Eric C. Thompson
Cybersecurity Incident ResponseHow to Contain, Eradicate, and Recover from Incidents
Eric C. Thompson
Lisle, Illinois, USA
ISBN 978-1-4842-3869-1e-ISBN 978-1-4842-3870-7
https://doi.org/10.1007/978-1-4842-3870-7
Library of Congress Control Number: 2018957666
© Eric C. Thompson 2018
This work is subject to copyright. All rights are reserved by the Publisher, whether the whole or part of the material is concerned, specifically the rights of translation, reprinting, reuse of illustrations, recitation, broadcasting, reproduction on microfilms or in any other physical way, and transmission or information storage and retrieval, electronic adaptation, computer software, or by similar or dissimilar methodology now known or hereafter developed.
Trademarked names, logos, and images may appear in this book. Rather than use a trademark symbol with every occurrence of a trademarked name, logo, or image we use the names, logos, and images only in an editorial fashion and to the benefit of the trademark owner, with no intention of infringement of the trademark. The use in this publication of trade names, trademarks, service marks, and similar terms, even if they are not identified as such, is not to be taken as an expression of opinion as to whether or not they are subject to proprietary rights.
While the advice and information in this book are believed to be true and accurate at the date of publication, neither the authors nor the editors nor the publisher can accept any legal responsibility for any errors or omissions that may be made. The publisher makes no warranty, express or implied, with respect to the material contained herein.
Distributed to the book trade worldwide by Springer Science+Business Media New York, 233 Spring Street, 6th Floor, New York, NY 10013. Phone 1-800-SPRINGER, fax (201) 348-4505, e-mail [email protected], or visit www.springeronline.com. Apress Media, LLC is a California LLC and the sole member (owner) is Springer Science + Business Media Finance Inc (SSBM Finance Inc). SSBM Finance Inc is a Delaware corporation.
Introduction

There are two reasons I wrote this book. The first, I’ve sat through several incident response table-top exercises and witnessed firsthand how uncomfortable the process is when one does not feel prepared. Second, I read Urban Meyer’s book above the line, which I felt spoke to me about how to create a culture of preparation, teamwork and no excuses.

This book is not a technical book with deep dives into incident response forensics. You will not learn how to perform and analyze memory dumps here. This work focuses on how to establish an incident response program. It focuses on policy, strategy, people and process. It was written for members of incident response teams building and enhancing the program and for executives and members of management. Stakeholder in incident response not part of IT can read this book and get a sense of what the incident response program should look like.

This book begins by discussing the need for strong incident response capabilities. In this current landscape, cybersecurity programs are judged by the ability to respond to incidents. Necessary protective capabilities must exist and a framework for responding to incidents established. Leadership qualities, strategy development and pre-planning are covered. Each phase of incident response: identification, containment, eradication and recovery are outlined in detail before discussion how to monitor the program using NIST 800-137 is presented.

The book is ends with a story about an incident designed to show how unplanned and unfocused responses leads to worse outcomes.

The reader is left with thoughts on how take action toward building and enhancing the incident response program, and knowledge of how much effort it takes to be successful.

Acknowledgments

Again, I want to thank Susan McDermott and Rita Fernando for making this project come to life. Also, thank you to Andy Reeder for his help as technical editor.

