Tag Archive for: Incident Response

Surviving the Worst-Case Scenario: Best Practices for Incident Response

There’s no way around it: Cyberattacks are escalating. According to data from the Identity Theft Resource Center (ITRC), the number of reported data breaches from January to September 2021 exceeded the total volume of breaches in 2020 by 17 percent — and with threat vectors such as ransomware and phishing on the rise, this number isn’t going anywhere but up.

What does this mean? It’s a matter of when, not if, when it comes to network compromise, and companies can no longer assume that security frameworks offer invincibility from evolving cyberattack trends. Instead, they need an approach designed to help them survive the work-case scenario — and come out stronger on the other side.

This is the role of robust cybersecurity incident response (IR) plans. Here’s what you need to know about how these plans work, where they can help, and what steps are necessary for effective implementation.

What is a Cybersecurity Incident Response Plan?

A cybersecurity incident response plan provides a framework for teams to follow in the event of a cyber incident or attack. Research firm Gartner defines an IR plan as something “formulated by an enterprise to respond to potentially catastrophic, computer-related incidents such as viruses or hackers.”

While there are no one-size-fits-all approaches to creating a cybersecurity incident response plan, common components include:

  • Creating an overall strategy to mitigate risk
  • Identifying potential threat vectors
  • Assigning specific tasks to team members
  • Testing the plan regularly to ensure effective operation.

It’s also worth noting that cyber incident response plans play a role in regulatory compliance. With companies now handling large volumes of financial, personal, and health information from various sources, alignment with compliance expectations requires companies to adopt the mandate of “due diligence.” That is, they must take every reasonable precaution to protect data at rest, in transit, and in use. While businesses can’t avoid every cyberattack, lacking due diligence can lead to legal and regulatory challenges. Robust incident response frameworks help ensure organizations are meeting current compliance goals.

How can a Strong Cyberattack Incident Response Plan Help Put the House Back Together?

A robust IR plan helps put your digital house back together by providing a pathway from initial incident detection to eventual remediation. This is critical because when incidents occur, panic and fear are common responses: Teams want to do everything they can to get networks back on track but simply throwing everything you have at the problem — all at once — often leads to process overlap and policy confusion.

By creating a cyberattack incident response plan that lays out a specific order of events when threats are detected and assigns key tasks to staff, teams can respond in unison when attacks occur. For example, one employee may be responsible for identifying the source of the threat, while another looks to quarantine the affected area. Other team members may be tasked with informing C-suite members about what’s happening and ensuring that backup data is safe from harm.

The Phases of an Incident Response Plan: Timing is Everything

Cyber incidents happen without warning and in real-time — they don’t wait for companies to ready their defenses and prepare for an attack. As a result, timing is everything. Businesses must be ready to respond at a moment’s notice when attacks occur to mitigate the overall impact and get systems back up and running ASAP.

To help streamline this process. The National Institute of Standards and Technology (NIST) defines four key phases:

  1. Preparation speaks to the actions taken before an attack occurs. These include regular network evaluations such as vulnerability scans and penetration tests, along with the deployment of protective tools such as encryption software, failover backups, and automated incident analysis tools.
  2. Next is detection and analysis. This includes determining primary attack vectors — such as emails, web applications, brute-force efforts such as DDoS or improper network usage by employees — along with identifying and analyzing signs of compromise such as network performance drops, antivirus warnings, or unusual traffic amounts.
  3. Containment, Eradication, and Recovery policies determine where attack data will be stored for analysis and debriefing, while eradication looks to remove malware code or breached user accounts once attacks are under control. Recovery focuses on bringing systems back online using a staged approach to ensure no threats remain.
  4. Finally, post-incident activity asks the question: What did we learn? By using data collected during the attack, companies can assess what information was needed sooner to improve response, what additional steps might speed recovery, and what steps they can take to prevent future incidents.

Top Tips for Managing Collateral Damage After an Attack

After attacks occur and incident response plans activate, it’s critical to manage collateral damage and get back on track. Five best practices include:

#1 Prioritize Visibility

The more you know, the better prepared you are to respond when attacks occur. By prioritizing network visibility, your team can discover what they don’t know and take appropriate action.

#2 Define Recovery Times

Recovery point objectives (RPOs) and recovery time objectives (RTOs) help set goals for getting back on track and provide a finite resolution to the IR process.

#3 Seek Out Answers

While successfully mitigating an attack offers business value, managing long-term collateral damage means looking for answers about what happened, why, and what can be done to prevent similar breaches in the future.

