Chapter 4. Next Steps

Incident response is a very broad topic, though it is sometimes taken to mean only the investigative portion. The reality is that successful incident response requires a lot of planning. The goal shouldn’t necessarily be to enhance your investigative capabilities. Instead, the goal of a complete incident response program should be to limit the amount of investigation you have to do. The better prepared you are, the faster you can identify incidents, and the less time it will take to respond to them. When you catch them early, you don’t have dozens or hundreds of systems to investigate.

There are some things you can do to start or increase your incident response capabilities:

Incident response plan

Create an incident response plan. You can get started very simply. Identify some goals you can achieve easily, such as identifying all of your log sources and naming the members of the incident response team. Escalation paths and communications strategies are also important. Whether you are starting a plan from scratch or improving the one you have, the important thing is to get it under way.

Log data

Make sure you have a standard for the types of logs you are going to collect. Take a look at all of your hosts, especially servers. Definitely look at your network devices. All firewalls and certainly intrusion-detection systems should be generating logs. Make sure you are aggregating your logs. If you are a small organization, there are some free, open source log aggregation systems you can use. You can also get free, open source security information and event management (SIEM) systems that will give you the ability to search the log data you have.

Indicators of compromise

Get in the habit of developing indicators of compromise (IOCs) that you can feed into your SIEM if you have one. Additionally, you can use these indicators in your intrusion-detection systems. FireEye has an IOC editor you can download, though you certainly don’t have to use that. You can also generate YARA rules for indicators of compromise. A YARA rule is especially useful for identifying malware.

Law enforcement

Make connections to local law enforcement and, especially if you have multiple offices in more than one state, the Federal Bureau of Investigation. You may be able to join InfraGard, which can be used to gather intelligence from federal law enforcement sources.

Threat intelligence

Find a threat intelligence source. You may be able to use Information Sharing and Analysis Centers (ISACs). One that is a bit of a catchall is the Multi-State ISAC (MS-ISAC), which is more general-purpose than the sector-specific ISACs. There are other threat intelligence sources as well. You can feed your threat intelligence sources into a SIEM if you have one.
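Feeding IOCs or a threat intelligence feed into a SIEM, as the two entries above describe, comes down to matching known-bad observables against the log data you have aggregated. The following is an added example, not code from the book, showing that matching in Python. The IOC set, the log lines, and the field names it parses (src=, client=, sha256=) are all constructed for illustration; the IP addresses come from the RFC 5737 documentation ranges and the hash is a placeholder, not a real sample.

```python
import re

# Constructed IOC set: the kind of list a team builds from its own incidents or
# pulls from an ISAC / threat-intelligence feed. Every value here is made up;
# the IPs come from the RFC 5737 documentation ranges.
IOCS = {
    "ipv4": {"203.0.113.57", "198.51.100.23"},
    "domain": {"update-check.example.net"},
    "sha256": {"0123456789abcdef" * 4},  # placeholder hash, not a real sample
}

# Constructed log lines standing in for what a log aggregator or SIEM would hold.
LOGS = [
    "2024-05-01T10:02:11Z fw01 DENY src=10.0.0.12 dst=203.0.113.57 dport=443",
    "2024-05-01T10:02:15Z dns01 query=update-check.example.net client=10.0.0.12",
    "2024-05-01T10:03:40Z host12 process=svchost.exe sha256=" + "0123456789abcdef" * 4,
    "2024-05-01T10:04:00Z fw01 ALLOW src=10.0.0.40 dst=192.0.2.10 dport=443",
]

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b", re.IGNORECASE)
ASSET_RE = re.compile(r"\b(?:src|client)=(\S+)")  # assumed field names


def extract_observables(line):
    """Pull the observable types we keep IOCs for out of one raw log line."""
    return {
        "ipv4": set(IPV4_RE.findall(line)),
        "domain": {d.lower() for d in DOMAIN_RE.findall(line)},
        "sha256": {h.lower() for h in SHA256_RE.findall(line)},
    }


def match_iocs(line, iocs=IOCS):
    """Return [(kind, value), ...] for every IOC that appears in the line."""
    hits = []
    observed = extract_observables(line)
    for kind, values in observed.items():
        known = {v.lower() for v in iocs.get(kind, ())}
        hits.extend((kind, v) for v in sorted(values & known))
    return hits


def asset_for(line):
    """Internal asset to investigate: the src=/client= field if present,
    otherwise the host that emitted the log line (second whitespace token)."""
    m = ASSET_RE.search(line)
    return m.group(1) if m else line.split()[1]


def scan_logs(lines, iocs=IOCS):
    """Run every line through the IOC set; one alert per line with a hit."""
    alerts = []
    for line in lines:
        hits = match_iocs(line, iocs)
        if hits:
            alerts.append({"asset": asset_for(line), "hits": hits, "line": line})
    return alerts


def assets_to_investigate(alerts):
    """The scoping question incident response cares about: how many systems
    does this batch of alerts actually touch?"""
    return sorted({a["asset"] for a in alerts})


if __name__ == "__main__":
    found = scan_logs(LOGS)
    for alert in found:
        print(alert["asset"], alert["hits"])
    print("assets to investigate:", assets_to_investigate(found))
```

Domains and hashes are compared case-insensitively because feeds and log sources disagree on casing; IP addresses are matched as literal strings. The last function is the one that ties back to the chapter's point: an early hit against a short IOC list scopes the investigation to a couple of assets rather than the whole estate.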

Data classification

Select categories for data classification. The simplest categories are public and confidential. If you need to, you can add additional ones. You may have a separate category for intellectual property from the one you use for personal information, for instance. Once you have identified your categories, you can start classifying data. This will help you identify sensitive information. You can use this data classification to help prioritize resources when it comes to prevention and detection.

Exercise

Exercise your plan. You improve your processes by trying them out and identifying gaps, and then filling them. Always keep exercising your plan and work on adding capabilities and addressing limitations.

There is a lot more that you can be doing to start or enhance your incident response program. This is just a start. Of course, even if you have all of these in place, there is always more you can be doing. Every process can be improved or enhanced. The more intelligence you have in your program and the more experience you have, the better you will be able to improve your incident response plan.
