Every day we evolve our capabilities to respond to security incidents; however, it is necessary to highlight that hacker tools and techniques are also constantly evolving: they are increasingly stealthy and camouflaged.
Cybersecurity experts indicate that in the current scenario the best practice is ethical hacking: analyzing your networks and operations from the attacker's perspective, looking for the main indicators and areas of exposure before they are exploited.
It all comes down to how skillfully your team can screen for security incidents.
This article aims to continue our series Communicate, Respond, and Prevent (you can access the first article by clicking here). Today we are going to talk about how to identify types of security incidents.
The best way to determine the appropriate incident response in any situation is to understand what types of attacks can be used against your organization.
The attack vectors NIST lists are the following:
External/Removable Media» An attack performed from removable media (for example, flash drive, CD) or a peripheral device.
Email» An attack carried out via an email message or attachment (for example, malware infection).
Attrition» An attack that employs brute force methods to compromise, degrade or destroy systems, networks or services.
Improper Usage» Any incident resulting from the violation of an organization's acceptable use policies by an authorized user, excluding the categories above.
Web» An attack performed from a website or web application (for example, a drive-by download).
Loss or theft of equipment» The loss or theft of a computing device or media used by the organization, such as a laptop or smartphone.
Others» An attack that does not fall into any of the other categories.
Now that you are familiar with NIST's list of attack categories, it is important to review your security, control, and mitigation policies to ensure that these attack vectors are covered. Use this list to guide your team through the classification process for various types of security incidents.
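As an added illustration of the classification step (example code written for this article, not a NIST tool or format), the following Python script maps minimal incident records to the attack-vector categories listed above. The record schema (`entry_point`, `method`, `authorized_user`) and the sample incidents are constructed for the example. The rules are evaluated in the order the list gives them, which is what makes "Improper Usage" apply only to incidents not already covered by the categories above it and "Others" the fallback.

```python
from collections import Counter
from dataclasses import dataclass

# The attack-vector categories in the order the article lists them. The order
# matters: "Improper Usage" only applies when the incident is not already
# covered by the categories listed before it, and "Others" is the fallback.
VECTORS = (
    "External/Removable Media",
    "Email",
    "Attrition",
    "Improper Usage",
    "Web",
    "Loss or theft of equipment",
    "Others",
)


@dataclass(frozen=True)
class Incident:
    """A minimal incident record (hypothetical schema constructed for this example)."""
    ident: str
    summary: str
    # Where the attack came in: "removable_media", "peripheral", "email",
    # "web", "network", "physical" or "unknown".
    entry_point: str
    # What happened: "malware", "brute_force", "drive_by_download", "theft",
    # "loss", "policy_violation" or "unknown".
    method: str
    # True when an insider with legitimate access caused the incident.
    authorized_user: bool = False


def classify(inc: Incident) -> str:
    """Map one incident to a single attack-vector category.

    Rules run top to bottom in the article's order, so an authorized user
    who brings in malware on a USB stick is "External/Removable Media",
    not "Improper Usage": that category excludes the ones listed above it.
    """
    if inc.entry_point in ("removable_media", "peripheral"):
        return "External/Removable Media"
    if inc.entry_point == "email":
        return "Email"
    if inc.method == "brute_force":
        return "Attrition"
    if inc.authorized_user and inc.method == "policy_violation":
        return "Improper Usage"
    if inc.entry_point == "web":
        return "Web"
    if inc.method in ("theft", "loss"):
        return "Loss or theft of equipment"
    return "Others"


def classify_all(incidents) -> dict:
    """Return {category: [incident ids]} with every category present, even if empty."""
    buckets = {vector: [] for vector in VECTORS}
    for inc in incidents:
        buckets[classify(inc)].append(inc.ident)
    return buckets


def vector_counts(incidents) -> Counter:
    """Count incidents per category; useful for spotting which vectors dominate."""
    return Counter(classify(inc) for inc in incidents)


# Constructed sample incidents, one or two per category plus an edge case.
SAMPLE_INCIDENTS = [
    Incident("INC-001", "Malware found on a USB stick plugged into a workstation", "removable_media", "malware"),
    Incident("INC-002", "Phishing mail with a malicious attachment opened by a user", "email", "malware"),
    Incident("INC-003", "Password spraying against the VPN gateway", "network", "brute_force"),
    Incident("INC-004", "Employee runs a crypto-miner on a company server", "network", "policy_violation", authorized_user=True),
    Incident("INC-005", "Drive-by download from a compromised news site", "web", "drive_by_download"),
    Incident("INC-006", "Laptop stolen from a parked car", "physical", "theft"),
    Incident("INC-007", "Unexplained outbound traffic, root cause not yet known", "unknown", "unknown"),
    # Edge case: an authorized user violating policy, but via removable media,
    # so the earlier category wins over "Improper Usage".
    Incident("INC-008", "Employee copies customer data to a personal USB drive", "removable_media", "policy_violation", authorized_user=True),
]


if __name__ == "__main__":
    for vector, ids in classify_all(SAMPLE_INCIDENTS).items():
        print(f"{vector:28s} {', '.join(ids) or '-'}")
```

Run as a script it prints one line per category with the incident ids assigned to it; in practice the rule functions would be fed from your ticketing system's fields, and any incident landing in "Others" is a signal that the record lacks the detail needed to pick a vector, which is itself worth fixing in the intake form.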
It is also important to identify which types of equipment would pose the greatest risk in the event of loss or theft; this includes CFO laptops as well as any server HDD that contains IP or sensitive data.
In our next article, we will talk about Security Triage Options, highlighting how to combine local and global threat intelligence for more effective screening, and how to categorize and mitigate incidents from an attacker's perspective.