You will be breached - the only question is whether you'll be ready
A cyber breach could cost your organization millions of dollars - in 2019, the average cost of a cyber breach for companies was $3.9M, a figure that is increasing 20-30% annually. But effective planning can lessen the impact and duration of an inevitable cyberattack. Cyber Breach Response That Actually Works provides a business-focused methodology that will allow you to address the aftermath of a cyber breach and reduce its impact on your enterprise.
This book goes beyond step-by-step instructions for technical staff, focusing on big-picture planning and strategy that makes the most business impact. Inside, you’ll learn what drives cyber incident response and how to build effective incident response capabilities. Expert author Andrew Gorecki delivers a vendor-agnostic approach based on his experience with Fortune 500 organizations.
- Understand the evolving threat landscape and learn how to address tactical and strategic challenges to build a comprehensive and cohesive cyber breach response program
- Discover how incident response fits within your overall information security program, including a look at risk management
- Build a capable incident response team and create an actionable incident response plan to prepare for cyberattacks and minimize their impact on your organization
- Effectively investigate small and large-scale incidents and recover faster by leveraging proven industry practices
- Navigate legal issues impacting incident response, including laws and regulations, criminal cases and civil litigation, and types of evidence and their admissibility in court
Beyond its broad discussion of incident response from a business strategy perspective, Cyber Breach Response That Actually Works also covers key technology considerations that help you build an effective capability, accelerate investigations, and keep business operations running during significant cyber events.
Table of Contents
Foreword xxiii
Introduction xxv
Chapter 1 Understanding the Bigger Picture 1
Evolving Threat Landscape 2
Identifying Threat Actors 2
Cyberattack Lifecycle 4
Cyberattack Preparation Framework 5
Cyberattack Execution Framework 6
Defining Cyber Breach Response 8
Events, Alerts, Observations, Incidents, and Breaches 9
Events 9
Alerts 9
Observations 10
Incidents 10
Breaches 11
What is Cyber Breach Response? 12
Identifying Drivers for Cyber Breach Response 13
Risk Management 13
Conducting Risk Management 13
Risk Assessment Process 14
Managing Residual Risk 17
Cyber Threat Intelligence 18
What is Cyber Threat Intelligence? 18
Importance of Cyber Threat Intelligence 19
Laws and Regulations 20
Compliance Considerations 20
Compliance Requirements for Cyber Breach Response 21
Changing Business Objectives 22
Incorporating Cyber Breach Response into a Cybersecurity Program 23
Strategic Planning 23
Designing a Program 24
Implementing Program Components 25
Program Operations 26
Continual Improvement 27
Strategy Development 27
Strategic Assessment 28
Gap Analysis 28
Maturity Assessment 30
Strategy Definition 32
Vision and Mission Statement 32
Goals and Objectives 33
Establishing Requirements 33
Defining a Target Operating Model 35
Developing a Business Case and Executive Alignment 35
Strategy Execution 37
Enacting an Incident Response Policy 37
Assigning an Incident Response Team 38
Creating an Incident Response Plan 38
Documenting Legal Requirements 38
Roadmap Development 39
Governance 40
Establishing Policies 40
Enterprise Security Policy 41
Issue-Specific Policies 41
Identifying Key Stakeholders 42
Executive Leadership 42
Project Steering Committee 42
Chief Information Security Officer 43
Stakeholders with Interest in Cyber Breach Response 43
Business Alignment 44
Continual Improvement 44
Necessity to Determine if the Program is Effective 45
Changing Threat Landscape 45
Changing Business Objectives 45
Summary 46
Notes 47
Chapter 2 Building a Cybersecurity Incident Response Team 51
Defining a CSIRT 51
CSIRT History 52
The Role of a CSIRT in the Enterprise 52
Defining Incident Response Competencies and Functions 55
