Coordinated Response
Services and tools for incident response management

Incident Response – 3 Big Mistakes

Dark Reading identifies 3 Big Mistakes in Incident Response, May 13, 2013.

By recognizing and avoiding these common mistakes, Kelly Jackson Higgins provides a quick set of best practices backed by interviews with security experts. The article should be in every Response Team's must-read library. A response plan should identify the practices that avoid these mistakes:

  1. Assuming It’s an APT; don’t confuse expectations with facts.
  2. Not Monitoring Traffic; beyond detection, monitoring supports investigation.
  3. Focusing Only on the Malware; eradication is important, but so is investigation.

Assuming It’s an APT

Not all attacks start with an Advanced Persistent Threat. Apply an objective lens to the data. Look for a two-stage attack: (1) Phishing, (2) Command and Control.

Not Monitoring Traffic

The article makes a good point. Monitoring is not just for protection and detection. When a breach or intrusion is discovered, audit records provide clues as to what happened, when, and what may have been exfiltrated. Not monitoring, or even monitoring insufficiently, increases potential impact.

Focusing Only on the Malware

Containment and eradication are important, but determining outcomes – data theft, sabotage, other long-term damage – may be more important.

Avoid Tunnel Vision

This was not called out as a 4th mistake, but the article led with an example of a team that was focused on the malware and missed a shift to control of an administrative tool. The admonition to “avoid tunnel vision” applies more broadly than just “focusing on malware”.
The example also identified a good practice. An outside firm reviewed the outcome of the incident and discovered the control shift – the true intent of the attack.

Coordinated Response

Coordinated Response can help to broaden your view and to improve your incident response plan.

Risk Assessment and Incident Response

Align your Incident Response plan with your information security risk assessment.

An effective risk assessment, regardless of the technique employed, identifies impact areas and potential impact levels. Then, given the probability of an attack, risk strategies are defined: avoid the risk; mitigate the risk; share the risk; accept the remaining risk.

Ultimately, unless you choose to avoid the risk, some residual risk is accepted. Then, when an unlikely incident occurs, an incident response plan is the last line of defense.

Risk Assessment – Incident Response – Impact Assessment

The key to an effective impact assessment rests with two key questions:
• What areas of your business are at risk when an incident occurs?
• How do you measure the impact?

These two questions are first asked during the risk assessment – the theoretical question: what if? When an incident occurs, they are asked again, only it is no longer in theory. What areas of your business are affected? To what level?

Impact Areas

While most organizations evaluate the financial impact, the majority view reputational impact as more important. Other areas to measure include operational impact and legal impact. If your organization is regulated, you might measure legal impact, policy impact, and regulatory impact as separate areas.

Impact Levels

For each impact area, it is important to provide metrics or descriptions that differentiate the impact levels. Low, medium, and high are not enough as impact measures. Without metrics, different people assign different meanings to the terms low, medium, and high.

An Incident Response Plan Review

It’s worth stressing that the impact component of the risk assessment can and should be used during the Incident Impact Assessment. The Response Team measures adverse impact to determine the needed response.

With this information the response team makes informed decisions on what resources to apply and what actions to take. Refer to our Response Management Framework for added insight.

Let us help you with a response plan review that considers your information security risk assessment.