The processes that an organization should follow when maintaining an information security posture are like those outlined in the Blue Team Kill Chain section of the previous module. These processes can be categorized as follows:

  • Pre-incident process
  • Intra-incident process
  • Post-incident process

Pre-incident processes

The pre-incident process is the organization’s default security stance: maintaining its ongoing baseline security posture. This means ensuring that existing organizational policies and procedures are followed, including:

  • An effective patch management strategy. Most breaches could have been prevented if organizations kept their information systems up to date with vendor patches and updates.
  • Effective monitoring and alerting. Ensure that the appropriate telemetry is being generated by information systems and that this telemetry is effectively analyzed for anomalies that may indicate an intruder’s presence. Only an effectively calibrated monitoring and alerting system can warn an organization that an incident is occurring.
  • Ensuring good administrative practice. Good administrative practices, such as only using privileged access workstations, just enough administration, privileged access management, least privilege, and other techniques that limit the use of administrative rights, reduce the chance of an attacker successfully escalating privileges should they gain a foothold within the organizational infrastructure.
  • Restricting the possibility of lateral movement. Configure information systems so that the possibility of an intruder moving laterally through those systems is minimized. This can be accomplished by implementing and maintaining effective code integrity policies, as well as by segmenting networks so that only necessary communication between hosts can occur.
  • Ensure good data classification and protection practices. Configure automatic classification mechanisms that apply classification labels to data as that data is generated and automatic protection systems that secure that data based on the assigned classification label.
  • Performing red team exercises on a regular basis. When not under attack by an intruder, perform regular intrusion drills to ensure that the information security staff and appropriate stakeholders are well versed in how to react when an intrusion occurs.

Intra-incident process

After considering their information security posture and performing regular red-team exercises, organizations should develop clear policies and procedures on how to react when an intruder is detected in organizational information systems. Described in more detail in the previous module, these include:

  • Determine the extent of the compromise. Determine the degree to which the intruder has infiltrated the organization’s information systems. Perform a detailed and thorough investigation to ascertain which systems the intruder has compromised, how those systems were compromised, and when those systems were compromised.
  • Plan a response. Ensure that the attempt to evict the intruder from the organizational systems only occurs after the extent to which the intruder has compromised the organization is determined. Developing and then implementing an effective response plan gives an intruder less latitude to react than attempting to deal with the intruder on an ad-hoc basis before the full extent of the intrusion has been determined. In most cases, the intruder has been present on the network for some time before being detected, so spending extra time determining the extent of the compromise and planning a response will not impact the overall severity of the breach.
  • Enact the response. Once the plan to respond to the intruder has been developed, it should be enacted. Enacting the response should not only involve evicting the intruder from the organizational network but remediating the vulnerabilities that allowed the intruder to gain access to the network.

Post-incident process

The post-incident process should involve further investigation as to the “how,” “where,” “when,” and possibly the “why” of the intrusion. It should involve an analysis of what was lacking in the implementation of the baseline security posture that allowed the intruder to gain access to the network. Once this analysis has been performed, steps should be taken to improve the policies and procedures involved to minimize the chance that an intruder will be successful in the future.

This article is from the free online course Microsoft Future Ready: Fundamentals of Enterprise Security, created by FutureLearn - Learning For Life.