#4 Leverage Active Backups

Multiple local and cloud backups can help get your systems back up and running. By logically segmenting them from operational networks, you can significantly reduce their risk of compromise and streamline the recovery process.

#5 Practice, Practice, Practice

As noted by the Open Web Application Security Project (OWASP), practice is paramount to ensure IR plans work as intended. From regular drills to simulated, unscheduled attacks, the more you practice your cybersecurity incident response plan, the better.

Surviving — and Thriving — After the Worst-Case Scenario

While the goal of cybersecurity planning is to help companies survive the brunt of an attack and come out the other side relatively unscathed, effective IR response offers actionable post-incident threat data to help enterprises reduce the risk of future attacks. Intelligent network modeling from RedSeal, meanwhile, provides the insight and integrations you need to take action and thrive in the wake of cyberattacks quickly.

By creating a comprehensive model of your network across cloud, hybrid and virtual environments, teams can quickly locate compromised devices, determine which assets are accessible, and take steps to stop attackers in their tracks. Integration with IBM QRader, Splunk Adaptive Response Initiative, and ArcSight, meanwhile, provides end-to-end situational awareness for improved response.

Survive the worst-case scenario — and come out better on the other side — with an in-depth cyberattack incident response plan. See how RedSeal can help. 

Top 10 Cyber Incident Response Mistakes and How to Avoid Them

Dark Reading | May 6, 2020

Automation can make a big difference in the efficacy and efficiency of an IR program. The trick is figuring out just the right level of automation to cut out the low-value manual work while still leaving the tasks better-suited to human judgment in the care of smart analysts.

“Some organizations underautomate and get lost in the slog because IR is hard,” says Dr. Mike Lloyd, CTO of RedSeal. “Others overautomate, not realizing that machine reasoning still falls short and is easily defeated by a human who knows they only need to beat a machine, not another human.”

The Importance of Speed in Incident Response


 

By RedSeal Federal CTO Wayne Lloyd

Have you seen CrowdStrike’s “Global Threat Report: Adversary Tradecraft and The Importance of Speed”?

Just released at RSA Conference 2019 this year, the key takeaway is that nation states and criminal organizations are increasing both the speed and sophistication of their cyber tactics. This isn’t a surprise, but the report presents more detail on just how little time we have.

CrowdStrike defines “breakout time” as “the window of time from when an adversary first compromises an endpoint machine, to when they begin moving laterally across your network.”

The report shows a more granular examination of breakout time by clocking the increasing average speed of major nation state actors, including the breakout speeds of Russia, China, North Korea, Iran, and others.

So what can you do?

According to the report, basic hygiene is still the most important first step in defending against these adversaries — including user awareness, vulnerability and patch management and multi-factor authentication.

The CrowdStrike report continues:

With breakout time measured in hours, CrowdStrike recommends that organizations pursue the ‘1-10-60 rule’ in order to effectively combat sophisticated cyberthreats:

  • Detect intrusions in under one minute
  • Perform a full investigation in under 10 minutes
  • Eradicate the adversary from the environment in under 60 minutes

Organizations that meet this 1-10-60 benchmark are much more likely to eradicate the adversary before the attack spreads out from its initial entry point, minimizing impact and further escalation. Meeting this challenge requires investment in deep visibility, as well as automated analysis and remediation tools across the enterprise, reducing friction and enabling responders to understand threats and take fast, decisive action.

RedSeal and the 1-10-60 Benchmark

A RedSeal model of your network – across on-premise, cloud and virtual environments — gives you the detail you need to quickly accelerate network incident investigation. You’ll be able to quickly locate a compromised device, determine which assets bad actors can reach from there – and get information to stop them. Since RedSeal’s model includes all possible access paths, you’ll see specific paths the network attacker could take to valuable assets. And, you’ll get specific containment options so you can decide what action to take — from increasing monitoring, to placing honey pots, to changing firewall rules, to simply unplugging the device — decreasing your network incident response time.

Network security incident response that used to take hours, if not days, to determine becomes available immediately.

Click here to learn more about RedSeal’s support of incident response teams and how it will improve your agency’s digital resilience.

RedSeal To Be Mega Sponsor at Splunk .conf2017 Showcasing RedSeal Adaptive Response App for Incident Response

Sunnyvale, Calif. – RedSeal, a leader in network modeling and cyber risk scoring, today announced it is a Mega sponsor of .conf2017: The 8th Annual Splunk Conference.  At booth M38, RedSeal will demonstrate how its network modeling and risk platform integrates with Splunk Enterprise Security (ES) to greatly accelerate incident investigation and containment. RedSeal became a member of the Splunk Adaptive Response Initiative in February 2017 and the RedSeal Adaptive Response App for Incident Response is currently available on Splunkbase.

