
Reasons to have an IR process in place

Before we dive into more details about the process itself, it is important to be aware of some of the terminology that is used, and also what the final goal is when using IR as part of enhancing your security posture. Why is it important? Let's use a fictitious company to illustrate.

The following diagram has a timeline of events (2) that leads the help desk to escalate the issue and start the incident response process:

The following table has some considerations about each step in this scenario:

While there is much room for improvement in the previous scenario, there is something that exists in this fictitious company that many other companies around the world are missing: the incident response itself. If it were not for the incident response process in place, support professionals would exhaust their troubleshooting efforts by focusing on infrastructure-related issues. Companies that have a good security posture would have an incident response process in place.

They would also ensure that the following guidelines are adhered to:

  • All IT personnel should be trained to know how to handle a security incident.
  • All users should be trained to know the core fundamentals about security in order to perform their job more safely, which will help avoid getting infected.
  • There should be integration between their help desk system and the incident response team for data sharing.

This scenario could have some variations that could introduce different challenges to overcome. One variation would be if no indication of compromise (IoC) was found in step 6. In this case, the help desk would easily keep troubleshooting the issue. What if at some point things started to work normally again? Is this even possible? Yes, it is!

When an attacker infiltrates the network, they usually want to stay invisible, moving laterally from one host to another, compromising multiple systems and trying to escalate privileges by compromising an account with administrative-level privileges. That's the reason it is so important to have good sensors not only in the network, but also in the host itself. With good sensors in place, you would be able to not only detect the attack quickly, but also identify potential scenarios that could lead to an imminent threat of violation (3).

In addition to all the factors that were just mentioned, some companies will soon realize that they must have an incident response process in place to be compliant with regulations that are applicable to the industry in which they belong. For example, FISMA requires federal agencies to have procedures in place to detect, report, and respond to a security incident.