Having an Effective Cyber Response Plan
THE RESPONDERS OF INTERNET PROTOCOL RESOURCES, LAYER 9B
The Responders Explained:
The following three (3) steps are extremely important:
Step #1. Getting the right people involved and coordinating your efforts is key to any successful response.
A company must identify a central point of contact or leadership team that has not only the responsibility but also the authority to act. This leadership role must be established to perform the day-to-day analysis of the situation and to make the key decisions. The central point of contact should sit at the highest level of executive management or have the explicit backing of executive management. Define your escalation procedures in advance: who the contacts are and which notification groups are alerted at each stage.
Step #2. Containing the problem while investigating the incident (Containment Mode):
• A determination of the nature of the incident (what happened). Is the attack ongoing, or is it hours or days old?
• Network topology – provide a current and functional understanding of the organization’s network and its flow of data.
• Security setup and configuration (Cloud Service Provider logs, IDS, log servers, router configurations, etc.) – a brief overview of the inventory of computer systems and network components.
• Identification – the physical and logical topology of your network; the objective of the attack; volatile, flow, and stored logs; data at rest, in use, and in motion; captured logs, PCAP, and NetFlow.
• Access control – who has access to which systems, and by what means?
A data breach has three (3) basic components:
1. How did they get in? (Has your system been accessed, or has it been infected or modified?)
2. How did they move through your network, and what did they take or alter? (move, change, or alter)
3. How did they exit your system?
Step #3. Collecting and reporting the facts:
A cybercrime case is no different from any other criminal case when it comes to prosecution: you must have evidence of the crime. The investigation will only go as far as the victim company can take it. To capture and prosecute criminals, trace evidence of the crime must be located, captured, and documented in a forensically sound manner. Having a sound log management system in place is key to stopping criminals from infiltrating your system, restricting their access within your system, and preventing them from exfiltrating data out of your system. Most importantly, proper log management provides trace evidence that a crime occurred. In the world of computer security, controlling the flow of data in and out of your network includes the authorization, authentication, and auditing of your system. Firewalls, data-loss prevention systems, intrusion detection systems, and access control lists all work well if they are configured and managed properly. Logs must be preserved so that any actionable investigative leads or trace evidence can be found and documented.
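The "forensically sound" preservation of logs that Step #3 calls for comes down to proving, later, that the collected files are exactly what was captured. The following Python script is an added example, not part of the original page or any vendor product: it hashes each collected log file with SHA-256, records who collected it and when in a manifest, hashes the manifest itself, and can re-verify the evidence at any time. The log file names, their contents, the case id and the collector name are all constructed for illustration.

```python
"""
Added example (not from the original page): preserve collected log files by
recording a SHA-256 hash of each file in a signed-off manifest, then verify the
manifest later to show the evidence was not altered after collection.
All file names, sample log lines, case ids and collector names are constructed.
"""
import hashlib
import json
import tempfile
import time
from pathlib import Path


def sha256_of_file(path: Path, chunk_size: int = 1 << 20) -> str:
    """Hash a file in chunks so large PCAP/NetFlow captures need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(evidence_dir: Path, collector: str, case_id: str) -> dict:
    """Record who collected what, when, plus size and hash of every file in evidence_dir."""
    entries = []
    for path in sorted(p for p in evidence_dir.rglob("*") if p.is_file()):
        entries.append({
            "file": str(path.relative_to(evidence_dir)),
            "size_bytes": path.stat().st_size,
            "sha256": sha256_of_file(path),
        })
    manifest = {
        "case_id": case_id,
        "collector": collector,
        "collected_at_utc": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "entries": entries,
    }
    # Hash the manifest body itself so the manifest can be checked for tampering too.
    body = json.dumps(manifest, sort_keys=True).encode()
    manifest["manifest_sha256"] = hashlib.sha256(body).hexdigest()
    return manifest


def manifest_is_intact(manifest: dict) -> bool:
    """Recompute the manifest hash over everything except the stored hash field."""
    body = {k: v for k, v in manifest.items() if k != "manifest_sha256"}
    digest = hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()
    return digest == manifest.get("manifest_sha256")


def verify_evidence(evidence_dir: Path, manifest: dict) -> list:
    """Return the files whose size or hash no longer matches the manifest (missing files
    are reported as well). An empty list means the evidence set is intact."""
    problems = []
    for entry in manifest["entries"]:
        path = evidence_dir / entry["file"]
        if not path.is_file():
            problems.append(entry["file"])
        elif path.stat().st_size != entry["size_bytes"] or sha256_of_file(path) != entry["sha256"]:
            problems.append(entry["file"])
    return problems


def write_constructed_evidence(evidence_dir: Path) -> None:
    """Create constructed log files standing in for exported firewall and IDS logs."""
    evidence_dir.mkdir(parents=True, exist_ok=True)
    (evidence_dir / "firewall.log").write_text(
        "2024-01-01T10:00:00Z DENY tcp 203.0.113.5:4444 -> 10.0.0.7:22\n"
        "2024-01-01T10:00:05Z ALLOW tcp 10.0.0.7:51000 -> 198.51.100.9:443\n"
    )
    (evidence_dir / "ids.log").write_text(
        "2024-01-01T10:00:06Z ALERT outbound transfer 10.0.0.7 -> 198.51.100.9 size=52428800\n"
    )


def run_demo() -> dict:
    """Collect constructed evidence, verify it, then alter one file and verify again."""
    with tempfile.TemporaryDirectory() as tmp:
        ev = Path(tmp) / "evidence"
        write_constructed_evidence(ev)
        manifest = build_manifest(ev, collector="analyst-1", case_id="CASE-EXAMPLE-001")
        (Path(tmp) / "manifest.json").write_text(json.dumps(manifest, indent=2))
        before = verify_evidence(ev, manifest)
        manifest_ok = manifest_is_intact(manifest)
        # Simulate post-collection alteration of one file (log rotation, cleanup, or tampering).
        (ev / "firewall.log").write_text("rotated\n")
        after = verify_evidence(ev, manifest)
        return {"intact_before": before, "manifest_ok": manifest_ok, "altered_after": after}


if __name__ == "__main__":
    print(json.dumps(run_demo(), indent=2))
```

Keep the manifest (and, in practice, a copy of it stored separately from the evidence) with the collection notes; re-running `verify_evidence` on demand gives an auditable answer to "has this log been changed since it was captured?", which is the question a prosecutor or outside investigator will ask first.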
THE CYBER ECOSYSTEM MAP