Incident response (IR) is a key process designed to provide context, priority, and ultimately, closure for the events associated with an attack. When enterprise defenses falter, an IR process should give the information security (IS) team enough information to efficiently clean up the mess from a breach. A good IR process reveals the attackers and their motives; a great IR process will consistently prevent serious damage while efficiently conserving enterprise time and resources.
If, however, an IR plan has not been properly designed and implemented, all that will be minimized is the enterprise’s awareness of what is really taking place. In other words, if an enterprise is hoping its malware detection and intrusion detection systems (IDS) will provide the indicators of compromise (IOC) required to meet its IR needs, it had better pray that the malware designed to bypass those detection tools hasn’t already walked away with confidential information.
IR must focus on the breach rather than the attack: IR must establish what is trying to get out, not what is trying to get in. Although the IR process for malware attacks is well understood, breach investigations are often unpredictable and time consuming. Do all incidents require a response of some sort? Absolutely. However, the type of response that is elicited (i.e., its immediacy and its intensity) depends on the level of criticality assigned to an incident. A response might be as simple as having the operations team clean up a malware infection, or it could require an all hands on deck approach to stop information from leaking out through the hole in the perimeter that was created by the malware. A great IR that is listening for the right IOC could be the difference between just another day at the office or having to publicly disclose that information has been lost (and then pay the fines associated with this data loss).
The brief Does it Matter, or Was it Just Noise? explores how traditional IR processes have followed malware detection trends; it also discusses why the current processes need to change and how they can change. By following guidelines within the brief, IS teams could save an enterprise from unwanted front-page headlines, and this should be music to any executive team’s ears.
Follow us on Twitter (@NSSLabs) to keep informed as new research is released.