Recently, there’s been an increase in the number of cyber-attacks, but we’ve also seen changes in how these attacks are carried out. Ransomware with exfiltration has become very prevalent, as has phishing, which is often how ransomware and malware gain a foothold. Additionally, attackers have become more sophisticated and are increasingly targeting partners and the supply chain as entry points, as highlighted by the FireEye and SolarWinds’ SUNBURST incidents.
When a cyber incident occurs, it can quickly escalate into a business crisis, leading to operational disruption, financial losses, legal implications, and reputational damage. The goal of incident response is to handle the situation in a way that limits the damage and reduces recovery time and costs. Cybersecurity incident response is critical to today's businesses because, simply put, there is so much to lose.
What is Cybersecurity Incident Response?
Incident response describes the process by which an organization handles a data breach or cyberattack (the “incident”), including the way the organization attempts to manage the consequences of the attack or breach. Because many companies experience a breach at some point in time, a well-developed and repeatable cybersecurity incident response plan is the best way to protect your company.
There are six key phases of a cybersecurity incident response plan and having full-fidelity packet capture and flow data is essential to many of them:
- Preparation. Educating and preparing users and IT staff to handle potential incidents, should they arise.
- Identification. Determining whether an event qualifies as a security incident. This is typically kicked off by an alert from an IDS or IPS.
- Investigation. Analysts start looking for what exactly the attack is, correlating alerts with packet and/or flow data.
- Risk Assessment. Understand the fallout and the damage caused by the incident, and begin isolating affected systems to prevent further harm. Packet and flow data are often used to determine the scope.
- Remediation. Find the root cause of the incident and remove affected systems from production. Packet capture can be used to ensure no threat remains.
- Feedback. After-the-fact review to learn from the incident and improve future response efforts and defenses.
Incident Response Tools
There are a variety of incident response tools that can be used for incident response investigation, risk assessment, and remediation. Packet and flow data are the most common:
- Packet capture and analysis with deep packet inspection (DPI) to identify protocol details and URLs, with abundant packet storage for historical analysis.
- Unsampled flow monitoring for network traffic reports with port mapping and dependency mapping. Raw flow is significantly lighter weight than packets and can be kept for a much longer time, so it’s great for historical investigations.
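To make the phases above and the flow-monitoring bullet concrete, here is an added example (not code from the original article or any vendor product) that walks an IDS alert through Identification, Risk Assessment and a Remediation check using unsampled flow records, and builds the port/dependency map the last bullet describes. The flow records, the alert, the internal address range and the egress byte threshold are all constructed sample data and assumptions chosen for the example; the NetFlow-like CSV field names are likewise an assumption.

```python
"""Correlate an IDS alert with unsampled flow records to scope an incident.

Added example, not part of the original article. All records below are
constructed sample data; field names, the 10.0.0.0/8 internal range and
the egress threshold are assumptions made for this example.
"""
from collections import defaultdict
from datetime import datetime, timedelta
import csv
import io
import ipaddress

# Constructed flow records (NetFlow-like): start, src, dst, dst port, proto, bytes.
SAMPLE_FLOWS = """\
start,src_ip,dst_ip,dst_port,proto,bytes
2024-03-01T09:58:00,10.0.1.20,10.0.0.5,53,udp,140
2024-03-01T10:01:10,10.0.1.20,10.0.2.30,445,tcp,52000
2024-03-01T10:02:05,10.0.1.20,10.0.2.31,445,tcp,48000
2024-03-01T10:03:40,10.0.1.20,203.0.113.8,443,tcp,920000000
2024-03-01T10:05:00,10.0.2.30,203.0.113.8,443,tcp,310000000
2024-03-01T10:10:00,10.0.3.77,10.0.0.5,53,udp,120
2024-03-01T12:30:00,10.0.1.20,10.0.0.9,80,tcp,3000
"""

# Constructed IDS alert: the event that kicks off the Identification phase.
SAMPLE_ALERT = {
    "host": "10.0.1.20",
    "time": datetime(2024, 3, 1, 10, 0, 0),
    "signature": "Suspicious outbound beacon (constructed signature name)",
}

INTERNAL = ipaddress.ip_network("10.0.0.0/8")      # assumed internal range
EGRESS_THRESHOLD_BYTES = 100_000_000               # assumed "large transfer" cut-off
REMEDIATION_CUTOVER = datetime(2024, 3, 1, 11, 0)  # constructed: when hosts were isolated


def parse_flows(text):
    """Parse the CSV flow export into typed dicts."""
    rows = []
    for r in csv.DictReader(io.StringIO(text)):
        rows.append({
            "start": datetime.fromisoformat(r["start"]),
            "src": r["src_ip"], "dst": r["dst_ip"],
            "port": int(r["dst_port"]), "proto": r["proto"],
            "bytes": int(r["bytes"]),
        })
    return rows


def flows_for_host(flows, host, center, window=timedelta(hours=1)):
    """Identification/Investigation: flows touching `host` within +/- window of the alert."""
    lo, hi = center - window, center + window
    return [f for f in flows if host in (f["src"], f["dst"]) and lo <= f["start"] <= hi]


def scope_incident(flows, alert):
    """Risk Assessment: which internal hosts were touched, and where did data leave?"""
    related = flows_for_host(flows, alert["host"], alert["time"])
    internal_peers = set()
    external_egress = defaultdict(int)
    for f in related:
        peer = f["dst"] if f["src"] == alert["host"] else f["src"]
        if ipaddress.ip_address(peer) in INTERNAL:
            internal_peers.add(peer)
        elif f["src"] == alert["host"]:
            external_egress[peer] += f["bytes"]
    # Pivot once: an internal peer that itself pushed a large volume outward is also in scope.
    suspected = {alert["host"]}
    for peer in internal_peers:
        for f in flows_for_host(flows, peer, alert["time"]):
            if (f["src"] == peer
                    and ipaddress.ip_address(f["dst"]) not in INTERNAL
                    and f["bytes"] >= EGRESS_THRESHOLD_BYTES):
                suspected.add(peer)
                external_egress[f["dst"]] += f["bytes"]
    return {
        "internal_peers": sorted(internal_peers),
        "suspected_hosts": sorted(suspected),
        "egress_over_threshold": {
            d: b for d, b in external_egress.items() if b >= EGRESS_THRESHOLD_BYTES
        },
    }


def residual_external_flows(flows, hosts, after):
    """Remediation check: any traffic to external addresses from isolated hosts after cut-over?"""
    return [f for f in flows
            if f["src"] in hosts and f["start"] > after
            and ipaddress.ip_address(f["dst"]) not in INTERNAL]


def dependency_map(flows):
    """Port/dependency map: (src, dst, dst_port) edges with total bytes, from flow data."""
    edges = defaultdict(int)
    for f in flows:
        edges[(f["src"], f["dst"], f["port"])] += f["bytes"]
    return dict(edges)


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    scope = scope_incident(flows, SAMPLE_ALERT)
    print("scope:", scope)
    leftover = residual_external_flows(flows, set(scope["suspected_hosts"]), REMEDIATION_CUTOVER)
    print("external flows after cut-over:", leftover)
    for (src, dst, port), total in sorted(dependency_map(flows).items()):
        print(f"{src} -> {dst}:{port}  {total} bytes")
```

Run on the sample data, the alert on 10.0.1.20 expands to two suspected hosts (10.0.1.20 and 10.0.2.30, which sent a large volume to the same external address shortly after being contacted over port 445), the egress to 203.0.113.8 totals 1.23 GB, and the post-cut-over check returns nothing, which is the "no threat remains" confirmation the Remediation phase looks for. Against real flow exports the window, threshold and internal range would come from the environment, and packet capture would be pulled for the flagged flows to confirm what was actually transferred.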