Hackers will go to surprising lengths to infiltrate an organization’s network, typically using threat vectors such as email attachments, websites, and USB removable media as a starting point. Once your account credentials or machine has been compromised, an attacker will typically install a remote access trojan or backdoor on your system that allows the attacker to maintain a presence inside the environment. Next, the intruder may attempt to establish a Command and Control (C2) channel, or connection, with a server outside the network, giving the attacker hands-on-keyboard access to navigate inside your organization. From this point on, it’s just a matter of time – sometimes a couple of days – before the attacker finds a way to elevate their privileges and begins collecting, encrypting, exfiltrating, or even destroying data in your organization. This attack scenario is commonly referred to as the kill chain: the attack follows a basic pattern and proceeds from one step to the next to achieve the desired outcome.

[Figure: diagram of the kill chain scenario described above]

Now more than ever it’s imperative that organizations effectively protect their networks, systems, user identities, and applications. It is crucial for organizations to implement solutions to detect potential threats or suspicious behavior, and to know how to respond to a breach in their organization. In addition to implementing solutions to help protect against attacks, organizations should take a cue from the National Institute of Standards and Technology and invest time and effort in establishing an incident response program to best be prepared for the inevitability of an attack.

Implementing a security incident policy

The organizational preparation that is needed to effectively respond to a security incident is a complex undertaking involving substantial planning and resources. Organizations are advised to begin by formulating an incident response policy; the policy will be the foundation of your incident response program. Having a formal policy – documented in your company playbook – enables you to effectively plan and implement the procedures that will be necessary to achieve your desired state of security.

The incident response policy establishes the organizational structure for incident response, defines roles and responsibilities, and lists the requirements for reporting incidents. While policies will vary from one organization to the next, they should typically document things such as definitions of security events, incidents, and related terms; severity ratings of events and incidents; guidelines for external communications; guidelines for reporting and tracking incidents; and definition of roles, responsibilities, and levels of authority within the organization.

Implementing an incident response plan

An incident response plan provides a roadmap for implementing an incident response program based on the organization’s policy. The plan indicates both short- and long-term goals, including metrics for measuring the success of the program. Each organization needs a plan that meets its unique requirements, based on the organization’s size, structure, and functions. Among other things, an incident response plan should include elements such as a mission statement, strategies, and goals; senior management approval; selecting an incident response team model; training; emergency access accounts; and metrics for evaluating the effectiveness of the program.

Once an organization develops a plan and gains management approval, the organization should implement the plan and review it at least annually to ensure the organization is following their roadmap for maturing their capability, as well as fulfilling their goals for incident response.

Implementing standard operating procedures

To implement your plan, you should develop standard operating procedures that describe the specific processes, tools, and forms that will be used to address all aspects of the plan. Each procedure should include enough detail to maximize efficiency while minimizing errors. The operating procedures that are developed can also be useful as an instructional tool when training the incident response team. Common activities that should be documented include:

  • Incident reporting mechanisms, such as phone numbers, email addresses, online forms, and secure instant messaging systems that users can use to report suspected incidents; at least one mechanism should permit people to report incidents anonymously
  • An issue tracking system for recording incident information, status, and related details
  • Established relationships and lines of communication between the incident response team and other groups, both internal (e.g., the legal department) and external (e.g., law enforcement agencies)

Creating an incident response kit

To ensure that you’re fully prepared in the event of an attack, it is recommended that you also create an emergency toolkit, sometimes referred to as a jump kit. A jump kit is typically a portable carrying case stored in a secure location that contains everything you would need in the event of a catastrophic event such as your infrastructure being taken offline. Among other things, a typical jump kit might include items such as:

  • Your incident response playbook
  • Contact information for incident response team members and other key personnel
  • Documentation for operating systems, applications, and antivirus products
  • Network diagrams and baselines of expected network, system, and application activity
  • A special-purpose laptop loaded with software necessary to perform malware analysis, encryption/decryption, and other actions that risk contamination
  • A device for creating reports, reading email, and performing other tasks unrelated to the hands-on incident analysis

Conclusion

To learn more about establishing a security incident response program, it is recommended that you review NIST Special Publication 800-61 Revision 2, Computer Security Incident Handling Guide.

Note, however, that for any incident response program to be successful, organizations must also implement first-class solutions to help detect, protect against, and respond to threats before, during, and after an attack. Microsoft has invested heavily in creating solutions to protect user identities and control access to resources, defend against advanced threats, recover quickly if attacked, protect sensitive information, and gain insight across your infrastructure using artificial intelligence and machine learning.

As a top Microsoft Gold partner, our team of highly skilled and experienced Cloud Architects can help you determine your current security posture and assist you with identifying solutions that will help you meet your security goals. If your organization is struggling to achieve these goals or you have questions about data security, please contact us for help.