If you are a security professional, you know this day is coming. The day the security is breached. And you think you have all the relevant processes and procedures in place. Let’s zoom out a little bit. According to NIST, a security incident has five distinct phases: identification, containment, eradication, recovery, and post-mortem. However, when there is an incident, most security teams often jump straight to the eradication phase and skip the phases of identification and containment. When you ask why they do it, according to them it makes sense. The house is on fire, so the fire must be extinguished. But how can you kill a fire if you don’t know what you are dealing with?
During the identification phase, there are two main questions to be answered:
- What kind of attack pattern is used?
- Which assets/users/data are involved?
The answer to the first question is required to contain and eradicate the security incident successfully. While the answer to the second question is required to recover (to reverse the damage if possible) from the security incident.
Now the question is also if you always need to follow these five phases. In my opinion, you should always follow these five phases if the security incident is considered to be large. But large is a vague term but not as vague as you might think it is. In the corporate risk register, certain scales are used to identify the impact of risk (financial, production loss, etc.). If you apply the same scale to security incidents, you only need to agree with the Senior Management when a security incident is considered to be large.
But how can you determine what caused the security incident? The starting point of a security incident is typically an effect (service outage, disruption, etc.) of the security incident. The answer lies within the data the Security Operation Center has collected in their tooling. Based on the available data, you need to identify Patient Zero (initial point of compromise) and Moment Zero (initial moment of compromise). Patient Zero and Moment Zero are needed to determine the scope of what is affected by the security incident. And this might be bigger than the initially reported security incident.
Mind mapping is a useful technique during a large scale security incident investigation
Building the security incident timeline is not an easy task. You need to deal with a massive volume of data and information. Mind mapping is an effective technique to visualize all the dots. When something is visualized, it is typically more straightforward to connect the dots.
But having the tool in place to create a mind map is not enough. You also require tools to analyze the data. Several companies are offering a comprehensive solution for Digital Forensics and Incident Response (DFIR). These solutions can assist you during a large security incident dealing with information overload.
Once you have selected and implemented a DFIR platform, it is critical to ensure it is kept up-to-date and that everyone knows how to operate the various tools a DFIR platform offers.
Do you have implemented a DFIR platform?
Leave a Reply