As mentioned in my previous blog, the core goal of incident response is to reduce attacker dwell-time as a form of risk mitigation but organizations must first define the level of risk to be mitigated. It is important to consider incident response maturity and capabilities in relation to threats relevant to the business and the scope of impact these threats can create. Business risk awareness requirements define metrics and security spend to achieve appropriate response times.
In 2013, James Webb, CISO of Appalachian State University, proposed an incident response maturity model on a time axis, which Vectra has adopted and evolved as part of our advisory security practice.
This model considers two core capabilities that are critical to incident response success:
The ability to have accurate and reliable information about the presence of threat actors, their intentions, their historical activities, and how defenses relate to them. Time-to-detect and time-to-know are crucial.
The ability to quickly and sufficiently isolate, eradicate and return the business to normal operations. This involves the time-to-respond.
Most security maturity frameworks imply the adoption of tools to provide linear capabilities as a layered security approach. That methodology potentially leads to overlap and redundancy, which often has a negative impact on threat awareness and response agility. It also highlights tradeoffs between detection and response capabilities that occur at every level of maturity.
By relating these two attributes to the incident response process, maturity and capability can be defined and measured across the five stages of the maturity model based on the desired level of risk awareness.
Levels of incident response maturity
This is the whack-a-mole approach, where the organization responds to threats only after they emerge. The detection of internal threats is usually from an external source. Unfortunately, too many organizations still rely this method of response when they discover a compromised asset. Restoring the system from backups makes it easy to be agile and quickly reclaim business functions. However, threat awareness is low with no real knowledge gained about how the system was compromised or why and what it was used for after the compromise.
2. Tool driven/signature based
At this phase, organizations adopt tools that look for potential compromises in the environment. These are often signature-driven tools like antivirus software and intrusion detection and prevention system (IDPS), which provide some automated alerts about potential compromises from known threats. The remediation of these compromised systems is also driven by tools that are designed to clear a system of compromise, which is incidentally not a good idea. Agility begins to diminish and leads to an ad-hoc response approach.
3. Process driven
At this phase, organizations adopt formal incident response roles, processes and governance structures. It often includes multiple sources of threat detection and alert correlations that map to phases in the attack lifecycle. For many organizations, this is the ideal state of operations. Attacks are detected, analyzed and addressed in a cost-effective and repeatable manner. Although formalized processes slow down agility, it is irrelevant because the volume of attacks tends to be low and most incidents are benign internal user errors or policy violations. The primary deficiency with this model is that dealing with targeted attacks requires more than just good processes.
4. Intelligence driven
For many large organizations, intelligence-driven incident response is a big goal due to the prevalence of targeted attacks. This incident response level requires having a more detailed and up-to-date understanding of threat actors, including their objectives and motivation as well as their tools, tactics and procedures (TTP) profile. To achieve this goal, it is advisable to correlate with external knowledge bases like the MITRE ATT&CK framework. The knowledge of adversarial disposition is then used to architect security defenses and detection controls in a manner that allows discrete actions to be taken to disrupt, degrade and deny the ability of adversaries to reach their objectives.
5. Predictive defense
Also known as active defense, this stage represents the convergence of incident response processes and an adaptive defensive architecture that can be used to waylay adversaries when they enter, operate and move within protected environments. One of the key characteristics of this model are capabilities that allow adversarial deception and denial of operations. Threat hunting is the ultimate expression of a proactive defense.
Incident response plan alignment
While time is the most important factor in incident response, time is also money. How much to spend and how much threat awareness or agility is required to mitigate business risk depends on the unique needs of an organization. These needs differ based on size, industry and compliance requirements.
Prioritizing the handling of the incident is perhaps the most critical decision point in the incident response process. Prioritization requires an understanding of the threat and risk to the organization. The classification of that risk drives the necessary maturity level of the organization.
Choosing the appropriate level
The level of maturity an organization must reach for incident response is based on the requirements for such a capability. Industry-specific threats, risks and compliance requirements dictate the needs of an organization. Looking at the needs of other organizations in the same industry helps identify a good starting point for a target maturity level.
For example, a small company operating in the logistics business will not have the same requirement—or ability—to respond to cybersecurity incidents the way a major corporate organization in the finance sector or a government entity. In contrast, organizations with highly recognized brands or valuable intellectual property must enhance threat awareness by proactively hunting for attackers while maintaining the agility necessary to respond fast to the threats they find. This goes beyond a maintained plan, concrete roles and responsibilities, lines of communication, and response procedures. A formal security operations center (SOC) plan and process is not enough to address the risk of targeted attacks.
If you need to improve your security operations and enhance your incident response capabilities, discover Vectra Advisory Services for a range of offerings tailored to your organization’s specific needs.