“We made the decision to be a Mega sponsor of .conf two years in a row to reinforce the importance of integrating network context with existing security applications,” said CEO and Chairman of RedSeal Ray Rothrock. “The integration of  RedSeal’s network modeling and risk scoring platform with Splunk’s analytics-driven security platform provides security professionals with real-time visibility into the blast radius, potential attack paths and associated at-risk assets for an Indicator of Compromise.”

RedSeal’s Vice President of Product Management, Kurt Van Etten, will present a session titled Accelerate Incident Investigation with RedSeal and Splunk Adaptive Response Actions at .conf2017 on Thursday, September 28th. During the session, attendees will learn how RedSeal’s integration with Splunk ES leverages  the Splunk Adaptive Response framework to provide immediate answers to the following investigation-relevant questions:

  • What is the compromised device? Where is it physically and logically located?
  • What other critical assets can the threat access?
  • Can an untrusted network reach the compromised device?
  • What are the exact firewalls and rules you must modify to contain the threat?

.conf2017 will feature more than 200 technical sessions, including more than 80 customer presentations, and is expected to attract IT, security and business professionals from across the globe who know the value of their data. The conference will be held September 25-28, in Washington, DC at the Walter E. Washington Convention Center in Washington, DC, with three days of optional education classes through Splunk University, September 23-25, 2017.

.conf2017 attendees will learn how to gain Operational Intelligence from machine-generated data by improving customer experience and service delivery, enhancing IT performance, shipping better code faster, providing timely business insights or reaching new levels of security in their organization. With 85 of the Fortune 100 in attendance, it’s the best place to learn how leading companies are using Splunk. Attendees will share best practices, discover new features and ways to implement Splunk software to gain insights from their data. Register for .conf2017. At the conference, follow us on LinkedIn and Twitter  or follow the conference itself @splunkconf (all conversations tagged #splunkconf17).

About RedSeal

RedSeal’s network modeling and risk scoring platform is the foundation for enabling enterprise networks to be resilient to cyber events and network interruptions in an increasingly digital world. RedSeal helps customers understand their network from the inside, out – and provides rich context, situational awareness and a Digital Resilience Score to help enterprises measure and ultimately build greater resilience into their infrastructure. Government agencies and Global 2000 companies around the world rely on RedSeal to help them improve their overall security posture, accelerate incident response and increase the productivity of their security and network teams. Founded in 2004, RedSeal is headquartered in Sunnyvale, California and serves customers globally through a direct and channel partner network.

Splunk, Splunk>, Listen to Your Data, The Engine for Machine Data, Splunk Cloud, Splunk Light and SPL are trademarks and registered trademarks of Splunk Inc. in the United States and other countries.

Accelerate Incident Response and Investigations

Knowing which hosts are involved in a security incident is critical information for anyone who is an incident handler. The quicker the attackers and their targets can be identified the quicker the incident can be stopped. Collecting this information from a plethora of systems and log sources can be difficult and time consuming. Compounding the problem even further Forrester reported that “62% of enterprise security decision makers report not having enough security staff[1].” Lack of resources and time spent verifying devices instead of dealing with the threat right away contribute to the damage done by threat actors.

For an incident response team to perform their job effectively, on top of understanding and responding to threats, they need to understand the network. This includes all entrances to a network, the route information flows through their network, the critical systems needed to run their business, the location of the critical systems within their network, and an understanding of how the attack can spread once the network is compromised. Understanding the network and the topology is the foundation of any good incident response team. How do you protect and contain an outbreak if you don’t understand how it spreads? The network is the medium in which it spreads.

Allowing your incident response team to access the RedSeal appliance will drop your “average time to achieve incident resolution” and “time to containment” KPIs. RedSeal ingests all network device configurations and will show the paths information takes, where the attacks are coming from, and where the targets exist within your network. RedSeal simplifies locating devices by parsing through the NAT, VPN, and Load Balancer configuration files with only a few clicks of the mouse. In a matter of minutes, the incident response team will be able to find where both the target and the attacker exist on the network as well as the path the attack traffic is taking. Otherwise, in most situations, incident response must parse through and follow routing tables manually or engage the network team to get an understanding of the path.

