2018 | Book

Cybersecurity Incident Response

How to Contain, Eradicate, and Recover from Incidents

About this book

Create, maintain, and manage a continual cybersecurity incident response program using the practical steps presented in this book. Don't allow your cybersecurity incident responses (IR) to fall short of the mark due to lack of planning, preparation, leadership, and management support.

Surviving an incident, or a breach, requires the best response possible. This book provides practical guidance for the containment, eradication, and recovery from cybersecurity events and incidents.

The book takes the approach that incident response should be a continual program. Leaders must understand the organizational environment, the strengths and weaknesses of the program and team, and how to strategically respond. Successful behaviors and actions required for each phase of incident response are explored in the book. Straight from NIST 800-61, these actions include:

  • Planning and practicing
  • Detection
  • Containment
  • Eradication
  • Post-incident actions

What You’ll Learn

  • Know the sub-categories of the NIST Cybersecurity Framework
  • Understand the components of incident response
  • Go beyond the incident response plan
  • Turn the plan into a program that needs vision, leadership, and culture to make it successful
  • Be effective in your role on the incident response team

Who This Book Is For

Cybersecurity leaders, executives, consultants, and entry-level professionals responsible for executing the incident response plan when something goes wrong

Table of contents

Frontmatter
Chapter 1. The Significance of Incident Response
Abstract
Effective incident response forms the criteria used to judge cybersecurity programs. Effective protection and detection measures do not matter if the response to an event falls short. Within days of an announcement, news articles criticizing an entity’s response can negatively influence public opinion. Sizable data breaches elicit scrutiny that can last for years. Target became a prime example of this when it suffered a breach in 2014, and Equifax reinforced this fact in 2017. Criticism for not communicating news of the breach and possessing all the answers nagged both entities early in the response process. Equifax’s subsequent missteps beyond communication issues caused the incident response process to appear ineffective. These perceptions survive long after breach recovery has occurred.
Eric C. Thompson
Chapter 2. Necessary Prerequisites
Abstract
Prior to building the incident response program, specific capabilities must exist. At a minimum, these should include adoption of a chosen framework; an understanding of the assets the entity must focus on protecting; documentation of the risks to the confidentiality, integrity, and availability of the assets; and assurance that all fundamental protective capabilities exist. Examples of these capabilities include
  • Access-control processes and restriction of elevated privileges
  • Protection from misuse of data in motion, in use, and at rest
  • Hardening of hardware, based on established standards
  • Understanding and management of vulnerabilities
  • Existence of communication and control network protections (firewalls, etc.)
Eric C. Thompson
Chapter 3. Incident Response Frameworks
Abstract
Initiating the construction or assessment of the incident response program requires a blueprint. Leveraging leading practices and lessons learned from others shortens the incident response learning curve. The National Institute of Standards and Technology (NIST) publishes many documents for cybersecurity practitioners, specifically NIST Special Publication (SP) 800-61, the Computer Security Incident Handling Guide. The guidance in this document addresses the incident response elements required to build a plan and team. This approach removes the guesswork and prevents the program from becoming purely technical in nature. Cybersecurity events and incidents are not just cybersecurity problems but also business problems. Although NIST SPs are designed to ensure compliance by federal agencies, they are considered best practices and are often adopted by industry.
Eric C. Thompson
Chapter 4. Leadership, Teams, and Culture
Abstract
Successful cybersecurity programs are built by strong leaders, developing strong teams and a well-defined culture. Culture contributes to the team purpose and facilitates the behaviors the team exemplifies daily, causing it to succeed. Urban Meyer put it best in his book Above the Line, in which he states that leadership is the difference maker. Cybersecurity programs and incident response teams need strong leadership. The challenges for these groups are many, and leaders guide teams through challenges.
Eric C. Thompson
Chapter 5. The Incident Response Strategy
Abstract
The incident response plan forms the blueprint and strategy for responding to events and incidents. It contains the purpose, scope, definitions, and elements of incident response. Roles and responsibilities, definitions, and escalation steps are common elements addressed in the incident response plan. The purpose presents the team with the “why” behind the plan. Why does the cybersecurity team care about planning for events and incidents? And why will time and money be invested in improving the entity’s ability to respond successfully to incidents? The scope of the plan highlights the authorization given to the incident response team to take necessary steps when dealing with events. Taking systems offline until it is confirmed that nothing malicious occurred will not be popular if business operations are interrupted. Roles and responsibilities dictate who is on the response team and how he or she is expected to act when events are investigated. Definitions are important as well. What is an event, incident, or breach? Outlining these in the plan takes the guesswork and, it is hoped, the debate out of the process. This is particularly important when events are present. Debating these definitions in the early stages wastes precious time.
Eric C. Thompson
Chapter 6. Cyber Risks and the Attack Life Cycle
Abstract
