Cyber Breach Response That Actually Works - Organizational Approach to Managing Residual Risk

Foreword xxiii Introduction xxv Chapter 1 Understanding the Bigger Picture 1 Evolving Threat Landscape 2 Identifying Threat Actors 2 Cyberattack Lifecycle 4 Cyberattack Preparation Framework 5 Cyberattack Execution Framework 6 Defining Cyber Breach Response 8 Events, Alerts, Observations, Incidents, and Breaches 9 Events 9 Alerts 9 Observations 10 Incidents 10 Breaches 11 What is Cyber Breach Response? 12 Identifying Drivers for Cyber Breach Response 13 Risk Management 13 Conducting Risk Management 13 Risk Assessment Process 14 Managing Residual Risk 17 Cyber Threat Intelligence 18 What is Cyber Threat Intelligence? 18 Importance of Cyber Threat Intelligence 19 Laws and Regulations 20 Compliance Considerations 20 Compliance Requirements for Cyber Breach Response 21 Changing Business Objectives 22 Incorporating Cyber Breach Response into a Cybersecurity Program 23 Strategic Planning 23 Designing a Program 24 Implementing Program Components 25 Program Operations 26 Continual Improvement 27 Strategy Development 27 Strategic Assessment 28 Gap Analysis 28 Maturity Assessment 30 Strategy Definition 32 Vision and Mission Statement 32 Goals and Objectives 33 Establishing Requirements 33 Defining a Target Operating Model 35 Developing a Business Case and Executive Alignment 35 Strategy Execution 37 Enacting an Incident Response Policy 37 Assigning an Incident Response Team 38 Creating an Incident Response Plan 38 Documenting Legal Requirements 38 Roadmap Development 39 Governance 40 Establishing Policies 40 Enterprise Security Policy 41 Issue-Specific Policies 41 Identifying Key Stakeholders 42 Executive Leadership 42 Project Steering Committee 42 Chief Information Security Officer 43 Stakeholders with Interest in Cyber Breach Response 43 Business Alignment 44 Continual Improvement 44 Necessity to Determine if the Program is Effective 45 Changing Threat Landscape 45 Changing Business Objectives 45 Summary 46 Notes 47 Chapter 2 Building a Cybersecurity Incident Response Team 51 Defining a CSIRT 51 CSIRT History 52 The Role of a CSIRT in the Enterprise 52 Defining Incident Response Competencies and Functions 55 Proactive Functions 55 Developing and Maintaining Procedures 56 Conducting Incident Response Exercises 56 Assisting with Vulnerability Identification 57 Deploying, Developing, and Tuning Tools 58 Implementing Lessons Learned 59 Reactive Functions 59 Digital Forensics and Incident Response 59 Cyber Threat Intelligence 60 Malware Analysis 60 Incident Management 61 Creating an Incident Response Team 61 Creating an Incident Response Mission Statement 62 Choosing a Team Model 62 Centralized Team Model 63 Distributed Team Model 64 Hybrid Team Model 65 An Integrated Team 66 Organizing an Incident Response Team 66 Tiered Model 66 Competency Model 68 Hiring and Training Personnel 69 Technical Skills 69 Soft Skills 71 Pros and Cons of Security Certifications 72 Conducting Effective Interviews 73 Retaining Incident Response Talent 74 Establishing Authority 75 Full Authority 75 Shared Authority 76 Indirect Authority 76 No Authority 76 Introducing an Incident Response Team to the Enterprise 77 Enacting a CSIRT 78 Defining a Coordination Model 78 Communication Flow 80 Incident Officer 80 Incident Manager 81 Assigning Roles and Responsibilities 82 Business Functions 82 Human Resources 82 Corporate Communications 83 Corporate Security 83 Finance 84 Other Business Functions 85 Legal and Compliance 85 Legal Counsel 85 Compliance Functions 86 Information Technology Functions 87 Technical Groups 87 Disaster Recovery 88 Outsourcing Partners and Vendors 89 Senior Management 89 Working with Outsourcing Partners 90 Outsourcing Considerations 91 Proven Track Record of Success 91 Offered Services and Capabilities 91 Global Support 92 Skills and Experience 92 Outsourcing Costs and Pricing Models 92 Establishing Successful Relationships with Vendors 93 Summary 94 Notes 95 Chapter 3 Technology Considerations in Cyber Breach Investigations 97 Sourcing Technology 98 Comparing Commercial vs. Open Source Tools 98 Commercial Tools 98 Open Source Software 98 Other Considerations 99 Developing In-House Software Tools 100 Procuring Hardware 101 Acquiring Forensic Data 102 Forensic Acquisition 102 Order of Volatility 103 Disk Imaging 103 System Memory Acquisition 105 Tool Considerations 106 Forensic Acquisition Use Cases 107 Live Response 108 Live Response Considerations 109 Live Response Tools 109 Live Response Use Cases 112 Incident Response Investigations in Virtualized Environments 113 Traditional Virtualization 115 Cloud Computing 115 Forensic Acquisition 115 Log Management in Cloud Computing Environments 117 Leveraging Network Data in Investigations 118 Firewall Logs and Network Flows 118 Proxy Servers and Web Gateways 120 Full-Packet Capture 120 Identifying Forensic Evidence in Enterprise Technology Services 123 Domain Name System 123 Dynamic Host Confi guration Protocol 125 Web Servers 125 Databases 126 Security Tools 127 Intrusion Detection and Prevention Systems 127 Web Application Firewalls 127 Data Loss Prevention Systems 128 Antivirus Software 128 Endpoint Detection and Response 129 Honeypots and Honeynets 129 Log Management 130 What is Logging? 