Cyber Breach Response That Actually Works

YOU WILL BE BREACHED—THE ONLY QUESTION IS WHETHER YOU'LL BE READY

A cyber breach could cost your organization millions of dollars—in 2019, the average cost of a cyber breach for companies was $3.9M, a figure that is increasing 20-30% annually. But effective planning can lessen the impact and duration of an inevitable cyberattack. Cyber Breach Response That Actually Works provides a business-focused methodology that will allow you to address the aftermath of a cyber breach and reduce its impact to your enterprise.

This book goes beyond step-by-step instructions for technical staff, focusing on big-picture planning and strategy that makes the most business impact. Inside, you’ll learn what drives cyber incident response and how to build effective incident response capabilities. Expert author Andrew Gorecki delivers a vendor-agnostic approach based on his experience with Fortune 500 organizations.

* Understand the evolving threat landscape and learn how to address tactical and strategic challenges to build a comprehensive and cohesive cyber breach response program
* Discover how incident response fits within your overall information security program, including a look at risk management
* Build a capable incident response team and create an actionable incident response plan to prepare for cyberattacks and minimize their impact to your organization
* Effectively investigate small and large-scale incidents and recover faster by leveraging proven industry practices
* Navigate legal issues impacting incident response, including laws and regulations, criminal cases and civil litigation, and types of evidence and their admissibility in court

In addition to its valuable breadth of discussion on incident response from a business strategy perspective, Cyber Breach Response That Actually Works offers information on key technology considerations to aid you in building an effective capability and accelerating investigations to ensure your organization can continue business operations during significant cyber events.

ANDREW GORECKI is a cybersecurity professional with experience across various IT and cybersecurity disciplines, including engineering, operations, and incident response. Originally from Europe, he provided consulting services across various industry sectors in the U.S., the UK, and other European countries. At the time of writing, he manages a team of incident response consultants within the X-Force IRIS competency of IBM Security where he leads investigations into large-scale breaches for Fortune 500 organizations, delivers proactive incident response services, and provides executive-level consulting on building and optimizing incident response programs. Foreword xxiii

