Thursday, September 23 2021

We went through the whole CRP life cycle splitting it up into stages to better understand the steps taken in order to recover from security incidents. The apparent thing in all the steps is that someone must actually do it. The security staff in charge of the CRP life cycle process are Information Security professionals in the field of cyber security that have expert knowledge of Information Systems and are able to realize what exactly is going on when an alert triggers. Some companies have few Information security personnel and are limited in their response process. Other companies are increasingly outsourcing their cyber response capabilities to third party Security Operation Centers (SOC).

Cyber Security Response Plan

A SOC team is a centralized department that deals with all security related issues. It can be built in-house or it can be outsourced. There are some companies that choose the hybrid of these two possibilities due to monetary costs related to outsourcing most of its security operations.

An in-house SOC is an internal department in the company that deals with all security policies and procedures, tools, threats and incidents. The main people in the SOC are information Security Analysists that keep an eye on all the detection systems a company has in place. The SOC usually has a Senior Information Security Analyst and a SOC manager to make sure things are running smoothly and that junior analysts are getting the right training in order to be able to detect more sophisticated threats.

An outsourced SOC is a team of experts hired to watch over the company’s security systems and defend the company’s network from all types of attacks. This service is expensive but nonetheless, more and more companies choose this option as it reliefs them of finding the right staff to do the job and insuring the staff stay for a longer period of time. The demand for cyber security experts is very high as finding them is difficult due to the shortage in the workforce. This is an increasing problem globally and hence the salaries of cyber security experts are very high. This in turn creates a bigger overturn of security staff and companies struggle keeping them from leaving the company for a better offer.

To showcase how the entire process works, an example of an incident would do well. Imagine an employee opened a phishing email with an invoice attachment. The employee opens the attachment and triggers a virus. The virus spreads to a few computers in the office before an intrusion detection system triggers an alert. Junior Security analyst would immediately start investigating the alert to determine if it is a false positive or an actual incident. The Analyst would look for the originating hostname, inspect the process tree to determine what happened and in some cases talk to the employee that was sitting at the infected computer. If the analyst determines this is an actual attack, he or she would escalate the incident to a higher-level security analyst.

Since the incident has been identified, the staff would work together with the IT department to contain the spread of malware. Network containing all the machines and monitoring the network is usually the best options to ensure complete containment.

After examining the process tree to determine which process directly triggered the alert from the system, the security analyst can determine the root cause analysis and if needed, talk to the employee that was sitting behind the initially infected computer.

Wiping the infected machines clean and backing them up would eradicate and threat actors and recover the system for further use. In this particular example, lessons learned from the incident are that employees’ awareness of security is low and that they should undergo a Security awareness Training program.

In the past few years, it was determined that most of the cyber incidents occur from employees being tricked into opening malicious emails. Some reports estimate the number to be in the 70 % range which makes almost two thirds of all cyber-attacks. If we consider that human factor is the weakest link in any security system, we shouldn’t find the 70 % number so shocking. Malicious hackers do not want to spend months trying to exploit a certain perimeter device of a company such as a next-generation firewall, so instead just crafts a malicious email and sends it to a large number of employees in the company.

Because of this rise in phishing attacks, companies have started training their employees about the dangers of unknown emails. Almost every major company has a comprehensive Security Awareness Training program in place to decrease the number of employees that fall victim to such emails. The program usually comprises of some type of instructional videos combined with quizzes at the end to test the employee on lessons learned. The videos usually focus on red flags in the emails such as: unknown emails with emphasized urgency they have, urgent invoices that need to be paid with attachments, spoofed links in emails that lead employees to fake login pages etc.

Previous

Maze Ransomware Attack on a leading MNC

Next

Cyber Security Jobs

Check Also

Widget

Don’t Miss

Cyber Deal Update: Upstream Security, Hunters, build.security

Khushi Arora

Upstream Security and Hunters complete Series C and Series A funding rounds, respectively. Elastic NV acquires build.security. Funding Upstream Security, an Israeli provider of automotive cybersecurity and a data analytics platform for connected vehicles, has closed a $62 million Series C funding round led by Mitsui Sumitomo Insurance, along with new investors I.D.I. Insurance, NextGen […]

Cyber Deal Update: Loop Secure, Intelligent Automation, Blumira

Khushi Arora

Tesserent acquires Loop Secure to complement its own services, and BlueHalo merges with Intelligent Automation. Blumira completes a Series A funding round. Mergers and Acquisitions Tesserent, an Australian network security company, has announced its intent to acquire Loop Secure, a provider of managed security services, governance risk and compliance, and offensive security services also based […]

Cyber Deal Update: FHIRBlocks, InfoSum

Khushi Arora

Healthcare cybersecurity company ConsenSys Health acquires FHIRBlocks. InfoSum and Monte Carlo close a Series B and Series C funding round, respectively. Mergers and Acquisitions Otava, a Michigan-headquartered cloud solutions provider, has announced its acquisition of NewCloud Networks, a Colorado-based cloud computing services provider. The acquisition provides Otava a product portfolio that includes security services, cloud […]

Cyber Deal Update: Carve Systems, Baffle, Certik

Khushi Arora

iVision acquires Carve Systems, Baffle closes a Series B funding round, and CertiK closes adds to its Series B funding round announced last month. Mergers and Acquisitions iVision, a Georgia-based provider of IT infrastructure and application solutions, has acquired Carve Systems, a New York-based cybersecurity company that provides security testing, security engineering, and security strategy […]

Cyber Executive Moves: Aegon Asset Management, Tego Cyber

Khushi Arora

Aegon Asset Management hires former COO of MN and Tego Cyber gains a new CISO. Aegon Asset Management, based in The Netherlands, has appointed Nicole Grootveld-Sandig as its chief technology officer. Grootveld-Sandig joins Aegon from the Dutch specialist pensions management company MN NV. Tego Cyber, a Nevada-based developer of cyber threat intelligence solutions, has hired […]

Cyber Deal Update: Appriss Insights, Espagon

Khushi Arora

Equifast acquires data analytics company Appriss Insights, while Cisco acquires observability provider Espagon. Mergers and Acquisitions Equifax, an Atlanta-based global data, analytics and technology company, has announced its acquisition of Appriss Insights, a Kentucky-based information technology company providing customized solutions to enhance security and financial processes for businesses, for $1.825 billion. “We are extending the […]