Cybersecurity incident response begins with a proactive strategy and well-defined processes.
Rapid proliferation and widespread use of Cloud computing services have given rise to an increased dependency on maintaining robust security for business continuity and supporting mission-critical operations. Incident response, which is one of the most critical domains of cybersecurity, begins with a proactive strategy and well-defined processes to deal with a security incident. Hence, to implement a holistic cybersecurity solution for Cloud infrastructure, organizations should begin by developing an incident response program.
Before you continue reading, how about following us on LinkedIn?
Cybersecurity Incident Response Phases
The IR-4 Incident Handling control, which is part of the NIST Special Publication 800-53 (Rev. 4) Incident Response Control Family, defines both the progressive and recursive phases that can be carried out in the Cloud to handle incident response activities. NIST lays out the following seven (7) phases of cybersecurity incident response.
Phase 1: Preparation Phase
This phase involves deploying security controls and taking precautionary measures to prevent failures and security breaches. Implementing controls will reduce the damage caused in the event of a security incident. After all, for organizations storing important information, cyber-attacks are not a matter of if, they are a matter of when. Over a long enough timeframe, security incidents are inevitable. Fortifying the security posture of an organization starts by establishing governance to: limit the blast radius by creating segregation of resources, deploy encryption of data at rest and transit, and employ logging on all endpoints. The key components of establishing effective governance require the following:
- Data classification by tagging the data storage services to identify data/information spillage quickly.
- Applying the principle of least privilege to and avoid giving unnecessary permissions to accounts and users.
- Using a risk management strategy to determine and prioritize the various cyber risks to the infrastructure.
- Implement highly available and fault-tolerant Cloud deployment by leveraging different CSP specific technologies (for example, Autoscaling Groups, Load Balancers)
- It is also essential to train the employees who will respond to the incident with “hands-on” training that runs the team through a range of cyber-attack scenarios via simulations.
“Limiting the Blast” radius by creating segregation of resources involves creating segments of resources that are independent of each other. This includes creating different master/admin/root accounts for hosting of various Cloud services. Building separate VPCs (Virtual Private Cloud) to host different tiers of the applications. Creating Cloud resources in different Availability Zones / Regions and finally, using ‘Service Control Policies’ to limit the services the account can be used to host if supported by the CSP (Cloud Service Provider). In case of a security event or breach, creating an isolated blast radius limits the security incident’s effect.
Logging all the various endpoints is the best way to collect multiple vital information about Cloud infrastructure resources. It is also possible to automate various incident response strategies using the anomaly or signature pattern based alarm, which is triggered with the help of OS/system level logs. When logging mechanisms are employed, the organization must collect all the logs in a centralized repository and limit the access to these logs based on the principle of least privilege to ensure security. It is also essential to enable encryption of log data if the log data contains any sensitive data.
Encryption of data-in-transit (Client-side) and Data-at-rest (Server-Side) ensures that data can be interpreted even in case of a data breach. Organizations do not have to worry about data leakage if the end-to-end encryption is properly implemented. While encrypting the data, it is essential to manage the private encryption keys properly. It is also crucial to choose a robust algorithm for encryption to ensure the formidable masking of data.
Phase 2: Identification Phase
This phase can also be referred to as the detection phase. This phase is used to identify if an incident is occurring. Security incidents occur regardless of whether the organization detects them. Hence, organizations must delay various discovery rules to detect breaches. To do this, the organization has to quickly determine which resources are compromised. The organization needs to detect the resources that need to be isolated to minimize the damage caused by the breach, resources that need cleaning up, and the depth of the attack. Knowing the intention of the attack (stealing data, DDoS, Ransomware, and so on) can also help the organization narrow down the resources that can potentially be affected by the attack. To safeguard sensitive data on the Cloud, organizations need to implement DLP (Data Loss Prevention) with the help of encryption and strict access control. Organizations that automate this phase of the cybersecurity incident response will be able to react to an incident much more quickly.