Proactive Functions 55
Developing and Maintaining Procedures 56
Conducting Incident Response Exercises 56
Assisting with Vulnerability Identification 57
Deploying, Developing, and Tuning Tools 58
Implementing Lessons Learned 59
Reactive Functions 59
Digital Forensics and Incident Response 59
Cyber Threat Intelligence 60
Malware Analysis 60
Incident Management 61
Creating an Incident Response Team 61
Creating an Incident Response Mission Statement 62
Choosing a Team Model 62
Centralized Team Model 63
Distributed Team Model 64
Hybrid Team Model 65
An Integrated Team 66
Organizing an Incident Response Team 66
Tiered Model 66
Competency Model 68
Hiring and Training Personnel 69
Technical Skills 69
Soft Skills 71
Pros and Cons of Security Certifications 72
Conducting Effective Interviews 73
Retaining Incident Response Talent 74
Establishing Authority 75
Full Authority 75
Shared Authority 76
Indirect Authority 76
No Authority 76
Introducing an Incident Response Team to the Enterprise 77
Enacting a CSIRT 78
Defining a Coordination Model 78
Communication Flow 80
Incident Officer 80
Incident Manager 81
Assigning Roles and Responsibilities 82
Business Functions 82
Human Resources 82
Corporate Communications 83
Corporate Security 83
Finance 84
Other Business Functions 85
Legal and Compliance 85
Legal Counsel 85
Compliance Functions 86
Information Technology Functions 87
Technical Groups 87
Disaster Recovery 88
Outsourcing Partners and Vendors 89
Senior Management 89
Working with Outsourcing Partners 90
Outsourcing Considerations 91
Proven Track Record of Success 91
Offered Services and Capabilities 91
Global Support 92
Skills and Experience 92
Outsourcing Costs and Pricing Models 92
Establishing Successful Relationships with Vendors 93
Summary 94
Notes 95
Chapter 3 Technology Considerations in Cyber Breach Investigations 97
Sourcing Technology 98
Comparing Commercial vs. Open Source Tools 98
Commercial Tools 98
Open Source Software 98
Other Considerations 99
Developing In-House Software Tools 100
Procuring Hardware 101
Acquiring Forensic Data 102
Forensic Acquisition 102
Order of Volatility 103
Disk Imaging 103
System Memory Acquisition 105
Tool Considerations 106
Forensic Acquisition Use Cases 107
Live Response 108
Live Response Considerations 109
Live Response Tools 109
Live Response Use Cases 112
Incident Response Investigations in Virtualized Environments 113
Traditional Virtualization 115
Cloud Computing 115
Forensic Acquisition 115
Log Management in Cloud Computing Environments 117
Leveraging Network Data in Investigations 118
Firewall Logs and Network Flows 118
Proxy Servers and Web Gateways 120
Full-Packet Capture 120
Identifying Forensic Evidence in Enterprise Technology Services 123
Domain Name System 123
Dynamic Host Configuration Protocol 125
Web Servers 125
Databases 126
Security Tools 127
Intrusion Detection and Prevention Systems 127
Web Application Firewalls 127
Data Loss Prevention Systems 128
Antivirus Software 128
Endpoint Detection and Response 129
Honeypots and Honeynets 129
Log Management 130
What is Logging? 130
What is Log Management? 132
Log Management Lifecycle 133
Collection and Storage 134
Agent-Based vs. Agentless Collection 134
Log Management Architectures 135
Managing Logs with a SIEM 137
What is SIEM? 138
SIEM Considerations 139
Summary 140
Notes 141
Chapter 4 Crafting an Incident Response Plan 143
Incident Response Lifecycle 143
Preparing for an Incident 144
Detecting and Analyzing Incidents 145
Detection and Triage 146
Analyzing Incidents 146
Containment, Eradication, and Recovery 147
Containing a Breach 147
Eradicating a Threat Actor 148
Recovering Business Operations 149
Post-Incident Activities 149
Understanding Incident Management 150
Identifying Process Components 151
Defining a Process 151
Process Controls 153
Process Enablers 155
Process Interfaces 155
Roles and Responsibilities 158
Service Levels 159
Incident Management Workflow 160
Sources of Incident Notifications 160
Incident Classification and Documentation 162
Incident Categorization 163
Severity Assignment 163
Capturing Incident Information 167