Table of Contents

Chapter 1:​ The Significance of Incident Response 1
Why Does This Happen?​ 2
Strategy vs.​ Tactics 7
Changing the Culture 9
Summary 9
Chapter 2:​ Necessary Prerequisites 11
Establishing the Identify and Protect Functions 11
Defined Cybersecurity Program 12
How Does Each Program Support Incident Response?​ 15
Summary 16
Chapter 3:​ Incident Response Frameworks 17
NIST 800-61 18
Organizing a Computer Incident Response Capability 18
Handling an Incident 32
NIST CSF Implementations 33
Detection 34
Respond 37
Recover 40
From Guidance to Program Implementation 41
Policy 41
Procedures 43
Control Processes Implemented 43
Measurement 44
Management Actions 45
Summary 45
Chapter 4:​ Leadership, Teams, and Culture 47
Leadership Qualities 47
Passion 48
Humility 48
Listening 50
Decisiveness 51
Emotional Intelligence 52
Culture 53
How They Build Culture at Ohio State 53
Alignment of the Team 57
Prepare to Handle Incidents 57
Facilitating Organizational Change 57
Kotter’s Eight-Step Change Model 58
Lewin’s Change Management Model 61
Summary 64
Chapter 5:​ The Incident Response Strategy 65
Purpose 65
Scope 66
Definitions 66
How to Respond to Incidents 67
Incident Response Goals 67
Roles and Responsibilities​ 67
Triage 68
Escalation 68
Event and Response Phases 68
Summary 70
Chapter 6:​ Cyber Risks and the Attack Life Cycle 71
Documenting Cyber Risks 72
Threat Analysis 73
How Vulnerabilities Become Risks 74
Measuring Risk Severity 75
Review the Risk Assessment 77
The Mandiant Cyber Attack Life Cycle 78
Breaking Down the Life Cycle 79
How This Helps 82
Tie the Risk Assessment and Kill Chain 82
Targeting End Users 82
Targeting Web Applications 83
Summary 85
Chapter 7:​ Detection and Identification of Events 87
Building Detective Capabilities 88
Data Loss Protection 88
Implementing DLP 88
End Point Detection and Response 91
Analyzing Traffic 91
Security Incident and Event Management 92
Empowering End Users 93
Other Ways of Detecting and Identifying Events 94
Identification of Security Events 96
Summary 98
Chapter 8:​ Containment 99
Indicators of Compromise 99
Containment Fundamentals 100
Choosing a Containment Strategy 101
Malware and Ransomware Outbreaks 101
Denial of Service 112
Lost Assets 112
Data Theft 113
Unauthorized Access and Misuse of Assets 114
Retaining Forensic Investigators 115
Executive Expectations 115
Summary 116
Chapter 9:​ Eradication, Recovery, and Post-incident Review 117
Removing the Attacker’s Artifacts 117
Malware Artifacts 118
Rootkits 120
Vulnerability Scanning 121
Patching Vulnerabilities 121
Restoring Systems via Backups 121
Post-incident Review 121
Summary 123
Chapter 10:​ Continuous Monitoring of Incident Response Program 125
Components of Continuous Monitoring 126
The Organizational Tiers 127
How Continuous Monitoring Works 128
The Continuous Monitoring Strategy 128
Incorporating Continuous Monitoring into the NIST CSF Environment 130
What Are the Incident Response Risks?​ 130
Defining the Monitoring Strategy 132
Establishing and Implementing the Program 133
Analyzing Data and Reporting Findings 133
Responding to Findings 134
Reviewing and Updating the Monitoring Program 135
Summary 135
Chapter 11:​ Incident Response Story 137
Background 137
Initial Response 138
The Nightmare Begins 141
Blue Screen of Death 141
A Locked Database 141
All Is Quiet 142
The First Angry Call 144
The Second Incident Response 145
The CISO’s Office 146
Log Files and a Revelation 146
End Point Detection and Response (EDR) 147
Help Arrives 148
Lessons Learned 148
Summary 149
Chapter 12:​ This Is a Full-Time Job 151
Full-Time Effort Required 151
Building a Program 151
Leadership 152
Balancing the Incident Response Program Against Other Priorities 154
Developing a Battle Plan 154
Network Segmentation and Incident Response 154
Preplanning and Strategy Development 156
Identification 157
Containment 157
Eradication, Recovery, and Lessons Learned 158
Summary 159
Appendix:​ NIST Cybersecurity Framework 161
Identify:​ Asset Management 161
Identify:​ Business Environment 162
Identify:​ Governance 162
Identify:​ Risk Assessment 163
Identify:​ Risk Management 163
Identify:​ Supply Chain Risk Management 164
Protect:​ Access Control 165
Protect:​ Awareness and Training 165
Protect:​ Data Security 166
Protect:​ Information Protection 166
Protect:​ Maintenance 167
Protect:​ Protective Technology 168
Detect:​ Anomalies and Events 168
Detect:​ Continuous Monitoring 169
Detect:​ Detection Processes 169
Respond:​ Response Planning 170
Respond:​ Communications 170
Respond:​ Analysis 170
Respond:​ Mitigation 171
Respond:​ Improvement 171
Recover:​ Recovery Planning 172
Recover:​ Improvements 172
Recover:​ Communications 172
Index 173

About the Author and About the Technical Reviewer

About the Author

Eric C. Thompson
../images/460521_1_En_BookFrontmatter_Figb_HTML.jpg
is an accomplished governance, risk, and compliance professional. As of Director of Information Security and Compliance at Blue Health Intelligence (BHI), Eric leads efforts to increase cyber security maturity in several domains, including governance, policy and controls, risk management, cyber security strategy, and business alignment. He established the risk management function which includes assessment, analysis and treatments of risks, threat and vulnerability management strategy, and due diligence requirements for assessing third-party risk. In his new role, Eric added cybersecurity operations and incident response to his list of responsibilities. Both are now information security passions.

Prior to BHI, Eric spent seven years at Ernst & Young in the Advisory practice where he specialized in helping healthcare organizations (providers, payers, and business associates) solve problems related to information security, risk management, and compliance when dealing with electronic medical records. Eric led the HITRUST Common Security Framework (CSF) cybersecurity program management and third-party risk management assessments.

Eric is also a proud member of the SANS Mentor team.

 

About the Technical Reviewer

Andrew Reeder
../images/460521_1_En_BookFrontmatter_Figc_HTML.jpg
serves as the HIPAA (Health Insurance Portability and Accountability Act of 1996) security officer and director of HIPAA Privacy at Rush University Medical Center, a major academic medical center in Chicago. In this role, Andy provides leadership in achieving regulatory compliance related to information-protection requirements, with major responsibilities including response and investigation into HIPAA privacy and security incidents, coordination of patient privacy rights actions, and policy development. Andy also serves as an adjunct faculty member in the College of Computing and Digital Media at DePaul University, where he teaches cybersecurity and information assurance topics at the graduate and undergraduate levels. Andy has been involved in providing privacy and information security services for many years and has previously served as director, Information Security, for a major Chicago-area regional healthcare provider and as a senior manager at a major professional services firm. He holds CISSP, CISA, CISM, CHPC, and HCISPP certifications and a master’s degree in public administration.
 
..................Content has been hidden....................

You can't read the all page of ebook, please click here login for view all page.
Reset
3.144.227.72