The incident response (IR) process is commonly divided into six phases: Preparation, Detection & Analysis, Containment, Eradication, Recovery and Post-Incident Activity. Problems arise throughout this process, particularly in the detection and analysis of an incident. This research addresses some of those problems by prioritizing and orchestrating them into a platform that helps identify the most suitable solution, making day-to-day work easier, reducing the time the process takes and resolving issues in a few steps. The project uses open source threat intelligence platforms to detect and classify threats and to provide analysis and recommendations in a short time compared to manual analysis.
An incident is an event that could lead to loss of, or disruption to, an organization's operations, services or functions. Incident management (IcM) is a term describing the activities of an organization to identify, analyze, and correct hazards to prevent a future recurrence. Within a structured organization these incidents are normally dealt with by an incident response team (IRT), an incident management team (IMT), or an Incident Command System (ICS). Without effective incident management, an incident can disrupt business operations, information security, IT systems, employees, customers, or other vital business functions.
The process consists of the following six steps:
1. Preparation
2. Detection & Analysis
3. Containment
4. Eradication
5. Recovery
6. Post-Incident Activity
There are various problems in the entire process, and this project addresses those that arise in the detection and analysis of an incident and resolves them in a few steps. The project uses open source threat intelligence platforms to detect and classify threats and provides analysis and recommendations in a short time compared to manual analysis.
Main objectives of this project:
Effective incident response starts well in advance of the actual detection of any incident or crisis. The time an organization spends on preparation and planning before an incident occurs can minimize the impact and exposure during an incident.
Reduce activity disruption with an automated, very fast response to security incidents.
Improve the security team's efficiency, saving time and money by automating security processes.
Automated Incident Response using Threat Intelligence
1: Introduction
Incident response:
Incident response is a methodical plan for responding to a cybersecurity incident. If an incident is malicious, steps are taken to quickly contain and minimize the damage and to learn from it. Not every cybersecurity event is serious enough to warrant investigation. Events such as a single failed login by an on-premises employee are worth noting when they occur in isolation, but they do not justify the staff hours needed to investigate. Every cybersecurity team should have a list of event types with defined thresholds for when each type needs to be investigated, and customized incident response steps for each type of incident.
Importance of Incident Response:
A data breach should be viewed as a matter of "when", not "if", so prepare for it. The middle of a critical incident is no time to be working out your game plan; the time and effort invested up front pay off later. Incident response is stressful, especially when a critical asset is involved and a real threat is confirmed. Predefined incident response steps guide you through these high-pressure situations more quickly towards successful containment and recovery. Response time is critical to minimizing damage; with every second counting, having a plan already in place is the key to success.
Incident response should be seen as a cycle rather than a stand-alone process. While several incident response models are covered here, achieving cyber resiliency requires that incident handling feed into an overall cycle of prevention, detection and response. Networks can no longer rely solely on preventive security defenses and treat incident handling as an isolated, discrete activity. Instead, incident response must be an ongoing part of active defensive operations, feeding intelligence and information to network defenders not only to respond to current threats but to help mitigate future ones.
Process:
Incident response is a methodical plan for responding to a cybersecurity incident. If an incident is nefarious, steps are taken to quickly contain and minimize the damage and to learn from it. Not every cybersecurity event is serious enough to warrant investigation. Events such as a single failed login by an on-premises employee are worth noting when they occur in isolation, but they do not justify the staff hours needed to investigate. Your cybersecurity team should have a list of event types with defined thresholds for when each type needs to be investigated, and customized incident response steps for each type of incident.
The Importance of Incident Response Steps
The middle of a critical incident is no time to be working out your game plan; the time and effort invested up front pay off later. Incident response is stressful, especially when a critical asset is involved and a real threat is confirmed. Predefined incident response steps guide you through these high-pressure situations more quickly towards successful containment and recovery. Response time is critical to minimizing damage; with every second counting, having a plan already in place is the key to success.
The Two Industry Standard Incident Response Frameworks
Introduced in no particular order, NIST and SANS are the dominant institutions whose incident response steps have become the industry standard.
NIST: NIST stands for National Institute of Standards and Technology. It is a government agency that proudly describes itself as "one of the nation's oldest physical science laboratories". NIST works across all areas of technology, including cybersecurity, where its incident response steps have become one of the two industry standard frameworks for incident response.
SANS: SANS stands for SysAdmin, Audit, Network, and Security. It is a private organization that, per its self-description, is "a cooperative research and education organization". Though younger than NIST, its sole focus is security, and its framework has become an industry standard for incident response.
The overall process across these two frameworks, and where they differ, is captured in the following steps:
Preparation: In this section, the organization will highlight the preparation that is undertaken. In the case of phishing, this can include employee awareness to identify potential phishing email or the use of an email appliance that scans attachments for malware.
Detection: For phishing attacks, organizations are often alerted by aware employees or by email security controls. Organizations should also plan to receive alerts from malware prevention or Host Intrusion Prevention System (HIPS) controls.
Analysis: If an event is detected, analyzing any evidence available will be critical to classifying and appropriately responding to an incident. In this case, analysis may include examining the compromised host's memory, examining event logs for suspicious entries, and reviewing any network traffic going to and from the host.
Containment: If a host has been identified as compromised, it should be isolated from the network.
Eradication: If malware has been identified, it should be removed. If it cannot be removed, the playbook should provide an alternative such as reimaging the host from a known good image.
Recovery: The recovery stage includes scanning the host for potential vulnerabilities and monitoring the system for any anomalous traffic.
Post-incident activity: The playbook should also give guidance on what actions should take place after an incident. Many of these actions will be the same across the catalog of playbooks, but they are important to include so that they are completed in full.
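As an added example (not the project's own code), the following Python script shows how the playbook phases above can be driven automatically: it applies per-event-type investigation thresholds, enriches indicators against a threat-intelligence feed, and returns the playbook phase with a recommended action. The feed entries, thresholds, host names and event records are all constructed sample data, and the function and dictionary names are assumed for the example.

```python
from collections import Counter

# Constructed threat-intelligence feed (indicator -> classification); the
# project would pull this from open source TI platforms, here it is embedded.
THREAT_FEED = {
    "198.51.100.23": "malware_c2",                     # constructed C2 address
    "bad-invoice-portal.example": "phishing",          # constructed phishing domain
    "sha256:CONSTRUCTED-SAMPLE-HASH": "known_malware",  # constructed placeholder hash
}
# Investigation boundaries per event type: one failed login is awareness only,
# five from the same host in a batch cross into Detection.
THRESHOLDS = {"login_failure": 5, "proxy_request": 1, "file_hash": 1}
# Classification -> (playbook phase, recommended next action).
PLAYBOOK = {
    "phishing": ("Analysis", "Pull the message; examine attachment and URL; review host logs"),
    "malware_c2": ("Containment", "Isolate the host from the network; capture memory"),
    "known_malware": ("Eradication", "Remove the malware or reimage from a known-good image"),
}

def triage(events):
    """Return (host, phase, action) tuples for events that cross their
    threshold or carry an indicator present in the feed; everything else is
    awareness-only and skipped. At most one finding per host and phase."""
    counts = Counter((e["host"], e["type"]) for e in events)
    findings, seen = [], set()
    for e in events:
        if counts[(e["host"], e["type"])] < THRESHOLDS.get(e["type"], 1):
            continue                                   # below the boundary
        hit = THREAT_FEED.get(e.get("indicator", ""))
        if hit:
            phase, action = PLAYBOOK[hit]
        elif e["type"] == "login_failure":
            phase, action = "Detection", "Review repeated failures with the account owner"
        else:
            continue                                   # nothing actionable
        if (e["host"], phase) not in seen:
            seen.add((e["host"], phase))
            findings.append((e["host"], phase, action))
    return findings

# Constructed sample events standing in for SIEM or log output.
SAMPLE_EVENTS = (
    [{"host": "ws-01", "type": "login_failure"}] * 2      # noise, below threshold
    + [{"host": "ws-03", "type": "login_failure"}] * 5    # crosses the threshold
    + [{"host": "ws-02", "type": "proxy_request", "indicator": "bad-invoice-portal.example"},
       {"host": "ws-02", "type": "file_hash", "indicator": "sha256:CONSTRUCTED-SAMPLE-HASH"},
       {"host": "ws-04", "type": "proxy_request", "indicator": "198.51.100.23"},
       {"host": "ws-05", "type": "proxy_request", "indicator": "intranet.example"}]  # clean
)
```

Calling triage(SAMPLE_EVENTS) yields one finding each for ws-03 (Detection), ws-02 (Analysis and Eradication) and ws-04 (Containment), while ws-01 and ws-05 stay awareness-only.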
Literature Review:
Information security rarely has a dull day. According to the SANS 2019 incident response survey, the past year delivered significant data breaches impacting industries ranging from hospitality to legal to social media. We have seen a continuation of financially motivated threats, such as business email compromise (BEC), which continue to pillage and drain corporate bank accounts. Ransomware has brought multiple cities to their knees, earning threat actors significant funds in the process. Coupled with the ever-looming threat that a nation-state sponsored threat actor might pull an organization into its crosshairs, there is little reason to cease vigilance in enterprise networks. Vigilance requires the ability to be nimble and flexible, especially given the array of options available to threat actors these days. In past surveys, respondents were commended for improving response times, increasing the use of threat intelligence, and increasing the amount of automation and integration within their networks. However, the work is never done; we must constantly be improving. The aforementioned threats are not necessarily new, but perhaps more refined. For example, some threat actors have moved from noisy, custom malware to "living off the land" with built-in Microsoft Windows capabilities. In that spirit, the theme of this year's survey is: it's time for a change. This year's survey shows crucial improvement in incident response (IR):
• Containment and remediation, two of the most important phases of incident response, showed shorter times.
• Incidents were detected internally at a much higher ratio.
• False positives declined.
We hope this means organizations have gotten better at classifying their incidents. However, even with these improvements, problem areas persist from year to year. Many organizations still show severe gaps in visibility, a critical problem that needs to be front and center: it is hard to truly determine your security posture if you are blind to a portion of your environment. Many respondents again expressed concerns about staffing levels and skills shortages, problems that may require out-of-the-box thinking. Some different issues took priority in this year's survey, which is a healthy sign of maturity and growth within organizations. Host-based data is by far the largest source of incident data, and respondents indicated this data is largely integrated and automated. There is also an enormous opportunity for organizations to start weaving network-based data into their investigations.
What the issue is and how we intend to fill the gap (scope)
Understanding the various categories that make up an incident response allows responders to organize their material properly. Even smaller incidents create documentation, which can become a chore for responders. To make the process flow better, responders should be prepared to address the various categories at the onset of an incident and organize their documentation accordingly.
To reduce the time SOC and CSIRT teams spend on day-to-day activities, we need to automate some of their working processes; this saves considerable time and can positively affect the productivity of the team. Some research studies on IR and its characterization for general purposes have been carried out, and past literature provides some evidence for an automated incident response process using threat intelligence. In this project we aim to reduce the time compared to the manual work currently being done, using our web framework.
In the present research work we are developing an open source web tool that is free for anyone to use in their organization and to modify accordingly. The main objective of this study is to improve response time and to work efficiently and effectively, facilitating the response to any incident in less time with a free and open source web tool.