Developing a Tailored Incident Response for All Types of Attacks


Does your IT security team react to a malware attack in the same way as they would a phishing attack? Do they proceed any differently when unauthorized user access occurs? How about a denial of service attack?

When organizations are hit by external cyberattacks or internal breaches, many IT security teams react ad hoc, with a response plan defined on the fly from a limited view of what is happening and of the resources available. They formulate the plan as they go and hope to limit the damage as much as possible.

Others proactively create a generic incident response plan—where they document the process, the required resources and key decision-makers. But such plans often fall short of success when considering the many different attack types, a few offered here as examples:

  • Malware
  • Virus
  • Elevation of Privilege
  • Unauthorized Access
  • Root Access
  • Phishing
  • Improper Usage
  • Denial of Service
  • Data Theft

To ensure sufficient mitigation that enables your business to limit the extent to which business assets, sensitive information and intellectual property are compromised—and to return IT operations back to normal as quickly as possible—specific workflows for each type of attack are required. Only then can the IT security team follow the most efficient incident response process applicable and gain access to the necessary resources at the right time—both in terms of investigation and repair as well as communication and decision-making along the way.

Ideally, the incident response workflow for each attack type should cover all seven steps below. They expand the four phases of the NIST incident response life cycle [1] (Preparation; Detection and Analysis; Containment, Eradication and Recovery; Post-Incident Activity) into separately assignable steps:

  • Prepare: establish your incident response capabilities while preventing as many incidents as possible by ensuring systems, networks and applications are sufficiently secure.
  • Detect: determine when incidents occur as well as the type and extent of each attack.
  • Analyze: validate each incident and rapidly perform analysis to determine the scope of the problem.
  • Contain: isolate, disconnect or disable affected systems and functions before the incident consumes more resources or spreads further. The right containment strategy differs by attack type (network-isolating an infected host, purging a phishing message from mailboxes, rate-limiting a flooded service), which is why it needs a per-attack-type workflow and a named decision-maker who can authorize the disruption.
  • Eradicate: eliminate incident components and mitigate exploited vulnerabilities; then remediate still-exploitable vulnerabilities on non-affected systems to prevent similar incidents in the future.
  • Recover: restore systems and confirm normal functioning.
  • Post-Incident Handling: conduct a “lessons learned” engagement to improve security measures and your incident-handling process; update the response workflow(s) accordingly.

In the coming months, this blog series delves into each of these seven steps with details on which actions to take within each step and the resources from the business that need to be assigned to each step. The seven-step approach allows your company to prevent many attacks and mitigate those that occur so that business operations are not affected and/or return to normal as quickly as possible.
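As an added illustration that is not part of the original post and not code from the CyberSponse platform: a small Python model of the approach above, in which each attack type gets its own workflow that maps all seven lifecycle steps to concrete actions, an owning role, and a decision-maker, and a lint check reports the gaps a generic plan leaves before an incident rather than during one. The attack types, role names and actions are assumptions made for the example.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from typing import Optional

# The seven lifecycle steps from the post, in execution order.
LIFECYCLE = ("prepare", "detect", "analyze", "contain",
             "eradicate", "recover", "post_incident")


@dataclass
class StepPlan:
    owner: str                            # role accountable for executing the step
    actions: tuple[str, ...]              # concrete, ordered actions for this attack type
    decision_maker: Optional[str] = None  # who authorizes disruptive actions, if anyone


@dataclass
class Workflow:
    attack_type: str
    steps: dict[str, StepPlan] = field(default_factory=dict)

    def add(self, step: str, owner: str, *actions: str,
            decision_maker: Optional[str] = None) -> Workflow:
        """Attach a plan for one lifecycle step; rejects steps outside the model."""
        if step not in LIFECYCLE:
            raise ValueError(f"unknown lifecycle step: {step}")
        self.steps[step] = StepPlan(owner, actions, decision_maker)
        return self


def lint_workflow(wf: Workflow) -> list[str]:
    """Return the gaps that would otherwise be discovered mid-incident."""
    problems: list[str] = []
    for step in LIFECYCLE:
        plan = wf.steps.get(step)
        if plan is None:
            problems.append(f"{wf.attack_type}: no plan for '{step}'")
            continue
        if not plan.owner.strip():
            problems.append(f"{wf.attack_type}: '{step}' has no owner")
        if not plan.actions:
            problems.append(f"{wf.attack_type}: '{step}' lists no actions")
    # Containment disrupts business functions, so the workflow must name who
    # can authorize that before the incident, not during it.
    contain = wf.steps.get("contain")
    if contain is not None and contain.decision_maker is None:
        problems.append(f"{wf.attack_type}: 'contain' names no decision-maker")
    return problems


def phishing_workflow() -> Workflow:
    """Phishing (assumed roles/actions): credentials are at risk, so containment is mail- and identity-centric."""
    return (Workflow("phishing")
        .add("prepare", "security awareness", "run phishing simulations", "deploy report-phish button")
        .add("detect", "SOC analyst", "triage user reports", "correlate mail gateway alerts")
        .add("analyze", "SOC analyst", "extract URLs and attachments", "list recipients and who clicked")
        .add("contain", "messaging admin", "purge message from all mailboxes",
             "block sender domain and URLs at proxy", "reset credentials of users who submitted them",
             decision_maker="IR lead")
        .add("eradicate", "identity admin", "revoke sessions of affected accounts", "remove mailbox forwarding rules")
        .add("recover", "service desk", "restore mailbox access", "watch affected accounts for anomalous logins")
        .add("post_incident", "IR lead", "hold lessons-learned review", "tune mail filtering rules"))


def malware_workflow() -> Workflow:
    """Malware (assumed roles/actions): the host is at risk, so containment is endpoint- and network-centric."""
    return (Workflow("malware")
        .add("prepare", "endpoint engineering", "deploy EDR fleet-wide", "maintain known-good images")
        .add("detect", "SOC analyst", "triage EDR alerts", "correlate with proxy and DNS logs")
        .add("analyze", "malware analyst", "capture sample and memory", "identify C2 indicators and persistence")
        .add("contain", "endpoint engineering", "network-isolate host via EDR", "block C2 indicators at firewall and DNS",
             decision_maker="IR lead")
        .add("eradicate", "endpoint engineering", "remove persistence or reimage", "patch exploited vulnerability fleet-wide")
        .add("recover", "system owner", "restore from known-good image or backup", "verify integrity before reconnecting")
        .add("post_incident", "IR lead", "hold lessons-learned review", "add detections for observed behaviour"))


def generic_workflow() -> Workflow:
    """The one-size-fits-all plan the post warns about: the same vague action for
    every attack type, nobody named to authorize containment, no post-incident step."""
    wf = Workflow("generic")
    for step in ("prepare", "detect", "analyze", "eradicate", "recover"):
        wf.add(step, "IT security team", f"handle {step} per the response plan")
    wf.add("contain", "IT security team", "disconnect affected systems")  # no decision_maker
    return wf


def lint_all(workflows: list[Workflow]) -> dict[str, list[str]]:
    """Lint every workflow; an empty list means the plan is complete."""
    return {wf.attack_type: lint_workflow(wf) for wf in workflows}


if __name__ == "__main__":
    for name, gaps in lint_all([phishing_workflow(), malware_workflow(), generic_workflow()]).items():
        print(name, "OK" if not gaps else gaps)
```

Running the block lints the two tailored workflows clean and reports two gaps in the generic plan: no post-incident step and no decision-maker for containment. In practice the same check can run in CI against playbook definitions so that a workflow cannot be published with a step that has no owner or no actions.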

Just as importantly, the detailed workflows can help you deal with the things you might not otherwise plan for—a near certainty in today’s cyber threat environment.

For more information on developing incident response workflows for your business, visit www.incidentresponse.com. Stay tuned for additional posts in this blog series. 

  [1] NIST Computer Security Incident Handling Guide, Special Publication 800-61 Revision 2.

The post Developing a Tailored Incident Response for All Types of Attacks appeared first on Cybersponse.

About CyberSponse, Inc.
CyberSponse Incorporated, a global leader in cyber security automation & orchestration, helps accelerate an organization’s processes, security operations teams and incident responders. The CyberSponse platform enables organizations to seamlessly integrate, automate and playbook their security tool stack, enabling better, faster and more effective security operations. With a global presence, offering an enterprise platform, Cybersponse enables organizations to secure their security operations teams and environments.