31 Mar Improving Incident Response Investigations
Improving Incident Response Investigations
Investigating cybersecurity incidents requires balancing investigation depth with analyst capacity. Using robust triage checklists and threat management platforms can reduce investigative time. Larger SOCs/CSIRTs use a tiered system to allow skilled investigators to focus on high-risk events while maintaining coverage across all events. Many smaller organizations simply don’t have the budget or luxury to attain what larger SOCs/CSIRTs can do. Organizations of all sizes need to use tools to automate and create efficiencies in the process.
All this starts with people and process. Only then can you implement technology to force multiply your people.
Tools that operationalize the SOC are:
- Triage Checklists
- Investigation and Incident Handling Playbooks
- Knowledge Base Tools
- SIEM/Correlation Tools
- Properly Filtered Threat Intelligence Subscription(s)
- Incident Process Tracking Tools (called Incident Response Platforms )
- Forensic Tools
Some Process Improvement Ideas
Using a combination of these tools can allow the SOC/CSIRT to focus on the investigation rather than focusing on collection. In addition to the tools, having a flexible investigative process will help. A process should include:
- Triage Checklists – List of steps to validate if an alert is a risk that needs to be escalated or can be closed out. This standardizes your triage process across different analysts.
- Indicator Enrichment and Correlation – Identify where indicators map across multiple data sources to correlate information and define an incident’s true scope
- Investigative Checklist – Include security logs, manual verification, historical intelligence analysis, threat intelligence context, etc.
- Containment actions – Limit damage to the organization while preparing to remediate
- Remediation actions – Define who is fixing the issue, and how. Agree on timelines for outlined actions
- Remediation verification – Independently verify a successful remediation process
- Internal Intelligence – Identify actors or tools used against the organization and collect the data in a knowledge base
- Post Mortem – Assess what happened and establish processes to prevent a similar attack in the future. Have a pre-determined format for reporting the root cause and how to improve controls going forward.
As you build out your Incident Response playbooks make sure you think through all the different systems you need to pull data from. Also, as you document a process, you will be able to see where you may be able to optimize!