Incident Response

In order to define “incident response,” you first need to understand what constitutes a security incident. The Verizon report defines an incident as “a security event that compromises the integrity, confidentiality or availability of an information asset.” An incident could be an attack, that is, an intentional attempt to gain unauthorized access to, damage or destroy a network. Or an incident could be a simple accident, such as an employee leaving a company laptop in a cab. An incident may or may not involve a breach, that is, the theft of company information.

Cybersecurity incident response is a formal, organized approach for dealing with all kinds of security incidents. It usually involves an incident response plan (IRP), which lays out the steps that a company should follow after an incident occurs. These plans should include the incident response process for all of the most common types of incidents, including those listed below.

Examples of security incidents

  • Phishing. In a phishing attack, criminals send an organization’s employees a message (usually via email) that includes a malicious attachment or link. The bad news, according to Verizon, is that phishing attacks are on the rise and employees don’t know how to handle them. The median time between when attackers send out a phishing campaign and when the first recipient opens the message is just 1 minute and 40 seconds, and the median time for clicking on the malicious link is just 3 minutes and 45 seconds. Only 3 percent of phishing recipients reported the malicious email.
  • Stolen credentials. The goal of many phishing or malware attacks is to obtain credentials that will allow an attacker to access the organization’s network. In many cases, however, the attackers don’t actually have to “steal” anything: they simply guess the correct password. According to the Verizon report, “63 percent of confirmed data breaches involved weak, default or stolen passwords.”
  • Malware. Malware is a broad category that includes any kind of malicious software. Examples include viruses, trojan horses, rootkits, adware and the increasingly common ransomware. Users can introduce malware into a network in a number of ways, for example, by clicking a malicious attachment in a phishing email, by visiting a malicious Web page or by connecting an infected USB drive or other device to the network.
  • Ransomware. An increasingly common attack vector, ransomware is a type of malware that demands that victims pay a fee in order to remove the malicious code, regain access to files that were encrypted by the ransomware or prevent something unwanted from happening, such as making a victim’s data public. According to Symantec’s Ransomware and Business 2016 Report, security vendors discovered one hundred new malware families last year alone, and the average ransom demand has climbed to $679.
  • Denial of service attacks. In a denial of service (DoS) attack, attackers flood a system, usually a Web server, with so much traffic that legitimate users can no longer access it. Hackers often mount DoS attacks for ideological reasons or to “punish” a person or organization for some activity. For example, last year attackers hit security blogger Brian Krebs with a DoS attack after he published a series of articles on DoS-for-hire services.
  • Web app attacks. Hackers attack organizations’ Web apps in a number of different ways, such as buffer overflows, SQL injection, cross-site scripting and, as already mentioned, DoS attacks. Verizon reported 5,334 incidents of Web app attacks last year, including 908 that resulted in data breaches. Financial services companies are a particularly popular target for Web attacks.
  • Cyberespionage. One of the hardest types of incidents to defend against, cyberespionage occurs when an unauthorized person attempts to infiltrate a system or network in order to gain access to secret information. Often these attacks are perpetrated by a company’s competitors or by nation-states. According to Verizon, “90 percent of cyberespionage breaches capture trade secrets or proprietary information.”
  • Loss or theft of devices. As mobile devices have become more common, organizations have experienced an increase in the loss or theft of devices that contain corporate information or that can access corporate networks. Many of these incidents do not result in a data breach, but organizations often find it very difficult to distinguish between accidents and intentional theft carried out with the goal of infiltrating an organization’s networks.
  • Insider attacks. Organizations sometimes don’t pay enough attention to threats from their own employees or partners’ employees, but Verizon reported that there were 10,489 incidents of “insider and privilege misuse” last year. These attacks can be very difficult to detect and mitigate because insiders often have knowledge that helps them evade an organization’s security measures.

Incident response process

What does an incident response team do? The SANS Institute has identified six steps in the incident response lifecycle:

  1. Preparation. In this phase, organizations set up their policy, response plan, communication, documentation, team, access controls, tools and training.
  2. Identification. This phase involves detecting unusual activity and determining whether or not it qualifies as a security incident.
  3. Containment. Once you determine that an incident has occurred, your next step should be to prevent any additional damage.
  4. Eradication. Next, you should remove any malicious code and repair any damage caused to your systems and networks.
  5. Recovery. After the problem has been eliminated, organizations should bring the affected systems back online slowly and carefully, taking steps to make sure that the incident won’t reoccur immediately.
  6. Lessons learned. Finally, after systems are operating normally again, the team should document the incident and look for ways to harden systems against similar attacks.

Setting up an incident response team

Every organization is different, so the exact mix of personnel on your incident response team will vary depending on your size, industry, likely security threats and other factors. The SANS Institute recommends that you consider including people from the following groups within your organization:

  • Upper level management
  • Information security
  • IT
  • IT auditing
  • Security (the people responsible for physical security at your location)
  • Legal
  • Human resources
  • Public relations
  • Financial auditing

Top tips for maintaining an incident response team

  • Provide clear guidelines on what constitutes a security incident. Everyone needs to understand which sorts of events require a response from the team and which do not. Some incidents, such as a major data breach, may require you to mobilize the entire team, while others, such as a lost laptop, could be handled by one or two people. Make sure those details are documented so that there isn’t any confusion when an incident (or potential incident) occurs.
  • Define team member roles and responsibilities. You should also carefully document what each person will do in response to each type of incident. Getting everything in writing minimizes the chances that a key task will slip through the cracks.
  • Train your team regularly. Make sure your incident response team is up to date on the latest attack vectors and the steps necessary to counter them. That means scheduling training sessions where you go over new security trends and review your incident response plan.
  • Establish and use internal and external communication tools. In the midst of a security incident, you may not have access to all of your usual communications methods. For example, if an intruder has gained access to your internal collaboration platform, you may not want to use that collaboration platform to alert team members, because that would tip off the hacker. A security incident might also be accompanied by a power outage or a loss of cell service that would make it impossible to use some forms of communication. For these reasons, you should establish multiple methods of communication and specify in your plan when to use each.
