Incident Detection, Response, and Forensics: The Basics
Richard Bejtlich on how to build an effective cyber incident detection and response mechanism in your organization.
By Richard Bejtlich
Second order incident detection moves beyond reconnaissance and exploitation to the final three stages of compromise: reinforcement, consolidation, and pillage. Reinforcement is the process by which an intruder leverages the unauthorized access gained during exploitation in order to build a more stable platform for repeated re-entry. Downloading and installing a remote access Trojan program is a classic reinforcement activity. Consolidation is the act of controlling a compromised asset using the means installed during reinforcement. Pillage is the execution of the intruder's ultimate plan, which could be pivoting on the target to attack another system, exfiltrating sensitive information, or any other nefarious plan the intruder may wish to execute. Second order detection focuses on identifying any of these final three phases of compromise, which can be highly variable and operate at the discretion of the intruder.
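As an added illustration of what second order detection can look like in practice (this is example code, not part of Bejtlich's article), the script below runs two simple checks over a constructed outbound-connection log: near-constant check-in intervals between an internal host and an external address, which is what an installed remote access tool typically produces during consolidation, and an unusually large outbound volume to a single destination, a crude pillage (exfiltration) indicator. The log format, the thresholds, and the addresses (drawn from documentation ranges) are all assumptions chosen for the example.

```python
"""Added example: flagging consolidation and pillage indicators in a
constructed outbound-connection log. Not code from the original article."""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample records. Assumed format per line:
# <ISO timestamp> <src host> <dst host> <dst port> <bytes sent>
SAMPLE_LOG = """\
2024-01-01T10:00:00 10.0.0.5 203.0.113.7 443 512
2024-01-01T10:05:01 10.0.0.5 203.0.113.7 443 498
2024-01-01T10:10:00 10.0.0.5 203.0.113.7 443 520
2024-01-01T10:14:59 10.0.0.5 203.0.113.7 443 505
2024-01-01T10:20:00 10.0.0.5 203.0.113.7 443 511
2024-01-01T10:00:12 10.0.0.8 198.51.100.2 443 1200
2024-01-01T10:01:40 10.0.0.8 198.51.100.2 443 45000
2024-01-01T10:31:05 10.0.0.8 198.51.100.2 443 300
2024-01-01T10:02:00 10.0.0.9 198.51.100.9 22 250000000
"""


def parse_log(text):
    """Parse the constructed whitespace-separated records into dicts."""
    records = []
    for line in text.strip().splitlines():
        ts, src, dst, port, nbytes = line.split()
        records.append({
            "ts": datetime.fromisoformat(ts),
            "src": src, "dst": dst, "port": int(port), "bytes": int(nbytes),
        })
    return records


def find_beacons(records, min_events=5, max_cv=0.1):
    """Consolidation indicator: flows whose inter-connection intervals are
    nearly constant (coefficient of variation = stdev/mean <= max_cv).
    Returns (src, dst, port, mean_interval_seconds) tuples."""
    by_flow = defaultdict(list)
    for r in records:
        by_flow[(r["src"], r["dst"], r["port"])].append(r["ts"])
    hits = []
    for flow, stamps in sorted(by_flow.items()):
        if len(stamps) < min_events:  # too few check-ins to judge regularity
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_cv:
            hits.append((*flow, avg))
    return hits


def find_bulk_transfers(records, threshold_bytes=100_000_000):
    """Pillage indicator: flows whose total outbound volume exceeds a
    threshold (assumed 100 MB here). Returns (src, dst, port, total_bytes)."""
    totals = defaultdict(int)
    for r in records:
        totals[(r["src"], r["dst"], r["port"])] += r["bytes"]
    return sorted((*flow, total) for flow, total in totals.items()
                  if total > threshold_bytes)


def detect(text):
    """Run both checks and group the hits by the phase they point to."""
    recs = parse_log(text)
    return {"consolidation": find_beacons(recs),
            "pillage": find_bulk_transfers(recs)}


if __name__ == "__main__":
    for phase, hits in detect(SAMPLE_LOG).items():
        for hit in hits:
            print(phase, hit)
```

On the constructed data only host 10.0.0.5 is flagged for beaconing (five check-ins almost exactly 300 seconds apart) and only the 250 MB transfer from 10.0.0.9 crosses the volume threshold; the three irregular connections from 10.0.0.8 are neither frequent nor regular enough to count. Both checks are heuristics that need tuning to an enterprise's normal traffic, which is precisely why the article stresses that these phases are variable and at the intruder's discretion.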
Third order incident detection occurs outside the realm of the five phases of compromise by concentrating on post-pillage activities. Whereas first- and second-order detection is done at the enterprise, either by watching hosts, network traffic, logs, or possibly even sensitive data, third order detection takes place outside the enterprise. Third order detection seeks to discover indications that preventative and detection mechanisms have failed by finding the consequences of an intrusion. Looking for these sorts of signs could take the form of searching for, and finding, private company documents on peer-to-peer networks, or intruder-operated botnet servers, or a competitor's release of a product uncannily similar to your company's own. Each of these events indicates that a breach or policy violation occurred, yet none may have been detected by conventional means. Third order detection is a powerful way to determine if the formal detection mechanisms operated by an organization's security team make any difference in the real world.
A complementary way to think about detection takes the form of six maturity levels. Using the ideas below, you can determine how advanced your detection initiative may be.
Level 0. No primary detection method exists. No formal data sources are used. No actions are taken, since this "blissful ignorance" hides the fact that the enterprise could be (and probably is) severely compromised.
Level 1. Customers, peer organizations, and users are the primary detection methods. No data sources beyond those provided by the aforementioned parties are available. The predominant reaction is to form an ad-hoc team to fight fires on a repeated basis.
Level 2. Customers, peer organizations, and users are still the primary detection methods. However, the organization has some data store from which to draw conclusions -- once the enterprise knows it must look for clues. Reaction involves more fire fighting, but the officers aren't quite as blind as they were at level 1 thanks to the availability of some logs.