In a previous post we discussed the importance of having an Incident Response (IR) process, and our preference is one that runs Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned (PICERL). In this post, we are going to look more closely at the Preparation phase of IR.
Lots of people overlook this phase because it isn’t “dynamic” and doesn’t have the technical excitement of other phases, but the reality is you are either preparing for an incident or responding to an incident. What matters is how you spend your time in this phase. If you use this time well, every incident you deal with will be better managed with a significantly improved outcome. However, if you waste this time, every incident will be significantly harder, more costly and cause greater impact. Really the choice is yours!
Fail to Prepare, Prepare to Fail
It really is that simple.
There is a lot of work to do in this phase, even though some will see it as a period when Incident Responders are not doing their job. The exact activity will be organisation specific, but there are some key activities everyone should follow. If you are looking for even more succinct guidance, FireEye, a world leading IR company, have an excellent article on IR Preparation.
When we assist an organisation in building an IR capability, we focus on technical and non-technical elements of preparation. This allows defenders to have realistic goals – if you are new to this, it can seem like an insurmountable hurdle – and allows management to have good visibility of progress towards a continuously improving target.
Remember, you never finish the Incident Response Cycle. You remain in preparation, striving to get better until there is an incident. Then you respond, learn from it and improve your preparation for the next one.
Attack Surface Reduction. Also referred to as “system hardening” or “vulnerability management”, among many other terms. This is the ongoing process of trying to minimise the entry points for an attacker. It also covers your internal systems, making sure that an attacker who gets in can't easily move around. Typical activities here include patching, turning off unnecessary services and account management. If you are fortunate enough to have a dedicated IR team, they should work closely with your SOC or IT Service Management teams to limit the scope of attacks.
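"Turning off unnecessary services" only works if you can see which services are actually listening and compare that against what you decided should be there. The following is an added example, not code from the original post: it audits listening sockets against an approved baseline and reports anything unexpected, anything exposed more widely than the baseline allows, and anything served by the wrong process. The sample socket lines are constructed in the column layout of `ss -H -tlnp`, and the baseline is a hypothetical one for illustration.

```python
"""Audit listening services against an approved baseline (added example)."""
import re

# Constructed sample lines in the format of `ss -H -tlnp` (not real output).
SAMPLE_SS_OUTPUT = [
    'LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=812,fd=3))',
    'LISTEN 0 128 [::]:22 [::]:* users:(("sshd",pid=812,fd=4))',
    'LISTEN 0 244 0.0.0.0:5432 0.0.0.0:* users:(("postgres",pid=1302,fd=6))',
    'LISTEN 0 511 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=1410,fd=7))',
    'LISTEN 0 5 0.0.0.0:23 0.0.0.0:* users:(("in.telnetd",pid=1501,fd=3))',
]

# Hypothetical baseline: port -> expected process and widest permitted bind scope.
# "any" means it may listen on all interfaces; "loopback" means local only.
BASELINE = {
    22: {"process": "sshd", "bind": "any"},
    5432: {"process": "postgres", "bind": "loopback"},
}

_SS_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+'
    r'users:\(\("(?P<proc>[^"]+)"'
)


def parse_ss_line(line):
    """Return {'addr', 'port', 'process'} for one ss line, or None if unparsable."""
    m = _SS_RE.match(line.strip())
    if not m:
        return None
    return {"addr": m.group("addr"), "port": int(m.group("port")),
            "process": m.group("proc")}


def classify_bind(addr):
    """Map a local address to a bind scope: any, loopback or specific."""
    if addr in ("0.0.0.0", "[::]", "*"):
        return "any"
    if addr in ("127.0.0.1", "[::1]") or addr.startswith("127."):
        return "loopback"
    return "specific"


def audit(ss_lines, baseline):
    """Compare observed listeners with the baseline and return a list of findings."""
    findings = []
    for line in ss_lines:
        sock = parse_ss_line(line)
        if sock is None:
            continue
        expected = baseline.get(sock["port"])
        scope = classify_bind(sock["addr"])
        if expected is None:
            # Nothing in the baseline authorises this port at all.
            findings.append({**sock, "issue": "unexpected_service"})
            continue
        if sock["process"] != expected["process"]:
            findings.append({**sock, "issue": "process_mismatch"})
        if expected["bind"] == "loopback" and scope != "loopback":
            # Authorised service, but reachable from more than the local host.
            findings.append({**sock, "issue": "exposed_beyond_baseline"})
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_SS_OUTPUT, BASELINE):
        print(f"port {f['port']:>5} {f['process']:<14} {f['addr']:<12} {f['issue']}")
```

On a real host you would feed `audit()` the lines from `ss -H -tlnp` and keep the baseline under version control alongside your CMDB, so that a deviation is a change request or an incident rather than a surprise.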
Monitoring. If you can’t see an attack, you can’t respond. It isn’t good enough to think monitoring is in place, you need to check this. Check:
- The right things are logged
- That the right alerts fire
- The right people see the alerts
- People know what to do with the alerts
All of this is essential to give your IR team a fighting chance. This is a good use of a Red Team, or an external security consultancy, to give you some assurance.
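The four checks in the list above can be exercised with data rather than assumed. The following is an added example, not code from the original post: it runs over a handful of constructed log lines and answers, in order, whether the expected sources are actually logging, whether two hypothetical alert rules fire on the events they should, and whether every rule that fires has an owner and a runbook (the "right people see it" and "know what to do" checks). The sources, rules, routing table and log lines are all assumptions for illustration.

```python
"""End-to-end check that monitoring is really in place (added example)."""
import re
from collections import Counter

# Constructed sample log lines; the "edr" source is deliberately absent.
SAMPLE_LOGS = [
    '2024-01-10T09:00:01 host=web01 source=sshd msg="Failed password for root from 203.0.113.5 port 51022"',
    '2024-01-10T09:00:02 host=web01 source=sshd msg="Failed password for root from 203.0.113.5 port 51023"',
    '2024-01-10T09:00:03 host=web01 source=sshd msg="Failed password for root from 203.0.113.5 port 51024"',
    '2024-01-10T09:00:04 host=web01 source=sshd msg="Failed password for root from 203.0.113.5 port 51025"',
    '2024-01-10T09:00:05 host=web01 source=sshd msg="Failed password for root from 203.0.113.5 port 51026"',
    '2024-01-10T09:01:10 host=db01 source=sudo msg="alice : TTY=pts/0 ; COMMAND=/usr/bin/useradd svc_backup"',
    '2024-01-10T09:02:00 host=web01 source=cron msg="(root) CMD (/usr/local/bin/backup.sh)"',
]

# Check 1: the sources you expect to be logging (hypothetical list).
REQUIRED_SOURCES = {"sshd", "sudo", "edr"}

# Check 3/4: hypothetical routing table; a missing owner or runbook is a gap.
ROUTING = {
    "ssh_bruteforce": {"owner": "soc-tier1@example.com", "runbook": "RB-001"},
    "new_user_via_sudo": {"owner": None, "runbook": None},
}

_LINE_RE = re.compile(r'^(?P<ts>\S+) host=(?P<host>\S+) source=(?P<source>\S+) msg="(?P<msg>.*)"$')


def parse_event(line):
    """Parse one log line into a dict; returns None for lines that do not match."""
    m = _LINE_RE.match(line)
    return m.groupdict() if m else None


def missing_sources(events, required=REQUIRED_SOURCES):
    """Required sources that produced no events at all."""
    seen = {e["source"] for e in events}
    return set(required) - seen


def rule_ssh_bruteforce(events, threshold=5):
    """Fire when one source IP has >= threshold failed SSH logins on one host."""
    counts = Counter()
    for e in events:
        if e["source"] != "sshd":
            continue
        m = re.search(r"Failed password for \S+ from (\S+)", e["msg"])
        if m:
            counts[(e["host"], m.group(1))] += 1
    return [{"rule": "ssh_bruteforce", "host": h, "src": ip, "count": n}
            for (h, ip), n in counts.items() if n >= threshold]


def rule_user_creation(events):
    """Fire on any account creation performed through sudo."""
    return [{"rule": "new_user_via_sudo", "host": e["host"], "detail": e["msg"]}
            for e in events
            if e["source"] == "sudo" and re.search(r"COMMAND=\S*useradd\b", e["msg"])]


def fire_rules(events):
    """Check 2: run every rule and collect the alerts that fire."""
    return rule_ssh_bruteforce(events) + rule_user_creation(events)


def routing_gaps(alerts, routing=ROUTING):
    """Rules that fired but have no owner or no runbook (checks 3 and 4)."""
    gaps = []
    for rule in sorted({a["rule"] for a in alerts}):
        entry = routing.get(rule, {})
        if not entry.get("owner") or not entry.get("runbook"):
            gaps.append(rule)
    return gaps


def run_checks(lines):
    """Run all four checks and return a summary; ok is True only if every check passes."""
    events = [e for e in (parse_event(l) for l in lines) if e]
    alerts = fire_rules(events)
    summary = {
        "missing_sources": sorted(missing_sources(events)),
        "alerts": alerts,
        "routing_gaps": routing_gaps(alerts),
    }
    summary["ok"] = not summary["missing_sources"] and not summary["routing_gaps"]
    return summary


if __name__ == "__main__":
    for key, value in run_checks(SAMPLE_LOGS).items():
        print(f"{key}: {value}")
```

Run against the sample, the script reports that EDR is not logging, that both rules fire, and that the account-creation rule has nobody to send it to. Those three lines are exactly what a Red Team exercise should surface before an incident does.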
Documentation. This is essential. Your policies set the benchmark for how and when IR will work. Good documentation will help a stressed incident manager make the right decision under pressure. It should be readily available (remember, your IT systems may be compromised) and easy to follow. While every organisation’s needs differ, you should look to cover the following points:
- Authorisations. What is an incident manager authorised to do? Also, what are responders authorised to do?
- Requirements. Are there timescales you want the IR team to adhere to? Do you need “court-ready” evidential collection? Decisions like this must be made in advance.
- Communications Plan. Establish who needs to be told. Plan how people can communicate if normal systems are compromised. Decide who would be responsible for notifying a regulator if needed. Likewise, set a process for reporting to customers/clients/suppliers. After that, establish how frequently updates are provided and who gets them.
- IR Processes. Help your responders out by giving them good guides. For example, give step-by-step instructions on how you want RAM captured. Similarly, instructions for dealing with phishing help focus the mind. However, ensure that your IR team are flexible enough to deal with the unknown.
- Environmental information. Most importantly, you need to document your environment: have a network diagram and a CMDB, for example. This means your team can quickly understand the impact. It also lets them know who to call for assistance.
Practice. The saying “practice makes perfect” is accurate, and it is really important for IR preparation. Incident responders need to practice. Practice includes activities like external CTFs, competitions or in-house exercises. You can practice rarely-used skills in a CTF. Conversely, you learn your environment with an in-house exercise. This is all good. However, avoid giving your responders “busy” work or “BAU” tasks. Responders need to be ready to drop everything.
Preparation really does matter
To summarise, and repeat a phrase, if you fail to prepare, you really need to prepare to fail. Preparation is a critical step of the incident response cycle. You are in this phase whenever you are not actively responding to an incident. As a result, you should make the most of it.