This is the second in a three-part series about the important elements of a threat-centric security capability.
The first part of the series focused on the people and skills needed to effectively detect and respond to threats. This second part focuses on the processes that need to be in place in order to respond proactively to threats within an environment. These processes must take into account the changing threat landscape.
Traditional attacks have typically been based on a single technique (DDoS, virus, trojan, file-based) which was consistent across all platforms. Today’s rapidly evolving threats are far more advanced and use more non-linear techniques such as memory-based malware. These attacks will be far more continuous and varied and will involve threat actors with specific goals. A more holistic approach is needed, which revolves around deterrence, detection, response and reporting.
In the deterrence phase, it’s important that everyone in the organization understands what is being delivered, the necessary changes that will need to take place for the correct tooling to be deployed, and the correct reporting process in case an incident occurs and they need to appropriately engage the right teams in an expedient manner.
A good place to start for preparation is the Center for Internet Security Critical Security Controls. These controls are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks and prioritize and focus on a smaller number of actions with high pay-off results.
Examples of these controls include hardening your host environments, implementing patch management and user/account monitoring. Further details can be found at the Center for Internet Security website.
While this list is by no means exhaustive — and organizations may have their own custom policies and procedures — the items on the list represent the minimum defenses an organization should have in place so their security operation center will be able to perform in a threat-centric manner.
Now that you have your environment prepared using the best practices outlined above, your security operation center is ready for action. Keep in mind the Key Incident Response Steps:
- Preparation: gather and learn the necessary tools, become familiar with your environment.
- Identification: detect the incident, determine its scope and involve the appropriate parties.
- Containment: contain the incident to minimize its effect on neighboring IT resources.
- Eradication: eliminate compromise artifacts, if necessary, on the path to recovery.
- Recovery: restore the system to normal operations, possibly via reinstall or backup.
- Wrap-up: document the incident’s details, retain collected data and discuss lessons learned.
In the detection phase, it’s crucial to not only monitor both systems and networks, but to do so in a more proactive manner. The sophisticated attacker will know how to get around traditional methods of defense.
The threat-centric approach will need to be able to detect changes in behavior at both the network and host level. Real-time threat intelligence is key here, along with proactive cyber hunting to detect these changes in behavior. For those looking for more information with respect to detection procedures, this initial security incident questionnaire is a great place to start.
In the response phase, it’s essential that the security operations center personnel be able to proactively respond when threats are observed in the environment. All too often, this step is left to a chain of decision making that is either incomplete or takes too long, ultimately allowing the attacker to succeed.
Speed is essential here. The security operations center must have the ability to immediately respond to threats in the environment through pre-approved actions. These actions should be agreed to by the stakeholders and the operations center. Exceptions to the pre-approved action should be documented and known by operations center personnel.
Finally, proper reporting is essential. This reporting will typically be one of three types — flash, weekly and monthly.
As soon as an incident occurs, a flash report should be issued to the organization’s stakeholders within 90 minutes of the incident. This report will provide details of the activity in the environment that enabled the analyst to determine the threat and its severity. Flash reports are dynamic in nature, and updated in real-time as much as possible.
Weekly reports should detail the threats seen in the environment and their criticality. Monthly reports should summarize what was detailed in the weekly reports as well as provide forward-looking threat intelligence to enable stakeholders to view potential future threats to their environment and adjust the deterrence, detection and response processes to reduce risk of compromise.
Stay tuned for part three of this series, which will focus on the tools used by the security operations center.
Do you have questions about threat-centric security capabilities, or want to learn more about the processes your security operations center should adopt to be threat-centric? Visit Rackspace to find out more about our managed security services and the ways we help businesses stay secure.