Another challenge incident response teams face is overlooking subnets and devices, especially in large and complex organizations. RedSeal will shine light onto forgotten devices and subnets. Again, with a few clicks of a mouse, RedSeal will analyze the configurations and report if there is a direct connection from untrusted zones to these devices. Once found, the devices can be hardened against threats and appropriate decisions can be made to take them offline, upgrade, or migrate them to a more protected area of the network.

An incident response team’s main goal is to keep the level of impact to an organization down to an acceptable level. It is the time between detection and containment that has the biggest impact on mitigating the severity of the incident and data loss. Stopping the threat faster, before it spreads, also means fewer resources spent in recovering from the impact of the incident. RedSeal reduces the amount of time incident response spends identifying targets, moves the team to stopping the incident faster, and improves your organization’s resiliency against attacks.

[1] Forrester “Breakout Vendors: Security Automation and Orchestration.”

To learn more about how RedSeal can accelerate your incident response, watch our animated video, or contact us.

Does Your Company have a DFARS NIST 800-171 Time Bomb?

On December 30, 2015, the U.S. Department of Defense (DoD) published a three-page interim rule to the Defense Federal Acquisition Regulation Supplement (DFARS), revising its earlier August 2015 interim rule on Safeguarding Covered Defense Information.

This new interim rule is a ticking time bomb that gives government contractors a deadline of December 31, 2017 to implement all of the requirements of the National Institute of Standards and Technology’s (NIST) Special Publication (SP) 800-171-Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations —  or lose their contracts.

The NIST Special Publication 800-171 provides federal agencies with requirements for protecting Controlled Unclassified Information (CUI) when:

  • The CUI is resident in non-federal information systems and organizations
  • The information systems where the CUI resides are not used or operated by contractors of federal agencies or other organizations on behalf of those agencies
  • There are no specific safeguarding requirements for protecting the confidentiality of CUI prescribed by the authorizing law, regulation, or government wide policy for the CUI category or subcategory listed in the CUI Registry.

Cybersecurity and compliance teams at government contractors are searching for technology to automate the necessary, but taxing process of implementing the mandated controls and remaining compliant on an ongoing basis. Organizations are finding that it is one thing to implement the 800-171 controls once, but quite another to implement and monitor them continuously.

RedSeal has a history of support for federal government cybersecurity initiatives. The company’s innovative software platform is installed in numerous DoD, intelligence, and civilian organizations for the purpose of continuous monitoring. At the highest level, RedSeal delivers three core security controls: visibility, verification, and prioritization.

RedSeal’s cybersecurity capabilities align with many of the controls in NIST 800-171. RedSeal supports a total of 26 controls in 7 of the 14 NIST 800-171 security requirements families; at a high level RedSeal supports 800-171 control areas as follows:

NIST CONTROL AREA REDSEAL SUPPORT
Configuration Management Continuous validation of actual system configurations versus desired state across multi-vendor infrastructure.
Risk Assessment & Incident Response Prioritization of vulnerabilities for efficient and effective remediation and response.
Network Security Architecture & Access Control Network map and situational awareness for risk assessment and systems categorization and segmentation validation.
Security Assessment and Continuous Monitoring Analysis of actual, deployed information flow architecture and continuous comparison with desired architecture and policy.
Planning, Program Management and Acquisition Inventory, audit and analysis of network security architecture for legacy, new deployments, and acquired systems.

 

With RedSeal, federal system integrators can significantly reduce the cost and time associated with enforcing compliance against SP 800-171 by automating assessment of many of the SP 800-171 controls. Certain controls have traditionally been difficult to automate, and therefore resource intensive to maintain and audit. However, RedSeal’s unique technology automates and prioritizes these difficult controls, greatly decreasing resource requirements while improving the quality of the control.

The federal government is placing a greater sense of urgency on real-time situational awareness and continuous monitoring to improve the efficiency and effectiveness of responses to emerging security threats, and is now including government contractors in that effort.  By implementing RedSeal, organizations can lower the cost of compliance, increase situational awareness, and improve control activity efficacy in an operationally efficient manner.

Will you defuse this bomb in time?

For more information on how RedSeal can assist with NIST 800-171 controls, please contact Matt Venditto, mvenditto@redseal.net or download a more detailed datasheet on NIST 800-171 here.

RedSeal Joins Splunk Adaptive Response Initiative at RSA 2017

RedSeal and Splunk Combine Forces to Deliver Automated and Continuous Response, Optimize Analytics-Driven Security and Improve Operational Efficiency

SUNNYVALE, Calif. & SAN FRANCISCO – RedSeal, the leader in network modeling and cyber risk scoring, and Splunk Inc., provider of the leading software platform for real-time Operational Intelligence, today announced that RedSeal has joined the Splunk® Adaptive Response Initiative. Powered by a growing list of leading cybersecurity technology vendors, Adaptive Response is a best-of-breed security initiative that leverages end-to-end context and continuous response to improve security operations with an adaptive security architecture. The announcement was made at the 2017 RSA Security Conference.

