What is a cyber incident
A cyber incident is any event that includes the following:
• Intent to cause harm
• Performed by a person
• Involves a computing resource
Together, these qualify the event as a threat or disruption that affects, or is likely to affect, the confidentiality, integrity, or availability of an electronic system. These systems include information systems, services, networks and utility components.
Detection time of cyber incidents
According to national research and studies in 2016, the average number of days an organization was compromised before it discovered the breach (or was notified about it) was 146 days. However, in the Middle East region it takes businesses three times longer than elsewhere in the world to detect a breach. During 2016, NCSC worked with and notified clients about breaches and discovered a few breaches that had started one year earlier without any detection. This indicates a massive shortage in detection maturity in the region that needs to be raised.
Incident response is an organized approach to addressing and managing the aftermath of a security breach or attack. The goal is to handle the situation in a way that limits damage and reduces recovery time and costs in addition to identifying the cause of the breach. An incident response plan includes a policy that defines, in specific terms, what constitutes an incident and provides a step-by-step process that should be followed when an incident occurs.
Incident response phases
The incident response stages, as stated in “NIST SP 800-61r2 Computer Security Incident Handling Guide”, consist of 4 major phases, illustrated in the figure below:
• Preparation before the incident:
The goal is to get the organization ready and prepared for any incident, which includes establishing the process, people and technology to handle such incidents. This includes defining an IR plan, the IR team, a dedicated place to work from, adequate tools/controls to assist during the incident, IR documentation and management support.
• Detection and Analysis
Identify a potential computer security incident and perform an initial investigation to verify it, record the basic details surrounding the incident, assemble the incident response team, and notify the individuals who need to know about the incident.
• Containment, eradication and recovery
Containment is important before an incident overwhelms resources or increases damage. Most incidents require containment, so that is an important consideration early in the course of handling each incident. Containment provides time for developing a tailored remediation strategy. An essential part of containment is decision-making (e.g., shut down a system, disconnect it from a network, and disable certain functions). Such decisions are much easier to make if there are predetermined strategies and procedures for containing the incident. Organizations should define acceptable risks in dealing with incidents and develop strategies accordingly.
After an incident has been contained, eradication is necessary to eliminate components of the incident, such as deleting malware and disabling breached user accounts, as well as identifying and mitigating all vulnerabilities that were exploited. During eradication, it is important to identify all affected hosts within the organization so that they can be remediated. For some incidents, eradication is either not necessary or is performed during recovery.
Administrators restore systems to normal operation, confirm that the systems are functioning normally, and (if applicable) remediate vulnerabilities to prevent similar incidents. Recovery may involve such actions as restoring systems from clean backups, rebuilding systems from scratch, replacing compromised files with clean versions, installing patches, changing passwords, and tightening network perimeter security (e.g., firewall rulesets, boundary router access control lists). Higher levels of system logging or network monitoring are often part of the recovery process.
Eradication and recovery should be done in a phased approach so that remediation steps are prioritized. For large-scale incidents, recovery may take months; the intent of the early phases should be to increase the overall security with relatively quick (days to weeks) high-value changes to prevent future incidents. These actions should be performed together in a remediation weekend to test the new systems and configuration and, in addition, to make sure that all of the adversary’s access is blocked or removed. The later phases should focus on longer-term changes (e.g., infrastructure changes) and ongoing work to keep the enterprise as secure as possible.
• Post actions after the incident
This is considered the learning and improving phase. Each incident response team should evolve to reflect new threats, improved technology, and lessons learned. Holding a “lessons learned” meeting with all involved parties after a major incident can be extremely helpful in improving security measures and the incident handling process itself. In addition, the incident should be reported to relevant stakeholders, and key information, controls and processes should be updated.
Incident Response services
Incident Response preparation
The NCSC provides guidelines and procedures to prepare an organization to properly handle cyber incidents. The IR preparation covers all aspects of preparing the incident response plan, the IR team and preparing the infrastructure.
Incident Response supervision & consultation
NCSC provides Incident Response supervision and guidance for the infected organization during an incident. Also, NCSC ensures the right scoping and planning with other IR vendors and companies.
Technical Incident Response Analysis
NCSC performs the initial response and the required analysis to identify the root cause of the incident and to scope the infection quickly. The analysis ranges from host-based investigation and log analysis to alert and traffic analysis and network device forensics. A report will be submitted to the organization with a recommended remediation plan. The report includes the following:
• The initial attack vector
• Malware and tools used
• Infected Systems
• Damage assessment
• Time frame of the incident
Cyber Incident remediation
During the last two years NCSC has worked on more than 80 cyber incidents; from responding to and analyzing these incidents, NCSC has built a comprehensive mitigation list that includes technical and practical procedures that can be easily implemented and deployed in any network to protect against known attacks.
NCSC reverse engineering team provides three levels of analysis for submitted samples:
• Static analysis
• Dynamic analysis
• Full reverse engineering of samples.
The level of analysis and time spent depends on many factors.
NCSC provides a capability to assess a network at a given time for any breach or hidden backdoors in the environment. NCSC performs scans for known bad behaviors and analyzes any possible infection. NCSC has multiple tools and software to perform this capability, depending on the scope and the size of the environment.