Planning for Rapid Response Will Help Ensure You Have a Foundation in Place During Times of Crisis
Crises and outbreaks change us and society, with the war against COVID-19 having the most dramatic impact in recent memory. Every aspect of our existence is different, including new ways of working, communicating, conducting business, and taking care of ourselves and our families. The key is learning from these experiences so we can be better prepared for future events.
These extreme changes have escalated another war, a war against cyber threats, with exposure to new cybersecurity risks that threat actors choose to exploit. The line between work and personal devices has blurred with users and usage moving fluidly between them. Personal and business data flows freely across home Wi-Fi networks. When the workday ends, we transition seamlessly to virtual happy hours and binge-watching videos using a growing number of services – further expanding the attack surface. Threat actors are also using novel lures that pull on our fears and inquisitive nature to entice us to click on malicious links or attachments or unwittingly share data that we shouldn’t. It’s a situation that is quickly becoming untenable for many cybersecurity professionals and causing organizations to question their capacity to respond rapidly.
While serving as a Supreme Allied Commander during WWII, Dwight D. Eisenhower said, “In preparing for battle I have always found that plans are useless, but planning is indispensable.” Planning for rapid response will help ensure you have a foundation in place during times of crisis to work more effectively with your peers to mitigate risk and to answer questions from management about the organization’s resilience to the latest threats.
I’ve outlined three steps to help you lay the groundwork for rapid response. It’s important to note that these recommendations aren’t specific to COVID-19. Going through this planning process will also improve your ability to respond rapidly to future events – from a new, high-profile ransomware campaign with global impact to opportunistic cyberattacks triggered by a natural or manmade disaster.
1. Consume. As we’ve seen before with global threats like WannaCry and are seeing now with COVID-19, crises and outbreaks generate a strong uptick in new, disparate sources of threat information. Many commercial threat intelligence providers, governments, open source feeds and frameworks like MITRE ATT&CK provide valuable threat and outbreak-specific data. Becoming aware of these new sources is one thing, but being able to consume all that data is another, especially since the sources use different formats and may carry different types of data than you currently utilize. To make this situation manageable, you need a central repository that is prepared to accept these feeds, or that can be mapped to non-standard formats quickly – in minutes or hours. The agility to bring new threat information sources into consumption quickly is at the heart of rapid response. With high-quality data aggregated and normalized, you can assess how it may pertain to you and utilize it.
2. Understand. Understanding the data individually provides value, but the real value comes from understanding it in aggregate, including with respect to events and associated indicators from your own internal systems – for example, from your SIEM, log management repository, case management system and security infrastructure. By relating the data to what’s actually happening in your environment, you gain context that makes it tangible. For example, an indicator that is active, high-scoring or cited within the last 24 hours will initiate further investigation, while others may warrant ongoing monitoring and those that are benign can be set aside. A big picture view also allows you to quickly see who else within the organization needs to consume and understand this data – your SOC team, network security team, threat intelligence analysts, threat hunters, forensics and investigations, management, etc. – and share it.
3. Action. The final step is to enable the data as part of your infrastructure and operations. Quickly sending the appropriate pieces of data to the appropriate tools, systems and controls within your environment will accelerate detection, response and prevention. For example, exporting the data to your existing infrastructure allows those technologies to perform more efficiently and effectively – delivering fewer false positives. You can also use your curated threat intelligence to be anticipatory and prevent attacks in the future – like automatically sending intelligence to your sensor grid (firewalls, IPS/IDS, routers, web and email security, endpoint detection and response (EDR), etc.) to generate and apply updated policies and rules to mitigate risk.
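The three steps above, carried through on constructed data as an added example (this is illustrative code, not a tool from the original article): two feeds in different formats are normalized into one repository, each indicator is triaged with the rule in step 2 (active in our environment, high-scoring or cited within the last 24 hours triggers investigation), and the result is exported as a blocklist for a control. Field names, score thresholds and the internal-hits structure are assumptions.

```python
import csv
import io
import json
from datetime import datetime, timedelta, timezone
# Constructed sample feeds in two different formats (not from any real provider).
FEED_JSON = json.dumps([
    {"indicator": "198.51.100.7", "type": "ipv4", "score": 85, "last_seen": "2020-04-02T09:00:00Z"},
    {"indicator": "lure.example", "type": "domain", "score": 40, "last_seen": "2020-03-01T00:00:00Z"},
    {"indicator": "stale.example", "type": "domain", "score": 5, "last_seen": "2020-01-01T00:00:00Z"},
])
FEED_CSV = ("value|kind|confidence|updated\n"
            "203.0.113.9|ip|30|2020-04-02T08:30:00Z\n"
            "198.51.100.7|ip|90|2020-04-01T12:00:00Z\n")
INTERNAL_HITS = {"203.0.113.9": 3}  # constructed: indicator -> number of SIEM matches
NOW = datetime(2020, 4, 2, 12, 0, tzinfo=timezone.utc)  # fixed clock so the run is deterministic

def _ts(s):
    return datetime.fromisoformat(s.replace("Z", "+00:00"))

def normalize(feed_json, feed_csv):
    # Step 1: map each feed's own field names onto one record shape, then merge duplicates.
    types = {"ipv4": "ip", "ip": "ip", "domain": "domain"}
    rows = [("feed_json", r["indicator"], types[r["type"]], r["score"], _ts(r["last_seen"]))
            for r in json.loads(feed_json)]
    rows += [("feed_csv", r["value"], types[r["kind"]], int(r["confidence"]), _ts(r["updated"]))
             for r in csv.DictReader(io.StringIO(feed_csv), delimiter="|")]
    merged = {}
    for src, value, kind, score, seen in rows:
        rec = merged.setdefault(value, {"type": kind, "score": 0, "last_seen": seen, "sources": []})
        rec["score"] = max(rec["score"], score)          # keep the strongest assessment
        rec["last_seen"] = max(rec["last_seen"], seen)   # and the most recent sighting
        rec["sources"].append(src)
    return merged

def triage(merged, internal_hits, now, high_score=70, window=timedelta(hours=24), benign_score=20):
    # Step 2: active in our environment, high-scoring or cited in the last 24h -> investigate.
    decisions = {}
    for value, rec in merged.items():
        active = value in internal_hits
        if active or rec["score"] >= high_score or now - rec["last_seen"] <= window:
            decisions[value] = "investigate"
        elif rec["score"] < benign_score:
            decisions[value] = "set_aside"  # assumption: low score and never seen locally counts as benign
        else:
            decisions[value] = "monitor"
    return decisions

def export_blocklist(merged, decisions, kind="ip"):
    # Step 3: the subset worth pushing to a control, here IPs for a firewall blocklist.
    return sorted(v for v, d in decisions.items() if d == "investigate" and merged[v]["type"] == kind)
```

Calling `triage(normalize(FEED_JSON, FEED_CSV), INTERNAL_HITS, NOW)` shows the two IPs going to investigation (one because of the local SIEM hits, one because of its score and recency), the mid-score domain going to monitoring and the stale low-score domain being set aside.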
With capabilities to quickly curate and integrate new threat data sources across your operations, you’re prepared for whatever the future brings. You can be confident that your security teams have laid the groundwork for rapid response. You also have a construct for effective communication with management, with the capability to provide details about a specific threat and how you are mitigating risk in ways that resonate with business leaders. Planning now for how you will deal with new threats triggered by the next big crisis or outbreak is time well spent, and an activity that Dwight D. Eisenhower would applaud.