Threat & Incident Lifecycle Management

A Threat & Incident Lifecycle Management procedure is a good investment, since cyber threats show no sign of slowing down.

This post is focused on what organisations can do to detect cyber threats, but this will also be useful for individuals and consumers.

What is Threat & Incident Lifecycle Management?

Threat & Incident Lifecycle Management can be described as shown in the diagram below:

The Investigation phase

The Investigation phase starts when someone notices something is not right. For example, someone contacts the help desk with an access problem, or a server/PC becomes very slow. This will start an investigation by the help desk, who may then identify a potential cyber attack in progress. This investigation is assisted by:

  • Forensic data collection
  • Gathering Logs from running systems
  • Monitoring systems that notice unusual behaviour on the network
  • Gathering alarm data
  • Gathering metrics on excessive load on servers and on the networks.

You also need a baseline to determine what is the normal state and to know when you expect busy periods that may exert unusual loads on your IT systems.

The investigation phase should be ongoing and staff should be continuously looking for potential threats in their systems as well as monitoring threat intelligence in the press and on social media. This can also be automated through monitoring systems that are providing alerts when unusual behaviour starts or an intrusion is detected.
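An added example, not from the original post: a per-hour-of-week baseline for a server load metric, so that an expected busy period does not raise an alert while the same load at a normally quiet hour does. The metric, the thresholds and the sample history are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from statistics import mean, pstdev

def build_baseline(samples):
    """Group (timestamp, load) samples by hour-of-week -> (mean, stdev)."""
    buckets = defaultdict(list)
    for ts, load in samples:
        buckets[(ts.weekday(), ts.hour)].append(load)
    return {slot: (mean(v), pstdev(v)) for slot, v in buckets.items()}

def is_anomalous(baseline, ts, load, threshold=3.0, min_stdev=5.0):
    """True if load is more than `threshold` deviations from normal for this slot."""
    slot = (ts.weekday(), ts.hour)
    if slot not in baseline:
        return True  # no history for this hour: surface it for a human
    mu, sigma = baseline[slot]
    # Floor the deviation so a very stable metric does not alert on noise.
    return abs(load - mu) > threshold * max(sigma, min_stdev)

def scan(baseline, samples):
    """Return the samples that deviate from the baseline."""
    return [(ts, load) for ts, load in samples if is_anomalous(baseline, ts, load)]

def constructed_history(weeks=4):
    """Constructed CPU load (%): ~20 normally, ~85 in a Monday 09:00-11:00 busy period."""
    start = datetime(2024, 1, 1)  # a Monday
    history = []
    for h in range(weeks * 7 * 24):
        ts = start + timedelta(hours=h)
        busy = ts.weekday() == 0 and 9 <= ts.hour < 11
        jitter = (h // 168) % 3 - 1  # deterministic week-to-week variation
        history.append((ts, (85 if busy else 20) + jitter))
    return history

if __name__ == "__main__":
    baseline = build_baseline(constructed_history())
    new_samples = [  # constructed readings from the following week
        (datetime(2024, 1, 29, 10), 88),  # Monday busy period: expected
        (datetime(2024, 1, 30, 10), 88),  # Tuesday, normally quiet: unusual
        (datetime(2024, 1, 29, 9), 20),   # busy period with no load: also unusual
    ]
    for ts, load in scan(baseline, new_samples):
        print(f"ALERT {ts:%a %H:%M} load={load}%")
```

The check is two-sided, so a busy period that fails to appear is reported as well as an unexpected spike.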

This is also where organisations can conduct routine penetration testing to determine if their applications (and vendor applications) are vulnerable to any of the latest threats. This can be done by:

  • Red Teams/Ethical Hackers who attempt to penetrate the organisation's systems (and responsibly disclose) using:
    • Offensive Security
    • Ethical Hacking
    • Penetration testing using multiple attack vectors (e.g. social engineering, attack scripts)
    • Black Box Testing
  • Blue Teams who are constantly closing vulnerabilities and who:
    • Conduct Defensive Security
    • Implement Infrastructure Protection
    • Conduct Damage Control
    • Manage the Incident Response Procedures and Teams
    • Conduct Operational Security
    • Threat hunting and assessment including monitoring threat intelligence for new and/or renewed threats
    • Conduct routine Digital Forensics on application and OS logs.

Red and Blue teams can be internal to the company or an outsourced service. You will also find Security Researchers (e.g. Google's Project Zero as well as local IT support outsourcers) who perform research into vulnerabilities and ethically disclose them to the vendor organisations.

The Discovery Phase

The Discovery Phase comes after the organisation has determined a credible threat exists. Confirmation that a cyber attack is in progress can be extracted from the various logs and information gathered during the Investigation phase using:

  • Forensic analysis of the various logs gathered
  • Using Machine Learning to confirm the existence of a threat and to learn about new threats
  • Using threat intelligence to determine the nature of any new threats, zero days and ongoing hacking/social engineering campaigns.

Analysis of the logs is often laborious if done manually, but with analytics programs and machine learning this is massively sped up and can be performed routinely and automatically.

This phase should be executed continuously as new potential threats are discovered and is often best automated.

The Quantification Stage

Threats discovered in the Discovery stage are further analysed and quantified in the Quantification Stage and assessed to find out their potential impact, urgency of resolution, and how they can be mitigated. This phase is time sensitive, as an identified attack may mature faster than

This is where a cyber incident is identified, and a team of specialists from various disciplines within the organisation often needs to be assembled (the Cyber Incident Team).

In this phase, false positives are a big challenge, and they must be identified to prevent the organization from using resources against non-existent threats. Inefficient qualification may lead to true positives being missed and false positives being included. Legitimate threats could, therefore, go unnoticed and unattended.

A Cyber Threat may not be currently exploited within your organisation, but if a vulnerability has been discovered it is only a matter of time before a diligent hacker will find it (especially if it is an unsecured online database or an IoT vulnerability).

The Investigation Phase

The Investigation Phase is where threats are categorized as true positives and are fully investigated to determine whether or not they have caused a security incident.

This phase requires continuous access to forensic data and intelligence about many threats. It can be automated, and this simplifies the lookup process for a threat among millions of known threats. This phase also looks at any potential damage a threat might have done in the organization before it was identified by the security tools or your Red/Blue teams.

Based on information gathered from this phase, the IT team of an organization can proceed accordingly against a threat.

The Neutralisation Phase

Once a credible threat has been discovered and the extent of the threat known, the organisation deploys mitigations to:

  • Remove the Threat
  • Prevent future attacks.

This is done by, for example:

  • Running malware removal software
  • Repairing databases and file-stores
  • Resetting passwords
  • Removing unnecessary privileges from accounts
  • Patching systems to the latest security patch releases
  • Installing supported releases of critical software (e.g. Databases)
  • Closing vulnerabilities in in-house built applications
  • Updating procedures to reflect the threat.

The Recovery Phase

The recovery phase only comes after the organisation is sure the identified threat is neutralised and that any risks it faced are under control. This is often very difficult to determine, as the attackers might have hidden backdoors elsewhere, installed malware to monitor what is going on, or possibly shut down their operations once they realise they have been detected. It is often reduced to a risk management process where the risk of a sustained attack is weighed against full eradication of the threat.

The aim of this phase is to restore the organisation to the position it enjoyed prior to being attacked. Recovery is less time critical, and it depends on the type of software or service being made available again. However, this process requires care so that mitigations introduced in the neutralisation phase are not backed out. It is essential that system functionality is brought back to the exact state it was in before being attacked, which should also include:

  • Updated patching policies
  • Investment in keeping infrastructure in a completely clean state
  • Updated user behaviour policies including training on identifying attacks.

Disclosure of Cyber Attacks

Depending on the regulatory environment you are under, disclosure of a cyber attack (however trivial it might be) is often required within a prescribed period of time. The GDPR regulations require full disclosure, especially where Personally Identifiable Information (PII) is disclosed regarding EU and UK citizens. This is often required within a period of time following initial discovery of the threat and often before it is fully quantified.

Failure to disclose these incidents can result in heavy fines and in some cases imprisonment.

Organisation Size

What we have written above is aligned to a generic organisation and could be applied from a start-up to a multi-national. Multi-nationals will (hopefully) have specialist cyber security teams. However, small companies may not have the time or resource to perform this kind of analysis. This is where the work can be outsourced as part of your regular IT maintenance.

This should also apply to individuals/consumers as you will also want to recover from an incident as soon as possible, but also know that you have eradicated the threat.


Cyber security threats are not going away. In fact, they are escalating, especially now that we are all working from home a lot more and using our home internet connections for business tasks (during the Coronavirus pandemic). To reduce the impact of cyber threats, individuals as well as companies need to take the threat seriously. If you don’t believe this applies to you, then please at least read our blog post “Myths of Cyber Security”, which will put you right on the matter.

Disclosure of cyber incidents is now required in the EU and the UK as well as by various regulatory bodies in other countries. A cyber incident can have long-term consequences for a company’s reputation and regulatory certifications. Regulatory bodies can also levy heavy fines, and an incident can result in criminal charges, jail time and a ban on being certified again in the future.

While individuals/consumers may not be affected in the same way by regulation, securing your home environment is equally important as there will be the potential for financial loss as well as inconvenience. However, if you are working from home (we have seen a massive increase in this in 2020), you must have a secure environment with fully patched devices as well as a fully updated router.

Our guidance pages offer a lot more advice on mitigating cyber threats.

Headline image provided by Obi Onyeador on Unsplash
