In spite of your best efforts to prevent compromise and downtime, some incidents will still occur. You must therefore plan not only to prevent problems but also to handle failures when they happen. This form of planning is known as Incident Management. To be reasonably prepared for the unexpected, or for the “it occurred anyway” events, your organization needs to address several essential incident response concepts, including:
- Audit & Log Analysis
- Continuous Monitoring/SIEM
- Hacking/Cyber Warfare
- Incident Response
- Reverse Engineering
Audit & Log Analysis
In relation to Threat Management and Access Control, it is important to audit, log, and monitor events, whether they are caused by or directed at systems, processes, or subjects (users). Collecting the data is only the first step, however; what matters more is reviewing and analyzing it. Analysis means processing the audit logs to understand what happened and to assess the current state of security. It may extend into forensics, which seeks to establish the meaning and sequence of the events that auditing recorded. Two conditions make that analysis trustworthy in practice: logs must be shipped to a separate, access-controlled collector so an intruder who gains control of a host cannot quietly edit its record of what happened, and all sources must keep synchronized clocks (for example via NTP) so that events from different systems can be placed on one timeline. Auditing and analysis thus support resolving employee issues, tracking down criminals, and improving the security of the organization.
Continuous Monitoring/SIEM
Security Information and Event Management (SIEM) combines two previously separate disciplines: security information management (SIM), which centered on long-term log collection, storage, and reporting, and security event management (SEM), which centered on real-time monitoring, correlation, and alerting. A SIEM provides near-real-time analysis of the security alerts and events generated by network devices, servers, applications, and security tools. It produces detailed incident reports that are useful both for incident management and response and for compliance verification. SIEM systems can aggregate data from a wide range of sources, find correlations across bulk data, automatically issue alerts, give real-time insight into the status of the infrastructure, and assist with event record retention. A continuous and consistent monitoring mechanism such as a SIEM can be a vital part of an enterprise's ability to detect, track down, and resolve issues and compromises quickly. The caveat is that a SIEM is only as good as the log sources it is fed and the correlation rules it runs: a system that is not sending logs is invisible to it, and untuned rules bury the alerts that matter under noise.
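The following Python script is an added example, not code from the original page, showing the kind of correlation a SIEM rule performs over the audit data described above. It parses constructed sshd-style authentication lines, discards lines that are not authentication events, and raises an alert when five or more failed logins from one source address within sixty seconds are followed by a successful login from that same address, while a single failure followed by success (a typical mistyped password) produces nothing. The log lines, hostname, and addresses are constructed for illustration (the addresses come from the RFC 5737 documentation ranges), and the threshold and window are assumed values, not figures from the page.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample authentication log (not from any real system). The
# timestamps are ISO 8601 so they parse without a syslog year heuristic;
# the hosts use RFC 5737 documentation addresses.
SAMPLE_LOG = """\
2024-03-01T10:00:01 bastion sshd[4021]: Failed password for root from 203.0.113.5 port 51234 ssh2
2024-03-01T10:00:03 bastion sshd[4021]: Failed password for root from 203.0.113.5 port 51236 ssh2
2024-03-01T10:00:04 bastion sshd[4021]: Failed password for admin from 203.0.113.5 port 51238 ssh2
2024-03-01T10:00:06 bastion sshd[4021]: Failed password for invalid user oracle from 203.0.113.5 port 51240 ssh2
2024-03-01T10:00:08 bastion sshd[4021]: Failed password for invalid user test from 203.0.113.5 port 51242 ssh2
2024-03-01T10:00:11 bastion sshd[4021]: Accepted password for deploy from 203.0.113.5 port 51244 ssh2
2024-03-01T10:05:00 bastion sshd[4099]: Failed password for alice from 198.51.100.7 port 40110 ssh2
2024-03-01T10:05:09 bastion sshd[4099]: Accepted publickey for alice from 198.51.100.7 port 40112 ssh2
2024-03-01T10:06:00 bastion cron[4100]: (root) CMD (run-parts /etc/cron.hourly)
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_events(log_text):
    """Normalise raw lines into event dicts. Lines that do not match the
    authentication pattern (the cron line, for instance) are dropped here,
    as a SIEM parser would route them to a different rule set."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue
        events.append({
            "ts": datetime.fromisoformat(m["ts"]),
            "host": m["host"],
            "outcome": m["outcome"],
            "user": m["user"],
            "src": m["src"],
        })
    return events


def detect_bruteforce_success(events, threshold=5, window=timedelta(seconds=60)):
    """Correlation rule (threshold and window are assumptions for this example):
    `threshold` or more failures from one source within `window`, followed by an
    Accepted login from that same source, is reported as a probable
    password-guessing success. A lone failure followed by success is normal
    user behaviour and produces no alert."""
    recent_failures = defaultdict(deque)  # src -> failure timestamps inside the window
    alerts = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = recent_failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()  # expire failures that fell outside the correlation window
        if ev["outcome"] == "Failed":
            q.append(ev["ts"])
        elif len(q) >= threshold:
            alerts.append({
                "rule": "bruteforce-then-success",
                "host": ev["host"],
                "src": ev["src"],
                "user": ev["user"],
                "failures": len(q),
                "at": ev["ts"].isoformat(),
            })
            q.clear()
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce_success(parse_events(SAMPLE_LOG)):
        print(alert)
```

Run as a script, it prints one alert for 203.0.113.5 (five failures, then a successful login as deploy) and nothing for alice's single failed attempt from 198.51.100.7. The same shape of rule, a per-key sliding window followed by a trigger event, underlies most SIEM correlation searches; the production differences are the volume of sources, the normalization step that maps many log formats onto the same fields, and the tuning of thresholds per environment.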
Forensics
Forensics is the art and science of collecting information and assets, analyzing the collected items, and presenting findings to a legal authority, often in connection with a civil or criminal case. More generally, forensics is the discipline of evidence collection, preservation, analysis, and reporting. Computer forensics specifically focuses on gathering evidence from computer systems and storage devices. Because such evidence exists as binary data, in volatile memory and on magnetic or solid-state storage, it is easily altered or destroyed, even by the act of discovery and collection: powering a system down discards the contents of RAM, and merely mounting a disk or opening a file can update timestamps. Sound practice is therefore to capture volatile data first, acquire storage through a write blocker, work only on verified copies, record a cryptographic hash of each item at acquisition so that any later alteration can be detected, and maintain a chain of custody documenting who held the evidence and when. If an organization takes action based on information it uncovers through auditing or system maintenance, it must abide by the rules of evidence for that information to be admissible in a court of law. Organizations often keep trained forensics personnel on staff, retain them on call as consultants, or maintain an established relationship with local law enforcement. Proper forensic procedure can make the difference between obtaining justice and letting a suspect get away with a crime.
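As an added example that is not part of the original page, the Python below shows the two integrity practices mentioned above in working form: sealing an acquired image with a SHA-256 hash at the moment of acquisition, and a chain-of-custody record in which each hand-off re-verifies the hash and refuses a copy that no longer matches. The "image" is a constructed byte string standing in for a disk image, and the item identifiers, names, and record layout are assumptions made for the illustration, not a standard or a tool's format.

```python
import hashlib
from datetime import datetime, timezone

# Constructed stand-in for an acquired disk image (a real image would be a
# file of many gigabytes; the procedure is identical). Not real evidence.
EVIDENCE_IMAGE = b"\x00" * 512 + b"NTFS    constructed sample volume header" + b"\xff" * 512


def fingerprint(data):
    """SHA-256 of the evidence bytes. A single-bit change anywhere in the
    image changes this value, which is what makes it usable as a seal."""
    return hashlib.sha256(data).hexdigest()


def seal_evidence(data, item_id, source, collector, when=None):
    """Create the evidence record at acquisition time, before any analysis.
    The hash recorded here is what every later copy is checked against."""
    when = when or datetime.now(timezone.utc)
    return {
        "item_id": item_id,
        "source": source,
        "size": len(data),
        "sha256": fingerprint(data),
        "custody": [
            {"action": "acquired", "by": collector, "at": when.isoformat()}
        ],
    }


def verify_copy(record, copy):
    """True only if the working copy is bit-for-bit the sealed original."""
    return len(copy) == record["size"] and fingerprint(copy) == record["sha256"]


def transfer_custody(record, copy, from_person, to_person, when=None):
    """Hand the item to the next custodian. The receiving party re-verifies
    the hash; a mismatch is logged as an integrity failure and the transfer
    is refused, so a damaged or altered copy cannot quietly enter the chain."""
    when = when or datetime.now(timezone.utc)
    ok = verify_copy(record, copy)
    record["custody"].append({
        "action": "transferred" if ok else "integrity_failure",
        "from": from_person,
        "to": to_person,
        "verified": ok,
        "at": when.isoformat(),
    })
    return ok


if __name__ == "__main__":
    rec = seal_evidence(EVIDENCE_IMAGE, "ITEM-0001", "workstation-12 /dev/sda", "examiner A")
    print("original verifies:", verify_copy(rec, EVIDENCE_IMAGE))
    # Simulate a working copy on which one byte was disturbed during handling.
    damaged = bytearray(EVIDENCE_IMAGE)
    damaged[600] ^= 0x01
    print("damaged copy verifies:", verify_copy(rec, bytes(damaged)))
    print("transfer accepted:", transfer_custody(rec, bytes(damaged), "examiner A", "examiner B"))
    for entry in rec["custody"]:
        print(entry)
```

In practice the hash is computed by the acquisition tool as the image is written and recorded on the custody form together with the device serial number and the acquisition time; the point of the code is that verification is repeated at every hand-off and before analysis starts, not just once.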
Hacking/Cyber Warfare
Hacking is the ability to use a system in a way it was not designed for, to gain new benefits or capabilities by modifying a product, or to locate vulnerabilities and take advantage of them. When hacking is performed for illicit gain or simply to harm the target, it is a criminal act and may be linked to cyber warfare. Anyone with a little time and interest can learn to become a hacker: very powerful hacking tools are freely available on the Internet, along with tutorials and training materials. Your organization must be prepared to defend itself against the remote attacker and the disgruntled insider alike. Learn the skills, tools, techniques, and methodologies of criminal hackers, and then use them against your own organization's security structure to identify deficiencies that need to be addressed. Do this only under written authorization with a defined scope (the practice known as penetration testing or ethical hacking); the same techniques applied to systems you are not authorized to test are illegal regardless of intent.
Incident Response
Once you become aware of a compromise, intrusion, or other unplanned downtime, you need to respond quickly to contain the damage, remove the offending elements, and restore the environment to normal. Successful incident response rests on preparation. Preparation includes written policies and procedures, an established Computer Incident Response Team (CIRT), training, drills, and simulations, each followed by a thorough post-mortem review. Widely used guidance such as NIST SP 800-61 organizes the work into a lifecycle of preparation; detection and analysis; containment, eradication, and recovery; and post-incident activity, with the lessons from each incident feeding back into preparation for the next. Whether your organization is under attack, has been damaged by a natural disaster, or has lost a key infrastructure component without warning, only a well-designed and well-executed incident response will deliver fast recovery and keep an incident from becoming a true disaster.
Reverse Engineering
Reverse engineering is the ability to analyze an item, hardware or software, in order to understand how it works without access to its source code or original design documents. It can enable someone to develop a reproduction or simulation of the original item, which is useful when the source code is unavailable or licensing or other intellectual-property restrictions hinder use of the original. Reverse engineering can be used to solve problems or create more efficient alternatives. It can also be used to develop new exploits and attacks. A complementary technique called fuzzing repeatedly feeds a target malformed or randomly mutated inputs and watches how it reacts; a crash, hang, or other abnormal reaction is a symptom of a bug or coding error, which the reverse engineer can then analyze to determine whether it can be turned into an exploit. Reverse engineering is also essential to understanding how malicious code works, including its means of distribution, infection, and payload delivery. Through reverse engineering, defenses against exploits and malware can be developed.
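To make the fuzzing description concrete, here is an added Python example that is not from the original page. It defines a constructed toy record format ([length][payload][checksum]) with a parser that trusts the length byte and so indexes past the end of the buffer, a mutation fuzzer that feeds the parser randomly altered variants of a valid input and records any reaction other than the parser's own rejection error, a triage helper that confirms a crash reproduces, and a corrected parser to show the fuzzer finding nothing once the bounds check is added. The format, the bug, the mutation strategies, and the iteration count are assumptions made for the illustration.

```python
import random

# Constructed toy wire format for this example: a sequence of records, each
# [len: 1 byte][payload: len bytes][checksum: 1 byte], where the checksum is
# the byte-sum of the payload modulo 256.
SEED_INPUT = b"\x05hello\x14"  # sum(b"hello") % 256 == 0x14


def parse_records_buggy(data):
    """Parser under test. It rejects corrupt data with ValueError (the intended
    error) but trusts the length byte: a declared length that runs past the end
    of the buffer makes data[i + 1 + n] raise IndexError instead."""
    records, i = [], 0
    while i < len(data):
        n = data[i]
        payload = data[i + 1:i + 1 + n]
        checksum = data[i + 1 + n]            # BUG: no bounds check before indexing
        if sum(payload) % 256 != checksum:
            raise ValueError("bad checksum")
        records.append(bytes(payload))
        i += n + 2
    return records


def parse_records_fixed(data):
    """The same parser with the bounds check the fuzzer shows to be missing."""
    records, i = [], 0
    while i < len(data):
        n = data[i]
        if i + 1 + n >= len(data):
            raise ValueError("truncated record")
        payload = data[i + 1:i + 1 + n]
        if sum(payload) % 256 != data[i + 1 + n]:
            raise ValueError("bad checksum")
        records.append(bytes(payload))
        i += n + 2
    return records


def mutate(data, rng):
    """Apply one random mutation: overwrite, insert or delete a byte, or truncate."""
    buf = bytearray(data)
    choice = rng.randrange(4)
    if choice == 0 and buf:
        buf[rng.randrange(len(buf))] = rng.randrange(256)
    elif choice == 1:
        buf.insert(rng.randrange(len(buf) + 1), rng.randrange(256))
    elif choice == 2 and buf:
        del buf[rng.randrange(len(buf))]
    elif buf:
        del buf[rng.randrange(len(buf)):]
    return bytes(buf)


def fuzz(parser, seed, iterations=500, rng_seed=1):
    """Feed the parser mutated variants of `seed`. A ValueError is the parser's
    intended way of rejecting bad input; anything else is an abnormal reaction
    worth investigating. Returns {crashing_input: exception_name}."""
    rng = random.Random(rng_seed)   # fixed seed so a run is reproducible
    crashes = {}
    for _ in range(iterations):
        data = mutate(seed, rng)
        try:
            parser(data)
        except ValueError:
            continue
        except Exception as exc:    # catching everything is the point here
            crashes.setdefault(data, type(exc).__name__)
    return crashes


def reproduces(parser, data, exc_name):
    """Triage helper: re-run one crashing input and confirm the same abnormal
    reaction, the first step before deciding whether the bug is exploitable."""
    try:
        parser(data)
    except Exception as exc:
        return type(exc).__name__ == exc_name
    return False


if __name__ == "__main__":
    found = fuzz(parse_records_buggy, SEED_INPUT)
    print(f"{len(found)} distinct crashing inputs, for example:")
    for data, exc_name in list(found.items())[:3]:
        print(f"  {data!r} -> {exc_name}")
    print("after fix:", len(fuzz(parse_records_fixed, SEED_INPUT)), "crashes")
```

The fuzzer has no knowledge of the format beyond one valid sample, yet truncations and oversized length bytes quickly drive the buggy parser into an out-of-bounds read. In a memory-unsafe language the same defect would be a buffer over-read rather than a clean exception, which is exactly the class of abnormal reaction the paragraph describes as a candidate for exploitation; the fixed parser turns every such input into the intended rejection error.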