Introduction xxv

CHAPTER 1 UNDERSTANDING THE BIGGER PICTURE 1

Evolving Threat Landscape 2

Identifying Threat Actors 2

Cyberattack Lifecycle 4

Cyberattack Preparation Framework 5

Cyberattack Execution Framework 6

Defining Cyber Breach Response 8

Events, Alerts, Observations, Incidents, and Breaches 9

Events 9

Alerts 9

Observations 10

Incidents 10

Breaches 11

What is Cyber Breach Response? 12

Identifying Drivers for Cyber Breach Response 13

Risk Management 13

Conducting Risk Management 13

Risk Assessment Process 14

Managing Residual Risk 17

Cyber Threat Intelligence 18

What is Cyber Threat Intelligence? 18

Importance of Cyber Threat Intelligence 19

Laws and Regulations 20

Compliance Considerations 20

Compliance Requirements for Cyber Breach Response 21

Changing Business Objectives 22

Incorporating Cyber Breach Response into a

Cybersecurity Program 23

Strategic Planning 23

Designing a Program 24

Implementing Program Components 25

Program Operations 26

Continual Improvement 27

Strategy Development 27

Strategic Assessment 28

Gap Analysis 28

Maturity Assessment 30

Strategy Definition 32

Vision and Mission Statement 32

Goals and Objectives 33

Establishing Requirements 33

Defining a Target Operating Model 35

Developing a Business Case and Executive Alignment 35

Strategy Execution 37

Enacting an Incident Response Policy 37

Assigning an Incident Response Team 38

Creating an Incident Response Plan 38

Documenting Legal Requirements 38

Roadmap Development 39

Governance 40

Establishing Policies 40

Enterprise Security Policy 41

Issue-Specific Policies 41

Identifying Key Stakeholders 42

Executive Leadership 42

Project Steering Committee 42

Chief Information Security Officer 43

Stakeholders with Interest in Cyber Breach Response 43

Business Alignment 44

Continual Improvement 44

Necessity to Determine if the Program is Effective 45

Changing Threat Landscape 45

Changing Business Objectives 45

Summary 46

Notes 47

CHAPTER 2 BUILDING A CYBERSECURITY INCIDENT RESPONSE TEAM 51

Defining a CSIRT 51

CSIRT History 52

The Role of a CSIRT in the Enterprise 52

Defining Incident Response Competencies and Functions 55

Proactive Functions 55

Developing and Maintaining Procedures 56

Conducting Incident Response Exercises 56

Assisting with Vulnerability Identification 57

Deploying, Developing, and Tuning Tools 58

Implementing Lessons Learned 59

Reactive Functions 59

Digital Forensics and Incident Response 59

Cyber Threat Intelligence 60

Malware Analysis 60

Incident Management 61

Creating an Incident Response Team 61

Creating an Incident Response Mission Statement 62

Choosing a Team Model 62

Centralized Team Model 63

Distributed Team Model 64

Hybrid Team Model 65

An Integrated Team 66

Organizing an Incident Response Team 66

Tiered Model 66

Competency Model 68

Hiring and Training Personnel 69

Technical Skills 69

Soft Skills 71

Pros and Cons of Security Certifications 72

Conducting Effective Interviews 73

Retaining Incident Response Talent 74

Establishing Authority 75

Full Authority 75

Shared Authority 76

Indirect Authority 76

No Authority 76

Introducing an Incident Response Team to the Enterprise 77

Enacting a CSIRT 78

Defining a Coordination Model 78

Communication Flow 80

Incident Officer 80

Incident Manager 81

Assigning Roles and Responsibilities 82

Business Functions 82

Human Resources 82

Corporate Communications 83

Corporate Security 83

Finance 84

Other Business Functions 85

Legal and Compliance 85

Legal Counsel 85

Compliance Functions 86

Information Technology Functions 87

Technical Groups 87

Disaster Recovery 88

Outsourcing Partners and Vendors 89

Senior Management 89

Working with Outsourcing Partners 90

Outsourcing Considerations 91

Proven Track Record of Success 91

Offered Services and Capabilities 91

Global Support 92

Skills and Experience 92

Outsourcing Costs and Pricing Models 92

Establishing Successful Relationships with Vendors 93

Summary 94

Notes 95

CHAPTER 3 TECHNOLOGY CONSIDERATIONS IN CYBER BREACH INVESTIGATIONS 97

Sourcing Technology 98

Comparing Commercial vs. Open Source Tools 98

Commercial Tools 98

Open Source Software 98

Other Considerations 99

Developing In-House Software Tools 100

Procuring Hardware 101

Acquiring Forensic Data 102

Forensic Acquisition 102

Order of Volatility 103

Disk Imaging 103

System Memory Acquisition 105

Tool Considerations 106

Forensic Acquisition Use Cases 107

Live Response 108

Live Response Considerations 109

Live Response Tools 109

Live Response Use Cases 112

Incident Response Investigations in Virtualized Environments 113

Traditional Virtualization 115

Cloud Computing 115

Forensic Acquisition 115

Log Management in Cloud Computing Environments 117

Leveraging Network Data in Investigations 118

Firewall Logs and Network Flows 118

Proxy Servers and Web Gateways 120

Full-Packet Capture 120

Identifying Forensic Evidence in Enterprise Technology Services 123

Domain Name System 123

Dynamic Host Confi guration Protocol 125

Web Servers 125

Databases 126

Security Tools 127

Intrusion Detection and Prevention Systems 127

Web Application Firewalls 127

Data Loss Prevention Systems 128

Antivirus Software 128

Endpoint Detection and Response 129

Honeypots and Honeynets 129

Log Management 130

