
Incident Response

Why Incident Response?
Breaches cost companies time and money. The longer any vulnerabilities go unresolved, the more extensive the damage to a company. For public companies, each breach affects stock valuation in addition to consumer confidence. The goals of incident response are to:
- Restore operations
- Minimize losses
- Fix vulnerabilities quickly and thoroughly
- Strengthen security to avoid future incidents
ThreatFalcon Incident Response Process
ThreatFalcon will incorporate the following six steps into clients' incident response plans (IRPs) and tailor each step to fit their needs.
1. Preparation
Preparation begins with bringing together a computer security incident response team (CSIRT). Make sure there is team cohesiveness and cooperation: an IRP will only run smoothly if all team members can work together. During this stage, the CSIRT will codify cybersecurity policies in terms of how they relate to the IRP. For example, are there any compliance requirements that would affect the IRP process? Additionally, a risk assessment will help prioritize threats. IRP documentation will include roles, responsibilities, and processes.
2. Identification
Without the protocols and tools in place to identify irregular or fraudulent activity, an IRP will do a company little good. If monitoring or penetration testing tools identify a vulnerability or breach, the CSIRT will document the evidence, type, and severity of the attack. The identification step formalizes the who, what, where, how, and when of the attack. Documentation will also include an analysis of why the attack likely occurred: what was the attacker's goal, and did they reach that goal or only complete one phase of a larger attack?
3. Containment
As soon as a breach is identified, the immediate concern is containing it. An IRP should outline procedures for both short-term and long-term containment. Short-term containment refers to isolating a system or rerouting traffic through a backup system, whatever it takes to halt the intrusion and restore normal operations. Long-term fixes are designed to rebuild the system so that it no longer has the vulnerability. This often takes significant time because of the design, testing, and bring-online phases.
4. Eradication
Eradication targets the root cause of the breach, whether it is a worm or some other kind of malware. Eradication procedures will vary based on the attack. For example, if authentication was the weakness, a company may consider using 2FA or even 3FA; if it was an OS vulnerability, the system should be patched. The key is to fix the problem in such a way that it will not become a recurring issue.
5. Recovery
During recovery, the CSIRT will bring affected systems or devices back online and determine how long those systems will be monitored at a higher level than usual. SANS recommends outlining a timetable for carefully bringing devices and systems back online, how tests will verify functionality, and what tools will be used for monitoring, testing, and validating the systems.
6. Lessons Learned
Hindsight is a valuable thing; it allows you to look back and see the mistakes that led to the breach. Experts recommend conducting a review no later than two weeks after the incident, while details are still fresh in mind. During this phase, documentation should be completed and any areas for improvement in the IRP should be noted.
Get in Touch with Us!