130 What is Log Management? 132 Log Management Lifecycle 133 Collection and Storage 134 Agent-Based vs. Agentless Collection 134 Log Management Architectures 135 Managing Logs with a SIEM 137 What is SIEM? 138 SIEM Considerations 139 Summary 140 Notes 141 Chapter 4 Crafting an Incident Response Plan 143 Incident Response Lifecycle 143 Preparing for an Incident 144 Detecting and Analyzing Incidents 145 Detection and Triage 146 Analyzing Incidents 146 Containment, Eradication, and Recovery 147 Containing a Breach 147 Eradicating a Threat Actor 148 Recovering Business Operations 149 Post-Incident Activities 149 Understanding Incident Management 150 Identifying Process Components 151 Defining a Process 151 Process Controls 153 Process Enablers 155 Process Interfaces 155 Roles and Responsibilities 158 Service Levels 159 Incident Management Workfl ow 160 Sources of Incident Notifi cations 160 Incident Classifi cation and Documentation 162 Incident Categorization 163 Severity Assignment 163 Capturing Incident Information 167 Incident Escalations 169 Hierarchical Escalations 169 Functional Escalation 169 Creating and Managing Tasks 169 Major Incidents 170 Incident Closure 171 Crafting an Incident Response Playbook 171 Playbook Overview 171 Identifying Workfl ow Components 173 Detection 173 Analysis 174 Containment and Eradication 176 Recovery 176 Other Workflow Components 177 Post-Incident Evaluation 177 Vulnerability Management 177 Purpose and Objectives 178 Vulnerability Management Lifecycle 178 Integrating Vulnerability Management and Risk Management 180 Lessons Learned 180 Lessons-Learned Process Components 181 Conducting a Lessons-Learned Meeting 183 Continual Improvement 184 Continual Improvement Principles 184 The Deming Cycle 184 DIKW Hierarchy 185 The Seven-Step Improvement Process 187 Step 1: Define a Vision for Improvement 188 Step 2: Define Metrics 188 Step 3: Collect Data 189 Step 4: Process Data 190 Step 5: Analyze Information 191 Step 6: Assess Findings and Create Plan 191 Step 7: Implement the plan 192 Summary 192 Notes 193 Chapter 5 Investigating and Remediating Cyber Breaches 195 Investigating Incidents 196 Determine Objectives 197 Acquire and Preserve Data 198 Perform Analysis 200 Contain and Eradicate 202 Conducting Analysis 202 Digital Forensics 203 Digital Forensics Disciplines 203 Timeline Analysis 205 Other Considerations in Digital Forensics 206 Cyber Threat Intelligence 207 Cyber Threat Intelligence Lifecycle 208 Identifying Attacker Activity with Cyber Threat Intelligence 209 Categorizing Indicators 212 Malware Analysis 214 Classifying Malware 214 Static Analysis 216 Dynamic Analysis 217 Malware Analysis and Cyber Threat Intelligence 217 Threat Hunting 218 Prerequisites to Threat Hunting 218 Threat Hunting Lifecycle 219 Reporting 221 Evidence Types 223 System Artifacts 223 Persistent Artifacts 223 Volatile Artifacts 225 Network Artifacts 226 Security Alerts 227 Remediating Incidents 228 Remediation Process 229 Establishing a Remediation Team 230 Remediation Lead 231 Remediation Owner 232 Remediation Planning 233 Business Considerations 233 Technology Considerations 234 Logistics 235 Assessing Readiness 235 Consequences of Alerting the Attacker 236 Developing an Execution Plan 237 Containment and Eradication 238 Containment 238 Eradication 239 Monitoring for Attacker Activity 240 Summary 241 Notes 242 Chapter 6 Legal and Regulatory Considerations in Cyber Breach Response 243 Understanding Breaches from a Legal Perspective 244 Laws, Regulations, and Standards 244 United States 245 European Union 246 Standards 246 Materiality in Financial Disclosure 247 Cyber Attribution 248 Motive, Opportunity, Means 248 Attributing a Cyber Attack 249 Engaging Law Enforcement 251 Cyber Insurance 252 Collecting Digital Evidence 252 What is Digital Evidence? 253 Digital Evidence Lifecycle 253 Information Governance 254 Identification 254 Preservation 255 Collection 255 Processing 255 Reviewing 256 Analysis 256 Production 257 Presentation 258 Admissibility of Digital Evidence 258 Federal Rules of Evidence 258 Types of Evidence 260 Direct Evidence 260 Circumstantial Evidence 260 Admission of Digital Evidence in Court 261 Evidence Rules 261 Hearsay Rule 261 Business Records Exemption Rule 262 Best Evidence 262 Working with Legal Counsel 263 Attorney-Client Privilege 263 Attorney Work-Product 264 Non-testifying Expert Privilege 264 Litigation Hold 265 Establishing a Chain of Custody 265 What is a Chain of Custody? 266 Establishing a Defensible Protocol 266 Traditional Forensic Acquisition 267 Live Response and Logical Acquisition 268 Documenting a Defensible Protocol 269 Documentation 269 Accuracy 270 Auditability and Reproducibility 270 Collection Methods 270 Data Privacy and Cyber Breach Investigations 271 What is Data Privacy? 271 Handling Personal Data During Investigations 272 Enacting a Policy to Support Investigations 272 Cyber Breach Investigations and GDPR 273 Data Processing and Cyber Breach Investigations 274 Establishing a Lawful Basis for the Processing of Personal Data 275 Territorial Transfer of Personal Data 276 Summary 277 Notes 278 Index 281