Cyber Incident Response
What is Cyber incident response?
- Cyber Incident Response complements the advanced detection and response domain, focusing on the technologies, processes and frameworks used to discover, eradicate and recover from cyber attacks and exploited vulnerabilities within an organization.
- It covers the key functions and operations expected of CERT/CSIRT teams and is increasingly important to a mature cybersecurity strategy in many organizations.
Why it matters
- Identifying the technological trends in this domain helps outline and prescribe how threat discovery, attack mapping, threat modelling, and threat and vulnerability management should be carried out.
Adversary profiling with MITRE ATT&CK
Organizations are increasingly adopting the MITRE ATT&CK framework and moving to a threat-informed defense strategy. ATT&CK catalogues the tactics and techniques that threat actors have been observed using, so an organization can map its existing detections and controls to those techniques, find the gaps, and tailor its protection strategy to the adversaries most likely to target it.
Threat hunting for proactive protection
With digital transformation going full speed and the attack surface continuously expanding, the old-school approach of “building the defenses and waiting in the trenches” is no longer sustainable. Neither is the static approach of waiting for published IoCs and running one-off searches for them. Organizations will have to adopt threat hunting, proactively searching their environments for adversary behaviour that existing detections missed, and complement it with red teaming, which emulates real attackers to identify weaknesses before threat actors exploit them. Red teaming gives organizations better insight into the weaknesses in their environments and lets them mitigate those weaknesses proactively.
Automation and enrichment
In order to uncover threats and vulnerabilities efficiently across an expanding digital environment, organizations will have to automate their threat hunting activities. Automation also facilitates the work of CERT/CSIRT teams and accelerates threat detection. Threat hunting is strengthened further by automatically consolidating and enriching threat intelligence from different sources: the organization's own SOC detections, threat intelligence sharing communities, and cyber deception tools. A practical caveat: consolidation only helps if indicators are normalized (type names, case, formats) and their source is retained; otherwise duplicates inflate alert volume and analysts cannot judge how much confidence a match deserves.
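The three trends above (ATT&CK-mapped hunting, moving beyond one-off IoC searches, and automated consolidation of intelligence from SOC detections, sharing communities and deception tools) come together in a small hunting script. The following is an added example written for this page, not code from the original text or from any vendor or project. The three feeds, their file formats, the hostnames, the IP addresses (RFC 5737 documentation ranges) and the log lines are all constructed; the technique IDs are real MITRE ATT&CK identifiers.

```python
"""Added example: consolidate threat-intel feeds from several sources, then run
both IoC matches and behaviour-based (ATT&CK-mapped) hunt rules over log lines.
Feeds, formats, hosts and logs are constructed for the example."""
import csv
import io
import json
import re
from collections import defaultdict

# Constructed feed 1: the SOC's own detections, exported as CSV (hypothetical format).
SOC_CSV = """indicator,type,source
198.51.100.23,ip,soc-detection
evil-update.example,domain,soc-detection
"""

# Constructed feed 2: a sharing-community export in JSON (hypothetical format).
# Note the different type names and mixed case: normalization has to handle both.
SHARED_JSON = json.dumps({"indicators": [
    {"value": "198.51.100.23", "type": "ipv4"},
    {"value": "EVIL-UPDATE.example", "type": "fqdn"},
    {"value": "203.0.113.7", "type": "ipv4"},
]})

# Constructed feed 3: decoy hosts and accounts planted by a deception tool.
# Any touch of these is suspicious by definition, so they act as high-confidence IoCs.
DECEPTION_TXT = """decoy-fileserver.corp.example
svc_backup_decoy
"""

TYPE_ALIASES = {"ip": "ip", "ipv4": "ip", "domain": "domain", "fqdn": "domain", "user": "user"}


def normalize(value, kind):
    """Lower-case the value and map feed-specific type names onto one vocabulary."""
    return value.strip().lower(), TYPE_ALIASES.get(kind.lower(), kind.lower())


def consolidate_feeds():
    """Merge all sources into {(value, type): set(sources)}: duplicates collapse, provenance is kept."""
    merged = defaultdict(set)
    for row in csv.DictReader(io.StringIO(SOC_CSV)):
        merged[normalize(row["indicator"], row["type"])].add(row["source"])
    for ind in json.loads(SHARED_JSON)["indicators"]:
        merged[normalize(ind["value"], ind["type"])].add("sharing-community")
    for line in DECEPTION_TXT.splitlines():
        if line.strip():
            kind = "domain" if "." in line else "user"
            merged[normalize(line, kind)].add("deception")
    return dict(merged)


# Behavioural hunt rules: a pattern on the raw line mapped to a real ATT&CK technique ID.
BEHAVIOUR_RULES = [
    ("T1059.001", "PowerShell with encoded command", re.compile(r"powershell(\.exe)?\s.*-enc", re.I)),
    ("T1003", "OS Credential Dumping (lsass access)", re.compile(r"lsass\.exe", re.I)),
]

# Constructed log lines in a simple key=value format (hypothetical, not a real product's format).
LOGS = """2024-03-01T10:00:01 host=ws-17 user=alice proc=powershell.exe cmd="powershell -enc SQBFAFgA" dst=198.51.100.23
2024-03-01T10:00:05 host=ws-17 user=alice proc=chrome.exe dst=evil-update.example
2024-03-01T10:01:00 host=ws-17 user=alice proc=procdump.exe cmd="procdump -ma lsass.exe out.dmp"
2024-03-01T10:02:00 host=dc-01 user=svc_backup_decoy event=logon_failure src=10.0.0.5
2024-03-01T10:02:01 host=dc-01 user=svc_backup_decoy event=logon_failure src=10.0.0.5
2024-03-01T10:02:02 host=dc-01 user=svc_backup_decoy event=logon_failure src=10.0.0.5
2024-03-01T10:05:00 host=ws-03 user=bob proc=outlook.exe dst=mail.corp.example
"""

FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(line):
    """Split a key=value log line into a dict, stripping quotes from quoted values."""
    return {k: v.strip('"') for k, v in FIELD_RE.findall(line)}


def hunt(logs=LOGS, brute_force_threshold=3):
    """Return findings as (line_no, technique_or_IoC, reason) tuples."""
    intel = consolidate_feeds()
    findings = []
    failures = defaultdict(int)  # (src, user) -> failed logon count, for T1110 Brute Force
    for n, line in enumerate(logs.splitlines(), 1):
        if not line.strip():
            continue
        ev = parse(line)
        # 1. IoC matching against the consolidated intel, reporting which sources agree.
        for field, kind in (("dst", "ip"), ("dst", "domain"), ("user", "user")):
            key = (ev.get(field, "").lower(), kind)
            if key in intel:
                findings.append((n, "IoC", f"{field}={key[0]} seen in {sorted(intel[key])}"))
        # 2. Behavioural rules: catch the technique even when no indicator is known yet.
        for tid, name, rx in BEHAVIOUR_RULES:
            if rx.search(line):
                findings.append((n, tid, name))
        # 3. Stateful rule: repeated logon failures from one source against one account.
        if ev.get("event") == "logon_failure":
            key = (ev.get("src"), ev.get("user"))
            failures[key] += 1
            if failures[key] == brute_force_threshold:
                findings.append((n, "T1110", f"Brute Force: {brute_force_threshold} failures from {key[0]} on {key[1]}"))
    return findings


if __name__ == "__main__":
    for line_no, technique, reason in hunt():
        print(f"line {line_no}: {technique}: {reason}")
```

The IoC matcher and the behavioural rules answer different questions: the first asks "have we seen something already known to be bad?", the second asks "is someone behaving like an adversary, whether or not we have an indicator for them yet?". Keeping the source set on each merged indicator is what lets an analyst rank a hit from three independent feeds above a hit from one.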