Phase 3: Containment Phase
Containment means to remove or contain the immediate threat and isolate all the compromised resources in the Cloud environment. This can be done using CSP specific scripts. Some examples include a key policy which denies decryption activity in case of compromised access keys, deployment-ready NACL (Network Access Control Lists) that can be applied to all the resources to restrict access to the subnet to which it is attached, script to remove privileges by denying access to the compromised resources to various Identity and Access Management (IAM) users and accounts. Scripts can be created to meet the organization’s tailored needs based on the CIA triage (confidentiality, integrity, and availability) priority defined by the organization’s risk management policy. Automation of the containment phase can help ensure a timely response to the security events.
In addition to containing the threat, in case of compromised instances or virtual servers, this phase also involves stopping the instances in the production environment and taking a snapshot of the compromised volumes for further investigations performed during the later stages of the incident response workflow.
The first three stages of the cybersecurity incident response workflow can be considered as immediate stages. Containment phase of the incident response plan is heavily dependent on the outcome of the identification phase. An incomplete evaluation of resources can leave the Cloud environment vulnerable to exploits.
Phase 4: Investigation Phase
Once the threat has been contained, it’s time to begin a thorough analysis and forensic evaluation of the security incident to determine how (method of ingress), when (timeline of events), and what happened (severity of the incident and details about the attack). This phase also determines whether the security incident still poses any threat to the Cloud environment. The security incident timeline, which is derived during the investigation phase, can determine the extent to which the resources are compromised. This phase of the incident response is handled by an experienced security professional by evaluating various types of logs (OS, Flow logs, System logs, Network Logs, API access logs, and so on) collected by the organization. Additionally, the investigation phase is usually carried out in a sandboxed environment using techniques such as the live box or dead box testing. This ensures the safety of the production environments from security threats.
Phase 5: Eradication Phase
Once the analysis has been completed and the team understands how the malicious code works, it’s time to start cleaning up all the compromised resources. Whenever possible, the compromised resources should be deleted and replaced with versions of the resources free from security vulnerabilities, which were the root cause of the security incident. Replacing the compromised resources quickly with a standardized version using snapshots, backups, or virtual images is advantageous in deploying an immutable architecture on the Cloud. Additionally, it is important to ensure that the backups used during the eradication phase are healthy and securely hardened. Furthermore, if encryption mechanisms were implemented to protect the data on the Cloud resources, it is important to replace or rotate the access keys used to protect the resources. Eradication of threat also involves processes like wiping affected files, deleting objects, patching vulnerable services, and creating new encrypted volumes to migrate the unaffected files.
Phase 6: Recovery Phase
This phase involves slowly rolling back all the compromised resources to the production environment. All the security controls implemented during the containment phase are rolled back with caution during this phase. Organizations must ensure that the forensic analysis done during the previous stages is thorough. Improper evaluation of threats can potentially harm secure or isolated infrastructure without the required due diligence.
Phase 7: Follow-Up Phase
Follow up, hot-wash, or lessons learned phase involves reflecting on the effectiveness and efficiency of the incident response program. Organizations need to make changes to the cybersecurity incident response to manage the ever-evolving cybersecurity challenges faced by the industry. It is also important for organizations to strive for efficiency by inculcating automation into their incident response framework to mitigate security events before they cause significant damage. They should be carried out by experienced security professionals with a systematic and documented approach.
This post was authored by Sharan Jain, Cybersecurity Analyst at Idenhaus.
Learn how an IAM Assessment and Solution Roadmap can help your organization effectively plan for change so you can achieve ongoing excellence with your IAM program. Register for our upcoming webinar now.
Idenhaus is honored to be featured in the Top 10 Identity Governance and Administration Consulting/Service Companies of 2019.
By going to work quickly to solve the most challenging cybersecurity and identity management problems, Idenhaus takes the pain out of securing corporate information and assets for companies that aspire to maximize their potential in this digital age. Click here to contact us