Incident Response Conceptual Overview
During incident response, responders attempt to collect information about a security problem, contact the operational engineers associated with maintenance of affected technology, communicate information to security managers, and prevent further problems from occurring. Frequently, emergency patching of a device will become necessary, which combines the pressures of traditional patch management with short deadlines. Incident Response is the defensive counterpart to hacking. Decisiveness and the ability to focus under pressure are core qualities that an incident responder needs to cultivate. Familiarity with the target systems will be of innumerable value during an incident response, and a wise security manager will make sure that both in-house security staff and potential consultants have some exposure to the target network prior to operational incident response need.
Incident Response Price-Point Considerations
Security Managers often wait until the event of an emergency before beginning procurement of incident response services. This has the unfortunate consequence of reducing their consideration pool usually to the top three or four companies that appear in search engine listings such as Bing or Ask. Another unfortunate side effect of this is that security managers are then forced to pay retail prices at best, or even pay a premium or emergency service rate. A better purchasing strategy is to purchase a service that includes some incident response as a component of a service package. An even better purchasing strategy is to purchase a bank of service hours that may be used to for incident response in the event of an incident, but can be applied to other security services if no incidents occur.
Iron Shields Incident Response Innovations
Business Impact Assessment
While most security consultants tend to focus strictly on technical considerations, Iron Shields is a leader because we are happy to guide our clients through considering the business impact of an intrusion. Not all incidents have the same gravity and security managers will want to be well-informed before they brief senior management. Translating security considerations into business language is an important part of maintaining support from business leaders and reducing interruption of normal business process due to hacker attacks.
Iron Shields proudly employs the trade secret Iron Response method, a selection of advanced incident response techniques that supplement the more general process documented above. Advanced techniques were developed following effective responses to attacks from some of the world's most dangerous hacker gangs, and will be employed for the benefit of our customers in the event of a breach.
Rapid Vulnerability Assessment
Iron Shields has developed a method of Rapid Vulnerability Assessment (RVA), by which an engineer can examine a targeted system and make a determination if the system is likely to prevent obvious vulnerabilities, and specifically, if any easy patches or adjustments can be performed on the system to significantly reduce the likelihood of breach.
Incident Response Service Offerings
If you have been the unfortunate target of a hacking attack, your immediate concern will be to determine the likelihood of a breach. Unfortunately, in some cases, a breach will seem almost certain. You will want to get advice from an external source able to provide reliable information and recommend an effective course of action. Time is of the essence, so decisiveness is an important factor in preventing further disaster. The Iron Shields team successfully responded to one of the world's single largest data breaches, for a client that will, understandably, want to keep the details private. Additionally, we have provided assistance in numerous other breaches and have a good track record of mitigating damages.
Many security managers feel a great responsibility to prevent company employees from stealing data or disrupting business processes through misuse of internal computer access. Security managers will often find peace of mind from having an investigation completed when suspicious events occur. Iron Shields is able to provide on-site counseling in the event that an employer needs to terminate an employee and wants to make sure that due diligence takes place in securing company assets.
Daily operational security needs may require incident response. Malware, for example, is frequently a specter on larger networks, and may become a daily concern. You want to work with a firm that will operate cohesively with your in-house security staff and rank-and-file IT personnel.
Log Audits are an important component of maintaining compliance with FISMA, DISA, PCI, SOX, and HIPAA regulations. Typically, security managers will want a log audit performed in the event of a security incident. Log Auditing is a niche skill, not possessed by most in-house technical staff. Iron Shields is a terrific choice to engage for your periodic or emergency log auditing program.
Conventional Incident Response
Presumably, by the time you call Iron Shields, a serious incident has already been detected. This need not be the case. During a 2010 survey of our clients, 86% of security managers responded that they believed their network was reasonably free of malware or a serious hacker presence. Unfortunately, this is often not the case. During a follow-up assessment, 78% of networks audited contained malware that had not been detected by the in-house staff, even where managers had previously reported that they were confident their network was malware free.
Detection is an important early step in incident response. Incidents that are not detected can certainly lead to breaches. Even after an event has been detected, Iron Shields will participate in detection efforts. This gives us the opportunity to determine if other attacks are taking place simultaneously, in order to prevent security staff from being caught off guard during multi-party attacks.
When an event has been detected during operations, security analysts or operational staff will want to determine if the event is a security incident. It is at this early point that monitoring begins. Often, a hacker will work covertly to reduce the likelihood of detection. As such, it is important to begin collecting information as soon as possible. Traffic data should be collected, logs should be aggregated, and records should be preserved against purgation. Iron Shields will want to be involved in monitoring to make sure that an optimum level of information is available during later analysis.
Monitoring data should be provided to analysts, as well as logs, records relevant to affected systems, and traffic samples. With this data, analysts will attempt to answer several questions, including:
- Is the event indicative of a security incident?
- Is the security incident isolated or part of a broader pattern?
- What level of reconnaissance was performed by attackers?
- Have the intruders gained a beachhead inside of the network?
- What are the identities of the hackers?
- What information is available to suggest a motive for the hackers?
Ideally, enough analysis has taken place to determine the likelihood of a breach of the network defense systems. In the event of a breach, careful effort is required to ensure that malware does not spread further into the network and that hackers are not able to "trampoline" into the most sensitive data. For this, decisiveness is important, as is good communication with support personnel.
Once emergency measures have been taken, several more decisions need to be made. Should senior management be notified of the incident? Should senior technical personnel be diverted from their normal routines to provide assistance? Does the severity of the incident merit an "all-hands-on-deck" response approach? You will feel reassured, receiving good advice and counseling regarding these decisions, from Iron Shields.
Once decisions have been made about whom to notify of the security incident, most of the real work of incident response can begin. Network traffic management is one of the most effective response techniques. Additionally, other equipment including application firewalls, intrusion prevention systems, and antivirus can be tuned to reduce the possibility of serious breach or further spread. In some cases, this equipment will need to be emergency provisioned.
The patch records for any target systems should be consulted to evaluate if any patches need to be applied. Attackers usually have problems breaching a fully patched system—especially where such equipment has been carefully protected behind firewalls or is operated by skilled technicians.
Usually, a forensic process should be established to prevent loss of forensically important information. In-house capability for this can be valuable, but in many cases, security managers will elect to rely principally on consultants for forensic advice and support. Iron Shields is a full scope forensic practitioner and can either assist for forensic service or institute forensic response first hand.