Cyberattacks are regarded as the main challenge to security at the state level. The increasing frequency of and new trends in cyber threats require proper protection using best practices and technologies in organizations. Although it is impossible to prevent all attacks, an incident response team should react quickly to cyber threats and incidents. The team’s efforts should be revamped according to the demands of the organization.
Over the past decade, a number of security tools have been developed to help organizations fight cyberattacks. It is also essential to utilize the skills of the appropriate specialists who work for the organization. Some researchers emphasize that “incident response teams exist in a dynamic and constantly changing environment in which they must effectively engage in information management and problem solving while adapting to complex circumstances” (Steinke et al., 2015, p. 20).
The incident response team formed in the company should include specialists from the IT department to provide competent decisions and solve the problems that occur. It is also crucial to interact with other departments, such as human resources and legal, as well as with software vendors. It would be beneficial to include representatives of these departments in the incident response team to secure a timely and proper reaction to incidents.
Nevertheless, it is stated that it is not easy to implement a team, that forming a team of skilled members does not guarantee success, and that it is difficult to ensure teamwork (Van der Kleij, Kleinhuis, & Young, 2017). Therefore, the team members should participate in specific training programs to be able to solve complex problems effectively. Such aspects as process flow, tools, and individual effort play a significant role in achieving positive results as well.
It is crucial for the team to be provided with instrumental and technical resources to react to threats effectively. Thus, the team should use the guides provided by the National Institute of Standards and Technology to handle incidents. Each incident should be properly studied so that the knowledge about it can be transferred within the organization for further prevention. It is advisable to measure the effectiveness of the team in handling incidents. For example, the team might use advanced technical tools and solutions based on standardized protocols. There should also be tools to estimate the risk of a cyber threat and the size of the damage caused by an attack.
To protect its network and build an effective security system, the organization should use the knowledge provided by scholarly research on previous attacks. Some researchers state that “streaming of data through a network is the main source of an attack on that network and its aim is to disrupt the traffic going through that network making the network vulnerable to other attacks by reducing its integrity and confidentiality” (Rodrigues & Shobayo, 2017, p. 49). Usually, the security system of a company includes a firewall as the first level of defense and an intrusion detection system (IDS) and intrusion prevention system (IPS) as the next level of protection.
An IDS is used to monitor and detect attempts at unauthorized access to the company’s infrastructure. Such attempts are usually logged as events that generate an alert to enable an appropriate response. An IDS can be host-based, protecting a single local system, or network-based, analyzing packets and protecting multiple systems on the network. An IPS is defined as a new generation of IDS.
Such a system is capable of stopping an intrusion attempt or eliminating a threat by interacting with some external system. An IPS applies countermeasures in real time to prevent active threats. There are many IDS/IPS solutions available nowadays. For example, Snort, an open-source network-based IDS/IPS, could be recommended for the organization to build an architectural model and log the attacker’s activities, providing their analysis and categorization to assist in the event notification and escalation process.
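To make the IDS description above concrete, the following added example (not code from the report and not Snort’s) runs two threshold rules over constructed connection log lines and turns the hits into categorized, severity-ranked alerts of the kind that feed an escalation process. The log format, the two rules, their thresholds and the severity labels are all assumptions chosen for illustration.

```python
"""Threshold-based detection over constructed connection log lines.

Added example for this report; it is not code from the page and not Snort's.
The log format, the two rules, their thresholds and the severity labels are
assumptions chosen to illustrate how logged events become categorized alerts.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed sample: "<ISO time> <src_ip> <dst_ip> <dst_port> <result>"
SAMPLE_LOG = """\
2024-01-10T09:00:00 10.0.0.5 192.168.1.10 22 FAIL
2024-01-10T09:00:01 10.0.0.5 192.168.1.10 22 FAIL
2024-01-10T09:00:02 10.0.0.5 192.168.1.10 22 FAIL
2024-01-10T09:00:03 10.0.0.5 192.168.1.10 22 FAIL
2024-01-10T09:00:04 10.0.0.5 192.168.1.10 22 FAIL
2024-01-10T09:00:05 10.0.0.5 192.168.1.10 22 OK
2024-01-10T09:01:00 10.0.0.7 192.168.1.20 80 OK
2024-01-10T09:01:01 10.0.0.7 192.168.1.20 443 OK
2024-01-10T09:02:00 10.0.0.9 192.168.1.30 21 OK
2024-01-10T09:02:00 10.0.0.9 192.168.1.30 22 OK
2024-01-10T09:02:01 10.0.0.9 192.168.1.30 23 OK
2024-01-10T09:02:01 10.0.0.9 192.168.1.30 25 OK
2024-01-10T09:02:02 10.0.0.9 192.168.1.30 80 OK
2024-01-10T09:02:02 10.0.0.9 192.168.1.30 443 OK
2024-01-10T09:02:03 10.0.0.9 192.168.1.30 8080 OK
2024-01-10T09:02:03 10.0.0.9 192.168.1.30 3306 OK
2024-01-10T09:02:04 10.0.0.9 192.168.1.30 5432 OK
2024-01-10T09:02:04 10.0.0.9 192.168.1.30 6379 OK
"""


@dataclass(frozen=True)
class Event:
    ts: datetime
    src: str
    dst: str
    port: int
    result: str


@dataclass(frozen=True)
class Alert:
    category: str  # what the rule describes; used to classify the incident
    severity: str  # "high" is escalated before "medium"
    src: str
    detail: str


SEVERITY_RANK = {"high": 0, "medium": 1, "low": 2}

# Thresholds are assumptions tuned to the sample data, not vendor defaults.
FAIL_THRESHOLD, FAIL_WINDOW = 5, timedelta(seconds=60)
SCAN_THRESHOLD, SCAN_WINDOW = 10, timedelta(seconds=10)


def parse_log(text):
    """Turn the raw lines into Event records, sorted by time."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port, result = line.split()
        events.append(Event(datetime.fromisoformat(ts), src, dst, int(port), result))
    return sorted(events, key=lambda e: e.ts)


def _max_in_window(events, window, key=None):
    """Sliding window: most events (or distinct key values) inside any window."""
    best, start, seen = 0, 0, Counter()
    for end, ev in enumerate(events):
        seen[key(ev) if key else end] += 1
        while ev.ts - events[start].ts > window:
            old = key(events[start]) if key else start
            seen[old] -= 1
            if seen[old] == 0:
                del seen[old]
            start += 1
        best = max(best, len(seen))
    return best


def detect(events):
    """Apply both rules per source and return alerts, highest severity first."""
    alerts = []
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev.src].append(ev)

    for src, evs in by_src.items():
        # Rule 1: repeated failed connections from one source in a short window.
        fails = [e for e in evs if e.result == "FAIL"]
        n = _max_in_window(fails, FAIL_WINDOW)
        if n >= FAIL_THRESHOLD:
            alerts.append(Alert("repeated-auth-failure", "high", src,
                                f"{n} failures within {FAIL_WINDOW.seconds}s"))
        # Rule 2: many distinct destination ports on one host from one source.
        for dst in sorted({e.dst for e in evs}):
            to_dst = [e for e in evs if e.dst == dst]
            n = _max_in_window(to_dst, SCAN_WINDOW, key=lambda e: e.port)
            if n >= SCAN_THRESHOLD:
                alerts.append(Alert("port-sweep", "medium", src,
                                    f"{n} distinct ports on {dst} within {SCAN_WINDOW.seconds}s"))
    return sorted(alerts, key=lambda a: SEVERITY_RANK[a.severity])


if __name__ == "__main__":
    for alert in detect(parse_log(SAMPLE_LOG)):
        print(f"[{alert.severity}] {alert.category} from {alert.src}: {alert.detail}")
```

On the sample, source 10.0.0.5 trips the failure rule and 10.0.0.9 trips the port-sweep rule while 10.0.0.7 produces nothing; the category and severity on each alert are what the notification and escalation step would key on.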
To secure an effective process for handling and classifying incidents, NIST Special Publication 800-61 Revision 1 is recommended. It provides guidance for the appropriate handling of various network security incidents to determine a timely and proper response to them. It also provides information about performing an initial analysis of an incident, with recommendations to make it easier.
It is generally recognized that logs are a rich source of data for analyzing the events that occur in the organization’s network and for troubleshooting. Therefore, many vendors have focused on building new solutions for log management that provide storage and reporting for event logs. For example, software such as Splunk is able to index data automatically, including unstructured and complex log data, making it easy to search for specific events without additional connectors or limitations on scalability.
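The following added example (not code from the report and not Splunk’s) shows the mechanism behind that claim: log lines from three different sources are indexed at ingest time with no schema declared, and an analyst can then find a specific event with a plain term query or a key=value field query. The sample lines, the tokenizer, the field extraction and the query syntax are all assumptions chosen for illustration.

```python
"""Schema-free log indexing and search over constructed, mixed-format log lines.

Added example for this report; it is not code from the page and not Splunk's.
The sample lines, the tokenizer, the key=value extraction and the query
syntax are assumptions used to show why indexing at ingest time lets an
analyst search for a specific event without a per-source connector.
"""
import re
from collections import defaultdict

# Constructed lines in three formats (firewall syslog, sshd syslog, web access
# log) arriving with no schema declared in advance.
SAMPLE_LOGS = [
    "Jan 10 09:00:01 fw01 kernel: DROP IN=eth0 SRC=10.0.0.5 DST=192.168.1.10 DPT=22",
    "Jan 10 09:00:02 srv01 sshd[1312]: Failed password for admin from 10.0.0.5 port 51022 ssh2",
    "Jan 10 09:00:03 srv01 sshd[1312]: Failed password for admin from 10.0.0.5 port 51023 ssh2",
    '10.0.0.7 - - [10/Jan/2024:09:01:00 +0000] "GET /login HTTP/1.1" 200 512',
    '10.0.0.7 - - [10/Jan/2024:09:01:05 +0000] "POST /login HTTP/1.1" 401 128',
    "Jan 10 09:02:00 srv01 sshd[1340]: Accepted password for admin from 10.0.0.5 port 51030 ssh2",
]

TOKEN_RE = re.compile(r"[A-Za-z0-9_.-]+")        # assumption: what counts as a searchable term
KV_RE = re.compile(r"\b([A-Za-z]{2,4})=(\S+)")   # key=value fields such as SRC=10.0.0.5


def tokenize(line):
    """Lower-cased set of terms; punctuation splits, so '/login' yields 'login'."""
    return {tok.lower() for tok in TOKEN_RE.findall(line)}


class LogIndex:
    """Inverted index: term -> line ids, plus (key, value) -> line ids."""

    def __init__(self):
        self.lines = []
        self.postings = defaultdict(set)
        self.fields = defaultdict(set)

    def add(self, line):
        """Index one raw line and return its id; no format needs to be declared."""
        doc_id = len(self.lines)
        self.lines.append(line)
        for term in tokenize(line):
            self.postings[term].add(doc_id)
        for key, value in KV_RE.findall(line):
            self.fields[(key.lower(), value.lower())].add(doc_id)
        return doc_id

    def search(self, query):
        """Return ids of lines matching every whitespace-separated query term.

        A term of the form key=value matches an extracted field only, so
        'src=10.0.0.5' finds the firewall line but not the sshd lines.
        """
        ids = None
        for term in query.lower().split():
            if "=" in term:
                key, value = term.split("=", 1)
                hits = self.fields.get((key, value), set())
            else:
                hits = self.postings.get(term, set())
            ids = hits if ids is None else ids & hits
        return sorted(ids or [])

    def matching_lines(self, query):
        """Convenience wrapper returning the raw lines instead of ids."""
        return [self.lines[i] for i in self.search(query)]


def build_index(lines):
    index = LogIndex()
    for line in lines:
        index.add(line)
    return index


if __name__ == "__main__":
    idx = build_index(SAMPLE_LOGS)
    for q in ("failed 10.0.0.5", "src=10.0.0.5", "login 401"):
        print(q, "->", idx.matching_lines(q))
```

The point of the example is that the sshd, firewall and web lines never had to be mapped into a common schema before they became searchable; the term index alone answers “failed 10.0.0.5”, and the opportunistic key=value extraction gives a field query where the source happened to provide one.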
Some researchers also note that it is beneficial to use cloud services for log management systems to minimize the risk of data loss (Duela & Sivaraman, 2015). If the organization does not utilize any log management system, timely detection and analysis of events connected with cyberattacks will be problematic.
This report provided some suggestions for revamping the efforts of the incident response team in the organization. The structure of the team was specified, as well as the necessity of appropriate training for its members. Specific tools and software for attack prevention and detection and for log management were reviewed.
References
Duela, J. S., & Sivaraman, K. (2015). Cloud services for efficient log management. Indian Journal of Science and Technology, 8(32), 1-5.
Rodrigues, M., & Shobayo, O. (2017). Design and implementation of a low-cost low interaction IDS/IPS system using virtual honeypot approach. Covenant Journal of Informatics & Communication Technology, 5(1), 48-64.
Steinke, J., Bolunmez, B., Fletcher, L., Wang, V., Tomassetti, A. J., Repchick, K. M.,… Tetrick, L. E. (2015). Improving cybersecurity incident response team effectiveness using teams-based research. IEEE Security & Privacy, 13(4), 20-29.
Van der Kleij, R., Kleinhuis, G., & Young, H. (2017). Computer security incident response team effectiveness: A needs assessment. Frontiers in Psychology, 8, 2179.