By: Tom Skoog, Cybersecurity & Data Management Practice Leader
Last month, we introduced the concept and importance of Incident Response Plans as part of overall cybersecurity. As stated previously, the National Institute of Standards and Technology (NIST) has developed a framework (Special Publication 800-61, the Computer Security Incident Handling Guide) that all incident response plans should consider. It describes an incident response lifecycle of four phases:
- Preparation
- Detection & Analysis
- Containment, Eradication & Recovery
- Post-Incident Activity
Last month, we discussed one portion of the Preparation stage in particular: the response plans and strategies for each type of incident you expect to face (e.g., data breach, ransomware, system outage). In other words, "What are you going to do if X happens?" Other aspects of the Preparation stage include policy, communication, documentation, the response team, training, and tools.
Ransomware Incident Response Plan – Detection & Analysis
This month we are focusing on the next phase of the response plan, Detection and Analysis. This encompasses having the proper technology, people, and process to detect when incidents occur and then to analyze how critical each one is.
- Technology – to collect the large volume of audit records and logs created by your various technology assets and correlate events across those sources
- People – who are skilled in judging the criticality of an event and the proper response action for each type of incident
- Process – to ensure that all stakeholders are properly involved in the decisions, and that those decisions are made quickly
Thousands of "events" occur within your systems daily, and most of them are not cybersecurity incidents: a CPU processing interruption, an application hung on stale cached data, memory or disk filling up, and so on. NIST draws this distinction deliberately: an event is any observable occurrence in a system or network, while an incident is an event that violates, or imminently threatens to violate, your security policy. When security incidents do present themselves, the evidence is typically recorded across a series of logs: in your firewall, on your servers, in your email system, in the operating systems of your servers and workstations, in your anti-virus or endpoint protection software, and in any other detection technologies you have implemented.
The challenge with identifying incidents in these logs manually is that you must review reams of output to find the needle in the haystack. What appears innocuous in one source (e.g., a user mistyping their password a couple of times on their workstation) may in fact be tied to events in other logs, such as the same account failing repeatedly against the VPN from an unfamiliar address and then succeeding, or reading unusual file shares minutes later, and together those events indicate a cyberattack.
More organizations are installing detection software known as Security Information and Event Management (SIEM) tools and then establishing a Security Operations Center (SOC) to monitor the SIEM 24 hours a day, 7 days a week. Many companies, particularly smaller ones, outsource this activity to a managed security service provider that specializes in system and network monitoring. Such providers have expertise in using SIEM technology to correlate events across your network and systems and in filtering out "false positives", so that you are alerted only to events that pose a risk to the confidentiality, integrity, or availability of your data or systems.
When establishing your detection and analysis capabilities, consider the following elements and include them in your incident response plan.
- Monitoring all sensitive IT systems and infrastructure elements (firewalls, switches, storage area network, domain controllers, etc.)
- Analyzing events from multiple sources, including log files, error messages, and alerts from security tools
- Identifying an incident by correlating data from multiple sources and reporting it as soon as possible
- Notifying Cybersecurity Incident Response Team members and establishing communication with a designated command center (e.g., senior management, IT operations)
- Documenting everything incident responders observe and do, with timestamps, from the first alert onward, so the record answers the who, what, when, where, why, and how questions
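As an added illustration of the correlation the article describes (this is example code, not the author's or any SIEM vendor's; the log formats, host names, user names, addresses, file paths, thresholds and the year for the syslog-style VPN lines are all constructed assumptions), the following Python normalizes three unrelated log sources into one event schema, lets a couple of mistyped passwords pass without an alert, and raises one only when repeated failures are followed by a success and then by bulk file access, keeping the evidence for the responders' who/what/when/where record:

```python
"""Cross-source log correlation for the Detection & Analysis phase. Added example,
not the article's or any SIEM vendor's code; every log line, host, user, address
and path below is constructed, and the year for the syslog-style VPN lines is assumed."""
import re
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta

ASSUMED_YEAR = 2024  # classic syslog timestamps carry no year
# Constructed samples: alone, jdoe's two failed workstation logons look like a
# mistyped password; the evening VPN burst followed by file-share reads does not.
WORKSTATION_LOG = """\
2024-03-04T08:01:10 host=WS-114 event=LOGON_FAILED user=jdoe src=10.0.5.23
2024-03-04T08:01:35 host=WS-114 event=LOGON_FAILED user=jdoe src=10.0.5.23
2024-03-04T08:02:02 host=WS-114 event=LOGON_OK user=jdoe src=10.0.5.23
"""
VPN_LOG = """\
Mar  4 22:40:01 vpn-gw1 sslvpn: user=jdoe result=FAIL from=203.0.113.77
Mar  4 22:40:09 vpn-gw1 sslvpn: user=jdoe result=FAIL from=203.0.113.77
Mar  4 22:40:15 vpn-gw1 sslvpn: user=jdoe result=FAIL from=203.0.113.77
Mar  4 22:40:33 vpn-gw1 sslvpn: user=jdoe result=SUCCESS from=203.0.113.77
"""
FILE_SERVER_LOG = """\
2024-03-04 22:44:10 FS01 user=jdoe action=READ path=finance/Q1-payroll.xlsx
2024-03-04 22:44:12 FS01 user=jdoe action=READ path=finance/bank-accounts.xlsx
2024-03-04 22:44:19 FS01 user=jdoe action=READ path=hr/employee-ssn.csv
2024-03-04 22:44:22 FS01 user=jdoe action=READ path=hr/salaries.xlsx
2024-03-04 22:44:27 FS01 user=jdoe action=READ path=legal/contracts.zip
"""

@dataclass(frozen=True)
class Event:  # common schema every source is normalized into before correlation
    ts: datetime
    source: str  # log the event came from
    host: str
    user: str
    kind: str    # LOGON_FAILED | LOGON_OK | FILE_READ
    where: str   # source address for logons, path for file access
@dataclass
class Alert:
    user: str
    ts: datetime
    severity: str
    summary: str
    evidence: list = field(default_factory=list)  # who/what/when/where for responders
WS_RE = re.compile(r"(?P<ts>\S+) host=(?P<host>\S+) event=(?P<kind>\S+) user=(?P<user>\S+) src=(?P<where>\S+)")
VPN_RE = re.compile(r"(?P<ts>\w{3}\s+\d+ [\d:]{8}) (?P<host>\S+) sslvpn: user=(?P<user>\S+) result=(?P<res>\S+) from=(?P<where>\S+)")
FS_RE = re.compile(r"(?P<ts>\S+ \S+) (?P<host>\S+) user=(?P<user>\S+) action=\S+ path=(?P<where>\S+)")

def parse_ts(raw):
    """ISO timestamps parse directly; syslog ones need the assumed year prepended."""
    if raw[:2].isalpha():
        return datetime.strptime(f"{ASSUMED_YEAR} {' '.join(raw.split())}", "%Y %b %d %H:%M:%S")
    return datetime.fromisoformat(raw)

def normalize(log, source, pattern, kind_of):
    """Parse one source's native format into Events (a SIEM's normalization step).
    kind_of maps a matched line to its event kind."""
    return [Event(parse_ts(m["ts"]), source, m["host"], m["user"], kind_of(m), m["where"])
            for m in map(pattern.match, log.splitlines()) if m]

def detect_guessing_success(events, threshold=3, window=timedelta(minutes=5)):
    """Rule 1: at least `threshold` failed logons for one (user, address) inside
    `window`, then a success from the same pair. One or two typos never fire."""
    failures = defaultdict(list)  # (user, address) -> recent failed-logon Events
    alerts = []
    for e in sorted(events, key=lambda e: e.ts):
        if e.kind not in ("LOGON_FAILED", "LOGON_OK"):
            continue
        key = (e.user, e.where)
        recent = [f for f in failures[key] if e.ts - f.ts <= window]
        if e.kind == "LOGON_FAILED":
            failures[key] = recent + [e]
            continue
        if len(recent) >= threshold:
            alerts.append(Alert(e.user, e.ts, "medium", f"{len(recent)} failed logons then "
                                f"success for {e.user} from {e.where} on {e.host}", recent + [e]))
        failures[key] = []  # a success resets the counter either way
    return alerts

def escalate_on_bulk_access(alerts, events, min_reads=5, window=timedelta(hours=1)):
    """Rule 2: a flagged account that then reads many files inside `window` is being
    used, not merely tested; raise severity and attach the reads as evidence."""
    for a in alerts:
        reads = [e for e in events if e.kind == "FILE_READ" and e.user == a.user
                 and a.ts <= e.ts <= a.ts + window]
        if len(reads) >= min_reads:
            a.severity = "high"
            a.summary += f"; {len(reads)} file reads on {reads[0].host} within the hour"
            a.evidence.extend(reads)
    return alerts

def run_detection():
    events = (normalize(WORKSTATION_LOG, "workstation", WS_RE, lambda m: m["kind"])
              + normalize(VPN_LOG, "vpn", VPN_RE,
                          lambda m: "LOGON_OK" if m["res"] == "SUCCESS" else "LOGON_FAILED")
              + normalize(FILE_SERVER_LOG, "fileserver", FS_RE, lambda m: "FILE_READ"))
    return escalate_on_bulk_access(detect_guessing_success(events), events)
```

Running `run_detection()` returns a single high-severity alert for jdoe, carrying the three VPN failures, the success, and the five file reads as evidence, while the two workstation failures produce nothing. The thresholds and windows are the knobs a SOC tunes to trade missed detections against false positives; a production SIEM adds per-user baselines (usual hours, usual source addresses) on top of fixed rules like these.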
The next article in the series will discuss the third phase of the incident response plan, Containment and Eradication (NIST groups Recovery with it): how do you keep the incident from spreading to other portions of your network, and how do you get rid of it?
If you would like to discuss incident response planning in more detail, reach out to Tom Skoog, Cybersecurity and Data Management Practice Leader at firstname.lastname@example.org.