This is part 2 of a 2-part blog series on how Incident Response is changing. Here's part one.
The changing threat landscape forced an evolution in incident detection & response (IDR) that encompasses changes in tools, process, and people. While in 2005 we could get away with basic detection and a “pave and re-image” approach, 2016 sees us needing complex detection methodologies, backed by powerful software and hardware, that let experts drive the IDR lifecycle.
One of my go-to analogies to help people understand the need to evolve cyber IDR programs is to point to the evolution of banks (yes, the paper money kind!). In the early days, you just needed a bandana to hide your identity and a six-shooter to be handed the cash. Banks could reasonably protect money using basic safes, little physical protection, and a tough sheriff in town. Today, the serious bank robber is an expert in electronics, locks, and deception. Banks have evolved to create layers upon layers of physical security, monitoring, alarms, and SWAT teams to help protect the valuables. That is exactly what happened between 2005 and 2016 in the IDR space, but we need to continue to evolve.
When we look at the areas of importance for modern IDR programs, we speak of: preparation, detection, validation, response, containment, and recovery. Let's now examine these based on our 2005-to-2016 timeline.
Breach preparation in 2005 vs. 2016
In 2005, very little was done to proactively secure the attack surface, as the focus was mostly on availability of systems and speeding up business processes. Very few organizations proactively conducted breach response exercises, and even fewer thought that a cyber attack against them was a concern.
In 2016, the best IDR programs have:
- Implemented defense in depth principles in their network infrastructure
- Cataloged, organized, and restricted their data following least privilege principles
- Actively managed their exposure through attack surface management
- Rehearsed the technical, coordination, and communication aspects of breach detection and response
Incident detection and validation in 2005 vs. 2016
The nature of the changes in incident detection and validation comes from the changes in the number of organizations processing data of value to attackers, the expanding number of determined attackers, and the motivations behind the breaches. In 2005, most organizations didn't have to worry much about being the victim of a targeted breach using unknown vulnerabilities, malware, and tools.
In 2016, you don't even need to have valuable data to experience a targeted breach, you just need to promote ideologies that are different than the bad guys'. In 2016, the best IDR programs have:
- Technology to detect threats across the entire ecosystem, from the endpoint (including mobile devices) to the cloud-based services and applications outside of the network walls
- Technology to validate machine driven threat detection on the endpoint and the network
- Threat detection methodologies that include tailored and timely threat intelligence, behavior analytics, and data analytics
- Subject matter expertise that covers attacker methodology, malware analysis, endpoint analysis, network analysis, data visualization, and automation
- Defined and rehearsed processes for threat detection, validation, and escalation
- Metrics to measure and improve performance
Breach response in 2005 vs. 2016
One of the best aspects of breach response is that there is no typical day at the office. Attackers are constantly learning new techniques, creating new tools, and devising new ways of persisting in victim environments. As such, incident response is in a constant state of change as investigative techniques adapt to attacker techniques.
In 2016, the best IDR programs have:
- Technology that enables detailed analysis of endpoint, network, and logs
- Subject matter expertise that covers forensic analysis, incident management, incident coordination, and incident communications (in addition to the expertise from the incident detection and validation section)
- A breach response plan that covers all aspects of response activities ranging from technical analysis to restoring normal business operating processes
Breach containment and recovery in 2005 vs. 2016
The last, and least prepared for, aspect of IDR is how quickly you can contain a breach and restore normal business operating processes. In 2005, computers were a critical component of business, but today, they're a critical component of our entire lives. In 2005, containing a threat most often required removing a system from the network, and recovery was difficult due to storage capacities and older technology.
In 2016, containing a threat can be done remotely, and help desk teams have system imaging processes and data restoration processes that can return a user's machine in a day. In 2016, the best IDR programs have:
- Technology to contain threats at the endpoint, on the network, and in the identity management system
- System imaging and data backup/restore processes for servers and workstations
- A tested and rehearsed disaster recovery program
The IDR industry is no different from any other industry (including law enforcement) aimed at thwarting criminals. We evolve based on the threat that we are facing. Today that threat has a massive footprint, cutting-edge technology, and the ability to adapt to any challenge it encounters. As such, our approach to IDR must implement programs that are flexible and adaptive enough to keep up.