Preparing to handle incidents requires thoughtful planning—planning beyond creating an incident response plan, playbooks, and annual or semiannual testing. With limited time and resources, it makes sense to focus attention on areas in which cybersecurity events are likely to occur. Knowing where to focus is derived by answering the following questions:
  • What risks invite attackers into the network?
  • What attack vectors are likely to be used?
Eric C. Thompson
Chapter 7. Detection and Identification of Events
Abstract
Incident response begins with the detection and identification of events. Detection, a function found in the NIST Cybersecurity Framework, should be deployed based on risks identified and potential attack patterns of known threats. Many of the capabilities discussed in this chapter play roles in other elements of incident response. Several provide automated detection and identification. Automation is desirable when it lowers costs, increases efficiency, and is more reliable than manual processes. A significant use case for automation exists when technology correlates and detects behavior patterns and activity not always seen easily with the human eye. Considering the vast amounts of data produced by entities these days, detection requires automated means to support information security and incident response teams. As nice as automation is, automating everything is not possible, and some form of manual controls must also exist.
Eric C. Thompson
Chapter 8. Containment
Abstract
Containment comes after identifying an event and concluding that action is required to limit its impact. Entities must understand the fundamentals of containment, the steps necessary to gather information on the event’s characteristics, and how to identify the population of affected systems and users and quarantine those systems until the situation is resolved and business is back to normal. These actions are undertaken by internal resources or outside experts. A strategy built around objectives drives containment. The common approach is to identify the symptoms, quarantine the systems, and get back to business as soon as possible. Some approaches seek to confirm attribution to specific attack groups and monitor the attacker’s movements. Another strategy is to quickly identify all affected systems and prepare each for eradication. There may be some cases in which following an attacker’s movements is prudent, but for many organizations, the risk of observing and not acting is high.
Eric C. Thompson
Chapter 9. Eradication, Recovery, and Post-incident Review
Abstract
Eradication is the process of removing all the remnants of a cyberattack. This commences once systems known to be compromised are available to be taken offline, so that eradication can occur. Removing files and reversing registry and configuration changes that malware and attackers made during the attack are addressed. Once all the affected machines are identified and isolated and forensic backups are completed, the company can address the weaknesses exploited by the attackers. These vulnerabilities are patched, and insecure configurations repaired. In some cases, reimaging machines is the best course of action to ensure that the presence of the attack is removed. This is often true when rootkits are involved. Once completed, systems can be brought back online. As systems are restored, the environment is monitored for indicators of the attack reemerging. If indicators resurface, incident responders go back to the drawing board and use playbooks to address containment through recovery again. The final phase is to conduct the post-incident review for lessons learned. These meetings are necessary to discuss what went well during the response, to ensure that good behavior continues, and to identify the improvements needed to secure the effective operation of the program.
Eric C. Thompson
Chapter 10. Continuous Monitoring of Incident Response Program
Abstract
An important characteristic of program maturity is continuous monitoring by management. This means leaders of the program establish performance indicators, aligned with management’s expectations, and these indicators are reviewed regularly. In the Program Review for Information Security Assurance (PRISMA), these actions are captured in the measured and managed categories. Metrics are developed, and management reviews the performance of the program to confirm that it meets the organization’s needs. The National Institute of Standards and Technology (NIST) Special Publication (SP) 800-137 was created to outline how federal agencies should develop continuous monitoring. These guidelines are useful for developing continuous monitoring inside any organization, and they are especially important for monitoring the performance of the incident response program. The key pieces of continuous monitoring include
Eric C. Thompson
Chapter 11. Incident Response Story
Abstract
Following is an incident response story. The principals are an initial response team (IRT); a supplemental initial response team (SIRT), which the Chief Information Security Officer (CISO) and Vice President (VP) of Infrastructure join when events are escalated; the IT and extended initial response team (EIRT), in addition to the CIO and General Counsel; and, finally, an Executive Team that becomes involved once it has been determined that an incident has occurred and business impacts are probable. The team, once alerted to the initial incident, is expected to follow the plan, execute specific playbooks, and communicate internally.
Eric C. Thompson
Chapter 12. This Is a Full-Time Job
Abstract
Cybersecurity, information security, whatever the title in an organization, is a large program made up of several smaller programs. Each has its own objectives and a defined strategy to meet those objectives. The incident response program is no different. Incident response seeks to identify, contain, eradicate, and recover from information security events as quickly as possible, avoiding adverse impacts to the business assets and processes targeted. The leader of the program constructs a strategy for meeting the objectives and deploys resources accordingly.
Eric C. Thompson
Backmatter
Metadata
Title
Cybersecurity Incident Response
Author
Eric C. Thompson
Copyright year
2018
Publisher
Apress
Electronic ISBN
978-1-4842-3870-7
Print ISBN
978-1-4842-3869-1
DOI
https://doi.org/10.1007/978-1-4842-3870-7