2. Existing preventative steps. Even though you have detected a threat, have you actually contained it using existing tools or security devices? Detection does not mean protection. Hundreds of alerts may be received weekly, but is there a way to verify that existing protection layers have been effective or are going to be effective? The only way to know is to dive deeper into the context of the threat.
3. Context awareness of the incident. There are two core context considerations – internal and external. Internal context means understanding the potential impact and priority of the affected systems as they relate to individuals or departments within the organization; external context means understanding the infection vectors and where they originated outside the organization. If an attack has reached internal systems, can you confirm whether it was the CFO’s PC or a machine in the mail room? Manually pulling user data or indicators of compromise (IOCs) from each potentially infected system may be necessary to confirm that an infection has occurred. How quickly security teams can build this picture is a critical component of response time.
4. Contain. Armed with rich threat context, security analysts can make sure sensitive data sources, key personnel, or entire departments are treated with high priority and receive an elevated response. Protective actions can include limiting communications, blocking IPs and domains, network segment isolation, increased logging, additional scans and more. One key aspect of containment is to prevent the exfiltration of data and further communication with external command and control servers. This step often involves updating block lists on dozens, if not hundreds, of devices, frequently from multiple vendors. Automating enforcement updates provides the best assurance; if updates are done manually, verify that every necessary update on every device has actually been completed. It takes just one out-of-date device to allow further exfiltration of intellectual property or to let an infection spread.
5. Confirm. The next step is to verify that enforcement is in place. Are all enforcement devices really updated and providing protection? The IT security team should maintain an audit trail of all responses over time. In a large-scale environment, ensuring up-to-date enforcement on current and newly added devices is subject to human error if both the audit trail and the updates are maintained manually. Remember that enforcement is subject to priorities influenced by internal and external context. This means that after high-priority internal systems and networks are secured, another round of analysis and enforcement may be needed for incidents deemed a lower priority.
6. Block list management. Understand all the objects, rules, and lists in place. Large networking environments mean large enforcement lists and potentially complex policies. These must be organized, shared with the security team, and managed centrally to limit duplicate effort and ensure consistent security. When responding to frequent or complex security events, your network is only as strong as its weakest link, so double-check list, rule, and object updates to ensure consistency.
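As an added example of the verification that steps 5 and 6 describe (not code from the original article), the script below diffs each enforcement device's loaded block list against the incident's master list, normalizing notation so that a /32 versus bare IP or an upper-case domain with a trailing dot does not mask a missing entry. The device names, indicators and lists are constructed placeholders; in practice the per-device lists would be exported from the firewalls and proxies themselves.

```python
import ipaddress
from dataclasses import dataclass

# Constructed sample data: the intended (master) block list for the incident,
# and what each enforcement device actually has loaded. Names and values are
# illustrative placeholders, not from any real environment.
MASTER_BLOCK_LIST = ["198.51.100.23", "203.0.113.0/24", "c2.example.net"]
DEVICE_BLOCK_LISTS = {
    "fw-edge-1":   ["198.51.100.23/32", "203.0.113.0/24", "C2.EXAMPLE.NET."],  # same set, different notation
    "proxy-dc-2":  ["198.51.100.23", "c2.example.net"],                       # never received the CIDR
    "fw-branch-7": ["198.51.100.23", "203.0.113.0/24", "c2.example.net",
                    "old-c2.example.org"],                                   # carries a stale entry
}

@dataclass
class DeviceAudit:
    device: str
    missing: set   # master entries this device does not enforce
    stale: set     # entries on the device that the master list no longer contains

def normalize(indicator: str) -> str:
    """Canonicalize an indicator so notation differences cannot hide a gap:
    case and trailing dot for domains, host-vs-/32 and CIDR form for IPs."""
    ind = indicator.strip().lower().rstrip(".")
    try:
        return str(ipaddress.ip_network(ind, strict=False))  # '10.0.0.5' -> '10.0.0.5/32'
    except ValueError:
        return ind  # not an IP or CIDR, treat as a domain name

def audit_enforcement(master, device_lists):
    """Diff every device's loaded list against the master list.
    Returns {device_name: DeviceAudit}; an empty 'missing' set means the
    device enforces everything the incident requires."""
    want = {normalize(i) for i in master}
    report = {}
    for device, entries in device_lists.items():
        have = {normalize(i) for i in entries}
        report[device] = DeviceAudit(device, missing=want - have, stale=have - want)
    return report

def noncompliant(report):
    """Devices that would still let the blocked traffic through."""
    return sorted(name for name, audit in report.items() if audit.missing)

if __name__ == "__main__":
    report = audit_enforcement(MASTER_BLOCK_LIST, DEVICE_BLOCK_LISTS)
    for audit in report.values():
        print(f"{audit.device}: missing={sorted(audit.missing)} stale={sorted(audit.stale)}")
    print("non-compliant:", noncompliant(report))
```

Running the report on a schedule and keeping its output gives the audit trail step 5 asks for, and the stale entries it surfaces are the duplicate or leftover objects step 6 warns about.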
7. Test everything. Everything should be tested more than once to be sure both automated and manual processes are properly in place. Remember that even if you don’t test, there are more than enough hackers and penetration testers out there to test your systems for you. At a minimum, perform a conformance test and plan larger regression tests every quarter.