Make the right incident-response decision using Active Response software

To respond to, manage, and recover from a cyberattack, your organization may establish an incident response plan. It’s important to recover from a cyberattack as soon as possible and reduce damage.

The SANS Institute lays out a six-step incident response plan: preparation, identification, containment, eradication, recovery, and lessons learned. Within the preparation stage, you should focus on creating policies and procedures in case of cyberbreaches, establishing alerts, and training a response team. The identification stage involves detecting the breach. Once located, it’s time to contain it, preventing further penetration and damage. Following containment is eradication. Neutralize the threat quickly and restore internal systems, then proceed to the recovery stage. In this step, you should ensure any systems affected by the breach are no longer vulnerable, determine the cost of the breach, and return systems to working conditions while continuing to monitor for abnormal activities. Finally, it may be essential to re-evaluate policies and procedures, create a detailed report to be used in future training, and review your team’s decisions to improve future responses.

You can also think about incident response as the OODA (Observe, Orient, Decide, Act) Loop. In this loop, incident response starts by monitoring your network security to identify unusual behavior. Valuable monitoring tools to consider using include network-based and host-based intrusion detection systems, NetFlow analyzers, log analyzers and managers, vulnerability scanners, and web proxies. You might also consider investing in availability monitoring, as application and service outages are often the first indicators of incidents.

Once you’ve observed a potential problem, it’s time to investigate. Performing asset inventory and threat intelligence security research will enable you to gain context and make valuable connections in real-time, allowing you to better evaluate the situation. Once you’ve gathered enough information and taken your company’s corporate security policy into account, you can decide which strategy is best for reducing damage and recovering quickly. The final step, Act, involves remediation and recovery as well as using the lessons you’ve learned to improve your organization’s incident response procedures. Using data capture and incident response forensics tools, system backup and recovery tools, and patch management tools can allow you to resume normal operations and create legal audit trails. Since many attacks are initiated by a phishing or spear-phishing email, raising security awareness within your organization via training tools and programs can also hinder future attacks.

Whether you follow the six-step incident response plan or the OODA Loop, having an effective incident response strategy should be one of your organization's top priorities.

Every organization should establish an effective incident response plan to ensure they’re prepared to handle and recover from cyberattacks and data breaches. While there are many different elements in an incident response plan, enabling active responses against abnormal activities and attacks is one of the most essential parts of any incident response strategy.

If you use the SANS Institute’s six-step incident response process, you and your team may need to take active responses during the containment and eradication stages. If you respond to incidents using the OODA Loop, engaging in active responses falls under the Act portion.

As part of your effective incident response plan, you may need to:

• Disable an agent’s access to the network
• Block specific IP addresses
• Restart machines or Windows services
• Delete user accounts and user groups from agents
• Disconnect USB devices from agents
• Enable and disable domain and local user accounts
• Escalate potential issues
• Kill processes by ID or name
• Log off users
• Reset user account passwords
• Send email messages to specific recipients
• And more

Consider investing in software with Security Information Management (SIM), Security Event Management (SEM), or Security Information and Event Management (SIEM) capabilities. An incident response tool will not only collect valuable information from your devices’ event logs, but it can also perform actions like those listed above to automatically block cybersecurity threats, allowing you to use your time more effectively during attacks.

Cyberattacks are increasing in scale and frequency, making it more difficult for organizations to defend themselves and their data. Consequently, creating procedures and training your organization’s members to react to attacks are essential, but the work doesn’t end there. You’ll also have to locate and neutralize threats before returning everything to working order and reviewing your team’s choices.

Simple changes can wreak havoc on your systems and lead to serious problems, making fast incident response a top priority for any organization. However, manually monitoring and responding to various changes, such as escalated user privileges, can be tedious and time-consuming. A powerful incident response tool like SolarWinds Security Event Manager (SEM) simplifies the monitoring process and enables you to respond quickly to any incidents. SEM is built to give you a better idea of what’s happening on your network and automatically take action to protect your system when certain predefined events occur.

Establishing and following an effective incident response strategy can save your organization time, money, and frustration. It may also protect your organization from increased government regulation. Using security incident response tools as part of your incident response strategy can optimize your organization’s ability to quickly and effectively detect, combat, and recover from an attack.

A cyberincident response tool can simplify collecting, standardizing, and cataloging data from across your network. Gathering and monitoring information from across your network falls under the Observe section of the OODA Loop (or the identification stage of the SANS Institute’s six-step incident response plan) and provides visibility into your network. This increased visibility can accelerate intrusion detection, allowing you to improve security and stop potential threats in their tracks.

In addition to collecting and analyzing data, it’s essential to act on that information. Most security incident response tools offer real-time log analysis and can automatically notify you if any events pass predefined thresholds. Security incident response tools can also automatically perform several actions in response to abnormalities, such as blocking IP addresses, restarting servers, logging users off, or disabling an agent’s access to the network. If you need a way to protect all your sites from an attack that doesn’t involve configuring multiple block IP actions for each site, some incident response software will allow you to do that, too.

SolarWinds Security Event Manager (SEM) offers key incident response capabilities, including the ability to collect, display, and alert on information in real time, as well as the ability to perform active responses. Out-of-the-box connectors and compliance reporting templates also help you stay on top of events occurring within your network and meet many security and compliance requirements.

This incident response tool enables you to configure active responses (also known as event responses) to combat attacks and other suspicious activities. For example, if your organization uses Active Directory and someone without the necessary credentials tries to access administrative privileges (one of the earliest signs of a cyberattack), you can configure SEM to immediately notify you or one of your colleagues, block the IP address, disable networking, and shut down the machine. Similarly, if an unauthorized local user joins a privileged group, SEM can automatically remove them and alert you. You can even customize your notifications to ensure you’re updated about critical issues immediately and aren’t bombarded with unnecessary alerts.

To configure SEM to execute specific responses when triggered by certain events, select Rules within the SEM Console. Choose a rule from the list and then click Edit followed by Next. Click Add to add a new action, then select a response action type before clicking Next. Choose your options based on action type from the Define Action drop-down lists. Then click Add.

If there no rules suit your needs, you can create a new rule by clicking the Rules tab on the SEM Console. Click Create New Rule and drag one or more searchable filter values (from the left) into the rule definition builder (on the right). To select a value, you can expand the rule values group or use the search field. Then click the + icon and define the condition before selecting an option from the drop-down list or typing a keyword or value. You can adjust SEM’s And operator, set the number of times specific conditions must be met within a certain time, and set the response window. Then click Next before naming, describing, tagging, and saving your new rule.

You’ll probably want your new rule to trigger an action, so click Add New Action and select an action from the list or search for one. Define and add the trigger action before clicking Create. If you want to use your new rule and the action it triggers in test mode, click on the vertical ellipsis to the right of the rule. Then toggle the test mode switch.

With these steps, you can easily set up SEM to perform the incident response actions you prefer and help automate and improve protection across your environment.

Other SolarWinds tools to help secure IT environments:

• SolarWinds Patch Manager
• SolarWinds Access Right Manager
• SolarWinds Identity Monitor
• SolarWinds Server Configuration Monitor

Related features:

• Network Security Monitoring Software
• Cyber Threat Analysis Tool
• APT Security Software (Advanced Persistent Threat Defense)
• USB Security Software
• Security Orchestration and Automation
• Advanced Endpoint DLP