“You better check yourself before you wreck yourself.”
Only when you know, and can describe, exactly what you are trying to protect can you develop an effective playbook and incident response program. Starting with tools and technology is truly putting the cart before the horse. Remember that as defenders, we do not have the luxury of defining the attacks used against us. We can only decide what we believe is most important to protect and react when it is threatened. The attackers have their own ideas about what is valuable, but it is up to us to determine where they are most likely to strike, and what is at stake if we lose.
When we originally developed our playbook, some of our earliest requirements were that it enable us to:
Detect malware-infected machines
Detect advanced and sophisticated attacks
Detect suspicious network activity
Detect anomalous authentication attempts
Detect unauthorized changes and services
Describe and understand inbound and outbound traffic
Provide custom views into critical environments
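Every one of these requirements presupposes two things that are easy to take for granted: an inventory of the hosts being protected, and knowledge of which of those hosts are actually sending logs. The following Python script is an added example, not code from the book or from the Cisco CSIRT playbook. It reconciles a constructed CMDB export against the hostname field of constructed syslog lines and reports three gaps a playbook cannot work around: systems that log but are not in the inventory (unknown systems), inventoried systems that never log (blind spots), and inventoried systems with no recorded owner (nothing to trace back to). All hostnames, addresses and owners are hypothetical.

```python
import csv
import io
import re
from dataclasses import dataclass

# Constructed CMDB export; hostnames, addresses and owners are hypothetical.
INVENTORY_CSV = """hostname,ip,owner,environment
web-01,10.0.1.10,webteam@example.com,production
web-02,10.0.1.11,webteam@example.com,production
db-01,10.0.2.20,dba@example.com,production
build-07,10.0.3.70,,lab
"""

# Constructed syslog lines in the traditional BSD format; the fourth field is
# the HOSTNAME that the reconciliation keys on.
SYSLOG_LINES = """\
Mar  4 10:01:02 web-01 sshd[4021]: Accepted publickey for deploy from 10.0.9.5 port 51422 ssh2
Mar  4 10:01:07 db-01 sshd[1190]: Failed password for root from 203.0.113.44 port 40022 ssh2
Mar  4 10:02:15 build-07 systemd[1]: Started Nightly Build Service.
Mar  4 10:03:40 10.0.5.99 sshd[2201]: Accepted password for admin from 198.51.100.7 port 60011 ssh2
Mar  4 10:04:01 web-01 sudo: deploy : TTY=pts/0 ; PWD=/srv ; USER=root ; COMMAND=/bin/systemctl restart nginx
"""

# Timestamp ("Mar  4 10:01:02") followed by the HOSTNAME field.
SYSLOG_RE = re.compile(r"^\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2} (?P<host>\S+) ")


def hosts_in_logs(text: str) -> set[str]:
    """Return every hostname or IP that appears in the syslog HOSTNAME field."""
    hosts = set()
    for line in text.splitlines():
        m = SYSLOG_RE.match(line)
        if m:
            hosts.add(m.group("host"))
    return hosts


def load_inventory(text: str) -> list[dict]:
    """Parse the CMDB export into one dict per asset."""
    return list(csv.DictReader(io.StringIO(text)))


@dataclass
class ReconciliationReport:
    unknown_systems: set[str]   # emit logs but are absent from the inventory
    silent_systems: set[str]    # in the inventory but never seen in the logs
    unowned_systems: set[str]   # in the inventory but with no owner to contact


def reconcile(inventory_text: str, syslog_text: str) -> ReconciliationReport:
    inventory = load_inventory(inventory_text)
    # Index assets by both hostname and IP, since syslog may carry either.
    known = {}
    for row in inventory:
        known[row["hostname"]] = row
        known[row["ip"]] = row

    seen = hosts_in_logs(syslog_text)
    unknown = {h for h in seen if h not in known}
    seen_hostnames = {known[h]["hostname"] for h in seen if h in known}
    silent = {row["hostname"] for row in inventory
              if row["hostname"] not in seen_hostnames}
    unowned = {row["hostname"] for row in inventory if not row["owner"].strip()}
    return ReconciliationReport(unknown, silent, unowned)


if __name__ == "__main__":
    report = reconcile(INVENTORY_CSV, SYSLOG_LINES)
    print("Unknown systems (logging, not in inventory):", sorted(report.unknown_systems))
    print("Silent systems (in inventory, no logs):     ", sorted(report.silent_systems))
    print("Unowned systems (no one to trace back to):  ", sorted(report.unowned_systems))
```

Run against real data, each of the three sets is a work item rather than an alert: an unknown system needs an owner and an inventory record before any detection rule can mean anything, a silent system needs its log forwarding fixed, and an unowned system needs someone who will answer the phone during an incident.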
It’s impossible to determine your risk (and subsequently how to manage it) if you are not aware of what you have and what you have to lose. An unknown system, with no log information and not even a reasonable way to trace it back to an owner, presents a significant risk to the organization. Imagine a datacenter filled with a ...