Incident Response Platform (IRP) class systems: purpose and main functions

Friends, in a previous publication we analyzed international documents on information security risk management, and in earlier articles we examined the basics of information security and discussed legislation in the field of personal data protection and critical information infrastructure. In this article, we move on to the practical plane and talk about IRP systems, which are designed to simplify and automate the procedures for responding to information security incidents. Let's get started!


Introduction


As we know, the number of IS incidents, especially in large companies, is now quite large, and when responding to them, every minute counts. Moreover, not everyone can afford to hire a large number of highly qualified specialists.

The question arises: how can we help IS analysts (primarily at L1 and L2) respond to incidents and relieve them of the routine burden of performing the same operations over and over?

Imagine a situation where the SIEM system shows a possible attack on the remote banking system. Attackers could steal money from the company's accounts at any minute, and afterwards it will be difficult to get the money back. Having seen such an incident, the SOC analyst must collect a large amount of supporting information: the name of the attacked server, the name of the financial system, the name and contact details of the person responsible for it, and additional information from that person. If there is no doubt that the incident is real (“combat”) and not a false positive, the analyst needs to isolate the attacked server from the company's network as soon as possible, block the compromised account, and report the incident to the manager and to others in accordance with the communication matrix.

As you can see, there are a lot of tasks, and all of them must be completed within a strictly allotted time set by KPI standards, for example, 10 minutes. This is exactly where an Incident Response Platform (IRP), a system for automating the response to information security incidents, can come to our analyst's aid. The IRP system helps carry out a number of routine operations: collect additional information, take urgent actions to contain and eradicate the threat, recover the attacked system, notify interested parties, and collect and structure data on the information security incidents investigated. In addition, IRP allows the same kind of actions that an IS specialist performs in response to incidents to be robotized and automated, which reduces the employee's workload in terms of routine operations. Let us dwell in more detail on the incident response tasks performed by IRP systems.

IS Incident Response Processes


In order to understand how and where to correctly apply and implement IRP systems, we should look at the process of responding to information security incidents as a whole and think about how to automate it. To do this, we turn to NIST SP 800-61, Computer Security Incident Handling Guide. According to it, the response to IS incidents consists of several interrelated processes:

  1. Preparation
  2. Detection
  3. Analysis
  4. Containment / Localization
  5. Eradication
  6. Recovery
  7. Post-Incident Activities

Consider these processes in more detail in the context of the use of IRP-systems for their automation.

1. Preparation


The preparation phase is preliminary and one of the key ones. At this stage, all organizational work should be done so that the actions of the IS incident response team are documented and agreed upon. Response policies, procedures and instructions should be as clear, detailed and convenient as possible, so that in the case of a high-priority incident the analysts of the response team know exactly what should be done in a given situation. Exercises should be held regularly to practise the steps defined in the written documents, and both company personnel and the response team should be trained in the correct technical and organizational actions during an incident.

At the preparation stage, playbooks (runbooks) are also created and configured: response scenarios according to which the response team and the IRP system take predefined actions depending on the details of the incident. For example, in the event of a high-priority IS incident on a particularly critical system, the playbook may require a response team member to contact the manager and the person responsible for the system, while the IRP platform issues the command to isolate this system from the company's network for further investigation.

In addition, at the preparatory stage you should provide the incident response team with all the necessary software and hardware (issue laptops and smartphones, install the necessary utilities on them) and take preventive actions to prevent incidents (protect the company's network and devices, deploy information security tools, train employees in the basics of information security). At this time, the IRP platform is tuned for effective use: the IT systems and security tools that it will interact with while responding to incidents are connected to it. As a rule, these are systems that can provide the specialist with additional information in the context of an incident, for example, information about the users affected by the incident (contact details, position, structural unit, authority) and about devices (type of operating system, installed software, function performed). In addition, protection tools are connected that, as part of the incident response, will carry out containment and eradication tasks, for example, endpoint protection tools, firewalls and network management systems.

Thus, by the time an information security incident occurs, the company should be fully armed: response specialists and the IRP system should be in full combat readiness. This is a guarantee that even if an incident occurs, it can be quickly localized and its consequences will not be excessively destructive.
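The preparation-stage artefacts described above (an asset inventory with the function and owner of each system, a communication matrix, and playbooks that fire on incident details) can be expressed as a tiny playbook engine. The following is an added example written for this article, not code from the original publication or from any real IRP product; the asset names, owners, priorities and playbook steps are constructed sample data, and the action strings (`isolate_host:`, `block_account:`) are placeholders for whatever commands a real platform would send to its connected security tools.

```python
"""Minimal playbook engine for the preparation stage described above.
Added example; not code from the original article or from any real IRP product.
The asset inventory, communication matrix and playbooks are constructed sample data."""
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional

# Constructed asset inventory: what the IRP is told about each system at the
# preparation stage (function performed, criticality, responsible person).
ASSETS: Dict[str, Dict] = {
    "rbs-app-01": {"function": "remote banking frontend", "critical": True, "owner": "rbs-owner"},
    "wiki-01": {"function": "internal wiki", "critical": False, "owner": "it-ops"},
}
UNKNOWN_ASSET = {"function": "unknown", "critical": False, "owner": "it-ops"}

# Constructed communication matrix: who is notified for each priority.
COMMUNICATION_MATRIX: Dict[str, List[str]] = {
    "high": ["soc-lead", "ciso"],
    "medium": ["soc-lead"],
    "low": [],
}


@dataclass
class Incident:
    incident_id: str
    kind: str                      # e.g. "compromised_account", "malware"
    priority: str                  # "low" | "medium" | "high"
    host: str
    account: Optional[str] = None  # compromised account, if known


@dataclass
class Playbook:
    name: str
    condition: Callable[[Incident, Dict], bool]  # evaluated against incident + asset context
    steps: List[str]                             # ordered action templates


# Constructed playbooks: a condition on the incident details and an ordered
# list of actions. "notify_matrix" expands to the communication matrix.
PLAYBOOKS: List[Playbook] = [
    Playbook(
        name="critical-system-high-priority",
        condition=lambda inc, asset: inc.priority == "high" and asset["critical"],
        steps=["notify:{owner}", "notify_matrix", "isolate_host:{host}", "block_account:{account}"],
    ),
    Playbook(
        name="generic-malware",
        condition=lambda inc, asset: inc.kind == "malware",
        steps=["notify:{owner}", "collect_forensics:{host}"],
    ),
]


def run_playbooks(inc: Incident, journal: Optional[List[str]] = None) -> List[str]:
    """Match every playbook against the incident and its asset context, expand
    the action templates and record each action in the incident journal.
    Returns the ordered, de-duplicated list of actions the IRP would execute."""
    if journal is None:
        journal = []
    asset = ASSETS.get(inc.host, UNKNOWN_ASSET)
    actions: List[str] = []
    for pb in PLAYBOOKS:
        if not pb.condition(inc, asset):
            continue
        journal.append(f"{inc.incident_id}: playbook '{pb.name}' matched")
        for step in pb.steps:
            if step == "notify_matrix":
                expanded = [f"notify:{who}" for who in COMMUNICATION_MATRIX[inc.priority]]
            elif "{account}" in step and inc.account is None:
                continue  # no account to block: skip rather than emit "block_account:None"
            else:
                expanded = [step.format(owner=asset["owner"], host=inc.host, account=inc.account)]
            for action in expanded:
                if action not in actions:  # the same action from two playbooks runs once
                    actions.append(action)
                    journal.append(f"{inc.incident_id}: action {action}")
    return actions


if __name__ == "__main__":
    log: List[str] = []
    inc = Incident("INC-1", "compromised_account", "high", "rbs-app-01", account="svc-rbs")
    print(run_playbooks(inc, log))
    print("\n".join(log))
```

The journal list is the part worth copying: every matched playbook and every emitted action is appended before anything is executed, which is what later lets the platform show who was notified, what was isolated and when.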

2. Detection


At the detection stage, one should determine the list of possible types of IS incidents and formulate a list of signs of possible incidents. Signs can be divided into precursors and indicators of information security incidents:

  • a precursor is a sign that an information security incident may occur in the future;
  • an indicator is a sign that an incident has already occurred or is occurring right now.

Examples of information security incident precursors include a recorded scan from the Internet of the company's web server's open ports, or the detection of a vulnerability in some IT system. Examples of information security incident indicators include messages from protection tools (antivirus, firewall, etc.) about a possible attack, unauthorized deletion or modification of data, and the appearance of errors and malfunctions in the operation of IT systems. Attention should be paid to anomalies in network traffic: unexpected bursts of a certain type of traffic (for example, DNS) may indicate malicious activity. Atypical user behavior should also be analyzed: a remote connection after hours from an unusual location can be a sign of a compromised account. In order to make maximum use of the IRP system at the detection stage, you should integrate the IRP platform with the SIEM system: this combination provides a “seamless” transfer of incident precursors and indicators from the company's IT systems and security tools via SIEM directly to the IRP system, which allows it to quickly detect incidents and take adequate response measures.

3. Analysis


During the incident analysis phase, the main burden rests on the analyst's experience and expertise: they have to decide whether the recorded incident is real (“combat”) or a false positive. Identification and initial processing (triage) should be carried out: determine the type of incident and categorize it. Next, indicators of compromise (IoCs) are determined, the possible scale of the incident and the affected components of the infrastructure are analyzed, and a limited forensic survey is carried out to clarify the type of incident and possible further response steps.

At this stage, the IRP platform provides invaluable assistance because it can supply important contextual information related to the incident. Here is an example: the SIEM system reports that the company's web server was attacked, and the vulnerability used applies only to Windows. The analyst, looking at the IRP console, will immediately see that the attacked web server is running on Linux, and therefore the attack could not have been successful. Another example: an anti-virus system on one of the laptops reported a virus infection and subsequent access to certain IP addresses. The analyst, using the data of the IRP system, will see that similar network activity is also observed on several other devices in the company's network, which indicates not an isolated infection but a mass one. The incident will be given a higher priority, it will be escalated in accordance with the escalation matrix, and additional resources will be directed to its elimination. The IRP platform helps record all the actions carried out as part of the response, and also automates communication and escalation of the incident.
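Both analysis-stage examples above (the Windows-only exploit against a Linux web server, and the same IP contacted from several laptops) come down to enriching SIEM alerts with the IRP's asset context and correlating indicators across hosts. The following is an added example written for this article, not code from the original publication or from any IRP vendor; the inventory, the escalation matrix and the SIEM alerts are constructed sample data, and the `affected_platforms` field is an assumed attribute that a real alert would carry from the vulnerability database.

```python
"""Analysis-stage triage as described above: drop alerts whose exploited
vulnerability cannot apply to the attacked asset, correlate the remaining
indicators across hosts and pick priority and escalation target from an
escalation matrix. Added example; not code from the article or from any IRP
product. Inventory, alerts and the matrix are constructed sample data."""
from collections import defaultdict
from typing import Dict, List, Optional, Tuple

# Constructed asset inventory as the IRP holds it after the preparation stage.
ASSET_OS: Dict[str, str] = {
    "web-01": "linux",
    "lap-101": "windows",
    "lap-102": "windows",
    "lap-103": "windows",
}

# Constructed escalation matrix: (minimum affected hosts, priority, escalate to).
ESCALATION_MATRIX: List[Tuple[int, str, str]] = [
    (5, "critical", "ciso"),
    (2, "high", "soc-lead"),
    (1, "medium", "l2-analyst"),
]


def vulnerability_applies(alert: Dict, inventory: Dict[str, str] = ASSET_OS) -> bool:
    """False when the exploited vulnerability targets a platform the attacked host
    does not run (the 'Windows exploit against a Linux web server' case).
    An unknown asset cannot be ruled out, so the alert is kept."""
    host_os = inventory.get(alert["host"])
    if host_os is None:
        return True
    return host_os in alert["affected_platforms"]


def correlate_by_indicator(alerts: List[Dict]) -> Dict[str, List[str]]:
    """Group the affected hosts by each indicator (here a contacted IP) they share."""
    hosts_by_ioc = defaultdict(set)
    for alert in alerts:
        for ioc in alert.get("indicators", []):
            hosts_by_ioc[ioc].add(alert["host"])
    return {ioc: sorted(hosts) for ioc, hosts in hosts_by_ioc.items()}


def prioritize(hosts: List[str]) -> Tuple[str, Optional[str]]:
    """Map the number of affected hosts to a priority and an escalation target."""
    for min_hosts, priority, target in ESCALATION_MATRIX:
        if len(hosts) >= min_hosts:
            return priority, target
    return "low", None


def triage(alerts: List[Dict]) -> Dict:
    """Filter, correlate and prioritise; returns the dropped alert ids and a
    verdict per indicator so every decision is recorded in the incident."""
    kept = [a for a in alerts if vulnerability_applies(a)]
    kept_ids = {a["id"] for a in kept}
    dropped = [a["id"] for a in alerts if a["id"] not in kept_ids]
    verdicts = {}
    for ioc, hosts in correlate_by_indicator(kept).items():
        priority, target = prioritize(hosts)
        verdicts[ioc] = {"hosts": hosts, "priority": priority, "escalate_to": target}
    return {"false_positives": dropped, "verdicts": verdicts}


# Constructed SIEM alerts as they would arrive in the IRP: A1 is an exploit
# attempt against the Linux web server with a Windows-only vulnerability,
# A2..A4 are antivirus detections on laptops that then contacted the same IP.
SAMPLE_ALERTS: List[Dict] = [
    {"id": "A1", "host": "web-01", "affected_platforms": ["windows"], "indicators": ["203.0.113.10"]},
    {"id": "A2", "host": "lap-101", "affected_platforms": ["windows"], "indicators": ["198.51.100.7"]},
    {"id": "A3", "host": "lap-102", "affected_platforms": ["windows"], "indicators": ["198.51.100.7"]},
    {"id": "A4", "host": "lap-103", "affected_platforms": ["windows"], "indicators": ["198.51.100.7"]},
]

if __name__ == "__main__":
    print(triage(SAMPLE_ALERTS))
```

Note the conservative default in `vulnerability_applies`: an asset the IRP does not know about is never auto-dismissed, since an incomplete inventory is exactly the situation in which a false negative is most expensive.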

4. Containment / localization


At the stage of containment (or localization) of an incident, the main task is to quickly minimize the potential damage from an IS incident and provide a time window for making a decision on eliminating the threat. This can be achieved, for example, by quickly turning on more stringent prohibitive rules on the firewall for an infected device, isolating the infected host from the local network of the company, disconnecting some of the services and functions, or, finally, completely shutting down the infected device.

At this stage, information about the incident obtained at the analysis stage is used, as well as information about what function the affected IT asset performs, because, for example, shutting down a critical server can lead to more significant negative consequences for the company than simply restarting a non-critical service on it. In this situation, the IRP platform will again tell you what functions the server performs and how and when it can be turned off or isolated (provided that this information was entered into the IRP at the preparation stage). In addition, the containment scenarios applicable to each specific type of incident should be included in the IRP playbooks at the preparation stage. For example, in the case of a DDoS attack it may make no sense to turn off the attacked servers, and in the case of a virus infection within one network segment there may be no need to isolate devices in another segment. At the containment stage, the details of the attack are also analyzed: which system was attacked first, what tactics, techniques and procedures the attackers used, which command-and-control servers are used in the attack, and so on. This information is collected by the IRP system: integration with cyber intelligence sources (Threat Intelligence feeds) and specialized search engines (for example, VirusTotal, Shodan, Censys) gives a clearer and more enriched picture of the incident, which helps deal with it more effectively. In some cases it may also be necessary to obtain forensic data for subsequent computer forensics, and the IRP platform helps collect such information from the attacked devices.
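The containment decisions in this section (do not shut down DDoS targets, choose a less disruptive action for a critical server, keep isolation inside the affected segment, and enrich attacker addresses from threat intelligence before blocking them) can be made mechanically from the asset inventory. The following is an added example written for this article, not code from the original publication or from any IRP or threat-intelligence vendor; the hosts, segments, feed contents and IP addresses are all constructed, and the local `TI_FEED` dictionary stands in for the real feed, VirusTotal, Shodan or Censys lookups a platform would perform.

```python
"""Containment-stage decision logic for the cases discussed above: no
shutdown for DDoS targets, isolation scoped to the affected network segment,
a less disruptive action for critical assets, and enrichment of attacker
addresses against a threat-intelligence feed before they are blocked. Added
example; not code from the article or from any IRP or TI vendor. Inventory,
feed contents and IP addresses are constructed."""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed asset inventory: network segment and criticality per host
# (entered into the IRP at the preparation stage).
ASSETS: Dict[str, Dict] = {
    "fin-01": {"segment": "10.10.1.0/24", "critical": True},
    "fin-02": {"segment": "10.10.1.0/24", "critical": True},
    "hr-01": {"segment": "10.10.2.0/24", "critical": False},
    "hr-02": {"segment": "10.10.2.0/24", "critical": False},
}

# Constructed local threat-intelligence feed (a real IRP would query TI feeds,
# VirusTotal, Shodan or Censys here).
TI_FEED: Dict[str, Dict] = {
    "198.51.100.7": {"tag": "c2", "family": "ExampleLoader"},
}


@dataclass
class ContainmentPlan:
    host_actions: Dict[str, str] = field(default_factory=dict)  # host -> action
    restricted_segments: List[str] = field(default_factory=list)  # stricter firewall rules here
    block_ips: List[str] = field(default_factory=list)  # to push to the perimeter firewall
    enrichment: Dict[str, Dict] = field(default_factory=dict)  # ip -> TI verdict


def is_internal(ip: str) -> bool:
    """True if the address belongs to one of the company's own segments."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(a["segment"]) for a in ASSETS.values())


def enrich(ip: str) -> Dict:
    """Look the address up in the TI feed; unknown addresses are still reported."""
    hit = TI_FEED.get(ip)
    return {"known": hit is not None, **(hit or {})}


def plan_containment(incident_type: str, affected_hosts: List[str], attacker_ips: List[str]) -> ContainmentPlan:
    """Build the containment actions for one incident. Hosts outside the
    segments of the affected machines are never touched."""
    plan = ContainmentPlan()
    if incident_type == "ddos":
        # Switching off the attacked servers would only complete the attacker's goal.
        for host in affected_hosts:
            plan.host_actions[host] = "keep_running+upstream_filtering"
    else:
        for host in affected_hosts:
            # A critical server stays up but loses its network; a workstation can be shut down.
            plan.host_actions[host] = "isolate_network" if ASSETS[host]["critical"] else "shutdown"
        plan.restricted_segments = sorted({ASSETS[h]["segment"] for h in affected_hosts})
    for ip in attacker_ips:
        plan.enrichment[ip] = enrich(ip)
        if is_internal(ip):
            # An internal source is a compromised host, not a perimeter-blockable attacker.
            plan.enrichment[ip]["note"] = "internal address: investigate the host, do not block at perimeter"
        else:
            plan.block_ips.append(ip)
    return plan


if __name__ == "__main__":
    print(plan_containment("malware", ["fin-01", "hr-01"], ["198.51.100.7", "10.10.1.12"]))
```

The `is_internal` check is the caveat a practitioner will want: an "attacker" address that turns out to be one of the company's own segments is a lateral-movement lead, and pushing it to the perimeter firewall would do nothing except hide the real problem.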

5. Eradication


At the eradication stage, active steps are taken to remove the threat from the network and prevent a repeat attack: malware is removed, compromised accounts are dealt with (they can be temporarily blocked, their password changed or, for example, renamed), updates and patches for the exploited vulnerabilities are installed, and security settings are changed (for example, to block the attackers' IP addresses). These actions are performed for all entities affected by the incident: devices, accounts and programs.

It is extremely important to carefully eliminate the vulnerabilities that were used by the attackers, since most often, after successfully breaking into a company, hackers return in the hope of exploiting the same weaknesses in its protection. During this process, the IRP platform issues the necessary commands to the protection tools and collects the missing data about all the devices affected by the incident. Thus, the speed of eliminating the threat itself increases significantly when an IRP system is used, which makes it an excellent tool for information security analysts.

6. Recovery


At the recovery stage, you should check the reliability of the protection measures taken, return the systems to normal operation (business as usual), possibly restoring some systems from backups or installing and configuring them again. At this stage, IRP systems will help to remember all the devices involved in the incident and the chronology of events, since this data is stored and accumulated in the IRP throughout the entire incident investigation cycle.

7. Post-incident activities


At the post-incident stage, a root cause analysis should be performed in order to minimize the likelihood of a similar incident in the future, to assess the correctness and timeliness of the actions of personnel and security tools, and, possibly, to optimize some response procedures and IS policies. In the event of a serious incident, an unscheduled vulnerability scan of the infrastructure, a penetration test and/or an unscheduled information security audit should be performed.

It is logical to use an aggregated knowledge base to preserve the accumulated response experience, which can also be done in the IRP platform, since it already stores detailed information about information security incidents and the response measures taken. In some cases, an official incident report is required, especially if the incident was serious or affected important data: for example, information on computer incidents in critical information infrastructure must be sent to the state system GosSOPKA (the Russian state system for detecting, preventing and eliminating the consequences of computer attacks). For such purposes, some domestic IRP systems have both an API for working with GosSOPKA and the ability to automatically generate incident reports based on pre-created templates. As you can see, IRP is also a universal repository of information about information security incidents, with the ability to robotize the routine work of an information security specialist.
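The post-incident report the article says an IRP can generate from templates is only as good as the journal accumulated during the response (see the recovery section: the platform keeps the devices involved and the chronology of events). The following is an added example written for this article, not code from the original publication or from any IRP product, and it does not model the GosSOPKA API, which the article mentions but does not describe; the journal entries and the report template are constructed, and the 10-minute time-to-contain KPI reuses the figure the article gives as an illustration in the introduction.

```python
"""Post-incident stage: turn the action journal the IRP accumulated during the
response into a report from a template, and check the time-to-contain KPI.
Added example; not code from the article or from any IRP product. The journal
entries and the template are constructed; the 10-minute KPI is the figure used
as an illustration earlier in the article."""
from datetime import datetime, timedelta
from string import Template
from typing import Dict, List, Optional

KPI_TIME_TO_CONTAIN = timedelta(minutes=10)

# Constructed incident journal in the order the IRP recorded it.
JOURNAL: List[Dict] = [
    {"ts": "2024-03-01T09:00:00", "stage": "detection", "host": "rbs-app-01", "event": "SIEM alert: possible attack on RBS frontend"},
    {"ts": "2024-03-01T09:02:30", "stage": "analysis", "host": "rbs-app-01", "event": "confirmed real incident, owner contacted"},
    {"ts": "2024-03-01T09:13:00", "stage": "containment", "host": "rbs-app-01", "event": "host isolated from network"},
    {"ts": "2024-03-01T09:13:40", "stage": "containment", "host": None, "event": "account svc-rbs blocked"},
    {"ts": "2024-03-01T09:45:00", "stage": "eradication", "host": "rbs-app-01", "event": "patch installed, attacker IP blocked"},
    {"ts": "2024-03-01T10:30:00", "stage": "recovery", "host": "rbs-app-01", "event": "service restored from backup"},
]

# Constructed report template; a real IRP would hold these pre-created templates.
REPORT_TEMPLATE = Template("""Incident $incident_id
Affected hosts: $hosts
Detected:  $detected
Contained: $contained (time to contain $ttc, KPI $kpi_status)
Timeline:
$timeline
""")


def stage_start_times(journal: List[Dict]) -> Dict[str, datetime]:
    """First timestamp at which each stage appears in the journal."""
    first: Dict[str, datetime] = {}
    for entry in journal:
        ts = datetime.fromisoformat(entry["ts"])
        if entry["stage"] not in first or ts < first[entry["stage"]]:
            first[entry["stage"]] = ts
    return first


def time_to_contain(journal: List[Dict]) -> Optional[timedelta]:
    """Detection -> first containment action; None if containment never happened."""
    first = stage_start_times(journal)
    if "detection" not in first or "containment" not in first:
        return None
    return first["containment"] - first["detection"]


def kpi_met(journal: List[Dict]) -> bool:
    """An incident that was never contained has not met the KPI either."""
    ttc = time_to_contain(journal)
    return ttc is not None and ttc <= KPI_TIME_TO_CONTAIN


def affected_hosts(journal: List[Dict]) -> List[str]:
    """Every host named in any journal entry, for the report and the knowledge base."""
    return sorted({e["host"] for e in journal if e.get("host")})


def build_report(incident_id: str, journal: List[Dict]) -> str:
    """Render the report; every line comes from the journal, nothing is invented."""
    first = stage_start_times(journal)
    ttc = time_to_contain(journal)
    timeline = "\n".join(f"  {e['ts']}  [{e['stage']}] {e['event']}" for e in journal)
    return REPORT_TEMPLATE.substitute(
        incident_id=incident_id,
        hosts=", ".join(affected_hosts(journal)) or "none recorded",
        detected=first.get("detection", "n/a"),
        contained=first.get("containment", "n/a"),
        ttc=ttc if ttc is not None else "n/a",
        kpi_status="met" if kpi_met(journal) else "MISSED",
        timeline=timeline,
    )


if __name__ == "__main__":
    print(build_report("INC-1", JOURNAL))
```

In the constructed journal containment came 13 minutes after detection, so the report flags the KPI as missed; that flag is precisely the input the post-incident review needs when it asks whether the playbook, the escalation matrix or the analyst's workload is what cost the extra three minutes.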


To summarize: IRP systems are automated information security incident response tools that implement countermeasures against information security threats in accordance with predefined response scenarios. Response scenarios are called playbooks or runbooks and are a set of automated tasks for detecting threats and anomalies in the protected infrastructure and for real-time response to and containment of threats. Response scenarios act on the basis of customizable rules and incident types, performing certain actions depending on the incoming data from security tools or information systems. IRP platforms help conduct a structured and journaled response to information security incidents based on rules and policies. Upon completion of the incident response, the IRP platform helps create a report on the incident and the actions taken to eliminate it.

Summarizing the above, we can conclude that the IRP system is a cybersecurity incident response platform designed to protect information by systematizing data on information security incidents and robotizing the actions of the information security analyst. Thanks to IRP platforms, information security incident response teams can significantly save time and effort in investigating information security incidents, which directly increases the operational efficiency of the information security departments and SOC centers.
