“Hmm, that’s strange.”
In the scientific community these words are thought of as the immediate precursor to the ‘Eureka’ moment when something amazing is discovered. In the information technology field, specifically in security, they usually mean something bad is happening.
So you’ve just seen something strange. Perhaps the logs on your VPN server show that a user who’s sitting right next to you has also just logged in from Hong Kong. Or someone on your customer service team notes that they can see an accounting file that no one should have access to. Or maybe that same accounting team is wondering why they can’t open anything and every folder on their shared drive contains the file ‘HELP_DECRYPT.TXT’. Something strange has definitely happened. Is that strange thing an incident? How do you decide? And what do you need to do in case you decide that it is?
The HIPAA security standard defines an incident as:
‘The attempted or successful unauthorized access, use, disclosure, modification, or destruction of information or interference with system operations in an information system.’ (HIPAA Regulation 164.304 – Definitions)
This is a fairly broad definition and could encompass almost any out-of-the-ordinary event on an information system in your organization. So how do you know when it’s time to implement a full incident response plan?
The correct answer is that it’s always time to implement your incident response plan. The nature of the incident may turn out to be such that the bulk of the response can be abbreviated, but you won’t know this until the investigation begins. That’s why you have to start every response the same way.
Incident Response Phases
Incident response is typically broken down into six phases: preparation, identification, containment, eradication, recovery and lessons learned. Most organizations focus mainly on containment, eradication, and recovery and completely skip lessons learned. That last phase is potentially one of the most important.
Preparation is as straightforward as making sure you have a trained incident response team, whether in your employ, on retainer, or at least as someone’s business card in your desk.
An incident is initially identified in any number of ways, but the identification phase also includes investigating the depth of the potential compromise, its source, and its success or failure. Identification is done through review of log files. Lots and lots (and sometimes lots and lots and lots) of log files. The systems involved in the compromise are also examined forensically for additional evidence, often by looking through the hard drive and the contents of memory as they were at the time of the compromise. The important consideration at this point is not to disrupt any potential evidence of the incident. This is where a well-trained response team can be the difference: a well-trained and equipped team will be able to rapidly parse log files, review forensic images, and do so without damaging any evidence in the process.
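The “user next to you also just logged in from Hong Kong” scenario from the opening, turned into the kind of log-parsing check a responder runs during identification. This is an added example, not code from the original post or from Infogressive: the VPN log format, the sample lines and the IP-to-country table are all constructed for illustration and stand in for your real VPN logs and a real GeoIP lookup.

```python
"""Flag accounts with VPN logins from two different countries inside a short window.

Added example: the log format, sample lines and GEOIP table are constructed
for illustration; a real deployment would read the VPN server's own logs and
query a GeoIP database instead of a dictionary.
"""
from datetime import datetime, timedelta

# Constructed sample VPN log: timestamp, event, user, source IP.
SAMPLE_LOG = """\
2024-03-04T09:01:12Z LOGIN user=jdoe src=203.0.113.7
2024-03-04T09:02:40Z LOGIN user=asmith src=198.51.100.22
2024-03-04T09:15:03Z LOGIN user=jdoe src=192.0.2.55
2024-03-04T09:40:00Z LOGOUT user=jdoe src=203.0.113.7
2024-03-04T10:05:00Z LOGIN user=asmith src=198.51.100.23
"""

# Constructed IP-to-country lookup standing in for a GeoIP database.
GEOIP = {
    "203.0.113.7": "US",
    "198.51.100.22": "US",
    "198.51.100.23": "US",
    "192.0.2.55": "HK",
}


def parse_log(text):
    """Return (timestamp, event, user, src) tuples from the constructed format."""
    events = []
    for line in text.splitlines():
        ts, event, user_kv, src_kv = line.split()
        events.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), event,
                       user_kv.split("=", 1)[1], src_kv.split("=", 1)[1]))
    return events


def find_concurrent_logins(text, window=timedelta(hours=1)):
    """Map each user who logged in from more than one country within `window`
    to the sorted list of countries involved. Only LOGIN events count: a
    second login from elsewhere is suspicious even if the first session is
    still open, so LOGOUTs are deliberately ignored."""
    logins = {}
    for ts, event, user, src in parse_log(text):
        if event == "LOGIN":
            logins.setdefault(user, []).append((ts, GEOIP.get(src, "??")))
    flagged = {}
    for user, entries in logins.items():
        entries.sort()
        for i, (t1, c1) in enumerate(entries):
            for t2, c2 in entries[i + 1:]:
                if t2 - t1 <= window and c1 != c2:
                    flagged.setdefault(user, set()).update({c1, c2})
    return {u: sorted(c) for u, c in flagged.items()}


if __name__ == "__main__":
    print(find_concurrent_logins(SAMPLE_LOG))
```

On the constructed log this flags only jdoe (US and HK fourteen minutes apart); asmith logs in twice from the same country and is left alone.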
Containment often happens concurrently with identification or immediately after it. Damaged systems are removed from production, compromised accounts are shut down, and the bleeding stops here.
Eradication is exactly what it sounds like: removing and remediating any damage discovered in the identification phase, normally by restoring systems from backup and re-imaging workstations.
Recovery is the testing of the fixes made in the eradication phase and the transition back to normal operations. Vulnerabilities are remediated, and compromised accounts have their passwords changed or are removed altogether and replaced with more secure methods of access. Functionality is tested and day-to-day business resumes.
Lessons Learned
The last phase is the one that many organizations skip, but it’s arguably the most important for preventing future incidents. Reviewing the steps taken during each phase, and using that review to improve both your incident response capability and your overall security footprint, are the key take-aways from this phase.
Incident response is best performed by people trained and equipped for it, following familiar, proven processes and with full support from leadership within the business. With the advent of cyber-insurance, it’s becoming more and more common for a full response to be required before a claim can be settled.
If you have any questions about cyber incident response, or suspect you may be compromised, contact Infogressive today. We’re ready to help!