Incident Response Plan: Detection
Cybersecurity incidents are seemingly limitless in their variety, so it is impractical to write instructions for handling every type of attack. In general, however, there are three main threat vectors that organizations can prepare for in order to develop different response strategies.
- DDOS Attacks
- Web-based Applications
- Social Engineering
- Malicious Employees
- Improper Software Installation
- Lost Laptop
- Stolen Mobile Device
- Corrupted file in an email
3rd Party Incidents
- Unauthorized Access to Information Systems by a Trusted Vendor
- Unauthorized Access to Nonpublic Information by a 3rd Party Service Provider (3PSP)
How does your organization know there has been a Cybersecurity Event?
One of the most challenging components of the incident response process is accurately detecting, assessing and analyzing potential incidents: establishing whether an event has occurred and, if it has, the scope, depth and type of the problem.
Signs of an incident fall into one of two categories: precursors and indicators. A precursor is a sign that an incident may occur in the future while an indicator is a sign that an event may have occurred or may be occurring now.
Detecting precursors may give an organization the heads-up it needs to adjust its Cybersecurity stance, providing an opportunity to prevent an incident altogether. Unfortunately, most attacks do not have precursors from the targeted organization’s perspective.
Examples of precursors are:
- Web server log entries that indicate the usage of a vulnerability scanner
- A threatening statement from a group declaring that it will attack an organization
- Announcement of a new exploit that targets a specific vulnerability in the organization’s mail server
While organizations rarely receive precursors in time to correct their Cybersecurity postures, indicators are much more common.
Examples of indicators:
- Antivirus software displays an alert after detecting a host infected with malware
- System administrator notices a filename with strange characters
- A network intrusion sensor raises alerts when a brute-force or DDOS attempt to overwhelm a server is detected
- An application logs multiple repeated failed access attempts from an unfamiliar remote system
- A network administrator notices network traffic flows that deviate from the norm
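To make the two categories concrete, the following added example (not part of the original plan) runs simple detection logic over constructed web server and SSH authentication log lines: the scanner user-agent check corresponds to the precursor listed earlier, and the repeated-failure check to the indicator of failed access attempts from an unfamiliar remote system. The trusted address range and the list of scanner names are assumptions made for the example.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample log lines; not taken from the original page.
WEB_LOG = [
    '10.0.0.5 - - [12/Mar/2024:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '203.0.113.9 - - [12/Mar/2024:10:01:05 +0000] "GET /admin/ HTTP/1.1" 404 153 "-" "Nikto/2.1.6"',
    '203.0.113.9 - - [12/Mar/2024:10:01:06 +0000] "GET /phpmyadmin/ HTTP/1.1" 404 153 "-" "Nikto/2.1.6"',
]
AUTH_LOG = [
    "Mar 12 10:02:01 app sshd[1001]: Failed password for admin from 198.51.100.7 port 51000 ssh2",
    "Mar 12 10:02:03 app sshd[1002]: Failed password for admin from 198.51.100.7 port 51001 ssh2",
    "Mar 12 10:02:05 app sshd[1003]: Failed password for root from 198.51.100.7 port 51002 ssh2",
    "Mar 12 10:02:07 app sshd[1004]: Failed password for root from 198.51.100.7 port 51003 ssh2",
    "Mar 12 10:02:30 app sshd[1005]: Accepted password for alice from 10.0.0.21 port 51010 ssh2",
    "Mar 12 10:02:40 app sshd[1006]: Failed password for alice from 10.0.0.21 port 51011 ssh2",
]

# Assumed "familiar" address space: a single failure from an internal host is noise, not an indicator.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]
# User-Agent fragments of well-known vulnerability scanners (assumed, illustrative list).
SCANNER_UA = ("nikto", "sqlmap", "nessus", "nmap")

WEB_RE = re.compile(r'^(?P<ip>\S+) .*?" \d{3} \d+ "[^"]*" "(?P<ua>[^"]*)"$')
AUTH_RE = re.compile(r"Failed password for \S+ from (?P<ip>\S+) port")

def is_trusted(ip):
    """True when the address lies inside one of the known internal networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in TRUSTED_NETS)

def find_scanner_precursors(lines):
    """Precursor: web requests whose User-Agent names a vulnerability scanner (deduplicated)."""
    hits = []
    for line in lines:
        m = WEB_RE.match(line)
        if m and any(s in m["ua"].lower() for s in SCANNER_UA):
            hit = (m["ip"], m["ua"])
            if hit not in hits:
                hits.append(hit)
    return hits

def find_failed_login_indicators(lines, threshold=3):
    """Indicator: repeated failed logins from a source outside the trusted networks."""
    counts = Counter(m["ip"] for m in map(AUTH_RE.search, lines) if m)
    return {ip: n for ip, n in counts.items() if n >= threshold and not is_trusted(ip)}

if __name__ == "__main__":
    print("precursors:", find_scanner_precursors(WEB_LOG))
    print("indicators:", find_failed_login_indicators(AUTH_LOG))
```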
Precursors and indicators come from many different sources. Computer security software alerts, logs, the news, and people can all be useful in detecting indicators and precursors.
It is crucial to have a robust Cybersecurity Program in place to capture the signs of an attack and a Cybersecurity Policy in place to facilitate communication between multiple parties.
If you received a precursor or indicator this exact moment, who would be the first person you would call?