Building A Better Incident Response Plan


Evaluate Proactive Monitoring Capabilities

Security appliances need to be properly configured, tuned, updated and maintained regularly to detect threats. The alerts generated from the device need to go to the proper handler. System logs should be reviewed regularly to spot suspicious activity. In many cases, basic monitoring can detect threats, but it needs to be done regularly, said Christopher Porter, a managing principal at Verizon. "The key with monitoring isn't necessarily investing in technology to detect faster, it is investing in technology or practices to configure these things in a more secure manner," Porter said. "A lot of these attacks are on small and medium businesses; they don't have the expertise in place typically to carry this out effectively themselves."

Assess Investigative Capabilities

Investigative controls take the information identified during incident detection and verify whether the organization has the information required to conduct a meaningful response, according to the NTT Group study. The organization needs to first determine whether an alert is a false positive, then define the scope of the incident and which systems and data are potentially impacted, Kraus said. The activity requires a skilled professional and the right tools to analyze the incident indicators, he said.

Review Incident Response Capabilities

An organization that has skilled staffing and a thorough incident response plan in place can quickly assess and reduce the scope of an incident. Following an initial infection, an attacker will attempt to move laterally through an organization, said Raj Shah, CEO of Morta Security, which was recently acquired by Palo Alto Networks. Shah said that there are stages of an attack that cybercriminals always need to go through when they seek out and attempt to get into more sensitive systems. The goal of the incident response team is to surround and cut off the attacker to minimize the loss or exposure of data.

Test Incident Response Capabilities

Forward-thinking organizations not only dust off their incident response plans annually, they also conduct a drill to ensure that the plan can be followed properly, said Solutionary's Kraus. One of the chief recommendations of the 2014 Verizon Data Breach Investigations Report is to log system, network and application activity to provide a necessary foundation for incident response. Logging is especially important in containing a sophisticated threat and in addressing Denial of Service attacks to minimize the impact on system availability, according to the report. A test should walk through a scenario to ensure that jobs and duties are appropriately assigned and to surface any issues, such as a breakdown in communication. The SANS Top 20 Security Controls recommend periodic incident scenario sessions to test how well personnel associated with an incident handling team understand current threats and risks and their responsibilities in supporting the team.

Ineffective Incident Response Is Costly

The NTT Group study highlighted an incident it was called into following a worm infection released by a system administrator at an organization. The firm had not tested its incident response and had no tools or processes in place to minimize the impact of the worm. After four months of problems and troubleshooting, the incident cost the firm $109,000. The expenses included the price paid for forensics investigators, legal support, public relations help and remediation of the issues that enabled the worm infection. The worm was a member of the Dorkbot family, malware that attempts to steal account credentials and spreads through instant messaging or USB flash drives. A simple problem caused the incident to grow out of control, according to the study: the organization had systems with no antivirus, or with antivirus that didn't have the latest signatures to detect the known worm.

Bad DDoS Incident Response, Mitigation Timeline

Poor detection capabilities caused one organization to miss an ongoing distributed Denial-of-Service attack against its systems for 2.5 hours. The company was ultimately alerted to the problem by its clients, who could not access a client portal. The organization was focused on its PCI compliance activities and had no detection for the parts of its network that were not in scope for PCI, according to the NTT Group study. Once the attack was detected, the investigation took a half hour and the firm took steps to filter out the flood of bad traffic. Mitigation took 10.5 hours and ultimately required a costly call to the organization's upstream Internet service provider, which took hours to implement effective filtering. The total time to mitigate the incident was 13.5 hours at a cost of $5,000 an hour, bringing the total loss to $67,500, according to the study.

Good DDoS Incident Response, Mitigation Timeline

An incident response plan that is firing on all cylinders compresses the threat mitigation timeline, according to the NTT Group report. Organizations need to focus not only on reducing the response timeline, but also on reducing the detection and investigation times of security incidents. In the report's good-case scenario, detection of the attack took place in under 30 minutes. With a half-hour investigation window and a 2.5-hour response timeline to filter out the malicious traffic, the total mitigation time of the incident was limited to 3.25 hours, according to the report. By reducing detection, investigation and response times, the total loss would be reduced to $16,260.

Solution providers need to help clients look at risks using a formal risk assessment, said Solutionary's Kraus. It will help businesses identify the areas that are at the greatest risk of an attack and could produce the largest financial costs, he said.