What You Need to Know about Incident Management

In spite of your best efforts to prevent compromise and downtime, they will occur. Thus, you must not only plan to prevent problems, you must also plan to handle failures when they occur. This type of planning is known as incident management. In order to be reasonably prepared for the unexpected or the “it occurred anyway” events, your organization needs to address several essential incident response concepts.

Audit & Log Analysis
In relation to threat management and access control, it is important to audit, log, and monitor events that occur, whether caused by or focused on systems and processes or subjects. But what is even more important is to review and analyze the collected data. Analysis involves processing the audit logs with the goal of gaining a perspective and understanding events as well as the status of security. Analysis may include forensics, which seeks to understand the meaning behind items recorded by auditing. Auditing and analysis thus lead to resolving employee issues, tracking down criminals, and improving the security of the organization.

Continuous Monitoring/SIEM
Continuous monitoring and security information and event management (SIEM) are the combination of two previously separate disciplines: security information management (SIM) and security event management (SEM). SIEM focuses on providing real-time analysis of incidents detected by hardware and software. SIEM systems provide detailed incident reports that are often useful in incident management and response and for compliance verification. SIEM systems can aggregate data from a plethora of sources, find correlations within bulk data, automatically issue alerts, provide real-time insight into the status of the infrastructure, and assist in event record retention. The ability to have a continuous and consistent monitoring mechanism, such as a SIEM solution, can be a vital part of an enterprise’s ability to track down and ultimately resolve issues and compromises quickly.

Forensics
Forensics is the art and science of collecting information and assets, analyzing the collected items, and presenting findings to a legal authority, often in relation to a civil or criminal case. Forensics is generally the science of evidence collection, preservation, analysis, and reporting. Specifically, computer forensics focuses on gathering evidence from computer systems and storage devices. Since such evidence is stored as binary data on volatile and mostly magnetic media, it is easy to damage and change even in the act of discovery and collection. If an organization takes action based on information they discover or uncover in their auditing processes or system maintenance procedures, they must make sure to abide by the rules of evidence in order for it to be admissible in a court of law. Often, organizations will have trained forensics personnel on staff or on call as consultants, or they may have an established relationship with local law enforcement. The use of proper forensic procedure can make the difference between obtaining justice and allowing a suspect to get away with a crime.

Hacking/Cyber Warfare
Hacking is the ability to use a system in a way that it wasn’t designed, to gain new benefits or capabilities by modifying a product, or to locate vulnerabilities and take advantage of them. When hacking is performed for illicit gain or simply to cause harm to the target, it is a criminal action and may be linked to cyber warfare actions. Anyone with a little time and interest can learn to become a hacker. There is an abundance of very powerful hacking tools available on the Internet, along with tutorials and training materials. Your organization needs to be prepared to defend itself against the international hacker as well as a disgruntled employee. Learn the skills, tools, techniques, and methodologies of criminal hackers, and then use them against your own organization’s security structure to identify deficiencies that need to be addressed. 

Incident Response
Once you are aware of a compromise, intrusion, or other form of unplanned downtime, you need to respond quickly to contain damage, remove the offending elements, and restore the environment back to normal. The success of incident response is based on preparation. Incident response preparation includes written policies and procedures, an established Computer Incident Response Team (CIRT), training, drills, simulations, with thorough follow-up/post-mortem reviews. When your organization is under threat of an attack or has been damaged by Mother Nature, or a key component of the infrastructure fails without warning, only a well-designed and executed incident response will be able to provide you with fast recovery and prevent a true disaster from occurring.

Reverse Engineering
Reverse engineering is the ability to analyze an item, hardware or software, in order to understand how it works without having access to its source code or original design blueprints. Reverse engineering can enable someone to develop a reproduction or simulation of the original item. This could be useful when the original source code is unavailable or patent restrictions prevent or hinder use of the original. Reverse engineering can be used to solve problems or create more efficient alternatives. However, reverse engineering can also be used to develop new exploits and attacks. For example, a technique called fuzzing repeatedly sends random input sets to a target to watch how it reacts. If an abnormal reaction occurs, this could be a symptom of a bug or coding error, which may be converted into an exploit. Reverse engineering is also useful in understanding how malicious code works, including its means of distribution, infection, and payload delivery. Through reverse engineering techniques, defenses against exploits and malware may be developed.

Related Courses
Certified Ethical Hacker v8
Foundstone Forensics & Incident Response
RSA Security Analytics Forensics Fundamentals

Related Resources
Cybersecurity Necessities: A Firewall, Antivirus, and a Well-Trained Workforce