When I started our security IR research in 2013, one of the questions I sought to answer was “how is IR today different from the old days, when most of the security incident response guidance [example, another one] was written?” The resulting research provides some examples, but here is one example that really, really did it for me:
Remember the classic DoE/NIST/SANS [whatever is its “original origin”] 6-step IR process (“Preparation, Identification, Containment, Eradication, Recovery, and Lessons Learned”)? Imagine you are following the steps and then just FAIL at the Eradication stage. You try harder – and still FAIL. And then FAIL again. You then try new things – and it still does not work.
In the past, after you patched and cleaned, the 2003 threat [say, the Blaster worm] was truly gone; it was Eradicated, and you got to progress to Recovery and then brew coffee and Learn Lessons. However, in 2016 there are cases where you never get to progress, since Eradication just fails. The incident is still ongoing because the threat is still there. And you can do nothing about it! That’s 2016 for you – you can’t assume the attacker will allow you to proceed to Steps 5 and 6… and so you need to learn to live in that reality.
Any other striking examples on how today’s IR differs from, say, 2005?
Posts related to this research project:
- Incident Response Becomes Threat Response … OR Does It: IR Research Commencing
- My Incident Response Paper Publishes (2013)
- On Three IR Gaps
- Fusion of Incident Response and Security Monitoring?
- Survey: How Many Security Incidents Have You Had Over the Last 12 Months?
- Security Incidents vs “IT Problems”
- Top-shelf Incident Response vs Barely There Incident Response
- On SANS Forensics Survey
- Incident Plan vs Incident Planning?
- On Importance of Incident Response
- Is That An Incident In Your Pocket – Or Are You Just Happy to See Me?
- Time-tested Incident Response Wisdom?
- Incident Response: The Death of a Straight Line
- Alert-driven vs Exploration-driven Security Analysis
- My Next Research Area: Incident Response
- All posts tagged security incident response