Following its unveiling at the 2016 RSA Security Conference, the Adaptive Response Initiative now includes over 20 participating vendors as members. With this extensive network, organizations can use Splunk Adaptive Response to further interact with data, extract and share new insights, gain more context and invoke actions across key security and IT domains. Ultimately, this allows customers to detect threats faster, make analytics-driven decisions and improve operational efficiencies within their Security Operations Center (SOC).

“Our increasingly digital world underscores the need for enterprise networks to be resilient to cyber events and network interruptions. Improved security posture and accelerated incident recovery are central to achieving this goal,” said Ray Rothrock, CEO of RedSeal. “By combining Splunk’s centrally positioned analytics-driven security platform with RedSeal’s network modeling and risk scoring platform, we are thrilled to help security professionals around the world gather even more context to detect threats quicker and deliver a more automated and continuous response against advanced attackers.”

While many organizations employ a layered, multi-vendor approach to security, most individual solutions are not designed to work together outside of the box. Splunk Enterprise Security (Splunk ES), working in conjunction with technologies like RedSeal’s network modeling and risk scoring platform, extends analytics-driven decision-making and improves detection, investigation and remediation times by centrally automating retrieval, sharing and response.

“We created the Adaptive Response Initiative so organizations could efficiently combat advanced attacks while utilizing their existing security architectures. Members like RedSeal are key to the success of Adaptive Response,” said Haiyan Song, senior vice president of security markets, Splunk. “Together we will solve this very challenging problem facing every enterprise.”

 

About RedSeal

RedSeal puts power in decision makers’ hands with the essential network modeling and risk scoring platform for building digitally resilient organizations. RedSeal’s Digital Resilience Score, modeled after a creditworthiness score, measures how prepared an organization is to respond to an incident and quickly rebound. The company’s platform adds value to existing network devices by working with them and building a network model. With this, customers can improve their security posture, accelerate incident response, and improve the productivity of their network and security teams. RedSeal’s customers are Global 2000 corporations and government agencies that depend on the most sophisticated security. Founded in 2004, RedSeal is headquartered in Sunnyvale, Calif. and serves customers globally through a direct sales and channel partner network.

Shadow Brokers Turn Out the Lights

The Shadow Brokers are turning out the lights. On their way out they dumped another suite of alleged National Security Agency hacking tools.  Unlike last time, where the released exploits focused on network gear from vendors such as Cisco and Fortinet, these tools and exploits target Microsoft Windows operating systems.  Most of the sixty plus exploits are already detected by antivirus vendors, such as Kaspersky, and it is a safe bet that all antivirus vendors will detect them shortly.

In Shadow Brokers’ farewell post, they say they are leaving the account open for someone to deposit 10,000 bitcoins — the equivalent of $8.2 million — to obtain the entire cache of alleged NSA hacking tools. To date, no one has paid the requested amount.  With such a high price it has been speculated that the Shadow Brokers never seriously expected anyone to pay. This leads some to believe they are associated with a nation state who is trying to cause headaches for US spy agencies and the administration.

What can be done to protect your systems from these tools and exploits?  Basic security practices of course.  Keep your systems up to date with patches and operating system releases.  Practice your usual good cyber hygiene such not clicking on links in emails.  Be conscientious about what you plug into your home or business computers as a lot of malware can spread through external hard drives and USB sticks.

Also, it is imperative to have good backups and test your backups.  Many times after a breach occurs, organizations find out too late that they’ve never tested their restore procedures to verify they have good backups. Or, they learn that their backups have been infected with malware from previous backups of compromised systems.

Have an incident response plan in place and practice your incident response plans regularly. Having a plan is great. But you need to practice to make sure your team can execute your plan. Plans without practicing is the equivalent of a firefighter knowing it takes water to put a fire out, but not knowing how to get the water off of the fire truck and onto the fire.

Know your network; and consider using RedSeal.   Even if you don’t use us, knowing your network will lead to greatly enhanced resilience and enable your incident responders to keep business and mission critical systems online and functioning during an incident.  Security is not sexy, despite what Hollywood depicts. There is no silver bullet that will magically make your network impervious.  It takes hard work and continuous effort to build and maintain resilient networks.  So, do you know yours — completely?