What is Logging? 130

What is Log Management? 132

Log Management Lifecycle 133

Collection and Storage 134

Agent-Based vs. Agentless Collection 134

Log Management Architectures 135

Managing Logs with a SIEM 137

What is SIEM? 138

SIEM Considerations 139

Summary 140

Notes 141

CHAPTER 4 CRAFTING AN INCIDENT RESPONSE PLAN 143

Incident Response Lifecycle 143

Preparing for an Incident 144

Detecting and Analyzing Incidents 145

Detection and Triage 146

Analyzing Incidents 146

Containment, Eradication, and Recovery 147

Containing a Breach 147

Eradicating a Threat Actor 148

Recovering Business Operations 149

Post-Incident Activities 149

Understanding Incident Management 150

Identifying Process Components 151

Defining a Process 151

Process Controls 153

Process Enablers 155

Process Interfaces 155

Roles and Responsibilities 158

Service Levels 159

Incident Management Workfl ow 160

Sources of Incident Notifi cations 160

Incident Classifi cation and Documentation 162

Incident Categorization 163

Severity Assignment 163

Capturing Incident Information 167

Incident Escalations 169

Hierarchical Escalations 169

Functional Escalation 169

Creating and Managing Tasks 169

Major Incidents 170

Incident Closure 171

Crafting an Incident Response Playbook 171

Playbook Overview 171

Identifying Workfl ow Components 173

Detection 173

Analysis 174

Containment and Eradication 176

Recovery 176

Other Workflow Components 177

Post-Incident Evaluation 177

Vulnerability Management 177

Purpose and Objectives 178

Vulnerability Management Lifecycle 178

Integrating Vulnerability Management and Risk Management 180

Lessons Learned 180

Lessons-Learned Process Components 181

Conducting a Lessons-Learned Meeting 183

Continual Improvement 184

Continual Improvement Principles 184

The Deming Cycle 184

DIKW Hierarchy 185

The Seven-Step Improvement Process 187

Step 1: Define a Vision for Improvement 188

Step 2: Define Metrics 188

Step 3: Collect Data 189

Step 4: Process Data 190

Step 5: Analyze Information 191

Step 6: Assess Findings and Create Plan 191

Step 7: Implement the plan 192

Summary 192

Notes 193

CHAPTER 5 INVESTIGATING AND REMEDIATING CYBER BREACHES 195

Investigating Incidents 196

Determine Objectives 197

Acquire and Preserve Data 198

Perform Analysis 200

Contain and Eradicate 202

Conducting Analysis 202

Digital Forensics 203

Digital Forensics Disciplines 203

Timeline Analysis 205

Other Considerations in Digital Forensics 206

Cyber Threat Intelligence 207

Cyber Threat Intelligence Lifecycle 208

Identifying Attacker Activity with Cyber Threat Intelligence 209

Categorizing Indicators 212

Malware Analysis 214

Classifying Malware 214

Static Analysis 216

Dynamic Analysis 217

Malware Analysis and Cyber Threat Intelligence 217

Threat Hunting 218

Prerequisites to Threat Hunting 218

Threat Hunting Lifecycle 219

Reporting 221

Evidence Types 223

System Artifacts 223

Persistent Artifacts 223

Volatile Artifacts 225

Network Artifacts 226

Security Alerts 227

Remediating Incidents 228

Remediation Process 229

Establishing a Remediation Team 230

Remediation Lead 231

Remediation Owner 232

Remediation Planning 233

Business Considerations 233

Technology Considerations 234

Logistics 235

Assessing Readiness 235

Consequences of Alerting the Attacker 236

Developing an Execution Plan 237

Containment and Eradication 238

Containment 238

Eradication 239

Monitoring for Attacker Activity 240

Summary 241

Notes 242

CHAPTER 6 LEGAL AND REGULATORY CONSIDERATIONS IN CYBER BREACH RESPONSE 243

Understanding Breaches from a Legal Perspective 244

Laws, Regulations, and Standards 244

United States 245

European Union 246

Standards 246

Materiality in Financial Disclosure 247

Cyber Attribution 248

Motive, Opportunity, Means 248

Attributing a Cyber Attack 249

Engaging Law Enforcement 251

Cyber Insurance 252

Collecting Digital Evidence 252

What is Digital Evidence? 253

Digital Evidence Lifecycle 253

Information Governance 254

Identification 254

Preservation 255

Collection 255

Processing 255

Reviewing 256

Analysis 256

Production 257

Presentation 258

Admissibility of Digital Evidence 258

Federal Rules of Evidence 258

Types of Evidence 260

Direct Evidence 260

Circumstantial Evidence 260

Admission of Digital Evidence in Court 261

Evidence Rules 261

Hearsay Rule 261

Business Records Exemption Rule 262

Best Evidence 262

Working with Legal Counsel 263

Attorney-Client Privilege 263

Attorney Work-Product 264

Non-testifying Expert Privilege 264

Litigation Hold 265

Establishing a Chain of Custody 265

What is a Chain of Custody? 266

Establishing a Defensible Protocol 266

Traditional Forensic Acquisition 267

Live Response and Logical Acquisition 268

Documenting a Defensible Protocol 269

Documentation 269

Accuracy 270

Auditability and Reproducibility 270

Collection Methods 270

Data Privacy and Cyber Breach Investigations 271

What is Data Privacy? 271

Handling Personal Data During Investigations 272

Enacting a Policy to Support Investigations 272

Cyber Breach Investigations and GDPR 273

Data Processing and Cyber Breach Investigations 274

Establishing a Lawful Basis for the Processing of Personal Data 275

Territorial Transfer of Personal Data 276

Summary 277

Notes 278

Index 281