Incident Response Trends in 2021: XDR, Mitre Matrix and More
Gilad David Maayan
What is Incident Response?
Incident response is the practice of managing cyber security events in an organized manner, with the aim of reducing the scope and damage caused by a breach. In addition, an incident response methodology should strive to reduce the recovery time and costs during and after a security breach.
A standardized approach to incident response ensures all relevant parties know their responsibilities during a security event, what technologies are used, and how to react, respond, and report the details of the event. Typically, incident response activities fall within the responsibility of a computer security incident response team (CSIRT).
A CSIRT is a collaboration between IT staff, information security experts, and C-suite level stakeholders. Additional members of the team include representatives from human resources, legal departments, and public relations experts.
The CSIRT follows an incident response plan (IRP)—a set of instructions that clearly define how the organization responds to security incidents, network events, and confirmed breaches. Planning in advance is a critical and integral component of incident response. The goal is to ensure organizations have a plan they can implement during incidents.
1. Extended Detection and Response (XDR)
Extended detection and response (XDR) solutions centralize security by combining several technologies, including security information and event management (SIEM), network traffic analysis (NTA), endpoint detection and response (EDR), and security orchestration, automation, and response (SOAR).
XDR can help SOC teams gain visibility across several environments, including multiple clouds, networks and remote endpoints. The centralized XDR interface can help security analysts correlate threat intelligence rapidly across the entire security tool stack. During security incidents, teams can quickly investigate and respond to threats in one user interface, instead of having to switch between multiple tools and datasets.
2. Impact of Remote Work
COVID-19 has led to rapid changes in all industries across the world, causing many businesses to quickly digitize their services and shift to remote work. This massive shift has had a major impact on cyber security.
Many organizations were forced to quickly implement unplanned, rushed cloud migrations and procure IT resources to accommodate the shift to remote work. Suddenly, instead of using company-approved devices physically located in the office, employees started using their personally owned devices to access company resources remotely.
The remote work paradigm enables businesses to maintain normal operations. However, it also introduces new security risks. Networks are becoming more complex and distributed, as organizations combine on-premises resources with cloud resources, and as stakeholders access company assets from endpoints that are not controlled by IT.
This makes it much more difficult to detect security incidents and to respond to them across disparate, physically distributed environments.
3. MITRE ATT&CK Matrix
The MITRE ATT&CK Matrix is an organized knowledge base of cyber threats. It is based on profiles of known advanced persistent threat (APT) groups, including the techniques and tactics they typically employ in order to achieve their objectives.
There are twelve categories of tactics, techniques and procedures (TTPs), mapping out the entire kill chain, from initial penetration of the network to the techniques used to disrupt operations and steal or destroy data.
Traditionally, SOC teams used correlation rules—these are rules that match events and conditions discovered in system logs to adversary techniques. Correlation rules were based on a static model indicating which systems should be protected and how these systems are expected to behave under attack. They used threat models that relate to specific malicious behaviors, and when those behaviors were discovered, an alarm was triggered.
Incident response teams can reverse this process and use TTPs proactively. They can actively look for known attack patterns, beyond the alerts triggered by security systems, to discover how attackers managed to penetrate the network, how they moved towards their final objective, and what they did to achieve the final result of data exfiltration or service disruption.
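The two views described above, alert-driven correlation rules and the proactive TTP-based hunt, as an added example that is not part of the original article. The telemetry lines, hostnames, users and paths are constructed; the rule patterns are illustrative rather than a vetted rule set, and the technique IDs are real ATT&CK identifiers chosen to match what each pattern looks for. `correlate()` is the traditional per-alert view, while `hunt()` orders a host's distinct tactics by kill-chain position so a responder can see how far an intrusion progressed rather than reacting to one alarm at a time.

```python
import re
from collections import defaultdict

# The twelve ATT&CK Enterprise tactics the text refers to, in kill-chain order.
TACTIC_ORDER = [
    "Initial Access", "Execution", "Persistence", "Privilege Escalation",
    "Defense Evasion", "Credential Access", "Discovery", "Lateral Movement",
    "Collection", "Command and Control", "Exfiltration", "Impact",
]

# Constructed correlation rules: (name, tactic, ATT&CK technique ID, pattern over one log line).
# Technique IDs are real ATT&CK identifiers; the patterns are illustrative, not a production rule set.
RULES = [
    ("Encoded PowerShell command line", "Execution", "T1059.001",
     re.compile(r'powershell(?:\.exe)?\s[^"]*-(?:e|enc|encodedcommand)\s', re.I)),
    ("Scheduled task pointing at a user-writable path", "Persistence", "T1053.005",
     re.compile(r"schtasks(?:\.exe)?\s.*/create\s.*C:\\Users\\", re.I)),
    ("Process opened a handle to LSASS", "Credential Access", "T1003.001",
     re.compile(r"event=process_access\s.*TargetImage=.*\\lsass\.exe", re.I)),
    ("Outbound connection from a binary under C:\\Users", "Command and Control", "T1071",
     re.compile(r"event=network_connect\s.*Image=C:\\Users\\", re.I)),
]

# Constructed endpoint telemetry in a simple key=value format (hosts, users and paths are made up).
LOG_LINES = [
    r'2021-03-02T10:15:04Z host=ws-17 user=jdoe event=process_create Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -enc AAAAAAAA"',
    r'2021-03-02T10:16:10Z host=ws-17 user=jdoe event=process_create Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks.exe /create /tn Updater /tr C:\Users\Public\u.exe /sc onlogon"',
    r'2021-03-02T10:20:31Z host=ws-17 user=jdoe event=process_access SourceImage=C:\Users\Public\u.exe TargetImage=C:\Windows\System32\lsass.exe GrantedAccess=0x1010',
    r'2021-03-02T10:25:02Z host=ws-17 user=jdoe event=network_connect Image=C:\Users\Public\u.exe DestinationIp=203.0.113.10 DestinationPort=443',
    r'2021-03-02T10:30:45Z host=srv-db-01 user=svc_backup event=process_create Image=C:\Windows\System32\cmd.exe CommandLine="cmd.exe /c dir C:\Backups"',
    r'2021-03-02T11:02:13Z host=ws-22 user=asmith event=process_create Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe CommandLine="powershell.exe -File C:\Scripts\inventory.ps1"',
    r'2021-03-02T11:05:40Z host=ws-22 user=asmith event=process_create Image=C:\Windows\System32\schtasks.exe CommandLine="schtasks.exe /create /tn Sync /tr C:\Users\asmith\AppData\Local\sync.exe /sc daily"',
]

LINE_RE = re.compile(r"^(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+(?P<rest>.*)$")


def parse_line(line):
    """Split a telemetry line into timestamp, host, user and remaining fields; None if malformed."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None


def match_rules(line):
    """Every (name, tactic, technique) whose pattern matches this single line."""
    return [(name, tactic, tech) for name, tactic, tech, pat in RULES if pat.search(line)]


def correlate(lines):
    """The alert-driven view: per host, the time-ordered list of technique hits."""
    hits = defaultdict(list)
    for line in lines:
        fields = parse_line(line)
        if fields is None:
            continue
        for name, tactic, tech in match_rules(line):
            hits[fields["host"]].append((fields["ts"], tactic, tech, name))
    return {host: sorted(events) for host, events in hits.items()}


def kill_chain(events):
    """Distinct tactics observed on one host, ordered by kill-chain position rather than by time."""
    seen = {tactic for _, tactic, _, _ in events}
    return [t for t in TACTIC_ORDER if t in seen]


def hunt(lines, min_stages=2):
    """The proactive view: hosts on which at least `min_stages` distinct kill-chain stages appear.
    A lone alert is a single data point; a progression across stages is what a responder wants to find."""
    return {host: kill_chain(ev) for host, ev in correlate(lines).items()
            if len(kill_chain(ev)) >= min_stages}


if __name__ == "__main__":
    for host, stages in hunt(LOG_LINES).items():
        print(host, "->", " > ".join(stages))
```

Running the block prints `ws-17 -> Execution > Persistence > Credential Access > Command and Control`; ws-22 raised one Persistence hit, which the hunt view leaves for ordinary triage, and srv-db-01 matched nothing.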
4. Incident Response Automation
Automation helps organizations reduce the volume of manual, repetitive tasks and introduce a higher level of efficiency into the pipeline. Automated processes can provide teams with prioritized alerts that keep them productive, so analysts can focus on making strategic decisions and performing more complex tasks.
Automated solutions can, for example, detect suspicious code when it enters an endpoint. The automated process can then feed this suspicious sample to relevant tools, like next-generation threat detection solutions, sandboxing solutions, or endpoint agents. The tool can then observe and classify the threat. Once the analysis is complete, relevant automated or manual processes can be triggered.
Automated processes can initiate several types of responses. For example, the security system can automatically identify other infected hosts on the network, request permission to quarantine the hosts, and wipe and reimage them. Another possible response is identifying and patching vulnerabilities associated with the detected malware.
Finally, the system can send notifications to in-house staff or external parties. During each phase of the process—responses, requests, and actions—events are documented for future reference. Incident response automation is especially useful for generating detailed logs, reports and documentation for auditors.
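The response pipeline described in the last three paragraphs (classify the sample, scope to other infected hosts, request permission before quarantine and reimage, queue related patches, notify, and document every step), as an added example that is not the article's or any vendor's code. The telemetry, hashes, host names, malware family and patch identifier are constructed placeholders, and `classify()` is a stand-in for whatever sandbox or detection tool a real pipeline would call. The approval callback is the "request permission" step from the text; two policies are shown, one that pre-approves everything and one that keeps a human in the loop for servers.

```python
from datetime import datetime, timezone

# Constructed endpoint telemetry: which sample hash was observed running on which host.
# Hashes are labelled placeholders, not real indicators.
TELEMETRY = [
    {"host": "ws-17", "sha256": "sha256:constructed-sample-0001", "path": r"C:\Users\Public\u.exe"},
    {"host": "ws-22", "sha256": "sha256:constructed-sample-0001", "path": r"C:\Users\asmith\AppData\Local\sync.exe"},
    {"host": "ws-31", "sha256": "sha256:constructed-benign-7777", "path": r"C:\Program Files\Tool\tool.exe"},
    {"host": "srv-db-01", "sha256": "sha256:constructed-sample-0001", "path": r"C:\Windows\Temp\svc.exe"},
]


def classify(sha256):
    """Stand-in for the sandbox / next-generation detection verdict (a real pipeline calls the tool's API)."""
    verdicts = {
        "sha256:constructed-sample-0001": {
            "verdict": "malicious", "family": "constructed-family",
            "related_patches": ["PATCH-PLACEHOLDER-1"],  # placeholder for a patch tied to the malware's entry vector
        },
    }
    return verdicts.get(sha256, {"verdict": "benign", "family": None, "related_patches": []})


class Playbook:
    """Runs the automated response described in the text and records every step for auditors."""

    def __init__(self, approve):
        self.approve = approve      # callable(host, action) -> bool: the "request permission" step
        self.audit = []             # every response, request and action, in order
        self.actions = []
        self.notifications = []

    def log(self, phase, detail, **extra):
        entry = {"ts": datetime.now(timezone.utc).isoformat(), "phase": phase, "detail": detail, **extra}
        self.audit.append(entry)
        return entry

    def run(self, alert, telemetry):
        sha = alert["sha256"]
        self.log("detection", "suspicious sample observed on endpoint", host=alert["host"], sha256=sha)
        verdict = classify(sha)
        self.log("analysis", "verdict returned by analysis tool", **verdict)
        if verdict["verdict"] != "malicious":
            self.log("decision", "no automated response; routed to analyst queue")
            return self
        # Scope the incident to every host where the same sample ran, not just the alerting one.
        infected = sorted({r["host"] for r in telemetry if r["sha256"] == sha})
        self.log("scoping", "hosts running the same sample", hosts=infected)
        for host in infected:
            if self.approve(host, "quarantine"):
                self.actions += [("quarantine", host), ("reimage", host)]
                self.log("action", "host quarantined and queued for wipe/reimage", host=host)
            else:
                self.actions.append(("pending_approval", host))
                self.log("request", "quarantine approval requested, awaiting analyst", host=host)
        for patch in verdict["related_patches"]:
            self.actions.append(("patch", patch))
            self.log("action", "patch deployment queued", patch=patch)
        self.notifications.append(
            f"{verdict['family']}: {len(infected)} host(s) affected, {len(self.audit)} audit entries so far")
        self.log("notify", "in-house staff notified", recipients=["soc", "it-ops"])
        return self


def auto_approve(host, action):
    """Approval policy: every containment action is pre-approved."""
    return True


def servers_need_a_human(host, action):
    """Approval policy: workstations are pre-approved, servers wait for an analyst."""
    return not host.startswith("srv-")


if __name__ == "__main__":
    pb = Playbook(servers_need_a_human).run({"host": "ws-17", "sha256": "sha256:constructed-sample-0001"}, TELEMETRY)
    for entry in pb.audit:
        print(entry["phase"], "-", entry["detail"])
```

With the `servers_need_a_human` policy the two workstations are quarantined and reimaged automatically while srv-db-01 is left in `pending_approval`, and the audit list is the "documented for future reference" trail the text describes, ready to be exported for auditors.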
5. Zero Trust
COVID-19 has accelerated the shift to zero-trust security. All over the world, businesses quickly shifted to remote work. This has created a distributed and complex corporate network. To defend this type of network, organizations can implement zero-trust security, which essentially means that no user or entity should be trusted by default, even if they have successfully connected to the network.
However, traditional security tools cannot usually enforce zero trust on their own. Firewalls and VPNs, for example, mainly protect an existing perimeter network. To implement a zero trust model, organizations use additional tools, such as:
Identity and device authentication, which can be implemented across cloud networks and remote endpoints, not only within the perimeter
Micro-segmentation solutions, which create interior boundaries within networks that help minimize the damage caused by attackers who compromise a user account or device.
Zero trust platforms can enforce security broadly, ensuring that users are left with no choice but to operate in a secure manner. Ideally, a zero trust solution can be layered on top of your existing security components, eliminating the need to replace or remove existing security tools.
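The contrast the section draws, as an added example that is not from the article or any zero trust product: a perimeter decision that trusts anything on the corporate network beside a zero trust decision that evaluates identity, entitlement and device posture on every request and never consults the source network. The segments, policy requirements, entitlements and scenarios are constructed. The per-segment policy also illustrates the micro-segmentation point: a managed but non-compliant device keeps access to low-value applications while being cut off from the finance segment.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    segment: str             # micro-segment that holds the requested resource
    mfa_passed: bool
    device_managed: bool
    device_compliant: bool   # passes posture checks (patched, EDR running, disk encrypted, ...)
    source_network: str      # "corp-lan", "vpn" or "internet"


# Constructed per-segment requirements; higher-value segments demand more assurance.
SEGMENT_POLICY = {
    "user-apps":  {"mfa": True, "managed": False, "compliant": False},
    "finance-db": {"mfa": True, "managed": True,  "compliant": True},
}

# Constructed entitlements from the identity provider: user -> segments they may reach.
ENTITLEMENTS = {"jdoe": {"user-apps"}, "asmith": {"user-apps", "finance-db"}}


def perimeter_decision(req):
    """The legacy model: being inside the network perimeter is the only test."""
    return req.source_network in ("corp-lan", "vpn")


def zero_trust_decision(req):
    """Evaluate identity, entitlement and device posture on every request.
    Returns (allowed, reasons); the source network is deliberately never consulted."""
    policy = SEGMENT_POLICY.get(req.segment)
    if policy is None:
        return False, ["unknown segment"]
    reasons = []
    if req.segment not in ENTITLEMENTS.get(req.user, set()):
        reasons.append("no entitlement to segment")
    if policy["mfa"] and not req.mfa_passed:
        reasons.append("mfa required")
    if policy["managed"] and not req.device_managed:
        reasons.append("managed device required")
    if policy["compliant"] and not req.device_compliant:
        reasons.append("compliant device required")
    return not reasons, reasons


def compare(req):
    """Side-by-side decision of both models for one request."""
    allowed, reasons = zero_trust_decision(req)
    return {"perimeter": perimeter_decision(req), "zero_trust": allowed, "reasons": reasons}


# Constructed scenarios.
ON_LAN_BYOD = AccessRequest("jdoe", "finance-db", mfa_passed=False, device_managed=False,
                            device_compliant=False, source_network="corp-lan")
REMOTE_MANAGED = AccessRequest("asmith", "finance-db", True, True, True, "internet")
COMPROMISED_DEVICE_DB = AccessRequest("asmith", "finance-db", True, True, False, "corp-lan")
COMPROMISED_DEVICE_APPS = AccessRequest("asmith", "user-apps", True, True, False, "corp-lan")

if __name__ == "__main__":
    for name, req in [("on-LAN BYOD", ON_LAN_BYOD), ("remote managed", REMOTE_MANAGED),
                      ("non-compliant device -> finance-db", COMPROMISED_DEVICE_DB),
                      ("non-compliant device -> user-apps", COMPROMISED_DEVICE_APPS)]:
        print(name, compare(req))
```

The first scenario is the one the text warns about: a personal device plugged into the office network is waved through by the perimeter model and refused by zero trust for four separate reasons, while a fully managed, MFA-authenticated device on the public internet is refused by the perimeter model and admitted by zero trust.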
6. Secure Access Service Edge (SASE)
The term SASE was first coined and defined by Gartner in 2019. This security model employs a number of technologies to establish secure remote access. Tools included in the SASE stack should be able to identify malware and sensitive data, continuously monitor sessions for trust levels and risks, and decrypt content at line speed.
Notable technologies included in SASE are:
Cloud access security brokers (CASB)
Wide area networking (WAN)
Secure web gateways (SWG)
Zero-trust network access (ZTNA)
Firewall as a service (FWaaS)
SASE should seamlessly deliver all of these capabilities via cloud connectivity. Ideally, SASE should be offered as a service. The goal is to address future security and networking needs, as data moves from on-premises data centers to the cloud.
In this article I covered six trends that are changing the face of incident response:
Extended Detection and Response (XDR) – a new category of security solution that enables unified response to security events across all layers of the security stack
Remote work – remote workers, often working with their personal devices, create new security threats and a need to respond to security incidents beyond the boundaries of the traditional network.
MITRE ATT&CK – a highly valuable dataset that can grant incident responders detailed information about the tactics and techniques used by attackers at every stage of the attack kill chain.
Incident response automation – new technology is being used to automate and orchestrate incident response, to support overworked analysts and improve the speed and effectiveness of responses.
Zero trust – a zero trust security model helps contain and limit the spread of threats, making incident response easier and more manageable.
Secure Access Service Edge (SASE) – SASE provides enterprise-wide policies for governing and controlling web traffic, making it possible to quickly detect and respond to web-based threats.
I hope this will help your organization understand and prepare for the future challenges and opportunities in incident response.