Cyber Breach Response That Actually Works - Andrew Gorecki - E-Book

Description

You will be breached--the only question is whether you'll be ready.

A cyber breach could cost your organization millions of dollars--in 2019, the average cost of a cyber breach for companies was $3.9M, a figure that is increasing 20-30% annually. But effective planning can lessen the impact and duration of an inevitable cyberattack. Cyber Breach Response That Actually Works provides a business-focused methodology that will allow you to address the aftermath of a cyber breach and reduce its impact to your enterprise. This book goes beyond step-by-step instructions for technical staff, focusing on big-picture planning and strategy that makes the most business impact. Inside, you'll learn what drives cyber incident response and how to build effective incident response capabilities. Expert author Andrew Gorecki delivers a vendor-agnostic approach based on his experience with Fortune 500 organizations.

* Understand the evolving threat landscape and learn how to address tactical and strategic challenges to build a comprehensive and cohesive cyber breach response program
* Discover how incident response fits within your overall information security program, including a look at risk management
* Build a capable incident response team and create an actionable incident response plan to prepare for cyberattacks and minimize their impact to your organization
* Effectively investigate small and large-scale incidents and recover faster by leveraging proven industry practices
* Navigate legal issues impacting incident response, including laws and regulations, criminal cases and civil litigation, and types of evidence and their admissibility in court

In addition to its valuable breadth of discussion on incident response from a business strategy perspective, Cyber Breach Response That Actually Works offers information on key technology considerations to aid you in building an effective capability and accelerating investigations to ensure your organization can continue business operations during significant cyber events.


Page count: 455

Publication year: 2020




Table of Contents

Cover

Foreword

Introduction

Who Should Read This Book

How This Book Is Organized

How to Contact Wiley or the Author

Notes

CHAPTER 1: Understanding the Bigger Picture

Evolving Threat Landscape

Defining Cyber Breach Response

Identifying Drivers for Cyber Breach Response

Incorporating Cyber Breach Response into a Cybersecurity Program

Strategy Development

Governance

Summary

Notes

CHAPTER 2: Building a Cybersecurity Incident Response Team

Defining a CSIRT

Defining Incident Response Competencies and Functions

Creating an Incident Response Team

Enacting a CSIRT

Assigning Roles and Responsibilities

Working with Outsourcing Partners

Summary

Notes

CHAPTER 3: Technology Considerations in Cyber Breach Investigations

Sourcing Technology

Acquiring Forensic Data

Incident Response Investigations in Virtualized Environments

Leveraging Network Data in Investigations

Identifying Forensic Evidence in Enterprise Technology Services

Log Management

Summary

Notes

CHAPTER 4: Crafting an Incident Response Plan

Incident Response Lifecycle

Understanding Incident Management

Incident Management Workflow

Crafting an Incident Response Playbook

Post-Incident Evaluation

Continual Improvement

Summary

Notes

CHAPTER 5: Investigating and Remediating Cyber Breaches

Investigating Incidents

Conducting Analysis

Evidence Types

Remediating Incidents

Summary

Notes

CHAPTER 6: Legal and Regulatory Considerations in Cyber Breach Response

Understanding Breaches from a Legal Perspective

Collecting Digital Evidence

Admissibility of Digital Evidence

Establishing a Chain of Custody

Data Privacy and Cyber Breach Investigations

Summary

Notes

Index

End User License Agreement

List of Tables

Chapter 4

Table 4.1: An example of operational impact criteria

Table 4.2: An example of informational impact criteria

Table 4.3: An example of urgency criteria

Table 4.4: An example of a severity matrix

List of Illustrations

Chapter 1

Figure 1.1: X-Force IRIS cyberattack preparation and execution frameworks

Figure 1.2: NIST multitiered organizationwide risk management

Figure 1.3: Risk components

Figure 1.4: Cybersecurity program lifecycle

Figure 1.5: Strategy development process

Figure 1.6: SWOT quadrant

Figure 1.7: CMMI maturity levels

Figure 1.8: Vision, mission, goals, and objectives

Figure 1.9: CSF radar chart

Figure 1.10: Roadmap example

Chapter 2

Figure 2.1: CSIRT conceptual model

Figure 2.2: Multilevel support model

Figure 2.3: CSIRT coordination model

Figure 2.4: Relationship between incident manager and incident officer

Chapter 3

Figure 3.1: Hardware write blocker

Figure 3.2: Software write blocker

Figure 3.3: EDR deployment in cloud configuration

Figure 3.4: Data collection with an open source tool

Figure 3.5: Cloud computing models

Figure 3.6: A network tap and a SPAN port

Figure 3.7: An example of DNS structure

Figure 3.8: Log management lifecycle

Figure 3.9: Centralized log management architecture

Figure 3.10: Distributed log management architecture

Figure 3.11: Hybrid log management architecture

Chapter 4

Figure 4.1: NIST Incident Response Lifecycle

Figure 4.2: Process model

Figure 4.3: Relationship between process, procedure, and work instruction

Figure 4.4: Incident management workflow

Figure 4.5: Vulnerability management lifecycle

Figure 4.6: Lessons-learned process

Figure 4.7: Deming cycle

Figure 4.8: DIKW hierarchy

Figure 4.9: The seven-step improvement process

Chapter 5

Figure 5.1: Incident investigation process

Figure 5.2: Analysis lifecycle

Figure 5.3: The CTI lifecycle

Figure 5.4: The Pyramid of Pain

Figure 5.5: Threat hunting lifecycle

Figure 5.6: A remediation process workflow

Figure 5.7: Coordination between crucial roles

Chapter 6

Figure 6.1: EDRM Phases



Cyber Breach Response That Actually Works

Organizational Approach to Managing Residual Risk

 

Andrew Gorecki

Foreword

It is often said that air traffic controllers have the most stressful job in the world. Being able to coordinate the safe takeoff and landing of dozens of commercial airliners, each carrying hundreds of passengers per day, all while dealing with a myriad of externalities, including the weather, ground control, controlled and noncontrolled airspaces, regulators like the FAA, flight crews, and airport operators, must seem like an impossible task. That is why in the United States, air traffic controllers must undergo a series of background checks and psychological exams, a rigorous training program, and certification testing, all before they ever set foot in a control tower.

If air traffic controllers have the most stressful job, cybersecurity incident responders might be a close second. As an incident responder, you're responsible for performing technical forensic investigations of highly complex environments as well as ensuring that the response team is maintaining its composure and working toward a common goal of mapping the full extent of attacker activity and eliminating their access to the network. It requires producing answers to questions that do not have an easy answer. It demands a deep level of technical knowledge in addition to a militaristic ability to lead a team toward a common objective. A responder must also consider the potential ramifications of a breach that may only surface much further down the line and take measures to protect the organization involved in the scenario, however improbable, that events unfold in such a way. It is part art form, part science.

When I interview people for incident responder positions, I often ask candidates to describe a situation where they were able to thrive under adverse conditions, because they will absolutely find themselves in an even more difficult position as an incident responder. During a cybersecurity breach, stress levels are at their peak, people fear for their jobs and for the survival of their business, and in some circumstances, even fear for the physical safety of the general public. Attacks against critical infrastructure are not unheard of and seem to become even more prevalent as time goes on. In addition to the high-stress environment, financial budgets and higher-level business objectives undermine every step of the process. If you're not prepared to have the CEO of a Fortune 500 company channel his or her anger and frustration by yelling at you, you might not be cut out for the job. It is for these reasons that most incident responders do not stay in the field for very long. They move on to other roles and apply their experience in a proactive way to prevent organizations from experiencing their worst day. A responder with 10 years of experience is considered a relic.

All of this helps to explain why I always believed that there was no manual for how to do incident response, no textbook you could give to an inexperienced responder that tells them everything they need to know to be able to respond to incidents. The cybersecurity industry does not have a standard training curriculum and testing process to admit new entrants into the field, like the aviation industry has for air traffic controllers. Incident response is one of those things that you can truly learn only by doing, and you can only succeed after you have failed several times. It is baptism by fire, and the anointed need no other teacher.

That's why this book is so ambitious—it is an attempt to bring order to an inherently chaotic process. Over the past several years that Andrew and I have worked together, I have learned that he has a knack for reading complex situations, digesting critical information, and building structure around the process that allows various elements to operate more efficiently. Most responders get so “into the weeds” in trying to solve the immediate problem that they don't have either the time or the ability to step back and consider the bigger picture. Andrew has taken his experience and engineered a framework for doing incident response more effectively. Take his advice and run with it—and if even one paragraph of this book helps your organization avoid the worst-case scenario in a cybersecurity incident, you'll know who to thank.

— Kurt Rohrbacher

Introduction

Cybersecurity has taken the media by storm in recent years, and cyberattacks are now headline news, from destructive ransomware attacks that impact manufacturing plants to data breaches that involve Fortune 500 companies.

Organizations have experienced notable disruptive cyberattacks in recent years. The NotPetya ransomware attack of June 2017 on the global shipping company A. P. Møller – Maersk wiped out its entire IT infrastructure across 600 sites in 130 countries. Maersk had to rebuild that infrastructure in a heroic effort over 10 days. The total losses are estimated to have cost Maersk up to $300 million.1

The National Health Service (NHS) in the U.K. incurred a cost of £92 million ($120 million) as a result of the WannaCry ransomware outbreak in May 2017. The cyberattack also resulted in the cancellation of 19,000 appointments.2

There are also numerous examples of data breaches resulting in significant financial losses, damage to brand reputation, and fines imposed by regulators. One of the most significant data breaches in recent years was the Equifax breach, which exposed the personal data of approximately 147 million U.S. consumers, including Social Security numbers, credit card information, addresses, and birth dates.3

As businesses and other organizations increase their digital footprint and online presence, the need to secure their information assets is more critical than ever before. The Ponemon Institute's Cost of a Data Breach Study (2019) determined an average cost of a data breach across various industries was $3.92 million.4 Furthermore, the World Economic Forum identifies cyberattacks as the fifth top risk in terms of likelihood and the seventh top risk in terms of impact.5

Many organizations are increasingly concerned about their exposure to cyberattacks. Businesses exist to generate value for their shareholders, and cyberattacks ultimately impact the bottom line. Even nonprofit organizations can suffer severe financial consequences as the result of a cyberattack.

In my consulting engagements, I have observed that cyber risk has become a frequent topic of board-level conversations, and enterprises increasingly perceive exposure to cyberattacks as a business issue. To address cyber risk, organizations build information security programs to protect critical assets and reduce risk to an acceptable level. As residual risk is inevitable, incident response is a critical control in the risk management process that allows organizations to address the aftermath of an incident, reduce the impact of a cyberattack, and restore the affected assets to a fully operational state.

An effective cyber breach response program is like a fire department. Organizations design a set of capabilities based on their needs and requirements, build an incident response team, acquire the necessary technology, and operationalize those capabilities. When the inevitable happens, the affected stakeholders can call the fire department, who might be able to extinguish the fire before the real damage is done, or at least reduce the amount of damage.

The benefits of developing an effective cyber breach response program include the following:

Minimize the impact of cyberattacks.

The sooner an organization detects and responds to a cyberattack, the lesser the impact to business operations, brand reputation, and financial standing.

Decrease the cost of response.

Effective incident response helps organizations decrease the overall attacker dwell time on their network, leading to a decreased cost of response.

Dwell time is the time a threat actor remains on your network from the initial compromise to eradication. Note that industry reports such as Mandiant's M-Trends measure dwell time more narrowly, from initial compromise to detection; the definition used here spans the whole response, which is the window that drives response cost.

Prevent enterprisewide incidents.

Undetected intrusions can swiftly progress into enterprisewide incidents within weeks. The response effort is usually proportional to the time an attacker dwells on the network. Furthermore, enterprisewide incidents usually require disruptive remediation and can impact the bottom line of the victim organization.

Improve security posture.

Incident response is an iterative process, with evaluation being one of its core components. The lessons-learned outcome can help organizations improve their policies, controls, and the incident response process itself. This approach ultimately leads to an enhanced security posture and cyber resilience.

Ensure compliance.

Specific regulations and standards require organizations to have incident response capabilities, including an incident response plan.

Enhance service quality.

Information technology is a business enabler, and its mission is to provide value to the business. The role of information security, on the other hand, is to protect that value. By building incident response capabilities, organizations can minimize the impact of cyberattacks on their services and core business functions, leading to overall better service quality to internal and external clients.

Who Should Read This Book

I have written this book for anyone who is looking for an authoritative source of information on building and managing a cyber breach response program, including senior cybersecurity managers and chief information security officers (CISOs).

This book is also a valuable source of information for executive leaders, business and technology professionals, legal counsel, risk managers, and other stakeholders who have an active interest in cyber breach response in their organizations or who are planning to transition into a career in this field.

In this book, I explain cyber breach response concepts in a clear, concise, and technology-agnostic language that anyone with a grasp of fundamental cybersecurity and risk management concepts can understand.

How This Book Is Organized

I organized this book into six chapters that provide a comprehensive discussion of various topics relating to cyber breach response. I designed the book to serve both as a guide for building cyber breach response programs from scratch and as a reference guide for organizations that strive to grow and evolve their capabilities. Although the book consists of progressive chapters, each chapter provides stand-alone content that the reader can reference. Where appropriate, I also direct the reader to other chapters for specific information.

Chapter 1: Understanding the Bigger Picture

This chapter defines cyber breach response and discusses foundational concepts. It starts with a brief overview of the threat landscape and discusses drivers for cyber breach response and their role within an overall cybersecurity program. A discussion of the critical building blocks of a sound cyber breach response strategy concludes this chapter.

Chapter 2: Building a Cybersecurity Incident Response Team

Chapter 2 discusses the various considerations that organizations need to take into account when building an incident response team. The topics in this chapter include incident response competencies and functions, team models, skills, the hiring and retaining of talent, and cross-functional team development. A brief discussion on outsourcing considerations concludes this chapter.

Chapter 3: Technology Considerations in Cyber Breach Investigations

This chapter focuses on building the technical capabilities necessary to support incident response investigations. The chapter starts with a discussion on general considerations for sourcing incident response technology. Then it progresses into a discussion on data acquisition in on-premises and virtualized environments, including cloud computing. The final two sections discuss sources of network data and log management solutions.

Chapter 4: Crafting an Incident Response Plan

Chapter 4 starts with a discussion on the incident response lifecycle. Then it dives into various incident management concepts before concluding with a discussion on post-incident activities and continual improvement.

Chapter 5: Investigating and Remediating Cyber Breaches

This chapter takes an in-depth look at a methodology that incident responders employ during investigations. It discusses topics such as digital forensics and data analysis, cyber threat intelligence, malware analysis, threat hunting, and reporting. This chapter also discusses evidence types before concluding with a discussion on remediating cyber breaches.

Chapter 6: Legal and Regulatory Considerations in Cyber Breach Response

Chapter 6 discusses how the legal and regulatory landscape impacts cyber breach investigations. It goes in-depth into considerations that organizations need to keep in mind to establish a defensible protocol for the handling of digital evidence. The chapter concludes with a brief discussion on data privacy considerations in investigations.

How to Contact Wiley or the Author

You can contact the author at [email protected].

If you believe you have found an error in this book, and it is not listed on the book's page at www.wiley.com, you can report the issue to our customer technical support team at support.wiley.com.

Notes

1. "NotPetya Ransomware Attack Cost Shipping Giant Maersk Over $200 Million," Forbes, August 16, 2017, www.forbes.com/sites/leemathews/2017/08/16/notpetya-ransomware-attack-cost-shipping-giant-maersk-over-200-million/#21c48af04f9a.

2. "WannaCry cyber attack cost the NHS £92m as 19,000 appointments cancelled," The Telegraph, October 11, 2018, www.telegraph.co.uk/technology/2018/10/11/wannacry-cyber-attack-cost-nhs-92m-19000-appointments-cancelled.

3. Federal Trade Commission, Equifax Data Breach Settlement, January 2020, www.ftc.gov/enforcement/cases-proceedings/refunds/equifax-data-breach-settlement.

4. IBM Security, "How much would a data breach cost your business?" www.ibm.com/security/data-breach.

5. World Economic Forum, The Global Risks Report 2019, 14th Edition, www.weforum.org/reports/the-global-risks-report-2019.

CHAPTER 1: Understanding the Bigger Picture

Organizations across all industries increasingly rely on digital information to execute their business processes and support core business functions. Digital information that is of value to enterprises is also often a valuable and appealing target for threat actors. As a result, it requires protection in the same way as assets do in the physical world. Organizations implement safeguards to minimize risk arising from internal and external factors that might have a detrimental impact on their business. Cyber breach response plays a vital role in this process.

Building an effective cyber breach response program starts with strategy. Strategy is a process that allows organizations to achieve a vision and ensure that everyone is working toward the same goal. It enables this by providing a sense of direction and helping enterprises set measurable goals. A sound strategy also allows organizations to align capabilities to business objectives and manage residual risk when other controls fail.

This chapter discusses relevant foundational cybersecurity concepts, explains drivers for cyber breach response, and discusses the critical building blocks of strategy relating to cyber breach response.

Evolving Threat Landscape

Cyber breach response is typically a part of a more comprehensive cybersecurity program. Enterprises build cybersecurity programs to manage cyber risk and to ensure that they can continue business operations during significant cyber events. This section discusses the cyberattack lifecycle and the different types of threat actors who pose a threat to enterprises.

Identifying Threat Actors

The cyber threat intelligence (CTI) community coined the term threat actor to describe an individual or a group who is responsible for cyberattacks or who poses a threat to an organization. Cybersecurity professionals and business stakeholders often use the term attacker or adversary instead. I use these terms interchangeably throughout this book.

Digital information has inherent risks associated with it. The World Economic Forum ranks cyberattacks as the fifth top risk in terms of likelihood and the seventh top risk in terms of impact.1 The majority of medium-sized and large enterprises rely on critical digital assets that threat actors seek to exploit for a variety of purposes.

Historically, individuals and small groups engaged in hacking for notoriety or even fun. Their tactics typically focused on exploiting vulnerabilities in perimeter security in order to gain unauthorized access to computer networks. However, the rise of hacktivism, advanced persistent threats (APTs), and organized cybercrime has significantly increased cyber risk. The following list discusses common threat actor types and their motivations:

Advanced Persistent Threats

Advanced persistent threats, also referred to as nation-state actors, are sophisticated threat actors who work on behalf of nation-states and foreign intelligence agencies, typically engaging in cyber espionage and stealing foreign intellectual property. What truly differentiates APTs from other threat actors is seemingly unlimited resources and substantial funding. APT actors target specific organizations with clear objectives in mind. For example, the Chinese state-sponsored espionage group APT41 has targeted organizations in 14 countries over 7 years, and its operations have been consistent with Chinese national policy priorities.2 Another key differentiator is that APTs often create custom malware tailored to the target. The meaning of APT has blurred in recent years, and it is not uncommon for cybersecurity professionals to use the term to refer to advanced cybercrime adversaries.

Organized Cybercrime

Organized cybercrime has been on a steep rise over the last several years.3 According to the Federal Bureau of Investigation (FBI), its Internet Crime Complaint Center (IC3) received 351,937 complaints in 2018, compared to 288,012 complaints in 2015.4 With no geographic boundaries and the ability to stay anonymous, the Internet is a very attractive place for cybercriminals. The Internet made it possible for traditional crimes, such as theft or fraud, to evolve into cybercrime and maximize profits in the shortest time possible.5

Organized cybercriminals have become increasingly sophisticated and often specialize in certain aspects of cybercrime. It is also not uncommon for cybercriminals to leverage models such as malware-as-a-service or pay-per-infection. Cybercriminals exploit organizations for financial gain in numerous ways. Examples include stealing intellectual property and other highly confidential information, stealing financial information and payment card data, planting ransomware, and cyber extortion through distributed denial-of-service (DDoS) attacks.

Insider Threats

Insider threats come from within an organization and are particularly dangerous to enterprises due to the amount of trust their employers give them. Another concern is the level of access insiders have to valuable digital assets. Examples of insider threats include current and former employees, contractors, and even business partners who have inside information or access to digital assets. The industry also coined the term unintentional insider threat to describe individuals who unintentionally cause damage—for example, by sharing passwords or leaving sensitive documents in plain view.6

Hacktivists

Hacktivism is a blend of computer hacking and activism. Hacktivists use technology and cyberattacks to draw attention to their ideology and political, social, or religious views. Common targets of hacktivists include corporations, government agencies, or any other entities that hacktivists consider or perceive as corrupt or not aligned with their ideology. Hacktivist attacks can cause severe disruption to enterprises. For example, a hacktivist group may launch a DDoS attack against the victim or deface their website and leave a visible message to draw attention to the group's ideology. A notable example is "Operation Tunisia," in which the Anonymous collective, with the help of Tunisian hackers, took down eight government websites using DDoS attacks in support of the Arab Spring movement in January 2011.7 It is also worth mentioning that hacktivist attacks have dropped nearly 95 percent since 2015.8

Script Kiddies

Script kiddies are the least sophisticated threat actor discussed thus far. They lack programming knowledge and computer expertise of their own. Instead, they use scripts, open source software tools, and other freely available hacking tools to launch cyberattacks. In some cases, script kiddies may be experimenting with a tool that they downloaded from the Internet without being aware that they are launching a cyberattack. There are plenty of freely available tools and tutorials on the Internet that script kiddies can leverage.

In many cases, script kiddies are just a nuisance to organizations. However, their actions can also negatively impact enterprises. For example, a script kiddie may unleash a DDoS attack that could cause interruption of applications or use social engineering toolkits to steal sensitive data from employees, even if the attack is relatively unsophisticated. Also, script kiddies commonly engage in cyberstalking and cyberbullying. Cyberstalking and cyberbullying refer to the stalking and bullying that occurs by means of electronic communications technologies, often over the Internet.

Cyberattack Lifecycle

Some threat actors operate predictably, and the threat intelligence community has created models to describe their operations. A cyberattack lifecycle is a sequence of steps that more sophisticated attackers typically move through to attain their goals. The threat intelligence community sometimes classifies those steps into two categories: preparation and execution. Understanding a cyberattack lifecycle is essential because breaking one of the stages can prevent a threat actor from attaining their goals. Cyber breach response plays a vital role in this process.

Various organizations have created their own models of the cyberattack lifecycle, such as the Lockheed Martin Cyber Kill Chain9 or the MITRE ATT&CK framework.10 This book discusses the cyberattack preparation and execution frameworks that IBM X-Force Incident Response and Intelligence Services (X-Force IRIS) created to provide a conceptual representation of how sophisticated threat actors prepare and execute their attacks against a target. I chose this model because it clearly distinguishes between the preparation and execution phases of a cyberattack. It also incorporates steps that other approaches lack, such as building the infrastructure for an attack. Another crucial differentiator of the model is that it incorporates the idea of an attack "feedback loop." The attacker feedback loop allows for continuous engagement and refinement by the attacker to reach their objectives. This approach is more consistent with real-life incidents, where threat actors adjust their operations in response to detection in order to remain in a compromised environment.

The threat intelligence community uses the concept of tactics, techniques, and procedures (TTPs) to define behavioral characteristics that describe how threat actors operate. The acronym is sometimes expanded as tools, tactics, and procedures instead. However, in the context of cyber breach response, the two expansions are interchangeable. I discuss this concept in-depth in Chapter 5.

The X-Force IRIS cyberattack preparation and execution frameworks characterize threat data and communicate threat intelligence. These frameworks explain the full range of activities that occur before and during an actual compromise. This process provides incident responders and threat intelligence analysts with a model they can use to track data, conduct peer review research, and communicate analysis with greater clarity and consistency.

IBM X-Force IRIS Cyberattack Preparation and Execution Frameworks

Cyberattack Preparation Framework

The cyberattack preparation framework addresses activities that threat actors execute before the initial compromise.

The X-Force IRIS cyberattack preparation framework consists of eight phases, beginning with the determine objective phase and ending with the launch attack phase, where the attacker determines whether the attack resulted in a successful compromise or not. Between those initial and final phases, the attacker has several options to design an attack and may use any combination of the prepare attack phases. Upon determining the success or failure of the launch attack phase, the attacker will either move on to the execution framework in the case of success, or revise, change, or cancel the attack plan in the case of a failure.


Each phase within the preparation framework describes unique activities that an attacker can execute to prepare a cyberattack:

External reconnaissance:

Determine a target and perform research on the target to identify exploitable access points.

Align TTPs to target:

Identify and determine TTPs necessary to conduct a successful attack.

Infrastructure:

Build a command and control (C2) infrastructure to access and control malware planted on the victim's network.

Malware and software tools:

Prepare an attack toolset necessary to launch and carry out the attack.

When all of the prerequisites are in place, an attacker launches an attack using either direct or indirect methods. A direct attack refers to a situation where the attacker directly compromises the target. In contrast, an indirect attack involves an intermediary step. For example, an attacker may choose to compromise a third-party website or launch a supply-chain attack.

The operational security component underpins the entire preparation process. It represents the actions that an attacker takes to remain undetected. Examples include using obfuscation techniques, hiding their infrastructure behind different network addresses, or performing reconnaissance from a different network. Finally, there is a feedback loop from the preparation process that allows attackers to revise and adjust their strategies.

Cyberattack Execution Framework

The cyberattack execution framework addresses activities that attackers execute after a successful compromise and focuses on access to the compromised environment, as well as expanding that access to attain the attacker's objectives, as depicted in Figure 1.1.

The X-Force IRIS cyberattack execution framework includes the phases that occur after the attacker moves through the key phases of the X-Force IRIS cyberattack preparation framework and successfully gains access to at least one host within a network, or has logged in to one or more user accounts.


Figure 1.1: X-Force IRIS cyberattack preparation and execution frameworks

As with the preparation framework, each phase of the execution framework describes the activities that an attacker progresses through to execute an attack:

Initial compromise:

Occurs when an attacker successfully executes an attack and gains unauthorized access to the victim's system or network.

Establish foothold:

Allows an attacker to maintain access to the compromised network—for example, by planting backdoor malware.

Escalate privileges:

Attacker gains elevated access to system resources.

Internal reconnaissance:

Attacker collects internal information about the victim's network necessary to carry out the attack.

Move laterally:

Attacker compromises other systems and acquires additional privileges.

Maintain persistence:

Attacker maintains access to the compromised network.

Defense evasion and monitoring underpin each phase of the execution framework. As in the preparation framework, an attacker takes operational measures to evade security controls and remain undetected on the victim's network. Finally, as with the preparation framework, there is a feedback cycle that allows the attacker to revisit stages and execute additional activities.

When an attacker successfully progresses through all the stages of both frameworks, they have accomplished their objectives. It is vital to emphasize that the preparation and execution frameworks model how attackers often operate. In practice, however, an attacker may skip certain phases, depending on their objectives and level of sophistication.

That said, the frameworks are an indispensable tool that can help cybersecurity professionals explain to nonsecurity personnel and business leaders the risks associated with sophisticated attackers and why cyber breach response is critical to managing those risks.

Defining Cyber Breach Response

Now that you have an essential understanding of threat actors and how they operate, it is time to explain some crucial cyber breach response terms. There is a great deal of confusion in the cybersecurity community when it comes to terminology. At times, even seasoned professionals incorrectly use basic terms relating to cyber breach response. This section discusses the basic terminology of cyber breach response and articulates important differences between fundamental concepts.

Events, Alerts, Observations, Incidents, and Breaches

It is essential to understand the difference between events, alerts, observations, incidents, and breaches in order to avoid confusion and to ensure an appropriate response. Although these terms may be obvious to cybersecurity professionals, cyber breach response also includes business and technology stakeholders who may not be familiar with essential terms relating to cyber breach response. The following paragraphs explain the difference between these terms.

Events

An event is a change in the state of a computer system.11 Systems and software applications change their state frequently in the course of their operations. For example, a state change occurs when a user authenticates into a system in order to perform some activities and the system captures the state change information in a log. This behavior is normal, and the generated log data provides a chronological record of system activities. For example, in my experience it is not uncommon for a medium-sized domain controller to generate more than 20,000 events a day, or for a demilitarized zone (DMZ) firewall to generate more than 70,000 events a day.

Some events may be indicative of an adverse activity that threatens the confidentiality, integrity, or availability of a computer system, including software applications and digital information that the system handles. For example, an adverse event occurs when a system or a software application generates errors in response to an unauthorized activity, such as an attempt to exploit a vulnerability.

Alerts

Organizations often use the terms event and alert interchangeably. However, there is a significant difference between them. An alert is a notification that a particular adverse event has occurred and may be indicative of a cybersecurity incident. Administrators configure systems and tools to trigger alerts when a specific event or a series of events occurs. For example, an administrator might configure an alert in a security information and event management (SIEM) tool for conditions such as a high number of failed authentication events within a short period associated with a particular user account.

Over the years, cybersecurity vendors and the open source community have developed systems and tools that inspect data in motion and data at rest to alert on adverse events, and in some cases to prevent them. For example, network-based intrusion detection systems (IDSs) inspect network traffic and trigger alerts for events that match patterns of known attack vectors.
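The following Python is an added example, not code from the book, of the SIEM rule described above: it reads raw logon events (the state changes a domain controller records) and produces an alert only when failed logons for one account cross a threshold inside a sliding window. It goes one step beyond the text by enriching the alert with whether a successful logon followed the burst, which is what separates a failed attempt from a possible breach. The event lines, account names, addresses, threshold, and window are all constructed assumptions.

```python
"""Added example, not code from the book: an alert rule of the kind described
above, applied to constructed authentication events. The events, account
names and addresses are made up; the threshold and window are assumptions."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events. Each line is one state change (a logon attempt)
# as a domain controller might record it: time|account|source|outcome
SAMPLE_EVENTS = """\
2020-03-01T08:00:01|alice|10.0.0.5|SUCCESS
2020-03-01T08:00:03|bob|10.0.0.9|SUCCESS
2020-03-01T08:01:10|svc-backup|10.0.0.77|FAILURE
2020-03-01T08:01:11|svc-backup|10.0.0.77|FAILURE
2020-03-01T08:01:12|svc-backup|10.0.0.77|FAILURE
2020-03-01T08:01:13|svc-backup|10.0.0.77|FAILURE
2020-03-01T08:01:14|svc-backup|10.0.0.77|FAILURE
2020-03-01T08:01:15|svc-backup|10.0.0.77|FAILURE
2020-03-01T08:01:40|svc-backup|10.0.0.77|SUCCESS
2020-03-01T09:15:00|carol|10.0.0.12|FAILURE
2020-03-01T09:40:00|carol|10.0.0.12|FAILURE
2020-03-01T10:05:00|carol|10.0.0.12|FAILURE
2020-03-01T10:30:00|carol|10.0.0.12|FAILURE
2020-03-01T10:55:00|carol|10.0.0.12|FAILURE
"""

FAILURE_THRESHOLD = 5          # assumption: 5 failures ...
WINDOW = timedelta(minutes=5)  # ... within 5 minutes triggers an alert


def parse_events(text):
    """Turn the raw log text into (timestamp, account, source, outcome) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, src, outcome = line.split("|")
        events.append((datetime.fromisoformat(ts), account, src, outcome))
    return events


def brute_force_alerts(events, threshold=FAILURE_THRESHOLD, window=WINDOW):
    """Emit one alert per account whose failed logons reach the threshold
    inside a sliding window. A success shortly after the burst raises the
    priority, because that is the case that may have become a breach."""
    events = sorted(events)
    successes = defaultdict(list)
    for ts, account, _src, outcome in events:
        if outcome == "SUCCESS":
            successes[account].append(ts)

    recent = defaultdict(deque)   # account -> timestamps of recent failures
    alerts = []
    for ts, account, src, outcome in events:
        if outcome != "FAILURE":
            continue
        window_failures = recent[account]
        window_failures.append(ts)
        while ts - window_failures[0] > window:   # drop failures older than the window
            window_failures.popleft()
        if len(window_failures) >= threshold:
            success_after = any(ts < s <= ts + window for s in successes[account])
            alerts.append({
                "account": account,
                "source": src,
                "failures": len(window_failures),
                "first": window_failures[0].isoformat(),
                "last": ts.isoformat(),
                "success_after": success_after,
                "priority": "high" if success_after else "medium",
            })
            window_failures.clear()   # one alert per burst, not one per extra failure
    return alerts


if __name__ == "__main__":
    for alert in brute_force_alerts(parse_events(SAMPLE_EVENTS)):
        print(alert)
```

Run against the sample, the rule raises a single high-priority alert for svc-backup (five failures in four seconds followed by a success) and stays silent on carol, whose five failures are spread over two hours and never co-occur inside the window. The fourteen input lines remain events; only the first case is an alert, and whether it is an incident or a breach is still a decision for the responder.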

Observations

Observations is a term that is associated with events. Some organizations collect significant amounts of data, such as security events, social media data, email, data gathered through honeypots, and web crawling data, among others. By processing the data and applying algorithms to it, enterprises can generate observations that they can consume to identify patterns and formulate a threat hypothesis. For example, an organization may create an observation in the form of a graph diagram that shows particular malware connecting to a specific C2 domain that is associated with a phishing email address. Observations augment CTI capabilities, can help make informed decisions regarding defenses, and are invaluable in incident response investigations.12

Incidents

An adverse event becomes a cybersecurity incident when it either negatively impacts or poses an imminent threat to the confidentiality, integrity, or availability of a digital asset. Organizations also often classify explicit or implied security policy violations as cybersecurity incidents. There is no single universal definition of when an event becomes a cybersecurity incident. Enterprises need to establish criteria, such as impact and urgency, to determine when to declare a cybersecurity incident. Various noncommercial organizations have established incident classification taxonomies that enterprises can adopt and customize to their needs. For example, the European Union Agency for Cybersecurity, or ENISA, created a reference incident taxonomy that consists of the following classifications:13

Abusive Content

Malicious Code

Information Gathering

Intrusion Attempts

Intrusions

Availability

Information Content Security

Fraud

Vulnerable

Other

The taxonomy also includes specific examples and a description for each of these incident categories.

Furthermore, depending on the combination of the criteria, organizations typically declare cybersecurity incidents at different levels of severity to ensure that they allocate the necessary resources to response. Chapter 4 discusses incident management in detail, and it explains the criteria that organizations typically use to assign a severity level to a cybersecurity incident.

Breaches

A cybersecurity breach is a type of an incident. A cybersecurity breach occurs when an attacker gains unauthorized access to a computer system, software application, or digital data. All cybersecurity breaches are incidents. However, not all incidents are cybersecurity breaches. For example, an attacker might perform a password brute-force attack against a critical server that causes performance issues. If the attacker does not gain unauthorized access to the server as a result of the attack, the incident does not qualify as a breach. Another example is a DDoS attack that leads to an availability incident but not unauthorized access.

It is critical to emphasize that a cybersecurity breach is not synonymous with the term data breach. A data breach is a legal term that refers to unauthorized disclosure of sensitive information. A data breach often occurs when an attacker gains unauthorized access to highly confidential data. In other words, what makes an incident a data breach is its impact on data confidentiality; an attack that affects only data integrity or availability is a cybersecurity incident but not a data breach in this sense. Be aware, however, that some regulations define the term more broadly: the GDPR, for example, treats unauthorized destruction, loss, or alteration of personal data as a personal data breach as well. Data privacy officers and other legal professionals interpret the applicable laws and regulations and work closely with incident responders to determine whether a data breach has occurred as a result of a cyberattack. Consequently, incident responders and other stakeholders with no expertise in data privacy laws and regulations should abstain from using the term during investigations to minimize the risk of legal exposure. I typically advise clients to use the term significant event or incident instead.

What Is Cyber Breach Response?

Cyber breach response is a set of business, technical, and cybersecurity capabilities that allow organizations to address and manage a cybersecurity breach in an organized and orchestrated manner according to business priorities. The goal of cyber breach response is to reduce the attacker's dwell time on the compromised network and prevent further damage to the enterprise. Dwell time refers to the time that an attacker remains on the compromised network, from the initial compromise to the time when the organization eradicates the attacker from the environment. Note that industry reports frequently measure dwell time from initial compromise to detection rather than to eradication, so compare figures from different sources with care.

An effective cyber breach response program aligns people, processes, and technology in a way that helps organizations achieve this goal. Response to a cybersecurity breach spans multiple organizational functions that provide expertise in their functional areas, including cybersecurity, information technology, legal counsel, senior management, corporate communications, risk management, or human resources (HR), among other functions. As part of building a cyber breach response program, organizations enact appropriate policies and create a response plan to ensure coordination and orchestration of activities at all levels of the organizational hierarchy.

A term similar to cyber breach response is incident response. As discussed in the previous section, not all incidents result in cybersecurity breaches. When an enterprise detects an incident, it is not always obvious whether the attacker gained unauthorized access to a digital asset. Incident responders need to perform an investigation to determine the impact associated with the incident, including any evidence of unauthorized access to systems, software applications, or digital data that the enterprise protects. In simple terms, incident response is the de facto industry term14 and has a wider scope than cyber breach response.

Throughout this book, I use the term incident response when talking about incident investigations in a general sense. I use the term cyber breach response to refer exclusively to responding to confirmed cybersecurity breaches.

Identifying Drivers for Cyber Breach Response

As part of outlining a strategy, enterprises need to identify internal and external drivers for a cyber breach response program.

Clearly identified drivers provide stakeholders with the information that they need to build a business case and socialize the necessity for cyber breach response with executive leaders and other key stakeholders.

This section discusses common considerations that directly shape the requirement for cyber breach response.

Risk Management

Risk management is a coordinated set of activities designed to direct and control an organization with regard to risk.15 This approach focuses on the continuous process of identifying, evaluating, and treating cyber risk in order to ensure that it remains at an acceptable level. This process also includes managing residual risk when other controls fail. Cyber breach response is a vital function in addressing that residual risk.

Conducting Risk Management

Not all digital information requires the same level of protection against cyber threats. To determine the right level of protection, organizations must perform a risk assessment and apply risk treatment strategies to ensure that cyber risk remains at an acceptable level.

The objective of risk management is to manage the inherent risk associated with information technology and increase cyber resilience. As part of risk management, organizations implement controls to prevent certain types of cyberattacks and adequately respond to cyber events in order to minimize their impact on business operations. Residual risk is the remaining risk once an organization has applied controls to reduce the inherent risk associated with information technology.

Over the years, various risk management methodologies have emerged both in the private and public sectors to help enterprises manage cyber risk, such as the International Organization for Standardization and the International Electrotechnical Commission (ISO/IEC) 27005, National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), and Control Objectives for Information and Related Technology (COBIT) 5 from the Information Systems Audit and Control Association (ISACA). Organizations need to choose an approach that fits their organizational culture and integrates well with the overall organizational risk management framework.

A multitiered approach16 takes a holistic view of risk management in order to ensure that organizations conduct risk management across different levels of the organizational hierarchy. This approach also emphasizes downward and upward communication between organizational levels. By establishing two-way communication, organizations ensure that leaders communicate organizationwide risk awareness to lower organizational levels, while there is a feedback loop from lower levels to upper levels in order to facilitate continual improvement. This multilevel approach ensures that stakeholders at various organizational levels do not make decisions concerning cyber risk in isolation. The approach includes the following tiers, as shown in Figure 1.2:

Tier 1—Organization:

This tier focuses on the role of governance and risk management strategy at the executive level to support the organizational mission.

Tier 2—Business process:

This tier focuses on enterprise architecture and helps ensure that organizations consider cyber risk as part of process and system definitions.

Tier 3—Information systems:

This tier is concerned with the selection and management of security controls to manage cyber risk as part of the system development lifecycle.

It is vital that cybersecurity professionals communicate residual risk associated with cyber threats at each of these levels. The level of residual risk directly impacts the resources that an enterprise may dedicate to cyber breach response.

Risk Assessment Process

Whereas risk management focuses on the overall continuous process of identifying, evaluating, and treating cyber risk in order to ensure that it remains at an acceptable level, risk assessment primarily focuses on the identification and analysis phases of risk management.

Figure 1.2: NIST multitiered organizationwide risk management

Several industry-accepted frameworks exist for performing a risk assessment, such as ISO 31000:2018 or NIST SP 800-30. Although frameworks have a varying degree of complexity and may focus on different organizational aspects, their overall goal is to help organizations identify key risks. For example, ISO 31000:2018 includes the following steps:

Establishment of the context

Risk identification

Risk analysis

Risk evaluation

Risk treatment

Furthermore, some approaches use qualitative methods to analyze risk as part of the assessment process, whereas other approaches lean toward quantitative techniques. Qualitative risk analysis focuses on the probability and potential impact. In contrast, quantitative risk analysis numerically evaluates the potential effect of specific risks.

Regardless of the choice, a sound risk assessment methodology typically includes the following activities:

Categorizing digital assets in terms of their criticality to the enterprise

Identifying vulnerabilities and analyzing risk associated with cyber threats

Deciding on appropriate measures to reduce the risk
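As an added example that is not from the book, the following Python analyzes one risk scenario both ways described above: qualitatively, by combining ordinal likelihood and impact levels in a rating matrix, and quantitatively, by simulating annualized loss from an assumed event frequency and loss-per-event distribution and comparing the result with the closed-form expectation. The scenario (ransomware on a file server), the rating scale and cut-offs, and the distribution shapes and parameters are assumptions chosen for illustration.

```python
"""Added example, not from the book: one risk scenario analyzed both ways.
The scenario (ransomware on a file server), the rating scales and the
distribution parameters are assumptions chosen for illustration."""
import math
import random

# Qualitative analysis: ordinal likelihood and impact combined in a 5x5 matrix.
LEVELS = {"very low": 1, "low": 2, "medium": 3, "high": 4, "very high": 5}


def qualitative_rating(likelihood, impact):
    """Map a likelihood/impact pair to an ordinal risk rating (assumed cut-offs)."""
    score = LEVELS[likelihood] * LEVELS[impact]
    if score >= 15:
        return "critical"
    if score >= 8:
        return "high"
    if score >= 4:
        return "moderate"
    return "low"


def poisson_draw(rng, lam):
    """Draw the number of events in a year (Knuth's method, fine for small rates)."""
    limit, k, p = math.exp(-lam), 0, 1.0
    while True:
        k += 1
        p *= rng.random()
        if p <= limit:
            return k - 1


def analytic_expected_loss(events_per_year, loss_median, loss_sigma):
    """Closed form: E[annual loss] = rate x E[loss per event], where a
    lognormal loss has mean = median x exp(sigma^2 / 2)."""
    return events_per_year * loss_median * math.exp(loss_sigma ** 2 / 2)


def simulated_annual_loss(events_per_year, loss_median, loss_sigma,
                          years=20000, seed=1):
    """Quantitative analysis by simulation. Event frequency is modeled as
    Poisson and loss per event as lognormal (assumed shapes). Returns the
    expected annual loss and the 95th-percentile year, the 'bad year'
    figure that decision makers usually ask for next."""
    rng = random.Random(seed)
    mu = math.log(loss_median)
    annual = []
    for _ in range(years):
        n = poisson_draw(rng, events_per_year)
        annual.append(sum(rng.lognormvariate(mu, loss_sigma) for _ in range(n)))
    annual.sort()
    return {
        "expected_annual_loss": sum(annual) / years,
        "p95_annual_loss": annual[int(0.95 * years)],
    }


if __name__ == "__main__":
    # Same scenario, two answers: a rating for a heat map, and money figures
    # that can be weighed against the cost of a control.
    print(qualitative_rating("high", "very high"))
    print(analytic_expected_loss(2, 50_000, 1.0))
    print(simulated_annual_loss(2, 50_000, 1.0))
```

The qualitative rating is quick to produce and easy to put on a heat map for executives, but it cannot tell you whether a control costing a given amount per year is worth buying. The simulated figures can: the expected annual loss is the most an organization should rationally spend per year on a control that eliminates the scenario, and the 95th-percentile year shows how much worse than average a bad year can be, which is the number that justifies response capability rather than only prevention.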

Figure 1.3 shows a relationship between various risk components.17

Figure 1.3: Risk components

Threat Actor

A threat actor, also referred to as an attacker or adversary, is an individual or a group posing a threat to organizations. Threat actors often use computers to conduct malicious activities, but they can also leverage social engineering and other nontechnical means to achieve their objectives.

Cyber Threat

A cyber threat is an event or condition that can lead to the exploitation of a vulnerability or weakness in a computer system or software application. From a risk assessment perspective, a cyber threat is something that might occur and has the potential to cause damage to digital assets. An example of a cyber threat is ransomware, which can encrypt business-critical data and other digital information.

Vulnerability

A vulnerability is a weakness that a threat actor can exploit. Although cybersecurity professionals typically use this term to refer to weaknesses in computer systems and software applications, a weakness can also occur in a process or an environmental control. A vulnerability is what allows a cyberattack to succeed. For example, a vulnerable web application could allow a threat actor to exploit the vulnerability and remotely execute arbitrary code without the need to authenticate to the target system.

Cyber Risk

Cyber risk is an uncertain event that may lead to negative consequences, such as loss of revenue, brand reputation damage, disruption to business operations, or noncompliance with laws and regulations. For example, insufficient hardening of a file share server may lead to the risk of disruption of business operations if ransomware exploits a weakness in the underlying system and encrypts data on that server.

Digital Asset

Digital assets are resources that are necessary for business operations and require protection from cyberattacks. Examples of digital assets include systems, software applications, sensitive data, intellectual property, and any other information that organizations store in a digital format.

Exposure

Exposure is a quantifiable measure of potential loss resulting from a cyberattack. An exposure occurs when organizations do not adequately protect their digital assets. For example, if a threat actor exploits an insufficiently protected web application that processes payment card data, the exposure could include significant fines imposed by regulators, as well as the cost associated with litigation and lawsuits. A term that is closely related to exposure is impact. Impact is the negative outcome that results from exposure.

Control

A control is a safeguard or a countermeasure that helps mitigate or reduce risk associated with cyberattacks. Cybersecurity professionals typically group controls into three categories: logical, administrative, and physical. An example of a cybersecurity control is multifactor authentication, which mitigates the risk associated with weaknesses in traditional access control mechanisms such as passwords.

Managing Residual Risk

Enterprises implement multiple controls as part of a defense-in-depth strategy to mitigate cyber risk. The idea behind this concept is that an attacker must penetrate multiple layers of protection before attaining their objective. However, residual risk is inevitable, even with state-of-the-art controls. For this reason, enterprises need to build cyber breach response capabilities as part of the overall risk management process and shift their focus toward cyber resilience.

Cyber resilience takes a more holistic and integrated approach to risk management to ensure that enterprises can continue to operate during cyber events. This approach integrates more traditional approaches to cybersecurity with business continuity and disaster recovery (BCDR). Cyber breach response is also a critical element of cyber resilience. In simple terms, enterprises can no longer assume that they can adequately protect themselves against cyber threats, so they need to prepare for eventual successful attacks.18

A more appropriate approach is to focus on minimizing the impact of cyberattacks and efficiently recovering business operations. This is yet another reason why enterprises should invest in building a cyber breach response program.

Cyber Threat Intelligence

Managing cyber risk without high-quality CTI is a daunting task. CTI informs enterprises about cyber threats and provides context to cyber breach response. Arguably, it is very challenging—if not impossible—for enterprises to protect themselves and effectively respond to cyberattacks without embedding high-quality CTI into the risk management process and various components of their cybersecurity programs. CTI allows organizations to answer vital questions, such as who may be behind a cyberattack, what motivates the attacker, what are their capabilities, and how to identify the attacker activity in the corporate environment.

What Is Cyber Threat Intelligence?

CTI is knowledge that organizations acquire about threat actors and their operations. Examples may include information about capabilities, modus operandi, and objectives. Gartner defines threat intelligence as “evidence-based knowledge, including context, mechanisms, indicators, implications, and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject's response to that menace or hazard.”19 Analysts collect raw data about cyber threats that they analyze, contextualize, and structure in a rigorous way to produce CTI.

There are three primary forms in which enterprises consume CTI:20

Strategic Intelligence

Strategic intelligence is all about the big picture, and it informs executive-level personnel and boards of directors about cyber threats in support of strategic decision making. Geopolitics tends to be a significant aspect of strategic intelligence. The audience typically consumes strategic threat intelligence in the form of high-level trends, usually tailored to a specific industry or even organization.

Operational Intelligence

Operational intelligence focuses on higher-order TTPs and campaigns to help organizations make informed decisions about defenses and preemptively put controls in place to prevent specific types of attacks. The primary audiences for operational intelligence are security managers and technical personnel involved in designing and optimizing controls. Operational intelligence can help attribute an attack to a specific group, determine their intent and modus operandi, and provide insight into the sophistication level of the group. Organizations can leverage this type of information to prevent specific attacks before they occur.

Tactical Intelligence

Tactical intelligence is low-level, granular, and often short-lived information that precisely describes how a specific threat actor deploys their capabilities. CTI analysts produce tactical intelligence nearly exclusively for technical audiences to support incident response and security operations. Examples of tactical intelligence include specific attack vectors, indicators of compromise (IOCs), observables, anti-forensic techniques, tools, and other granular information that describes how a threat actor operates.

Importance of Cyber Threat Intelligence

CTI allows organizations to remain informed about cyber threats, and it is a crucial input into the risk management process. It provides enterprises with the cyber threat context that they require to make informed decisions about investments in cybersecurity, including building and expanding a cyber breach response program. For example, CTI can inform an enterprise about how specific threat groups conduct ransomware attacks. In turn, this information can help the enterprise evaluate its security posture and address key weaknesses to reduce the risk of a ransomware outbreak.

In my personal experience, CTI has been invaluable in communicating cyber risk to clients. After explaining how attackers operate and progress through the cyberattack lifecycle, some clients have made changes to their processes and invested in additional capabilities to respond to incidents more effectively.

CTI also helps alleviate challenges associated with increasing volumes of security data. Incident responders often leverage open source and proprietary CTI to contextualize security data and look for specific IOCs and patterns indicative of attacker activity. High-quality CTI is actionable; it informs and augments cyber breach response, and helps leaders make decisions about priorities during cyber breach investigations.
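The following Python is an added example, not code from the book, of the tactical use of CTI described in this section and under "Tactical Intelligence" above: indicators of compromise from a feed are matched against proxy log lines to surface attacker activity with the context an analyst needs to pivot. Because tactical intelligence is short-lived, each indicator carries a validity window and expired indicators are skipped rather than allowed to fire, and values are normalized first so that a capitalized domain with a trailing dot or an uppercase hash does not cause a miss. The feed layout, the indicators, the domains, addresses, hash, and log lines are all constructed for the demonstration.

```python
"""Added example, not from the book: consuming tactical CTI by matching
indicators of compromise (IOCs) against proxy log lines. The indicator feed,
its dict layout, the domains, addresses, hash and log lines are constructed
for the demonstration, not taken from any real feed or incident."""
import ipaddress
from datetime import datetime

SAMPLE_HASH = "a" * 32 + "b" * 32   # placeholder stand-in for a real SHA-256

# Constructed feed. Tactical intelligence is short-lived, so each indicator
# carries a validity window; an expired indicator must not produce hits.
INDICATORS = [
    {"type": "domain", "value": "update-check.example.net",
     "campaign": "phish-wave-3", "valid_until": "2020-06-30T00:00:00+00:00"},
    {"type": "ipv4", "value": "203.0.113.17",
     "campaign": "phish-wave-3", "valid_until": "2020-06-30T00:00:00+00:00"},
    {"type": "sha256", "value": SAMPLE_HASH,
     "campaign": "phish-wave-3", "valid_until": "2020-06-30T00:00:00+00:00"},
    {"type": "domain", "value": "old-c2.example.org",   # expired indicator
     "campaign": "phish-wave-1", "valid_until": "2019-01-01T00:00:00+00:00"},
]

# Constructed proxy log: time user source dest_host dest_ip sha256_or_dash
PROXY_LOG = "\n".join([
    "2020-03-02T10:00:00+00:00 alice 10.0.0.5 intranet.example.com 10.0.1.2 -",
    "2020-03-02T10:02:13+00:00 bob 10.0.0.9 Update-Check.Example.NET. 203.0.113.17 -",
    "2020-03-02T10:02:20+00:00 bob 10.0.0.9 cdn.example.com 198.51.100.4 " + SAMPLE_HASH.upper(),
    "2020-03-02T10:05:00+00:00 carol 10.0.0.12 old-c2.example.org 192.0.2.8 -",
])


def normalize(ioc_type, value):
    """Canonical form so that case, trailing dots and stray spacing do not
    cause a miss: domains lowercase without trailing dot, hashes lowercase
    hex, IPv4 validated by the standard library."""
    v = value.strip().lower()
    if ioc_type == "domain":
        return v.rstrip(".")
    if ioc_type == "ipv4":
        return str(ipaddress.IPv4Address(v))
    if ioc_type == "sha256":
        if len(v) != 64 or any(c not in "0123456789abcdef" for c in v):
            raise ValueError(f"malformed sha256 indicator: {value!r}")
        return v
    raise ValueError(f"unsupported indicator type: {ioc_type}")


def load_indicators(feed, now):
    """Index the indicators that are still valid at 'now' by (type, value)."""
    index = {}
    for ioc in feed:
        if datetime.fromisoformat(ioc["valid_until"]) <= now:
            continue   # stale tactical intelligence: skip it rather than alert on it
        index[(ioc["type"], normalize(ioc["type"], ioc["value"]))] = ioc
    return index


def match_proxy_log(log_text, index):
    """Return one hit per (log line, matching indicator), with the context an
    analyst needs to pivot: who, from where, when, and which campaign."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, user, src, host, dest_ip, sha = line.split()
        candidates = [("domain", host), ("ipv4", dest_ip)]
        if sha != "-":
            candidates.append(("sha256", sha))
        for ioc_type, raw in candidates:
            value = normalize(ioc_type, raw)
            ioc = index.get((ioc_type, value))
            if ioc is not None:
                hits.append({"time": ts, "user": user, "source": src,
                             "type": ioc_type, "indicator": value,
                             "campaign": ioc["campaign"]})
    return hits


def scan(feed, log_text, now_iso):
    """Entry point: load the feed as of now_iso and scan the log text."""
    return match_proxy_log(log_text, load_indicators(feed, datetime.fromisoformat(now_iso)))


if __name__ == "__main__":
    for hit in scan(INDICATORS, PROXY_LOG, "2020-03-02T00:00:00+00:00"):
        print(hit)
```

Scanned as of March 2020, the constructed log yields three hits, all for one user and one campaign (domain, C2 address, and file hash), which is the pattern an analyst would escalate as a single incident rather than three alerts. The visit to old-c2.example.org does not fire because that indicator expired; rerun with an earlier "now" and it does, which is exactly why stale indicators in a feed are a source of false positives rather than a harmless extra.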

Laws and Regulations

Advances in technology and the increasing volumes of personal data that enterprises collect and process have raised data privacy concerns in many countries. Moreover, people are increasingly aware of and concerned about data privacy. In response, many governments have enacted data privacy laws and regulations that require organizations to protect personal data and to respond adequately to cyber breaches involving that data. In addition, as computer crime became prevalent, governments in many jurisdictions enacted laws that criminalize cyberattacks.

Compliance Considerations

Nongovernmental entities, such as the Payment Card Industry (PCI) Security Standards Council, have enacted compliance standards that require organizations to protect certain types of data. Breaches of that data could lead to significant losses for both consumers and businesses, as well as fines that regulators impose on the breached organizations. In some instances, data breaches could also lead to civil litigation or even class-action lawsuits.

Inappropriate handling of personal and other protected data can result in noncompliance with laws and regulations and legal risk. As enterprises apply controls to protect regulated data, it is essential to emphasize that cyber breach response is also a control that allows organizations to manage residual risk. A cybersecurity breach does not necessarily automatically lead to a data breach and legal exposure. As previously discussed in the “Cyberattack Lifecycle” section, threat actors must often progress through a series of phases to attain their objectives, such as data theft. Breaking the attack lifecycle with cyber breach response in early phases can prevent a data breach and reduce the risk of legal exposure.

The compliance landscape is extremely complex and varies from jurisdiction to jurisdiction. Furthermore, organizations must also comply with laws and regulations specific to their industries. In the United States alone, organizations must comply, often simultaneously, with numerous laws and regulations. Examples include the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes–Oxley Act (SOX), Federal Information Security Management Act of 2002 (FISMA, since amended by the Federal Information Security Modernization Act of 2014), Gramm–Leach–Bliley Act (GLBA), Payment Card Industry Data Security Standard (PCI DSS), and Family Educational Rights and Privacy Act (FERPA), among other regulations.

Compliance Requirements for Cyber Breach Response

This section briefly discusses the PCI DSS and the General Data Protection Regulation (GDPR) as examples of standards and regulations that directly drive the need for cyber breach response.