4. Becoming a headless chicken when breaches occur. In addition to the right staff,
budget and tools, you also need a comprehensive plan for incident response. Not having
a plan results in hasty, uninformed decisions when breaches occur, and that is never
good for business. Organizations need to have a written incident response playbook that
very clearly delineates defined roles and approved procedures for handling an incident.
For example, is the incident response team permitted to take machines offline without
additional approval to contain an attack? What about wiping computers or blocking
access to specific services? Are those actions permitted when necessary? Additionally,
what are the company’s legal, regulatory and contractual obligations when a breach
occurs? It is critical to have these types of questions answered in writing before an
incident happens.
5. Using generic processes not specific to your organization. While incident response
procedures should be a focus for all organizations today, it’s important to recognize that
‘playbooks’ generally aren’t one size fits all. Context is really key when building an
incident response program.
You have to take into account the specific types of critical assets your organization
possesses, where they are located, your risk tolerance, and how much leeway your
CSIRT has to make major decisions and changes to your infrastructure. Ideally, your IR
plan should strike a comfortable balance between having policies in place to ensure that
the right decisions are made in a crisis, yet not having so many layers of approval that
you hinder the efficacy of skilled responders.
6. Improper threat modeling. Along those same lines, the assets that you focus the most
effort on protecting should be what is most valuable to your specific organization.
Unfortunately, no CSIRT can protect everything all the time, so it is critical to know
where your organization’s risk really lies.
Know which assets would have the biggest impact on the success of your organization if
taken down by an attacker and give thought to the scenarios in which those assets are
put at risk.
7. Not considering your environment and capabilities when tuning devices. There are
multiple tools out there that can significantly improve incident response processes.
However, believing that you can get the maximum value out of them by leaving them as
they are out of the box is generally a mistake.
With today’s complex network infrastructures, devices need to be tuned according to
your organization’s size and needs, and more often than not they need to be retuned as
things change or as you become more familiar with the tool and with your own
requirements.
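The following Python example, added here and not taken from the magazine article, shows what tuning means in practice: the same constructed stream of detection-device alerts is run once through an out-of-the-box profile and once through a profile tuned for one hypothetical environment (an approved vulnerability scanner, a known service account with a stale password, a failed-login threshold sized for the domain controller, and a notification dedupe window). All hosts, addresses, accounts, rule names and thresholds are invented for the illustration.

```python
"""Alert tuning demo: one constructed alert stream, untuned vs. tuned.

Everything below (hosts, addresses, accounts, rule names, thresholds) is
hypothetical sample data for illustration, not output of any real product.
"""
from collections import defaultdict
from datetime import datetime, timedelta


def _t(minute, second=0):
    """Timestamp within one constructed hour (09:00-10:00 on 1 July 2015)."""
    return datetime(2015, 7, 1, 9, minute, second)


def build_sample_alerts():
    """Constructed raw alerts, roughly what a device emits before any tuning."""
    alerts = []
    # Authorised vulnerability scanner sweeping three web servers every 10 minutes
    for m in range(0, 60, 10):
        for i in range(3):
            alerts.append({"ts": _t(m, i), "rule": "port_scan",
                           "src": "10.0.5.20", "host": f"web{i}", "user": None})
    # Backup service account with a stale password: bursts of 8 failures every 5 min
    for m in range(0, 60, 5):
        for s in range(8):
            alerts.append({"ts": _t(m, s), "rule": "failed_login",
                           "src": "10.0.9.7", "host": "dc01", "user": "svc_backup"})
    # Genuine password guessing: 40 failures in two minutes against the DC
    for n in range(40):
        alerts.append({"ts": _t(30) + timedelta(seconds=3 * n), "rule": "failed_login",
                       "src": "10.0.77.3", "host": "dc01", "user": "administrator"})
    # Genuine port scan from the same host
    alerts.append({"ts": _t(45), "rule": "port_scan",
                   "src": "10.0.77.3", "host": "web1", "user": None})
    return sorted(alerts, key=lambda a: a["ts"])


# Out-of-the-box behaviour: nothing suppressed, a low threshold, every hit notifies
DEFAULT_PROFILE = {
    "suppress": [],
    "thresholds": {"failed_login": (3, timedelta(minutes=1))},
    "dedupe_window": timedelta(0),
}

# Profile tuned for this hypothetical environment (each suppression would be
# documented with an owner and a review date in a real deployment)
TUNED_PROFILE = {
    "suppress": [
        {"rule": "port_scan", "src": "10.0.5.20"},                          # approved scanner
        {"rule": "failed_login", "src": "10.0.9.7", "user": "svc_backup"},  # known broken account
    ],
    "thresholds": {"failed_login": (20, timedelta(minutes=2))},  # sized for the DC's normal load
    "dedupe_window": timedelta(minutes=30),  # one notification per (rule, src, host) per 30 min
}


def _matches(alert, pattern):
    return all(alert.get(k) == v for k, v in pattern.items())


def tune(alerts, profile):
    """Return the notifications an analyst would actually see under `profile`."""
    windows = defaultdict(list)  # (rule, src, host) -> timestamps in the current window
    last_sent = {}               # (rule, src, host) -> time of last notification
    out = []
    for a in alerts:
        if any(_matches(a, p) for p in profile["suppress"]):
            continue
        key = (a["rule"], a["src"], a["host"])
        if a["rule"] in profile["thresholds"]:
            count, window = profile["thresholds"][a["rule"]]
            buf = [t for t in windows[key] if a["ts"] - t <= window]
            buf.append(a["ts"])
            if len(buf) < count:
                windows[key] = buf
                continue
            windows[key] = []  # threshold reached: notify once, start a fresh window
            note = dict(a, count=len(buf))
        else:
            note = dict(a, count=1)
        prev = last_sent.get(key)
        if prev is not None and a["ts"] - prev < profile["dedupe_window"]:
            continue  # same source/host already reported within the dedupe window
        last_sent[key] = a["ts"]
        out.append(note)
    return out


if __name__ == "__main__":
    raw = build_sample_alerts()
    print(f"raw alerts:        {len(raw)}")
    print(f"default profile:   {len(tune(raw, DEFAULT_PROFILE))} notifications")
    for n in tune(raw, TUNED_PROFILE):
        print(f"tuned profile:     {n['rule']} from {n['src']} on {n['host']} (x{n['count']})")
```

With the default profile the analyst receives dozens of notifications, most of them the scanner and the broken service account; with the tuned profile only the two events from the unknown host surface, and nothing real was lost. The point of keeping the profile as data rather than hard-coding it is that it can be reviewed and retuned as the environment changes, which is exactly the retuning the text calls for.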
Neglecting to tune or retune a device can lead to alert overload, which actually makes
the job of an incident responder harder instead of easier. Worse still, some products that
40 Cyber Warnings E-Magazine – July 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide