If your company is like most, you consider an event to be a cyber security incident only if ‘you get hacked’ (whatever this magic term means) or if a major mass infection occurs in your network. But if you really look into what is going on in your IT environment, you might find one or more intruders roaming freely, collecting information, leaking it out and deleting their traces; then another intruder comes in, does what they intended to do and leaves, and this repeats on and on. Some intruders do not want to advertise their presence and never show up publicly with a report that they hacked you. They would not trigger your AV, either.
By implementing proper security monitoring (which usually costs a lot of money in SIEM/IDS/IPS/DLP, storage, analysts and threat intelligence subscriptions) you will suddenly start receiving a lot of alerts, and some of them will be actual incidents.
Employees break security policies and procedures on a regular basis, and code gets executed without authorization; in the cases when this code is malicious, external parties might gain access to your internal network.
People browse non-work related sites, download things they are not supposed to, execute things they are not supposed to, send home documents they are not supposed to, bring devices they are not supposed to bring, etc.
A few years ago it was appropriate to let the IT Administration or the CISO handle such situations; now this is impossible due to the number and complexity of incidents. If your organization counts more than 1000 people, you need a separate DFIR (digital forensics and incident response) team.
Building such a team is a complicated effort and if you are just starting to consider this option, start by reading the following resources:
NIST Computer Security Incident Handling Guide – http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-61r2.pdf
Cyber Incident Handling Program (U.S. Military guideline) – http://www.dtic.mil/cjcs_directives/cdata/unlimit/m651001.pdf
Then move on to https://www.enisa.europa.eu/activities/cert/training – this resource could become the single point of training for the whole DFIR team, as it offers practical exercises as well as theoretical material in the form of templates, guidelines, textbooks, etc.
It is neither possible nor desirable to cover such a complex topic in a single chapter; as with many of the chapters of this book (which I call a reference for a reason), its main objective is to point you in a helpful direction.
Your CSIRT is the immune system of your organization, detecting internal and external breaches and isolating any perpetrator before they have done major harm. In the case of an ‘infection’, your CSIRT will raise the ‘temperature’ of the whole organization and, with the collective intelligence of the whole organism, will drive the intruder out.
Here is the best possible material / source you could learn from:
A handy (and frequently updated) list of useful resources your CSIRT (cyber security incident response team) will need to get to know and use:
The best blog on incident response you could start reading is http://journeyintoir.blogspot.com, as it details many of the processes that are not described in books on the topic.
Another similar blog is http://windowsir.blogspot.com – as its name implies, focused primarily on Windows.