Incident Response: The Death of a Straight Line

Anton Chuvakin


As I am diving deeper into modern security incident response (IR) practices, one shocking realization reigns supreme: the arrow is dead.  Well, let me take this back: as we all know, nothing in security is ever dead. Password guessing, an attack from the 1970s (if not earlier), is alive and well. Stateless firewalls are not dead. No countermeasure and no threat has been fully retired – even though some say that the risk of punch cards being damaged in the mail is 100% gone…

In any case, the “arrow model” of incident response, where normal IT operation is suddenly interrupted by an incident that is then remediated and everything goes back to normal, has been losing ground. Think about it! We have constant infection rates of 1-2% of systems (source), ongoing attack campaigns, persistent adversaries (even compliance is now “continuous”); why should IR be any different?

[Image: IR_old_times_no]

[Image]
‘Normal -> incident -> back to normal’ is no more, or at least it is no longer the only case. The more common case today, and the only case for advanced threats, is multiple IR loops running at any given time.

While some will try to draw a clear line between monitoring (before and after the incident) and incident response (during the incident), that line is much blurrier than many think. Ongoing indicator scans (based on external and internal sources), malware and artifact reversing, network forensics “hunting”, and similar work all blur the line and become continuous incident response activities.
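As an added illustration (not code from the original post), here is a minimal version of the continuous indicator scan described above: a scanner that holds indicators from an external feed and from a still-open internal case, runs them over a stream of log lines, groups the hits by host into the response loops that are open at that moment, and accepts a new indicator produced by artifact analysis without any “between incidents” reset. The key=value log format, the field names, the host names and the indicator values are all constructed for the example and refer to no real feed or system.

```python
"""Continuous indicator scan over a log stream.

Added illustration, not code from the original post. The key=value log format,
field names, indicator values and host names below are constructed for the
example; none of them refer to real systems or real threat-intel feeds.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set, Tuple


@dataclass(frozen=True)
class Indicator:
    kind: str    # "ip", "domain" or "sha256"
    value: str
    source: str  # where it came from: an external feed or an internal case


@dataclass(frozen=True)
class Match:
    host: str
    indicator: Indicator
    line: str


# Which log field carries which indicator type (assumed log schema).
FIELD_TO_KIND = {"query": "domain", "dst": "ip", "src": "ip", "sha256": "sha256"}


def parse_kv(line: str) -> Dict[str, str]:
    """Parse a 'k=v k=v ...' log line; tokens without '=' are ignored."""
    fields: Dict[str, str] = {}
    for token in line.split():
        if "=" in token:
            key, value = token.split("=", 1)
            fields[key] = value
    return fields


def normalize(kind: str, value: str) -> str:
    """Canonical form so feed entries and log values compare equal."""
    value = value.strip().lower()
    if kind == "domain":
        value = value.rstrip(".")  # DNS logs often carry a trailing dot
    return value


class IndicatorScanner:
    """Holds the current indicator set and scans log lines against it.
    Indicators can be added at any time (e.g. a hash or domain recovered by
    reversing an artifact from one host), so the scan is a standing activity."""

    def __init__(self, indicators: Iterable[Indicator] = ()) -> None:
        self._index: Dict[Tuple[str, str], Indicator] = {}
        for ind in indicators:
            self.add(ind)

    def add(self, ind: Indicator) -> None:
        self._index[(ind.kind, normalize(ind.kind, ind.value))] = ind

    def scan(self, lines: Iterable[str]) -> List[Match]:
        hits: List[Match] = []
        for line in lines:
            fields = parse_kv(line)
            host = fields.get("host", "unknown")
            for field, kind in FIELD_TO_KIND.items():
                if field not in fields:
                    continue
                ind = self._index.get((kind, normalize(kind, fields[field])))
                if ind is not None:
                    hits.append(Match(host, ind, line))
        return hits


def open_loops(hits: Iterable[Match]) -> Dict[str, Set[str]]:
    """Group hits by host: each implicated host is one response loop in
    flight, tagged with the indicator sources that point at it."""
    loops: Dict[str, Set[str]] = {}
    for m in hits:
        loops.setdefault(m.host, set()).add(m.indicator.source)
    return loops


# Constructed indicator set: one external feed plus one still-open internal case.
INDICATORS = [
    Indicator("ip", "203.0.113.45", "external-feed"),
    Indicator("domain", "update-check.example.net", "external-feed"),
    Indicator("sha256",
              "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
              "internal-case-17"),
]

# Constructed log lines (DNS, proxy and endpoint events) in the assumed format.
LOG_LINES = [
    "ts=2024-05-01T10:00:01Z type=dns host=ws-014 query=update-check.example.net.",
    "ts=2024-05-01T10:00:02Z type=proxy host=ws-014 dst=203.0.113.45 bytes=4812",
    "ts=2024-05-01T10:00:03Z type=proxy host=ws-022 dst=198.51.100.7 bytes=120",
    "ts=2024-05-01T10:00:05Z type=edr host=ws-031 "
    "sha256=9F86D081884C7D659A2FEAA0C55AD015A3BF4F1B2B0B822CD15D6C15B0F00A08",
]


def run_demo() -> Tuple[List[Match], Dict[str, Set[str]]]:
    """Scan the constructed log lines and return (hits, open loops per host)."""
    scanner = IndicatorScanner(INDICATORS)
    hits = scanner.scan(LOG_LINES)
    return hits, open_loops(hits)
```

`run_demo()` returns two hosts with loops open at once, each implicated by a different source; calling `scanner.add(...)` with an indicator recovered from one of those hosts and scanning the next batch of lines is the whole “between incidents” story: there is no gap, only a growing indicator set and the next pass.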

BTW, in this model, the question “what do incident responders do between incidents?” makes no sense…
