitoring and reporting
• Make security measurable
In general, it establishes a single control point for the security response capabilities by combining the main potential evidence store with the investigative platform.
Other tools that an incident team needs to be very familiar with include disk image forensics tools, covering the whole lifecycle from making a forensic copy of the suspect’s workstation to the final presentation of evidence to an internal authority or law enforcement. Those tools do require significant training, especially if used for cases where a court trial is likely.
Example Corporation – Worm Incident Revisited
A network helpdesk operator receives calls from several users, all reporting computer failures and slow network response. Using a newly established process, a trained team and the right tools, an incident case is opened according to the plan, and the user complaints from that department are summarized and presented to all relevant parties, including the security team contact. The affected machines, together with information on their owners, are also added to the corresponding case fields. The operator then assigns the case to the security event monitoring team, as mandated by his instructions, which derive from the incident plan.
Upon receiving the assignment through the case management system, a monitoring team member runs several queries searching for suspicious events to and from the affected machines, all as part of the incident identification procedure defined by the company. He discovers that a network IDS has detected an email worm being transmitted from outside the environment. The monitoring team member shares the incident case with the security analyst team running the intrusion detection, so they can verify the impact of the IDS events based on the business role and importance of the affected assets. Numerous alerts from the anti-virus software running on some of the users’ desktops are also found to come from the affected IP addresses. As a next step, an analyst selects a Containment procedure from the knowledge base, which involves quarantining the infected machines by applying a firewall rule to prevent the spread of the worm. The procedure is added to the incident case and then implemented.
Next, it is necessary to clean the infected PCs. The Mitigation procedure (the eradication step) involves installing a freshly updated copy of the anti-virus software and running a full scan. The security engineering team, together with the security analyst team, verifies that the newly installed anti-virus system complies with the company’s anti-virus policy.
The recommended Follow-up procedure includes a mandated company-wide desktop anti-virus deployment from a dedicated server. The procedure is submitted for management approval and, once approved, the remediation team ensures that the anti-virus software is pushed out to all company desktop PCs and the incident case is closed.
Here is another example of how a company with a well-tuned incident response
process handles an attack against the web server.
A security analyst on duty received an email notification when a correlated event indicating a successful attack was triggered by the SIM solution. The analyst discovered that a real-time correlation rule had been matched by a series of events directed against the auxiliary web server.
By logging into the SIM and running a report, the analyst found that the triggered rule aims to detect high-severity attacks against the web server that are preceded by reconnaissance activity, such as a server version query. The web server was first probed for its type and version and later attacked with a known exploit, as detected by the network intrusion detection system. The company security monitoring procedure mandated that such events be investigated.
Thus, the analyst clicked on the correlated event in the corresponding report and chose to add it to a new incident case. He then added a note saying that he had received an email notification and had started the investigation in accordance with the security procedure.
After the case was registered by the system, the analyst proceeded to investigate the related events. He opened the report to view the raw security events that triggered the correlation. Such events included probes against multiple servers followed by an attack. He looked at the attack details and found that the IDS signature for the exploit matched the server type and the operating system. He added all the related events to the incident case as well.
Further, he ran a query to look for more traces of the same attacker’s IP address (the source) in the event database. Multiple entries indicative of scanning, denied connections on the firewall and TCP port 80 connection attempts across the enterprise were discovered. The report results were also added to the incident case.
At that stage it was obvious that a sustained attack was in progress. A note
was added to the Identification section of the case stating that the incident was
confirmed and that several servers might have been impacted.
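The correlation rule the SIM matched, the check that the exploit signature actually fits the targeted platform, and the pivot on the attacker's address can all be expressed as a few lines of detection logic run over normalised events. The following is an example added by the editor; it is not code from the paper or from any SIM product. The event schema, the signature names, the asset inventory and the events themselves are constructed, and the one-hour window and severity threshold are assumptions:

```python
"""Correlating reconnaissance with a later high-severity web attack.

Added example (editor's code, not from the paper or any SIM product).
Event schema, signature names, asset inventory and the events themselves
are constructed for illustration.
"""
from datetime import datetime, timedelta

# Signatures that count as reconnaissance (constructed names).
RECON_SIGS = {"WEB-MISC server version probe"}

# Which server/OS each exploit signature actually targets (constructed).
SIGNATURE_TARGETS = {
    "WEB-ATTACK apache exploit attempt": ("apache", "linux"),
}

# Constructed asset inventory the analyst consults; not real hosts.
ASSETS = {
    "10.1.2.25": {"server": "apache", "os": "linux", "critical": False},
    "10.1.2.26": {"server": "iis", "os": "windows", "critical": True},
}

# Constructed, normalised events as a SIM would hold them after parsing
# firewall and IDS logs (documentation and private addresses, not real data).
EVENTS = [
    {"ts": "2006-03-14 02:10:05", "src": "203.0.113.7", "dst": "10.1.2.20", "dport": 80,
     "sensor": "fw", "action": "deny", "sig": None, "sev": 1},
    {"ts": "2006-03-14 02:10:06", "src": "203.0.113.7", "dst": "10.1.2.21", "dport": 80,
     "sensor": "fw", "action": "deny", "sig": None, "sev": 1},
    {"ts": "2006-03-14 02:11:40", "src": "203.0.113.7", "dst": "10.1.2.25", "dport": 80,
     "sensor": "ids", "action": "alert", "sig": "WEB-MISC server version probe", "sev": 2},
    {"ts": "2006-03-14 02:11:41", "src": "203.0.113.7", "dst": "10.1.2.26", "dport": 80,
     "sensor": "ids", "action": "alert", "sig": "WEB-MISC server version probe", "sev": 2},
    {"ts": "2006-03-14 02:14:02", "src": "203.0.113.7", "dst": "10.1.2.25", "dport": 80,
     "sensor": "ids", "action": "alert", "sig": "WEB-ATTACK apache exploit attempt", "sev": 5},
    # High-severity alert with no preceding probe from its source: must not fire.
    {"ts": "2006-03-14 03:30:00", "src": "198.51.100.9", "dst": "10.1.2.26", "dport": 80,
     "sensor": "ids", "action": "alert", "sig": "WEB-ATTACK apache exploit attempt", "sev": 5},
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def correlate(events, window=timedelta(hours=1), min_sev=4):
    """Fire when a high-severity IDS alert against a host is preceded, within
    `window`, by reconnaissance from the same source against the same host."""
    hits = []
    alerts = [e for e in events if e["sensor"] == "ids"]
    for atk in alerts:
        if atk["sev"] < min_sev:
            continue
        t_atk = parse_ts(atk["ts"])
        probes = [p for p in alerts
                  if p["sig"] in RECON_SIGS and p["src"] == atk["src"]
                  and p["dst"] == atk["dst"]
                  and t_atk - window <= parse_ts(p["ts"]) < t_atk]
        if probes:
            hits.append({"attacker": atk["src"], "target": atk["dst"],
                         "probe_ts": min(p["ts"] for p in probes),
                         "attack_ts": atk["ts"], "sig": atk["sig"]})
    return hits


def signature_matches_asset(sig, host, assets=ASSETS):
    """True if the exploit signature targets the host's server software and OS."""
    target = SIGNATURE_TARGETS.get(sig)
    asset = assets.get(host)
    if not target or not asset:
        return False  # unknown platform: treat as unconfirmed, never as safe
    return (asset["server"], asset["os"]) == target


def pivot_on_source(events, src):
    """Everything else the same source address did across the enterprise."""
    mine = [e for e in events if e["src"] == src]
    return {
        "fw_denies": sum(1 for e in mine if e["sensor"] == "fw" and e["action"] == "deny"),
        "ids_alerts": sum(1 for e in mine if e["sensor"] == "ids"),
        "port80_attempts": sum(1 for e in mine if e["dport"] == 80),
        "targets": sorted({e["dst"] for e in mine}),
    }


if __name__ == "__main__":
    for hit in correlate(EVENTS):
        print(hit, "platform match:", signature_matches_asset(hit["sig"], hit["target"]))
        print(pivot_on_source(EVENTS, hit["attacker"]))
```

Note that the second high-severity alert (from a different source, with no prior probe) does not fire the rule; that is exactly the filtering the analyst relied on, and the platform check is what turns "exploit signature seen" into "this exploit is relevant to this host". The pivot result (firewall denies, probes of other hosts) is what justified the note that several servers might have been impacted.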
The analyst then searched for all events involving the attacked web server. No
suspicious activity had originated from it. However, since the server was not a
business-critical asset, it was possible to take it offline for investigation. This
decision was recorded in the Containment section of the incident case and the
server was taken offline.
The detailed server investigation that followed did not reveal any signs of a
successful compromise. However, the server logs contained evidence of
multiple failed exploit attempts. The server was also found to be missing several
critical patches, which the attacker apparently had not discovered. It was decided
to patch the server ahead of the regular maintenance window and to return it
online. It was also decided to increase the logging level on the server. The
respective note was made in the Mitigation section of the incident case and the
above steps were performed.
After the server was returned to operation, the analyst assigned the case to
the incident manager, who had the authority to review the performed steps and to
close the case. The manager added several notes to the Follow-up section, which
suggested that servers in that subnet be scanned for vulnerabilities more often.
The case was then closed.
Common Mistakes of Incident Response
While many organizations are on the path towards organizing their incident
response, many pitfalls lie in wait for them on the way to incident management
nirvana. This section summarizes several mistakes that companies make in their
security incident response.
#1. Not having a plan
The first mistake is simply not creating an incident response plan before incidents
start happening. Having a plan in place (even one that is not fully thought through)
makes a world of difference! Such a plan should cover all the stages of the incident
response process, from preparing the infrastructure to first response all the way to
learning the lessons of a successfully resolved incident.
If you have a plan, then after the initial panic phase, ('Oh, my, we are being
hacked!!!') you can quickly move into a set of planned activities, including a
chance to contain the damage and curb the incident losses. Having a checklist to
follow and a roster of people to call is of paramount importance in a stressful
post-incident environment.
To jump-start the planning activity one can use a ready-made methodology, such
as SANS Institute 6-step incident response process, covered above. With a plan
and a methodology your team will soon be battle hardened and ready to respond
to the next virus faster and more efficiently. As a result, you might manage to
contain the damage to your organization.
#2. Failing to increase monitoring and surveillance
The second mistake is not deploying increased monitoring and surveillance after
an incident has occurred. This is akin to shooting yourself in the foot during the
incident response. Even though some companies cannot afford 24/7 security
monitoring, there is no excuse for not increasing monitoring after an incident has
occurred.
At the very least, one of the first things to do after an incident is to crank up all
the logging, auditing and monitoring capabilities in the affected network and
systems. This simple act has the potential to make or break the investigation by
providing crucial evidence for identifying the cause of the incident and resolving
it. It often happens that later in the response process, the investigators discover
that some critical piece of log file was rotated away or an existing monitoring
feature was forgotten in an 'off' state. Having plenty of data on what was going
on in your IT environment right after the incident will not just make the
investigation easier, it will likely make it successful.
Another side benefit is that increased logging and monitoring will allow the
investigators to confirm that they have indeed followed the established chain of
custody.
#3. Being unprepared for a court battle
The third mistake is often talked about, but rarely avoided. Some experts have
proclaimed that every security incident needs to be investigated as if it will end
up in court. In other words, maintaining forensic quality and following the
established chain of custody needs to be assured during the investigation.
Even if the case looks as if it will not go beyond the suspect's manager or the
human resources department (in the case of an internal offense) or even the
security team itself (in many external hacking and virus incidents), there is
always a chance that it will end up in court. Cases have gone to court after new
evidence was discovered during an investigation, and, what was thought to be a
simple issue of inappropriate Web access became a criminal child pornography
case.
Moreover, while you might not be expecting a legal challenge, the suspect might
sue in retaliation for a disciplinary action against him or her. A seasoned incident
investigator should always consider this possibility.
In addition, following a high standard of investigative quality always helps since
the evidence will be that much more reliable and compelling, if it can be backed
up by a thorough and well-documented procedure.
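Mistakes #2 and #3 meet in one practical first step: snapshot the logs of the affected hosts before they rotate away, and record what was taken, by whom, when and with which hashes, so that the copies can later be shown to be unaltered. The following is an example added by the editor and is not from the paper; the log directory, the log lines, the case identifier and the collector name are constructed so that it runs offline in a temporary directory:

```python
"""Preserve logs from an affected host and keep a hashed evidence manifest.

Added example (editor's code, not from the paper). The log directory, log
lines, case identifier and collector name are constructed for the demo.
"""
import hashlib
import json
import os
import shutil
import tempfile
from datetime import datetime, timezone


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def preserve_logs(log_dir, evidence_dir, collector, case_id):
    """Copy every file under log_dir (rotated files included) into evidence_dir,
    verify each copy and write a manifest with per-file SHA-256 hashes."""
    os.makedirs(evidence_dir, exist_ok=True)
    entries = []
    for root, _dirs, files in os.walk(log_dir):
        for name in sorted(files):
            src = os.path.join(root, name)
            rel = os.path.relpath(src, log_dir)
            dst = os.path.join(evidence_dir, rel)
            os.makedirs(os.path.dirname(dst), exist_ok=True)
            shutil.copy2(src, dst)  # copy2 keeps the original mtime
            digest = sha256_file(dst)
            if digest != sha256_file(src):
                raise RuntimeError("copy mismatch for %s" % rel)
            entries.append({"file": rel, "sha256": digest,
                            "size": os.path.getsize(dst),
                            "mtime": os.path.getmtime(src)})
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "source": os.path.abspath(log_dir),
        "files": entries,
    }
    manifest_path = os.path.join(evidence_dir, "MANIFEST.json")
    with open(manifest_path, "w") as f:
        json.dump(manifest, f, indent=2, sort_keys=True)
    # Hash of the manifest itself goes into the case record, outside this tree.
    manifest["manifest_sha256"] = sha256_file(manifest_path)
    return manifest


def verify_evidence(evidence_dir):
    """Re-hash every preserved file against the manifest; returns the files
    that are missing or no longer match (an empty list means intact)."""
    with open(os.path.join(evidence_dir, "MANIFEST.json")) as f:
        manifest = json.load(f)
    bad = []
    for entry in manifest["files"]:
        path = os.path.join(evidence_dir, entry["file"])
        if not os.path.exists(path) or sha256_file(path) != entry["sha256"]:
            bad.append(entry["file"])
    return bad


def demo():
    """Build a constructed log tree, preserve it, then alter one copy to show
    that verification reports the change. Returns (manifest, before, after)."""
    work = tempfile.mkdtemp()
    log_dir = os.path.join(work, "var_log")
    os.makedirs(os.path.join(log_dir, "httpd"))
    # Constructed sample lines in common log format; not real traffic.
    with open(os.path.join(log_dir, "httpd", "access_log"), "w") as f:
        f.write('203.0.113.7 - - [14/Mar/2006:02:11:40 +0000] "HEAD / HTTP/1.0" 200 -\n')
        f.write('203.0.113.7 - - [14/Mar/2006:02:14:02 +0000] "POST /cgi-bin/x HTTP/1.0" 400 -\n')
    with open(os.path.join(log_dir, "httpd", "access_log.1"), "w") as f:
        f.write('198.51.100.9 - - [13/Mar/2006:23:59:58 +0000] "GET / HTTP/1.0" 200 512\n')
    evidence = os.path.join(work, "evidence")
    manifest = preserve_logs(log_dir, evidence, collector="analyst-on-duty", case_id="CASE-0001")
    before = verify_evidence(evidence)
    with open(os.path.join(evidence, "httpd", "access_log"), "a") as f:
        f.write("tampered\n")
    after = verify_evidence(evidence)
    shutil.rmtree(work)
    return manifest, before, after


if __name__ == "__main__":
    m, before, after = demo()
    print("manifest", m["manifest_sha256"], "intact:", before, "after tampering:", after)
```

The value returned in manifest_sha256 is what belongs in the incident case at collection time (the case system, a signed message, or a printed and initialed sheet). verify_evidence only checks the files against the manifest, so that out-of-band record is what protects the manifest itself; taking the copies with copy2 preserves the original timestamps, which is what an investigator later has to testify about.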
#4. Putting it back the way it was
The fourth mistake is reducing your incident response to "putting it back the way
it was". This often happens if the company is under deadline to restore the
functionality. While this motive is understandable, there is a distinct possibility
that failing to find out why the incident occurred will lead to repeat incidents, on
the same or different systems.
For example, in the case of a hacking incident, if an unpatched machine that
was compromised is rebuilt from the original OS media, but the exploited
vulnerability is not removed, the hackers are very likely to come back and take it
over again. Moreover, the same fate will likely befall other exposed systems.
Thus, while returning to operation might be the primary goal, don't lose sight of
the secondary goal: figuring out what happened and how to prevent it from
happening again. It feels bad to be on the receiving end of a successful attack,
but it feels much worse to be hit twice by the same threat and have your defenses
fail both times.
Incident response should not be viewed as a type of "firefighting" although you’d
fight plenty of fires in the process. It can clearly help in case of a fire, but it can
also help prevent fires in the future.
#5. Not learning from mistakes
The final mistake sounds simple, but it is all too common. It is simply not learning
from mistakes! Creating a great plan for incident response and following it will
take the organization a long way toward securing the company, but what is
equally important is refining your plan after each incident, since the team and the
tools might have changed over time.
Another critical component is documenting the incident as it is occurring, not just
after the fact. This assures that the "good, the bad and the ugly" of the handling
process will be captured, studied and lessons will be drawn from it. The results of
such evaluations should be communicated to all the involved parties, including IT
resource owners and system administrators.
Ideally, the organization should build an incident-related knowledge base, so that
procedures are consistent and repeatable in practice. The latter is very
important for regulatory compliance as well and will help satisfy some of the
Sarbanes-Oxley requirements for auditing the controls over information.
Conclusion
While the above cases are simplistic in nature, they readily show the need for any
security management system to have not only an incident response plan but also
an integrated incident handling system, so that the plan is actually carried out
completely and effectively. Having a highly efficient plan helps organizations
save money by limiting the impact of security incidents on the core business and by
making better use of existing security infrastructure investments. Overall,
the SANS process gives structure to the otherwise chaotic incident
response workflow. It defines the steps that can then be followed precisely even
under incident-induced stress.
In fact, many of the above steps may be built from pre-defined procedures.
Following the steps will then be as easy as selecting, and sometimes customizing,
the procedures for each case at hand. The incident handling workflow will become
more streamlined, and the crucial steps will neither be missed nor left
undocumented. Using pre-defined procedures also helps train the incident response
staff on the proper actions for each process step. An automated system may be
built to keep track of the response workflow, to suggest proper procedures for
the various steps and to securely handle incident evidence. Additionally, such a
system will facilitate collaboration between the various response team members,
who can share the workload for increased operational efficiency.
What is even more important, monitoring incident resolution activities allows the
organization to implement effective security metrics. It is one thing to count
the number of alerts or events flowing from various sensors, but to take security
assessment to the next level one needs to measure the performance of the
whole security process, involving both people (such as security team members
working on the incident cases) and technologies.
ABOUT THE AUTHOR:
This is an updated author bio, added to the paper at the time of reposting in
2009.
Dr. Anton Chuvakin (http://www.chuvakin.org) is a recognized security expert in
the field of log management and PCI DSS compliance. He is an author of books
"Security Warrior" and "PCI Compliance" and a contributor to "Know Your Enemy
II", "Information Security Management Handbook" and others. Anton has
published dozens of papers on log management, correlation, data analysis, PCI
DSS, security management (see the list at www.info-secure.org). His blog
http://www.securitywarrior.org is one of the most popular in the industry.
In addition, Anton teaches classes and presents at many security conferences
across the world; he recently addressed audiences in United States, UK,
Singapore, Spain, Russia and other countries. He works on emerging security
standards and serves on the advisory boards of several security start-ups.
Currently, Anton is developing his security consulting practice, focusing on
logging and PCI DSS compliance for security vendors and Fortune 500
organizations. Dr. Anton Chuvakin was formerly a Director of PCI Compliance
Solutions at Qualys. Previously, Anton worked at LogLogic as a Chief Logging
Evangelist, tasked with educating the world about the importance of logging for
security, compliance and operations. Before LogLogic, Anton was employed by a
security vendor in a strategic product management role. Anton earned his Ph.D.
degree from Stony Brook University.
Glossary
Security event is a single observable occurrence as reported by a security device
or application or noticed by the appropriate personnel. Thus, both an IDS alert and
a security-related helpdesk call qualify as security events.
Security incident is an occurrence of one or several security events that have the
potential to cause undesired functioning of IT resources or other related
problems. This limits our discussion to information security incidents, which
cover computer and network security, intellectual property theft and many other
issues.
Incident response (or IR) is the process of identification, containment, eradication
and recovery from computer incidents performed by a responsible security team.
It is worthwhile to note that the security team might consist of just one person,
who might only be a part-time incident responder. However, whoever takes part
in dealing with the incident consequences implicitly becomes part of the incident
response team, even if no such team formally exists in the organization.
Incident case is a collection of evidence and associated workflow related to a
security incident. Thus, the case is a history of what happened and what was done,
together with the evidence supporting both. It might include various documents
such as reports, security event data, results of audio interviews, image files and
so on.
Incident report is a document prepared as a result of an incident case
investigation. Incident report might be cryptographically signed or have other
assurances of its integrity. Most incident investigations will result in the report
submitted to appropriate authorities (either internal or outside the company),
which might contain some or even all data associated with the case.
It is worthwhile to note that the term evidence, as used throughout this chapter,
denotes any data discovered in the process of incident response.