Intrusion Detection & Response

Temple University

Week 2 Blog

After a rocky start with Week 1, we are now onto Week 2.

In Week 1 the focus was on understanding what an incident is and what the basic steps of an attack are. There are several models of the attack life cycle, notably the Mandiant Attack Lifecycle and Lockheed Martin's Cyber Kill Chain. While they are similar, there are differences: the two models emphasize different phases of an attack. The Kill Chain places its emphasis on weaponization and delivery, which are crucial phases. Mandiant's lifecycle focuses on the steps that follow the initial compromise.

This week we will assume that a breach has occurred. The discussion will cover the processes that need to exist to deal with a breach, including the roles of the Help Desk, the SOC, the CSIRT and so on.

Comments

  1. Vaibhav Shukla says

    May 26, 2017 at 2:11 pm

    Lockheed Martin adapted a military concept (Find, Fix, Track, Target, Engage and Assess) and applied it to cyber as (Reconnaissance, Weaponization, Delivery, Exploitation, Installation and Command & Control); there is no concept of internal reconnaissance and lateral movement in it, whereas the Mandiant attack cycle mentions a cyclic process of maintaining a foothold through lateral movement and internal reconnaissance.

  2. Jose Gomez says

    May 29, 2017 at 4:09 pm

    The response time is a critical consideration in assembling, maintaining and deploying an effective CSIRT and dealing with a breach. Fortunately, with a rapid, accurately targeted and effective response, many companies can minimize the overall damage to finances, hardware and software caused by a specific incident.

  3. Ruslan Yakush says

    June 5, 2017 at 2:45 pm

    Regarding processes, in case a company has been breached, depending on the company type and size, it may be responsible not only for following internally defined processes within the CIRT, but also for contacting affected customers about the breach, and it may have to be prepared for litigation. In this case, the company would be concerned with all the processes required to restore the company's reputation. Also, the company and the CIRT team should be aware of all applicable law enforcement directives to make sure the investigation is done right.
