Navigating Incident Response: A Deep Dive into NIST 800-61 Containment, Eradication, and Recovery
Published On: September 17, 2024
In parts one and two of this blog series, we discussed considerations and strategies your organization can use to solidify the Preparation and Detection and Analysis phases of NIST Special Publication 800-61, Guide for Computer Security Incident Handling. As we move further along the incident response process, we will cover the key considerations and action items your organization can use to efficiently contain, eradicate, and ultimately recover from a cyber incident.
Containment: Limiting the Damage
Once you have successfully identified and analyzed the incident or threat, the next step is containment. This phase focuses on preventing further damage and reducing the incident's overall impact on the organization. Key considerations for effective containment include:
Isolate Affected Systems: Immediately isolate compromised systems to prevent any further lateral movement or spread of the incident. This may involve disconnecting affected devices from the network or implementing additional segmentation to contain the threat. Segmentation need not be limited to the affected systems; depending on the scope of the incident, it may be necessary to segment sensitive or critical assets to prevent further access.
Access Control: Restrict access and privileges for users and accounts that may be involved in the incident or have potentially been compromised by it. This may also include disabling accounts, resetting passwords, or revoking multifactor authentication sessions. Restricting access helps limit the actions a threat actor is able to carry out while the organization works on eradication.
Communication: Establish clear communication protocols and escalation requirements to engage with relevant stakeholders, including internal teams, senior leadership, and external partners. During this phase, it is critical to ensure the proper stakeholders are involved and are included in the decision-making process.
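The Access Control step above, disable the account, reset its credential, and revoke its sessions, written out as a PowerShell containment script. This is an added example and not code from the original post or from K logix; it assumes an on-premises Active Directory reachable through the RSAT ActiveDirectory module, Entra ID access through the Microsoft.Graph module with Connect-MgGraph already completed, and placeholder account names supplied by the incident handler.

```powershell
# Added example, not from the original post: the Access Control containment step
# (disable, reset, revoke) applied to accounts the handler lists as suspect.
# Assumes the RSAT ActiveDirectory module, the Microsoft.Graph module with
# Connect-MgGraph already done (User.ReadWrite.All), and placeholder account names.
param(
    [string[]]$SuspectAccounts = @('jdoe', 'svc-backup'),   # placeholders
    [string]$AuditLog = "C:\IR\containment-$(Get-Date -Format yyyyMMdd-HHmmss).log",
    [switch]$DryRun                                          # rehearse without changing anything
)
New-Item -ItemType Directory -Force -Path (Split-Path $AuditLog) | Out-Null

function Write-Audit {
    param([string]$Message)
    $line = "{0:u} {1}" -f (Get-Date).ToUniversalTime(), $Message
    Add-Content -Path $AuditLog -Value $line   # timestamped trail for the post-incident review
    Write-Host $line
}

function New-RandomPassword {
    # 24 CSPRNG bytes, base64-encoded; the value is never shown or stored, the
    # legitimate owner receives a new credential through the normal process later.
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $bytes = New-Object byte[] 24
    $rng.GetBytes($bytes)
    return (ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force)
}

foreach ($sam in $SuspectAccounts) {
    try { $user = Get-ADUser -Identity $sam -Properties UserPrincipalName -ErrorAction Stop }
    catch { Write-Audit "SKIP $sam not found in AD"; continue }
    if ($DryRun) { Write-Audit "DRYRUN would contain $sam ($($user.UserPrincipalName))"; continue }

    # 1. Disable the account so no new logons succeed.
    Disable-ADAccount -Identity $user
    Write-Audit "DISABLED $sam"

    # 2. Reset the password so a stolen credential stops working.
    Set-ADAccountPassword -Identity $user -Reset -NewPassword (New-RandomPassword)
    Write-Audit "PASSWORD-RESET $sam"

    # 3. Revoke cloud refresh tokens so existing Entra ID sessions, MFA-backed or not, end.
    try {
        Revoke-MgUserSignInSession -UserId $user.UserPrincipalName | Out-Null
        Write-Audit "SESSIONS-REVOKED $sam"
    } catch {
        Write-Audit "ERROR revoking sessions for $sam : $($_.Exception.Message)"
    }
}
```

Kerberos tickets already issued on-premises remain valid until they expire, so this script complements, rather than replaces, the host isolation described in the previous step.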
Eradication: Getting Down to the Root Cause
Now that your organization has established that the incident has been contained, we can move on to the eradication phase, where we are looking to figure out the root cause of the incident and implement a plan of action to prevent any further compromise. Key considerations for effective eradication include:
Patching and Remediation: Identify and patch vulnerabilities that may have been exploited by the threat actor to allow the incident to occur. In some cases, a patch may not exist or is not able to be applied. In this scenario, sufficient compensating controls will need to be implemented. These instances should be documented in a risk register and periodically reviewed.
Malware Removal: If malware is involved, a full scan of all organizational systems will need to take place to uncover all instances of the malware to plan for proper removal. Ensuring that the organization's systems are clean before restoring normal operations is vital to preventing any further infection or spread of malware. In some cases, this may require a complete rebuild of infected systems to ensure complete removal.
Forensic Analysis: Conduct a detailed forensic analysis to understand the tactics, techniques, and procedures (TTPs) used by the threat actor. This information is valuable for improving future incident response capabilities. Organizations should evaluate their internal forensic capabilities and determine whether the skill sets and tool sets needed to perform this task adequately exist in house. If not, a third-party forensic capability should be established and documented within the Incident Response Plan (IRP).
Recovery: Getting Back to Normal
The final phase of NIST 800-61 is recovery, where the organization focuses on restoring normal operations. Key considerations for successful recovery include:
Data and System Restoration: Restore data from clean backups to ensure that the organization's operations can resume without the risk of reintroducing the incident. In some cases, a full system teardown and rebuild may be required before restoring data from backups. During the restoration phase, proper testing should take place to ensure the data restored from backup is valid and ready to use.
Post-Incident Review: Conduct a thorough post-incident review to assess the effectiveness of the incident response process. Identify areas for improvement and update incident response plans accordingly.
Training and Awareness: Provide training for employees to enhance their awareness of security threats and incident response procedures. Using the lessons learned from the incident is a great way to keep the user base informed of current threats and how to remain vigilant to protect against them.
Key Takeaways and Action Items:
Improve Detection Capabilities: Continuous improvement in advanced threat detection tools and monitoring systems is necessary for timely incident detection. In some cases, this may require additional investment in technology or in staffing.
Establish Clear Communication Channels: Communication during an incident needs to be transparent and efficient throughout the incident response process to ensure a coordinated and effective response. Continuous testing of the IRP, as we discussed back in part one of this blog series, is a great way to ensure communication requirements are properly established.
Prioritize and Plan for Rapid Containment: Timely containment of the incident minimizes the potential impact and limits the damage that can be caused by the threat. If not already in place, consider developing playbooks or checklists for first responders to utilize to help facilitate a quick containment process.
Focus on Root Cause Elimination: While eradicating the incident is an important step, without knowing the root cause your organization may be susceptible to a similar attack in the future. This may require third-party expertise to understand the full scope of the incident.
Learn and Improve: Regularly review and update incident response plans based on post-incident assessments, ensuring continuous improvement and adaptability to evolving threats. Members of the incident response team should remain aware of any changes or updates to protocols as they are implemented.
Conclusion:
By following the guidelines outlined in NIST 800-61 during the Containment, Eradication, and Recovery phases, organizations can improve their overall resilience, minimize the impact of incidents, and strengthen their cybersecurity defenses. In a world where the threat actors are always looking for a way to advance their capabilities, organizations need to continuously improve to combat them.
Click here to read part one, part two, and part four.
For more information on how K logix can enhance your Incident Response program, please contact info@klogixsecurity.com.