Incident Escalations 169
Hierarchical Escalations 169
Functional Escalation 169
Creating and Managing Tasks 169
Major Incidents 170
Incident Closure 171
Crafting an Incident Response Playbook 171
Playbook Overview 171
Identifying Workflow Components 173
Detection 173
Analysis 174
Containment and Eradication 176
Recovery 176
Other Workflow Components 177
Post-Incident Evaluation 177
Vulnerability Management 177
Purpose and Objectives 178
Vulnerability Management Lifecycle 178
Integrating Vulnerability Management and Risk Management 180
Lessons Learned 180
Lessons-Learned Process Components 181
Conducting a Lessons-Learned Meeting 183
Continual Improvement 184
Continual Improvement Principles 184
The Deming Cycle 184
DIKW Hierarchy 185
The Seven-Step Improvement Process 187
Step 1: Define a Vision for Improvement 188
Step 2: Define Metrics 188
Step 3: Collect Data 189
Step 4: Process Data 190
Step 5: Analyze Information 191
Step 6: Assess Findings and Create Plan 191
Step 7: Implement the Plan 192
Summary 192
Notes 193
Chapter 5 Investigating and Remediating Cyber Breaches 195
Investigating Incidents 196
Determine Objectives 197
Acquire and Preserve Data 198
Perform Analysis 200
Contain and Eradicate 202
Conducting Analysis 202
Digital Forensics 203
Digital Forensics Disciplines 203
Timeline Analysis 205
Other Considerations in Digital Forensics 206
Cyber Threat Intelligence 207
Cyber Threat Intelligence Lifecycle 208
Identifying Attacker Activity with Cyber Threat Intelligence 209
Categorizing Indicators 212
Malware Analysis 214
Classifying Malware 214
Static Analysis 216
Dynamic Analysis 217
Malware Analysis and Cyber Threat Intelligence 217
Threat Hunting 218
Prerequisites to Threat Hunting 218
Threat Hunting Lifecycle 219
Reporting 221
Evidence Types 223
System Artifacts 223
Persistent Artifacts 223
Volatile Artifacts 225
Network Artifacts 226
Security Alerts 227
Remediating Incidents 228
Remediation Process 229
Establishing a Remediation Team 230
Remediation Lead 231
Remediation Owner 232
Remediation Planning 233
Business Considerations 233
Technology Considerations 234
Logistics 235
Assessing Readiness 235
Consequences of Alerting the Attacker 236
Developing an Execution Plan 237
Containment and Eradication 238
Containment 238
Eradication 239
Monitoring for Attacker Activity 240
Summary 241
Notes 242
Chapter 6 Legal and Regulatory Considerations in Cyber Breach Response 243
Understanding Breaches from a Legal Perspective 244
Laws, Regulations, and Standards 244
United States 245
European Union 246
Standards 246
Materiality in Financial Disclosure 247
Cyber Attribution 248
Motive, Opportunity, Means 248
Attributing a Cyber Attack 249
Engaging Law Enforcement 251
Cyber Insurance 252
Collecting Digital Evidence 252
What is Digital Evidence? 253
Digital Evidence Lifecycle 253
Information Governance 254
Identification 254
Preservation 255
Collection 255
Processing 255
Reviewing 256
Analysis 256
Production 257
Presentation 258
Admissibility of Digital Evidence 258
Federal Rules of Evidence 258
Types of Evidence 260
Direct Evidence 260
Circumstantial Evidence 260
Admission of Digital Evidence in Court 261
Evidence Rules 261
Hearsay Rule 261
Business Records Exemption Rule 262
Best Evidence 262
Working with Legal Counsel 263
Attorney-Client Privilege 263
Attorney Work-Product 264
Non-testifying Expert Privilege 264
Litigation Hold 265
Establishing a Chain of Custody 265
What is a Chain of Custody? 266
Establishing a Defensible Protocol 266
Traditional Forensic Acquisition 267
Live Response and Logical Acquisition 268
Documenting a Defensible Protocol 269
Documentation 269
Accuracy 270
Auditability and Reproducibility 270
Collection Methods 270
Data Privacy and Cyber Breach Investigations 271
What is Data Privacy? 271
Handling Personal Data During Investigations 272
Enacting a Policy to Support Investigations 272
Cyber Breach Investigations and GDPR 273
Data Processing and Cyber Breach Investigations 274
Establishing a Lawful Basis for the Processing of Personal Data 275
Territorial Transfer of Personal Data 276
Summary 277
Notes 278
Index 281