With the advancement in technology, cybersecurity incidents have increased both in oftenness and sophistication. Practically every second somewhere in the world someone is trying to infiltrate or rather hack a particular computer system. A cybersecurity incident can be defined as an act of malice whose intention is to compromise or disrupt either the physical or electronic security perimeter of a critical cyber asset. Cybersecurity incidents may be grouped into social incidents, misuse incidents, hacking incidents, and malware attacks. Cyber-attacks may target things such as domain name systems, network infrastructure, and websites or even applications. Due to the increased cases of cyber security being compromised, individuals, businesses and organizations are looking for ways of being better protected against cyber-attacks. Cyber incident response is often a multi-step process that involves detection, recognition, analysis, appraisal, restraint, obliteration, recovery and finally post-incident recovery. This article will focus mainly on the analysis of cyber incidents.
What Cyber Incident Analysis Means
Cyber incident analysis refers to the carefully orchestrated process of identifying what happened, why and how it happened and what can be done to prevent it from happening again. From a cyber incident analysis report, both the goal of the cyber-attack and the extent of damage it has caused can be determined. It is a very crucial step of cyber incident response and paves way for the other subsequent steps. This means that without the analysis part then the response plan is deemed to fail. The OODA loop can be used to describe the incident analysis process and the tools involved therein. The OODA loop simply involves observation, orientation, decision, and action.
Observe
Here, an individual or organization is required to pick up on any abnormal behavior that may require attention. Various tools can be used including log management tools, intrusion detection systems, net-flow analyzers, vulnerability scanners, intrusion detection systems, and web proxies. Log management is all about understanding what is going on in your network. This includes the people visiting it. Intrusion detection systems (IDS) employ the use of attack signatures to identify and issue an alert on any suspicious activities in the server. Net-flow analyzers track the traffic in your network by analyzing a particular thread of activity. Lastly, vulnerability scanners point out areas of weakness that might have predisposed an organization to an attack.
Orient
Deals with an evaluation of what is going on in your cyber threat landscape to make coherent connections and prioritize events. The tools used for orientation include threat intelligence security inquiry and asset inventory. Asset inventory allows gaining of in-depth knowledge of all the critical systems in your network and the specific software installed on them. To assess the criticalness of a cyber incident, you would need to have an understanding of your immediate environment and this is what the inventory offers. Threat intelligence keeps you abreast of potential cyber threats in the real world. They include things like compromise indicators and IP addresses with a bad reputation and can be used to provide a full context for the threat.
Decide
Focuses on the use of your observations and context to devise a response that would cause minimal damage yet achieve faster recovery. Here, only two tools are involved i.e. the company’s corporate policy and documentation. Both of these tools are supposed to give information on what is acceptable and what is not. Based on this you are supposed to categorize the threat then devise a response that is recommended by the company’s policies and any other documentation.
Act
Involve the use of lessons learned from cyber incidents to initiate incident response and recovery. Many tools are involved here including backup and recovery tools, system management tools, security awareness tools, and incident response forensics tools. Incident response forensic tools serve the purpose of identification, analyzing and presentation of facts about digital information to scrutinize digital trails. Security tools, on the other hand, are aimed at improving the security of the system such that the likelihood of occurrence of another similar incident is reduced.
It is important to note that cybersecurity is never an after-the-fact issue but rather begins even before an attack is launched. Organizations should, therefore, work round the clock with their IT team to ensure that their security practices are tuned up and are technologically relevant.
