Incident response is like tracking down a perpetrator

Find out what is necessary as you respond to a breach

Credit: Thinkstock
What is incident response?

Incident response is like investigating a real burglary. You look for evidence of the intruder at the crime scene, find his targets and his getaway car, and repair any holes. Discover any cuts in your chain-link fence. Take a few steps back for more perspective: what assets are near the compromised fence? Investigate in both directions to find the intruder's target and getaway car. Then fix the fence: resolve any issues and patch vulnerabilities.

Larry Zulch, President and CEO of Savvius, walks us through the crime scene.

Most common incident response problems

Very few incident response investigations go 100 percent smoothly. Some of the most common problems: incident response and security staff are not adequately trained to handle breaches, or the organization is “shellshocked” and paralyzed. Incident response teams sometimes lack the right organizational representation, as well as network or resource visibility. There may also be insufficient skills or tools to perform packet-based network forensics, and no process in place to identify and store “suspicious” packets for later investigation.

… if your team isn’t well prepared, support them!

Understand and accept that breaches will happen. Conduct regular tabletop exercises. Do scenario-based walkthroughs every quarter and allocate budget toward IR and detection.

Solve organizational “shock”

Don’t let shock paralyze the organization when a breach is discovered. Have an action plan ready, and focus on mitigating and resolving the breach. Maintaining internal communication is key: keep all IT security staff and other stakeholders informed.

Make sure your IR team includes:

Make sure your incident response team includes members of the following departments: HR, PR, Legal, Administration, IT and IT security, corporate security and senior management. Don’t leave any teams out in the cold. Consistent communication and sharing of expertise are critical.

Representation of organizational footprint

Get an accurate representation of your digital enterprise now. A network map should include entry points, exit points and the like. Ensure that both IT and IT security have the tools they need.

Perform network and packet forensics

Security analysts are good at correlating events over short periods, as long as the data is available. Now we need to become better at correlating events over long periods of time, since that is how long most breaches take to be discovered. Have experts on speed dial. Have tools that can store “suspicious” packets for long periods.
