Blog post

Time-tested Incident Response Wisdom?

By Anton Chuvakin | June 27, 2013 | 0 Comments

securityincident response

Have you ever read NIST 800-3 (!) document called “Establishing an Incident Response Capability”? It was published in … 1991! Some of the CERT/CC guidance on computer incident response (IR) goes straight back to that Morris Worm era (1988). The books that you see on the right, serving as my impromptu monitor stand, have been published since the mid-1990s. There is a lot of security incident response wisdom accumulated over the years. CERT/CC, SANS, NIST, FIRST, ISO – as well as  analysts  and independent consultants – produced piles of content on how to respond to security incidents.


But how much of it is relevant for you today?

To think about this systematically, let’s try to list some of the forces that affect how we respond to security incidents today:

  • New technologies (specifically, mobile computing and virtualization) affect how and where we look for evidence and what tools we use for the investigations
  • Cloud computing introduced two sources of changes: new technologies (and not just virtualization), but also environments with predominantly 3rd party control and multi-tenancy (you need both permission and ability, if you need to investigate an incident spanning “the cloud”)
  • Furthermore, I’d say that a more global, distributed nature of many organizations (as well as highly distributed locations of their valuable data) affects both investigative tools and processes  – after all investigating 1 machine and 10,000 requires drastically different tools.
  • Regulations, mandates and laws have definitely introduced changes: and not just PCI DSS (with its own mandate for IR response plans and workflows) and breach notification laws. Think “cyber-doctrines” and nation-level incident response…. Oh, fun!
  • Overall, reliance on IT (and now, OT) has been going up, thus raising the stakes of incident response – what used to be “this computer stuff” in late 1980s-early 1990s now in 2013 affects billions of lives and trillions of dollars worldwide.
  • Finally, the adversaries have changed – the key attribute of [some] attackers today is persistence: they WILL keep trying and will aim for ongoing access to the environment. If persistent compromise is the setting, how do you do IR?  Also, if attackers earn their living off successful attacks (whether as salaried “cyber-spies” or “commission-based” criminals), their motivation for both effectiveness and stealth is much higher than before …  This also means there will simply be MORE attackers.

Anything else you want to add? How has YOUR incident response practice changed in the last few years?

P.S. I am going to be using incident response (IR) and incident handling (IH) as synonyms, but will separate computer forensics out (of course!). Anybody got a problem with that?

Posts related to the same research project:

The Gartner Blog Network provides an opportunity for Gartner analysts to test ideas and move research forward. Because the content posted by Gartner analysts on this site does not undergo our standard editorial review, all comments or opinions expressed hereunder are those of the individual contributors and do not represent the views of Gartner, Inc. or its management.

Comments are closed