Making the case for incident response


Tim Armstrong

Co3 Systems, USA
Editor: Helen Martin


‘There is a shift occurring in the security space around incident response. It’s becoming clear that no organization is completely safe.' Tim Armstrong

Currently there is a lot of talk of preventative security technologies being all but dead. I disagree, although the way they are used may have changed. It would be a mistake to ignore the recommended best practice of installing anti-virus, but it would be an even bigger mistake to stop there. The threat-detection market is alive and well, with a plethora of advanced technologies that do incredible things, from on-demand virtual sandboxes to advanced APT detection.

The problem is this: in some cases the bad guys will still get in, and how you react once your defences have been breached can make the difference between a security event and a security disaster. It could mean the end of your job, or even the end of your company. A vast amount of time and money is dedicated to trying to keep the bad guys out, but very little is spent on planning what to do when that defence fails.

Every day, I talk to organizations that have great intentions, but little to no preparation. Making the case for incident response to management can be trying at best. Unless your company has seen the result of a serious incident, both in terms of clean-up costs and brand damage, it can be an uphill battle to convince budget holders of the value of incident response tools and techniques. The continuing catalogue of high-profile breaches in the news can only help your case, because this is a problem that is not going to go away any time soon.

You can understand why, after so much time, effort and money has been spent on preventative tools, security professionals are hesitant to bring up the need for more tools or resources to deal with the situation when someone defeats those defences. Preventative tools are necessary, but make no mistake: someone will get around them. Given enough time and resources on the part of the attacker, no system is 100% secure. This is especially true in the case of state-sponsored malware, whose authors have almost endless resources.

What is not often discussed is how valuable those same defensive tools are to the incident response process. Anti-virus, IDS, SIEMs and other security tools are essential in recreating an incident timeline: their alerts and logs tell us the attack vector, the attacker's pathway through the network, and the indicators of compromise. Once we know where to look, they also let us make our defences stronger.
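To show what "recreating an incident timeline" from tool output looks like in practice, here is an added example (not code from the article or from Co3 Systems) that normalizes constructed anti-virus, IDS and web-proxy records into one UTC-ordered timeline, derives the attacker's path between hosts, and extracts the indicators of compromise with the time each was first seen. The log formats, the hostnames, the IP addresses, the hash and the asset inventory in `HOST_BY_IP` are all assumptions made for the example, not those of any particular product or incident.

```python
"""Rebuild an incident timeline from AV, IDS and proxy records.

All log lines, hostnames, IPs and the hash below are constructed for this
example; the formats are assumed, not those of any particular product.
"""
import ipaddress
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed asset inventory and internal address space (constructed).
HOST_BY_IP = {"10.0.5.17": "ws-17", "10.0.5.23": "ws-23"}
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8")]

DOMAIN_IN_URL = re.compile(r"https?://([A-Za-z0-9.-]+)")
IDS_LINE = re.compile(r"(\S+) \[\*\*\] \[[^\]]+\] (.+?) \[\*\*\] (\S+):\d+ -> (\S+):\d+$")


@dataclass(order=True)
class Event:
    ts: datetime          # normalised to UTC so different sources can be merged
    source: str
    host: str
    summary: str
    iocs: set = field(default_factory=set, compare=False)


def is_internal(ip: str) -> bool:
    """True for addresses inside our own space; those are assets, not indicators."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_av(line: str) -> Event:
    # Assumed format: "<ISO-8601 UTC> host=<h> action=<a> sha256=<hex> path=<p>"
    ts_str, rest = line.split(" ", 1)
    kv = dict(item.split("=", 1) for item in rest.split(" "))
    ts = datetime.strptime(ts_str, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return Event(ts, "av", kv["host"], f'{kv["action"]} {kv["path"]}', {kv["sha256"]})


def parse_ids(line: str) -> Event:
    # Assumed fast-alert style: "<m/d/Y-H:M:S.us> [**] [gid:sid:rev] <msg> [**] <src>:<p> -> <dst>:<p>"
    m = IDS_LINE.match(line)
    if not m:
        raise ValueError(f"unrecognised IDS line: {line!r}")
    ts = datetime.strptime(m.group(1), "%m/%d/%Y-%H:%M:%S.%f").replace(tzinfo=timezone.utc)
    msg, src, dst = m.group(2), m.group(3), m.group(4)
    iocs = set() if is_internal(dst) else {dst}   # internal peers are not shareable IoCs
    summary = f"{msg} -> {HOST_BY_IP.get(dst, dst)}"
    return Event(ts, "ids", HOST_BY_IP.get(src, src), summary, iocs)


def parse_proxy(line: str) -> Event:
    # Assumed format: "<epoch seconds> <host> <method> <url> <status>"
    epoch, host, method, url, status = line.split()
    ts = datetime.fromtimestamp(int(epoch), tz=timezone.utc)
    return Event(ts, "proxy", host, f"{method} {url} {status}", set(DOMAIN_IN_URL.findall(url)))


def build_timeline(av_lines, ids_lines, proxy_lines) -> list:
    """Parse every source, then order all events on the shared UTC clock."""
    events = [parse_av(l) for l in av_lines]
    events += [parse_ids(l) for l in ids_lines]
    events += [parse_proxy(l) for l in proxy_lines]
    return sorted(events)


def attack_path(timeline) -> list:
    """Hosts in the order they first appear: the attacker's pathway through the network."""
    path = []
    for e in timeline:
        if e.host not in path:
            path.append(e.host)
    return path


def indicators(timeline) -> dict:
    """Each IoC mapped to the ISO-8601 time it was first observed, ready for sharing."""
    first_seen = {}
    for e in timeline:               # timeline is already chronological
        for ioc in e.iocs:
            first_seen.setdefault(ioc, e.ts.strftime("%Y-%m-%dT%H:%M:%SZ"))
    return first_seen


# Constructed sample records (not real logs). The proxy epoch is 2024-03-04T09:08:40Z.
SAMPLE_HASH = "a1b2c3d4" * 8
AV_LINES = [
    f"2024-03-04T09:12:41Z host=ws-17 action=quarantine sha256={SAMPLE_HASH} path=C:\\Temp\\payload.bin",
    f"2024-03-04T09:20:02Z host=ws-23 action=quarantine sha256={SAMPLE_HASH} path=C:\\Windows\\Temp\\svc.exe",
]
IDS_LINES = [
    "03/04/2024-09:10:05.123456 [**] [1:1000001:1] Outbound download of executable [**] 10.0.5.17:51234 -> 203.0.113.9:443",
    "03/04/2024-09:15:30.000001 [**] [1:1000002:1] Unusual SMB session between workstations [**] 10.0.5.17:49200 -> 10.0.5.23:445",
]
PROXY_LINES = ["1709543320 ws-17 GET http://updates.example.invalid/payload.bin 200"]

if __name__ == "__main__":
    tl = build_timeline(AV_LINES, IDS_LINES, PROXY_LINES)
    for e in tl:
        print(e.ts.isoformat(), e.source.ljust(5), e.host.ljust(6), e.summary)
    print("attack path:", " -> ".join(attack_path(tl)))
    print("indicators:", indicators(tl))
```

The design point is the shared clock: each parser converts its own timestamp convention (ISO-8601, IDS month/day/year, epoch seconds) to a timezone-aware UTC `datetime` before anything is compared, because an unconverted local-time source silently reorders the story. The IDS parser also resolves addresses through the asset inventory and drops internal destinations from the indicator set, so that the shared IoC list contains the attacker's infrastructure and the hash, not our own workstations.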

There is a shift occurring in the security space around incident response. It's becoming clear that no organization is completely safe. Whether you're a retailer, a manufacturer, a hospital or an insurance firm, you will need a plan. You will need a system of record. You will need a repeatable process, and the last thing you want is to be creating that process in the heat of an incident. In fact, you'll want to tie that incident response process into every tool that can help.

A large part of the incident response process is research, and having the output of quality tools available will shorten your response time. Look at any breach report and you'll see that response time is currently measured in months. As an industry, we need to bring that under control; it is the unfortunate truth that the bad guys currently have the upper hand. We are not winning at the gateway, we are not winning on the network, and we are not winning at the endpoint. We must win at incident response. Collecting data during incident response, sharing indicators of compromise, and making life as hard as possible for attackers is our best chance.

I believe that we need to accept that we will all deal with a breach at some point. But if we can act collectively to make attackers less effective, and get rid of the shame of disclosure, we can turn the tide of security to our favour.


