The Incident Response Taxonomy
What should you do following a cybersecurity breach? Fortune 100 Incident Response expert Tim Bandos explains one of the key tiers of an incident response classification framework: the incident taxonomy.
Your incident response framework should consist of two tiers: classification at the top level (category, type and severity) and, beneath it, taxonomy. Using both will help you prioritize your actions during an incident and respond efficiently. In a Digital Guardian webinar, Digital Guardian's Director of Cyber Security Tim Bandos presented one of his most requested topics: the Incident Responder's Field Guide. What follows is a preview of that webinar.
An incident has occurred and you've triaged it by category, type and severity. What do you do next? Classifying the incident against the seven criteria of the taxonomy tier will help you decide on a plan of action to resolve it and to avoid similar incidents in the future.
The Seven Criteria of Incident Taxonomy
1. What was the method used to detect the incident?
Detection methods include end users, third-party services, a DLP solution, law enforcement, and so on. Record the detection method at triage time, not after the fact, so that when you look back across all your incidents you can see which tools, technologies, or users are actually reporting them. That tells you whether you're investing your money in the right places.
2. What was the attack vector?
Did the breach occur via a phishing email, an end-user action, or a weak password? If the attack vector was email, you may need to invest in filtering at the email gateway layer. If it was a weak password, the fix is a stronger password policy and multi-factor authentication, backed by employee training. Knowing the attack vector helps you decide where to focus your security initiatives.
3. How did the incident impact your organization?
Did an employee get dismissed? Was the brand image negatively affected? Or was there a compromise of IP? The impact will dictate the appropriate path to recovery.
4. What was the intent of the incident?
Was it malicious? Accidental? Espionage? Figuring out the intent of the incident will help you develop meaningful metrics as you continue in your incident response.
5. What kind of data was exposed?
Was the data public? Confidential? PCI or PII? Determining the type of data exposed tells you which kinds of information in your organization are being targeted, and, for regulated data such as PCI or PII, whether notification obligations apply.
6. How did you mitigate the incident?
Did you have to apply an OS patch? Did you have to deliver user awareness training? If a large share of your incidents are remediated by training, preventive controls that reduce reliance on user judgment will pay off. If many are fixed by software updates and OS patches, you should shorten your patch cycle. How you mitigate incidents, especially once a pattern develops, tells you which preventive measures to put in place.
7. What was the root cause of the incident?
The root cause of an incident could be theft, disregard of company policy, a security control failure or gap, service provider negligence, or user negligence, among other things. Keep root cause distinct from attack vector: the vector describes how the attacker got in, the root cause describes why that was possible.
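The seven criteria only pay off when every incident is recorded against the same closed vocabulary and the records are aggregated. The following is an added example, not code from the webinar or from Digital Guardian: it encodes each criterion as a controlled vocabulary, rejects records that use free-text values, and computes the pattern summaries the criteria call for (detection-source share for criterion 1, recurring mitigations for criterion 6, and root cause broken down by attack vector for criterion 7). The field names, the vocabulary entries beyond the article's own examples, and the six sample incidents are constructed for illustration.

```python
"""Added example: record incidents against the seven taxonomy criteria and
mine the records for the patterns the taxonomy is meant to surface."""
from collections import Counter, defaultdict
from dataclasses import dataclass

# Controlled vocabulary per criterion. Entries follow the article's examples
# (plus "credential reset", an assumed mitigation); extend the sets with your
# own values, but keep them closed so counts across incidents stay comparable.
TAXONOMY = {
    "detection_method": {"end user", "3rd party service", "DLP solution", "law enforcement"},
    "attack_vector": {"phishing email", "end-user action", "weak password"},
    "impact": {"employee dismissed", "brand damage", "IP compromise"},
    "intent": {"malicious", "accidental", "espionage"},
    "data_exposed": {"public", "confidential", "PCI", "PII"},
    "mitigation": {"OS patch", "user training", "credential reset"},
    "root_cause": {"theft", "policy disregard", "control gap",
                   "provider negligence", "user negligence"},
}


@dataclass(frozen=True)
class Incident:
    incident_id: str
    detection_method: str
    attack_vector: str
    impact: str
    intent: str
    data_exposed: str
    mitigation: str
    root_cause: str

    def __post_init__(self):
        # Reject free-text values: one misspelled "DLP" would split the counts.
        for field, allowed in TAXONOMY.items():
            value = getattr(self, field)
            if value not in allowed:
                raise ValueError(f"{self.incident_id}: {field}={value!r} is not in the taxonomy")


def count_by(incidents, field):
    """Raw count of incidents per value of one criterion."""
    return Counter(getattr(i, field) for i in incidents)


def share_by(incidents, field):
    """Fraction of incidents per value of one criterion (e.g. which detection
    sources are actually reporting incidents)."""
    counts = count_by(incidents, field)
    total = sum(counts.values())
    return {value: n / total for value, n in counts.items()}


def recurring(incidents, field, threshold):
    """Values of a criterion that account for at least `threshold` of all
    incidents: the 'a pattern develops' test applied to mitigations."""
    return sorted(v for v, share in share_by(incidents, field).items() if share >= threshold)


def cross_tab(incidents, row_field, col_field):
    """One criterion broken down by another, e.g. root cause per attack vector."""
    table = defaultdict(Counter)
    for i in incidents:
        table[getattr(i, row_field)][getattr(i, col_field)] += 1
    return {row: dict(cols) for row, cols in table.items()}


# Constructed sample records for illustration; not real incidents.
SAMPLE = [
    Incident("INC-1", "DLP solution", "end-user action", "IP compromise", "accidental",
             "confidential", "user training", "user negligence"),
    Incident("INC-2", "end user", "phishing email", "brand damage", "malicious",
             "PII", "credential reset", "control gap"),
    Incident("INC-3", "DLP solution", "end-user action", "IP compromise", "malicious",
             "confidential", "user training", "policy disregard"),
    Incident("INC-4", "3rd party service", "weak password", "IP compromise", "espionage",
             "confidential", "credential reset", "control gap"),
    Incident("INC-5", "DLP solution", "phishing email", "employee dismissed", "malicious",
             "PCI", "OS patch", "control gap"),
    Incident("INC-6", "law enforcement", "weak password", "brand damage", "malicious",
             "PII", "credential reset", "provider negligence"),
]

if __name__ == "__main__":
    print("detection share:", share_by(SAMPLE, "detection_method"))
    print("recurring mitigations (>= 50%):", recurring(SAMPLE, "mitigation", 0.5))
    print("root cause by vector:", cross_tab(SAMPLE, "attack_vector", "root_cause"))
```

On the sample data the DLP solution accounts for half of all detections, credential resets are the one mitigation that crosses the 50% line, and every phishing incident traces back to a control gap; those are the findings that justify spending on the gateway, on MFA, or on a control review rather than on whatever was loudest last week. In practice the records come from your ticketing system's export, and the `__post_init__` check is what keeps that export usable for these aggregations.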
Taxonomy provides an additional layer of information about an incident so that you can identify the root cause and, over time, the patterns. The information you gather at this stage of the incident response classification framework makes it easier to contain the incident and handle it correctly.