What is Incident Response?

When a security team detects a threat, it’s essential organizations are ready for what comes next. That requires having a tightly coordinated incident response plan (IRP) and sequence of actions and events assigned to specific stakeholders on a dedicated IR team.

Some businesses may have their own in-house team, some may outsource their incident response services, while others might take a hybrid approach where they outsource technical analysis but manage the rest of the IRP in-house. Either way, this team should have trained and planned for these IR events well before any trouble. A well-coordinated IR effort should always include:

  • High-level incident management and coordination
  • Technical analysis of the incident
  • Scoping the incident to determine who or what was affected
  • Crisis communications to ensure information is released in a coordinated and beneficial manner
  • Legal response to determine any implications and prepare any needed response or action
  • Remediation and mitigation recommendations and actions to ensure a smooth recovery

Who are the key players on an incident response team?

The key players on an IR team are crucial and should tailor actions to the unique circumstances of a breach. Security organizations should identify specific individuals or teams for the following core functions: 

  • Incident management: This central role requires extensive technical knowledge and prior experience in management and IR. The person in this role acts as an overall project manager to oversee technical task completion and to gather information for all relevant stakeholders.
  • Enterprise incident investigation: This is where the challenges of working at an enterprise can differ from those of smaller counterparts. A large breach at a bigger organization requires leveraging technologies and partnerships across teams to quickly assist in forensics across hosts (even remote ones) so that the team can find indicators of compromise and establish the potential scope as quickly as possible.
  • Technical analysis: These roles require technical knowledge, and it's best to have analysts on the team who specialize in specific areas, such as malware analysis, forensics analysis, event log analysis, and network analysis. Any information these analysts find should be shared with the rest of the IR team.
  • Incident scoping: What is the extent of the breach? This is a key question any IR team needs to answer. The answer may change over the course of the IR and investigation, especially as technical analysis continues.
  • Crisis communications: Sharing findings, along with the scope and potential outcomes, needs to happen both internally and externally. An experienced crisis communications team should communicate the right details to the right audiences. Their responsibilities may include breach notifications, regulatory notifications, employee and/or victim notifications, and press briefings, if needed.
  • Legal, HR, and regulatory concerns: If a breach has any regulatory or compliance considerations, it’s important to have someone on the team with knowledge of how to navigate disclosure requirements or work with law enforcement groups, such as government representatives. For teams without in-house experts who can meet these needs, retaining a lawyer's specialized legal knowledge is a worthwhile investment.
  • Executive decision making: Any breach can potentially affect an organization's public image and financial standing, which is why executive leadership should always be involved. There will be crucial decision points over the course of an IR and investigation, and the team will need executive input on how to proceed at these junctures.
  • Reporting and remediation: During an IR, it is important to document everything. With this information, teams should be able to piece together the entire story of the breach: what the attackers did, when and how they did it, and what they managed to compromise. This makes it possible to develop a detailed response plan with remediation and mitigation recommendations for recovering from the breach, and hopefully helps the organization defend against any future attacks that are similar in nature.

What is an incident response plan?

An IR plan describes the steps that need to be taken, and by whom, when a breach or security crisis occurs in the organization. A robust response plan should empower teams to leap into action and mitigate damage as quickly as possible. Every moment counts. That’s why emergency incident responders go through regular training simulations and process reviews, so when a situation arises they know how to act almost by muscle memory.

To prevent a slow response in your organization, responders should have a carefully mapped-out IR plan and regularly rehearse a variety of possible scenarios. Buy-in from key organizational stakeholders and C-level executives is also critical, so your team knows the support is in place for them to act quickly and efficiently.

After all, when a security incident occurs, it’s not just technical teams that need to act; non-technical resources – such as legal and communications – as well as outside parties will need to be involved, especially when you work with a security service provider.

What are managed incident response services?

Managed IR services are provided by an external vendor and are intended to help organizations of any maturity, size, and skill level better respond to and manage breaches. These managed services providers can help address strategic and tactical gaps by:

  • Developing robust security programs: If you're unsure whether your incident detection program covers all possible contingencies relevant to your organization, managed IR services can help you improve your readiness for incidents and breaches.
  • Conducting tabletop exercises: Put your internal IR team through their paces and verify their readiness with threat simulation exercises conducted by the provider.
  • Conducting compromise and/or breach readiness assessments: An external IR team can assess the current state of your organization's environment and security processes, and identify any potential risks or gaps.
  • Providing immediate breach remediation: If you suspect you have been compromised and need immediate help, a managed services provider can jump into action to help stop further damage.
  • Providing incident response retainers: A retainer ensures your team and the provider's teams are aligned to a plan and everyone is ready to go in case of a breach. Many retainer services will include several of the services mentioned above, and they will often guarantee a certain service level agreement on their response times.

It may sound repetitive, but the worst time to prepare for a breach is after it’s happened. Having a sound IR plan and ensuring communication with all stakeholders is the best way to prepare for the worst-case scenario.

The Post-Mortem

After successfully responding to an incident, it's not time to rest just yet. The internal IR team should conduct a post-mortem to learn from the experience and fine-tune response preparedness.

What worked, what didn't, and what could have worked better or faster? Experience is the best teacher, so it's important to glean as many lessons as possible from responding to an actual incident.
