Tuesday, February 4, 2014

Seconds and Minutes

Richard Bejtlich, an industry thought leader on Incident Response, advises us that our goal in incident response should be one hour from detection of an incident to its containment.  In other words, once we learn of a breach or intrusion, we should seek to have it contained within 60 minutes. That is a noble goal, and I would like to take a moment to discuss this concept.

To better understand what it means to go from detection to containment in one hour, let's begin by reminding ourselves of the incident response/incident handling life cycle:
  • Detection
  • Analysis
  • Containment
  • Remediation
  • Recovery
  • Lessons Learned
For the purposes of this post, let's assume that the detection piece is in place.  In other words, we have either detected an intrusion through our own alerting, or we have been notified by an external entity or third party in a timely manner.  Looking at the incident response life cycle, we see that before we can think about containment, we must perform analysis.  This is actually intuitive, as before we can perform containment, we need to understand what exactly needs to be contained.  The process by which we understand what needs to be contained is called analysis.

In this context, analysis may consist of network forensics, malware forensics, and/or media forensics, depending on the incident.  Let's place malware forensics and media forensics to the side for a moment and think about network forensics.  As has been discussed in previous blog postings and elsewhere, network forensics provides the means through which timely, accurate answers to important questions are uncovered in the enterprise's network data.  If we take a step back, in order to successfully answer the right questions in one hour, a few things need to be in place:
  • The enterprise's network data has been collected by its network forensics platform at all required network points of presence with no data loss
  • The network forensics platform allows the incident response team to ask incisive questions of the data and receive answers to them (this necessitates a powerful and flexible query language)
  • The network forensics platform provides answers to the relevant questions in seconds and minutes, rather than in hours and days (this necessitates performance at enterprise scale)
This is a tall order for most enterprises, mainly because the three points listed above form the modern network forensics frontier.  When an incident hits, can your organization perform incident response in seconds and minutes, or will you need hours and days?  To me, it seems important to answer that question honestly and realistically.  Once we are honest with ourselves, a strategy for incident response in seconds and minutes can be designed and implemented.  Only then can we be prepared to perform incident response in seconds and minutes.
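To make the analysis step concrete, here is an added example (not from the original post) of the kind of question a responder asks of network data before containment: starting from one host flagged by detection, which other internal hosts did it reach, and which hosts beaconed to the known-bad external endpoint? The flow records, IP addresses and the indicator are constructed for illustration, and the scan is timed so the "seconds and minutes" requirement can be checked directly.

```python
import time

# Constructed sample of flow records (not real data):
# (timestamp, src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    ("2014-02-04T09:00:05", "10.1.1.20", "203.0.113.7", 443, 1200),
    ("2014-02-04T09:00:40", "10.1.1.20", "10.1.1.35", 445, 80000),
    ("2014-02-04T09:01:10", "10.1.1.35", "203.0.113.7", 443, 900),
    ("2014-02-04T09:02:00", "10.1.1.35", "10.1.2.9", 3389, 45000),
    ("2014-02-04T09:03:00", "10.1.1.50", "198.51.100.3", 80, 300),
    ("2014-02-04T09:04:00", "10.1.2.9", "203.0.113.7", 443, 700),
]


def scope_incident(flows, seed_hosts, bad_externals, internal_prefix="10."):
    """Answer the analysis questions that precede containment.

    Returns the internal hosts to contain, the external endpoints those
    hosts contacted, and how long the query took (in seconds).
    """
    started = time.perf_counter()
    internal = lambda ip: ip.startswith(internal_prefix)  # constructed rule
    suspect = set(seed_hosts)

    # Any internal host that talked to a known-bad external endpoint is suspect.
    for _, src, dst, _, _ in flows:
        if internal(src) and dst in bad_externals:
            suspect.add(src)

    # Follow internal-to-internal connections outward from the suspect set
    # until it stops growing (plain reachability; timing order is ignored).
    changed = True
    while changed:
        changed = False
        for _, src, dst, _, _ in flows:
            if src in suspect and internal(dst) and dst not in suspect:
                suspect.add(dst)
                changed = True

    externals = sorted({dst for _, src, dst, _, _ in flows
                        if src in suspect and not internal(dst)})
    return {
        "contain": sorted(suspect),        # hosts to isolate
        "block": externals,                # endpoints to block at the edge
        "elapsed_s": time.perf_counter() - started,
    }


if __name__ == "__main__":
    print(scope_incident(FLOWS, ["10.1.1.20"], {"203.0.113.7"}))
```

On a real platform the same question is a query against every collected point of presence; the point of the example is that the answer, not the alert, defines what gets contained.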
