Just as firefighters and emergency physicians train to save lives, companies should prepare and train to protect themselves and respond to security incidents. This is increasingly important given the rapidly evolving threat landscape, with targeted cyber attacks by motivated, determined threat actors.
Given this environment, organizations are challenged to evaluate the adequacy of their staff, processes, and technologies to protect, detect, respond and contain incidents caused by advanced attackers.
Preparation is key to implementing an effective protection and response capability. Based on Mandiant’s experience responding to hundreds of security incidents, including the most critical headline-making breaches, organizations should focus on six essential capabilities: governance, communications, visibility, intelligence, response and metrics.
The following are some questions that organizations should consider for each capability:
Does your security organization have the right people, and is it properly organized to respond effectively to security incidents? Are roles and responsibilities clearly defined and documented? Does your staff have the necessary skills, experience, and training? Having an adequately staffed, well-trained security organization is a key component for developing a mature security posture.
Formal and informal communication mechanisms allow effective knowledge transfer between internal staff, internal business areas, relevant service providers, and external entities. A good communication plan not only allows rapid escalation and provides accurate and truthful information, but also ensures that information flows only to the appropriate people and organizations. For example, incorrect or incomplete information provided to the public or the press may cause a significant negative impact and could seriously damage brand and customer confidence.
Does your organization have incident response specialists? Do you have communications and legal experts as part of a communications plan? Are roles and responsibilities clearly defined? When was the last time you tested your incident response communications plan?
Good visibility into your network activity is essential for detecting the potential activities of advanced attackers, much of which commonly goes undetected by traditional security tools such as antivirus or a firewall. Monitoring everything is not feasible, nor is it recommended. Therefore, the organization’s ability to identify and monitor the critical assets and components involved in the processing, storage, and transmission of sensitive information is essential.
Having the capability to detect the presence of advanced persistent threats (APTs) with a minimum of false positives is critical to effectively analyzing the resulting alerts. Many organizations receive a great deal of noise from their SOC or SIEM tools, which negatively impacts visibility because the security team simply cannot analyze hundreds or thousands of alerts per day.
Most organizations prioritize intelligence in order to become familiar with the identity, motivations, and tactics, techniques, and procedures (TTPs) of the attackers. Having good intelligence about attacker identities, motivations and TTPs is key to developing strong capabilities to prevent, detect and respond.
When breaches occur, speed of response is critical to mitigating damage to the organization. Having a response plan developed is not enough; you need to test the plan on a regular basis. In addition, it is highly recommended that organizations have an incident response retainer in place with a cyber-security consulting firm that specializes in responding to advanced attacks. A retainer allows a company to establish in advance the terms and conditions for providing services in the event of a suspected or confirmed breach. This can significantly reduce response time, and reduce the impact of the incident by responding to and containing it quickly.
Companies should use effective cost-benefit metrics to monitor the health and effectiveness of incident response processes and how they contribute to the achievement of information security business goals and objectives. Continuing to assess your effectiveness by using metrics is an essential part of ensuring that your incident response (IR) capabilities are being tested and maintained.
Organizations should look to evolve their approach to security from a compliance-based reactive program to a proactive, business risk-focused program with advanced threat protection. This will help to close the gap between the organization’s capabilities and the attacker's capabilities, reducing the risk of compromise.
Recommendations for evaluating and strengthening your organization’s security posture and becoming breach-ready include:
Analyze your security system