Incident Detection and Response

The document outlines the importance of having a comprehensive Incident Response (IR) plan to prepare for and manage cybersecurity incidents. It details the IR process, life cycle, and the differences between Intrusion Prevention Systems (IPS) and Intrusion Detection Systems (IDS), highlighting their respective benefits. Best practices for incident response include regular evaluation of the IR program, incorporating lessons learned, and ensuring clear communication and workflows to enhance security measures.

Uploaded by Mansoor Al-ali
© All Rights Reserved

Incident Detection and Response

As the cyber threat landscape expands, it’s no longer a question of if your organization
will be attacked, but when. To ensure that you’re not caught unawares, you must
prepare for such incidents with a comprehensive Incident Response (IR) plan.

Executive summary

What is the IR process? The process of preparing for, detecting, mitigating, and
preventing cyber threats and data threats.

What is an IR plan? A comprehensive document that details how an organization will
detect and respond to cybersecurity incidents, and prevent recurrence.

What is the IR life cycle? A series of steps that enable enterprises to anticipate,
detect, remediate and contain security events.

IR life cycle frameworks: Popular frameworks are NIST, SANS, and ISO.

NIST IR life cycle: Consists of 4 phases: Preparation; Detection and Analysis;
Containment, Eradication, and Recovery; Post-incident activity.

What’s the difference between IPS and IDS?

IPS is an active cybersecurity measure, while IDS is a passive one. IDS primarily
focuses on detection and alerting, while IPS goes further by actively preventing
or mitigating threats.

IPS and IDS are security systems used to protect computer networks from various
threats, but they serve different purposes and operate slightly differently. Here are the
key differences between IPS and IDS.

- Active vs. Passive Security: The primary purpose of an IPS is to actively block
or prevent malicious activity and network intrusions in real time. It monitors
network traffic for suspicious or unauthorized activity and immediately blocks or
prevents it, for example by dropping packets, closing connections, or reconfiguring
network rules. An IDS, on the other hand, is designed to detect and alert on
suspicious or potentially harmful network activity but does not take any active
measures to prevent or block the detected activity. It provides alerts or logs that
are analyzed by security personnel, who then take appropriate action based on
the alerts.
- Blocking and Prevention vs. Observation and Analysis: IPS actively takes
action to prevent or block malicious activity. This can include blocking network
traffic, modifying firewall rules, or resetting connections to protect the network
from threats. Meanwhile, IDS passively observes and analyzes network traffic,
generating alerts when it detects suspicious or potentially harmful activity.
Security analysts or administrators must review these alerts and decide on the
appropriate action.
- False Positive Rates: Because an IPS actively blocks traffic based on its
analysis, it may have a higher likelihood of generating false positives, potentially
blocking legitimate traffic if misconfigured or if the detection rules are too strict.
Conversely, IDS systems tend to have fewer false positives since they do not
actively block traffic. However, they may generate more alerts that need to be
reviewed by human operators.
- Network Performance Impact: The active blocking nature of an IPS can have a
direct impact on network performance, and it may introduce latency if it is
processing a large volume of traffic or if it is incorrectly configured to block
legitimate traffic. IDS, being a passive monitoring system, has a lower impact on
network performance since it does not interfere with network traffic.
- Deployment: IPS is typically placed in-line with network traffic, meaning that all
traffic passes through it, allowing it to actively block threats. It is considered a
security gateway. IDS, however, can be deployed in various ways, including in-line
(similar to IPS), out-of-band (where it monitors a copy of network traffic), or as a
host-based IDS on individual devices.
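The following Python script is an added example (not from the original document or from the Sophos or Devo material it draws on) that makes the active/passive and false-positive points concrete. It runs one and the same detection rule, a simple port-sweep heuristic, over a constructed set of flow records in "ids" mode (alert only, traffic still forwarded) and "ips" mode (inline, matching flows dropped). The flow records, the trusted-source list, the sensor class and the thresholds are all constructed for the illustration; tightening the threshold shows how an in-line IPS turns a noisy rule into blocked legitimate traffic, while the IDS only produces more alerts for an analyst to review.

```python
"""Added example: one detection rule run in IDS (passive) and IPS (inline) mode.

Constructed flow records stand in for network traffic; the sensor, rule and
thresholds are illustrative, not any vendor's implementation.
"""
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample traffic: (timestamp_s, src_ip, dst_ip, dst_port, service).
# 10.0.0.5 is a monitoring host that legitimately polls several services;
# 203.0.113.9 sweeps six ports on the same host within one second.
SAMPLE_FLOWS = [
    (0, "10.0.0.5", "10.0.0.20", 22, "ssh"),
    (1, "10.0.0.5", "10.0.0.20", 80, "http"),
    (2, "10.0.0.5", "10.0.0.20", 443, "https"),
    (3, "10.0.0.5", "10.0.0.20", 8080, "http-alt"),
    (4, "203.0.113.9", "10.0.0.20", 21, "ftp"),
    (4, "203.0.113.9", "10.0.0.20", 22, "ssh"),
    (4, "203.0.113.9", "10.0.0.20", 23, "telnet"),
    (4, "203.0.113.9", "10.0.0.20", 25, "smtp"),
    (4, "203.0.113.9", "10.0.0.20", 80, "http"),
    (4, "203.0.113.9", "10.0.0.20", 110, "pop3"),
    (5, "10.0.0.7", "10.0.0.20", 80, "http"),
]
# Constructed ground truth, used only to measure collateral damage afterwards.
TRUSTED_SOURCES = {"10.0.0.5", "10.0.0.7"}


@dataclass
class Verdict:
    forwarded: bool   # did the flow reach its destination?
    alerted: bool     # did the rule fire?
    reason: str = ""


class Sensor:
    """Port-sweep rule: fire when one source touches more than max_ports
    distinct ports on one destination within window_s seconds."""

    def __init__(self, mode, max_ports=5, window_s=2):
        if mode not in ("ids", "ips"):
            raise ValueError("mode must be 'ids' or 'ips'")
        self.mode = mode
        self.max_ports = max_ports
        self.window_s = window_s
        self.history = defaultdict(list)   # (src, dst) -> [(ts, port), ...]
        self.alerts = []

    def process(self, flow):
        ts, src, dst, port, _service = flow
        hist = self.history[(src, dst)]
        hist.append((ts, port))            # a dropped flow was still observed
        recent_ports = {p for t, p in hist if ts - t <= self.window_s}
        if len(recent_ports) <= self.max_ports:
            return Verdict(forwarded=True, alerted=False)
        reason = (f"port sweep: {src} touched {len(recent_ports)} ports on "
                  f"{dst} within {self.window_s}s")
        self.alerts.append(reason)
        # The rule is identical in both modes; only the consequence differs.
        if self.mode == "ips":
            return Verdict(forwarded=False, alerted=True, reason=reason)  # inline drop
        return Verdict(forwarded=True, alerted=True, reason=reason)       # passive alert


def run(mode, max_ports, flows=SAMPLE_FLOWS):
    """Replay the flows through a sensor and summarise what happened."""
    sensor = Sensor(mode, max_ports=max_ports)
    delivered, dropped = 0, []
    for flow in flows:
        verdict = sensor.process(flow)
        if verdict.forwarded:
            delivered += 1
        else:
            dropped.append(flow)
    return {"delivered": delivered, "dropped": dropped, "alerts": sensor.alerts}


def collateral(result, trusted=TRUSTED_SOURCES):
    """Dropped flows that came from a trusted source, i.e. false-positive blocks."""
    return sum(1 for flow in result["dropped"] if flow[1] in trusted)


if __name__ == "__main__":
    for mode in ("ids", "ips"):
        for max_ports in (5, 2):
            r = run(mode, max_ports)
            print(f"{mode.upper()} max_ports={max_ports}: delivered={r['delivered']} "
                  f"alerts={len(r['alerts'])} dropped={len(r['dropped'])} "
                  f"trusted_dropped={collateral(r)}")
```

With the lenient threshold (max_ports=5) only the sweeping source trips the rule: the IDS forwards all eleven flows and raises one alert, the IPS drops the sixth probe. With the strict threshold (max_ports=2) the monitoring host also trips it; the IDS still forwards everything and merely raises six alerts, whereas the IPS drops six flows, two of them legitimate. The difference in outcome is entirely due to deployment position, not to the rule.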

What Are the Benefits of Deploying IDS and IPS?

Intrusion Detection Systems (IDS) and Intrusion Prevention Systems (IPS) offer a range
of benefits to enhance the security of a network, including:

- Threat Detection: IDS monitors network traffic and system activities in real time,
looking for suspicious patterns or behaviors. An IDS detects various types of
threats, such as malware, unauthorized access attempts, and unusual traffic
patterns.
- Early Warning: IDS provides early warning of potential security incidents,
allowing organizations to take proactive measures to mitigate threats before they
escalate into full-blown attacks.
- Incident Investigation: IDS logs and stores data related to detected threats,
which is valuable for forensic analysis. This information helps security teams
understand the nature of the attack, its origin, and its potential impact.
- Compliance and Reporting: Many regulatory frameworks and industry
standards require organizations to have IDS in place to monitor and report on
security events. Deploying IDS can help organizations meet compliance
requirements.
- Reduced Downtime: By detecting and addressing threats early, IDS can help
reduce downtime and minimize the impact of security incidents on business
operations.

Benefits of Deploying IPS (Intrusion Prevention System):

- Real-time Threat Mitigation: IPS goes a step further than IDS by actively
blocking or mitigating detected threats in real time. It can drop malicious packets,
block access to malicious websites, or trigger other security measures to prevent
attacks.
- Automated Response: IPS can automatically take action to protect the network
and systems, reducing the need for manual intervention. This is especially
important in the case of fast-spreading or automated attacks.
- Improved Security Posture: IPS helps maintain a proactive and robust security
posture by preventing known and emerging threats from compromising the
network or systems.
- Reduced Attack Surface: By actively blocking malicious traffic, IPS reduces the
attack surface and minimizes the potential impact of security breaches.
- Enhanced Network Performance: While there may be some overhead
associated with IPS, it can help optimize network performance by preventing
resource-intensive attacks and ensuring that legitimate traffic flows smoothly.
- Compliance Adherence: Just like IDS, IPS can assist organizations in meeting
regulatory compliance requirements by actively protecting against security
threats.
- Zero-Day Threat Prevention: Some advanced IPS solutions are capable of
detecting and preventing zero-day attacks or previously unknown threats through
advanced threat intelligence and behavioral analysis.

How Incident Response Works:

Suppose your organization is hit by a ransomware attack. According to the NIST IR life
cycle, IR doesn't start when the attack actually happens; it starts before, during the
Preparation phase.

Preparation: The IR team develops the processes for the incident, ensuring a quick and
efficient response should an attack occur.

Identification and Analysis: The team focuses on early identification of a possible
attack as well as quick analysis to expedite containment, eradication, and recovery, thus
minimizing the impact on the organization.

Detection: Following an attack, the team identifies the attack vectors, calculates risk,
and implements detection measures for the identified attack vectors. They also
implement prevention measures where applicable.

Containment, Eradication, and Recovery: The IR team attempts to remove the
ransomware, tries to prevent its spread or lateral movement, isolates any systems that
may be affected, and restores affected systems and data. They also try to prevent the
beaconing of communication channels that may lead to malicious communication
between the malware and the cyberattacker.

Post-Incident Activity: The team assesses the IR process to ascertain whether they
could have done anything differently or better. For example, could stronger security
controls that might have prevented the attack have been installed? Could employees
have been better trained, or prepared more thoroughly for such incidents? Also, are
there any processes or policies that need to be implemented or updated to make future
incident response more efficient, effective, and timely?

Incident response best practices:

The threat landscape is constantly expanding and evolving. To keep up with new
threats, it is vital to keep updating the IR plan. Also, make sure to incorporate any
lessons learned after each security incident, thus improving the plan over time with
hard-earned experience.

Evaluate your IR program regularly to gauge its effectiveness. To do this, you could
implement the following testing strategies:

- Tabletop exercises: Create multiple breach scenarios to highlight any weaknesses in
the IR plan, and generate meaningful ideas to address them.
- Walkthroughs: In this test, the team checks whether the plan and its various activities
are being carried out correctly by the relevant stakeholders.
- Cutover: An IR leader discovers how the team handles a crisis by forcing a particular
alternative action, e.g., a restore of data from backup.

For effective IR, it is important to establish clear workflows, communication plans,
reporting procedures, escalation paths, and standard operating procedures (SOPs).
These elements will help ensure that the process works smoothly and without costly
mistakes. A clear and detailed plan will also help managers make informed decisions on
security investments that strengthen cyber defenses.

It is also important to regularly review IR processes and policies to find areas of
improvement. Also assess systems and procedures (for example, those related to email
communications, access controls, etc.) to ensure that there are no security gaps that
may open up new attack vectors and make the organization vulnerable to attack.

Finally, don't be tempted to skip the Preparation phase. If it is bypassed, you risk
continuously operating in a stressful cycle of firefighting and response. In such cases,
the business concentrates on reacting to security incidents rather than proactively
improving its IR capabilities and security defenses.

Reference:
- https://www.devo.com/threat-hunting-guide/incident-response-life-cycle/
- www.sophos.com/en-us/cybersecurity-explained/ips-and-ids
