Breach Readiness Framework
Every organization is going to experience a breach. Be prepared.
Whether your security program is well funded and well resourced, so that the only breaches you experience fall under tolerable risk and unknown unknowns, or it is underfunded and you are struggling to patch known exploited vulnerabilities, on a long enough timeline you are going to experience a breach.
Using This Framework
This framework is a collection of security programs critical for breach preparedness designed to make sure you’re thinking about the important things. What you include in your breach readiness program and what effective and mature looks like for each control will be different based on organizational and risk factors. I recommend grading each of your programs/controls “Not Functioning”, “Partially Functioning”, or “Fully Functioning” based on how effective/mature it is during your breach readiness exercises.
Detection
An organization’s ability to detect security breaches. The earlier you detect a security incident, the faster you can triage and respond to it, either preventing it from turning into a reportable breach or containing it before it affects more data and becomes more costly.
Detection Engineering
Technology/Process/People: SIEM, SOAR, EDR, Secure Email Gateway, Detection Engineering and Security Operations Teams
The ability to implement and write detections for malicious activity. You may have out of the box detections from your EDR, identity provider, SIEM, and more. But in order to be effective at detecting breaches, you need to be able to identify and respond to malicious activity that is unique to your organization, technology, and environment. You also need to be able to tune standard alerts to your organization, to ensure that true positives are properly triaged and false positives are filtered out.
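To make the "unique to your organization" point concrete, here is an added example (not part of the original framework) of one environment-specific detection with the tuning layered on top. The host naming convention, the corporate IP ranges, the allowlist entry and the sample events are all assumptions constructed for the illustration; the idea is that no vendor rule knows which of your hosts are production bastions or which address ranges are yours, and that tuning should be an explicit, reviewable exception rather than a deleted rule.

```python
import ipaddress
from dataclasses import dataclass
from typing import Callable, Optional

# Assumed corporate source ranges (10/8 plus an RFC 5737 documentation range standing
# in for a VPN egress block). Replace with your own.
CORP_RANGES = [ipaddress.ip_network("10.0.0.0/8"),
               ipaddress.ip_network("203.0.113.0/24")]

# Tuning: (user, host) pairs known to trip the rule for benign reasons. Every entry
# carries the ticket that justified it so the exception can be reviewed and expired.
ALLOWLIST = {
    ("svc-backup", "bastion-prod-1"): "SEC-1234: offsite backup runner connects from a fixed external IP",
}


@dataclass
class Alert:
    rule: str
    user: str
    host: str
    src_ip: str
    disposition: str = "open"   # "open" reaches the analyst queue, "suppressed" is logged only
    reason: str = ""


def from_corp(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CORP_RANGES)


def prod_bastion_external_login(event: dict) -> Optional[Alert]:
    """Environment-specific rule: a successful SSH login to a production bastion
    from outside the corporate ranges. The bastion naming convention and the
    address ranges are the organization-specific knowledge a stock rule lacks."""
    if event.get("event_type") != "ssh_login" or event.get("result") != "success":
        return None
    if not event.get("host", "").startswith("bastion-prod"):
        return None
    if from_corp(event["src_ip"]):
        return None
    return Alert("prod_bastion_external_login", event["user"], event["host"], event["src_ip"])


RULES: list[Callable[[dict], Optional[Alert]]] = [prod_bastion_external_login]


def evaluate(events, rules=RULES, allowlist=ALLOWLIST):
    """Run every rule over every event, then apply tuning. Suppressed alerts are kept
    so you can audit what the allowlist hides and notice when an exception goes stale."""
    alerts = []
    for event in events:
        for rule in rules:
            alert = rule(event)
            if alert is None:
                continue
            key = (alert.user, alert.host)
            if key in allowlist:
                alert.disposition = "suppressed"
                alert.reason = allowlist[key]
            alerts.append(alert)
    return alerts


def summarize(alerts):
    return {d: sum(1 for a in alerts if a.disposition == d) for d in ("open", "suppressed")}


# Constructed sample telemetry, not real log data.
SAMPLE_EVENTS = [
    {"event_type": "ssh_login", "result": "success", "user": "alice",      "host": "bastion-prod-1", "src_ip": "10.1.2.3"},
    {"event_type": "ssh_login", "result": "success", "user": "bob",        "host": "bastion-prod-1", "src_ip": "198.51.100.7"},
    {"event_type": "ssh_login", "result": "success", "user": "svc-backup", "host": "bastion-prod-1", "src_ip": "198.51.100.9"},
    {"event_type": "ssh_login", "result": "failure", "user": "bob",        "host": "bastion-prod-1", "src_ip": "198.51.100.7"},
    {"event_type": "ssh_login", "result": "success", "user": "carol",      "host": "dev-box-3",      "src_ip": "198.51.100.7"},
]

if __name__ == "__main__":
    for alert in evaluate(SAMPLE_EVENTS):
        print(alert)
    print(summarize(evaluate(SAMPLE_EVENTS)))
```

Only bob's login reaches the queue; the backup account's login is recorded as suppressed with its justification attached. Keeping suppressed alerts visible is what lets a readiness exercise ask "what is this allowlist currently hiding, and is each entry still valid?"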
Threat Intelligence
Technology/Process/People: IoCs, Reports, ISACs, TIP, Threat Intelligence and Security Operations Teams
The ability to collect, analyze, and disseminate threat intelligence. In addition to enriching detections and helping identify malicious behavior, threat intelligence should inform your detections, controls, and overall security strategy to effectively mitigate breaches.
Endpoint Security
Technology/Process/People: EDR, Incident Response, Detection and Response and Enterprise Security Teams
The ability to collect telemetry from and detect/prevent malware on endpoints.
Email/Communications Security
Technology/Process/People: Secure Email Gateway, Incident Response, Detection and Response and Enterprise Security Teams
The ability to detect malicious and social engineering activity over communications platforms like email and Slack.
Vulnerability Scanning and Discovery
Technology/Process/People: Vulnerability Scanners, Application Assessments, Penetration Testing, Vulnerability Management, Product Security Team
In the event that a new vulnerability is introduced into or discovered in your environment, you should be able to detect and remediate it.
Deception Technology
Technology/Process/People: Canaries and Tokens, Incident Response, Detection and Response and Enterprise Security Teams
The ability to position canaries that adversaries are likely to trip and effectively respond to those alerts.
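Here is an added example (not from the original framework) of the bookkeeping behind a canary program: minting tokens from a secret so the registry can be rebuilt from the placement list alone, and scanning telemetry for any of them. The placements, the share-link host, the secret and the sample log lines are assumptions constructed for the illustration. One caveat: the AWS-style key id below is only a lookalike string. It is detectable here because the constructed CloudTrail line happens to be in your own telemetry; a real AWS canary key has to be issued from an account you control (or by a token service) so that AWS logs its use and forwards it to you. Tokens that hit infrastructure you own, such as share URLs, internal hostnames or DNS names, are detectable by plain substring matching in your own logs.

```python
import hashlib
import hmac
from dataclasses import dataclass
from typing import Iterable

# Assumed: one secret held by the deception program. Tokens are derived from it and
# the placement name, so the registry can be regenerated from the placement list alone.
CANARY_SECRET = b"replace-me-with-32-random-bytes"

# Where each canary is planted and what shape it takes. "aws_key" is a lookalike key id
# planted where credential-hunting tooling will find it; "url" is a share link whose path
# segment is the token, planted in documents an intruder would read.
PLACEMENTS = {
    "repo:infra/.env.example": "aws_key",
    "wiki:Engineering/Onboarding": "url",
    "fileshare:Finance/Q3-board-deck.xlsx": "url",
}

SHARE_BASE = "https://docs.corp.example/share/"   # assumed internal host you control


def mint(placement: str, kind: str, secret: bytes = CANARY_SECRET) -> str:
    """Derive the distinctive token string for a placement."""
    digest = hmac.new(secret, placement.encode(), hashlib.sha256).hexdigest().upper()
    if kind == "aws_key":
        return "AKIA" + digest[:16]          # 20 chars, same shape as a real AWS access key id
    return digest[:24].lower()               # opaque path segment for a share URL


def planted_artifact(placement: str, kind: str) -> str:
    """The exact string written into the file or page."""
    token = mint(placement, kind)
    return token if kind == "aws_key" else SHARE_BASE + token


def build_registry(placements: dict = PLACEMENTS) -> dict:
    return {mint(p, k): p for p, k in placements.items()}


@dataclass
class CanaryHit:
    token: str
    placement: str
    source: str
    line: str


def scan(lines: Iterable[tuple], registry: dict) -> list:
    """Substring search across any telemetry. A canary has no legitimate use, so any
    match is a true positive; the placement tells you what the intruder has read."""
    hits = []
    for source, line in lines:
        for token, placement in registry.items():
            if token in line:
                hits.append(CanaryHit(token, placement, source, line))
    return hits


# Constructed sample telemetry, not real logs.
_KEY = mint("repo:infra/.env.example", "aws_key")
_PATH = mint("wiki:Engineering/Onboarding", "url")
SAMPLE_LOGS = [
    ("cloudtrail", '{"eventName":"GetCallerIdentity","userIdentity":{"accessKeyId":"' + _KEY
                   + '"},"sourceIPAddress":"198.51.100.23","errorCode":"AccessDenied"}'),
    ("nginx", '198.51.100.23 - - [02/Oct/2024:11:41:07 +0000] "GET /share/' + _PATH
              + ' HTTP/1.1" 404 0 "-" "curl/8.4.0"'),
    ("nginx", '10.4.2.9 - - [02/Oct/2024:11:42:19 +0000] "GET /share/welcome HTTP/1.1" 200 1024 "-" "Mozilla/5.0"'),
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_LOGS, build_registry()):
        print(f"[{hit.source}] canary from {hit.placement} used: {hit.line}")
```

The two hits tell you not just that someone is inside, but that they have read the infra repo's example env file and the onboarding wiki page, which is the context the responding analyst needs. The "effectively respond" half of this control is the runbook that maps each placement to the systems an intruder who reached it could have touched.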
Indicators and Warnings
Technology/Process/People: Brand Monitoring, Dark Web Scanning, Compromised Account Detection, Threat Intelligence, Threat Intelligence and Security Operations Teams
A good indicators and warnings program starts with understanding an organization’s risk profile and the events that would change it, then implementing effective monitoring and analysis to detect those changes.
Training and Development
Technology/Process/People: Online Learning Platforms, Security Operations and Enterprise Security Teams
In order to better prepare for detection, response, and recovery, the security team needs to keep improving through education, conferences, training courses, and more. All employees need to be reminded of their roles, responsibilities, and policies through training and similar programs.
Triage
Triage is the immediate and preliminary assessment made about incoming detections or reports. Triage may result in an alert being sent to investigation or being deemed a false positive.
Automated Incident Response
Technology/Process/People: SOAR, Detection Engineering, Detection and Response, and Security Operations Teams
The ability to automatically triage, review, enrich, and correlate alerts. The less work required to determine which alerts are true positives and false positives, the more effective your incident response team can be.
Detection and Response
Technology/Process/People: MDR, Incident Response and Security Operations Teams
Manual triage and response is important too. Ensure that your incident response team has the right telemetry, tools, and skills to effectively triage and investigate alerts.
You must decide if your detection and response capability will be 24/7 or less, what your SLA will be, if incident response will be handled internally or by an external vendor, what on call schedules will be, and more.
Investigation
Once a detection, report, or alert is deemed potentially serious in some way, it is brought for investigation. Investigation assumes an increased level of rigor, reporting, and gravity.
Investigation Management
Technology/Process/People: Investigation Management Platform, Incident Response and Security Operations Teams
Staying organized is critical during an incident, when reviewing past incidents, and preparing for future incidents. The proper technology and process will help with collecting evidence, preparing reports, and tracking investigation action items.
Incident Response Retainer
Technology/Process/People: IR Firms, Incident Response and Security Operations Teams
In the event of an emergency incident that your team is unequipped to handle, you may need to request the services of a trusted external firm. You should have legal documents and agreements squared away and an existing relationship, so they can assist as quickly as possible.
Telemetry/Log Management/Tooling
Technology/Process/People: SIEM, DFIR, Detection Engineering and Security Operations Teams
Your incident response team needs the right telemetry and tools to effectively perform investigations. This can include specific types of telemetry such as access logs, audit logs, etc. and specific tools such as log management, digital forensics, and other analytics tools.
Threat Hunting
Technology/Process/People: IoCs, Reports, ISACs, TIP, Threat Intelligence, Detection Engineering, and Security Operations Teams
Your Security Operations Team should be regularly running threat hunts to find malicious activity already present in the environment that other detection systems missed.
Response
When an investigation concludes that there has been an incident or a breach, it must be responded to. Response may include eviction of an adversary, cleaning of devices and environments, and more.
Endpoint Security
Technology/Process/People: EDR, MDM, Incident Response, Detection and Response and Enterprise Security Teams
The technology and processes you will use to prevent persistence or stop malicious activity by cleaning, wiping, and/or quarantining endpoints.
Digital/Cloud Forensics
Technology/Process/People: Digital Forensics and Incident Response Teams
The technology and processes you will use to collect evidence, images, backups, and telemetry/logs for post-incident use. Digital forensics in the cloud may be tricky and may require specialized tools.
Subject Matter Expertise Collaboration
Technology/Process/People: Entire Organization
More often than not, while responding to a security incident, your incident response team will need subject matter experts from different parts of the organization to assist. You should identify who those people and teams are and how you will request their assistance in advance. Examples include IT, Engineering, SRE, Customer Success, Finance, Legal, etc.
Incident Response Training and Tabletop Exercises
Technology/Process/People: Incident Response and Security Operations Teams
Incident response activities are prone to accidents, mistakes, and disasters. Tabletop and live exercises help to normalize incident response activities and catch errors in a supervised environment.
Recovery
Once the incident is handled and response is complete, the next step is to get any business systems or processes back up and running to their full effectiveness. This may include rebuilding systems and environments.
Resilience/Redundancy/Refreshability/Backups
Technology/Process/People: Information Technology, Site Reliability Engineering, Incident Response, Security Operations, Product Security, and Enterprise Security Teams
Expand on your Business Continuity and Disaster Recovery Plan to include specific tactical processes for recovering lost infrastructure, environments, endpoints, and more.
Communication
Internal Incident Communications
Technology/Process/People: Email, Slack, Incident Response and Security Operations Teams, Subject Matter Experts
Ensure that you have a clear way to escalate a detection to an incident, declare an incident commander, and communicate effectively and securely with the appropriate parties.
Internal Company Communications
Technology/Process/People: Email, Slack, Incident Response and Security Operations Teams, CEO, Board of Directors
Once an incident or breach is declared, you may want to remind all employees that any information regarding a security event is confidential, to follow company policies about trading, confidential information, responding to and talking to journalists, and discussing ongoing situations with customers and third parties.
Emergency Call Tree
Technology/Process/People: Business Continuity Planning, Disaster Recovery, Incident Response and Security Operations Teams
You may already have a call tree or executive rolodex as part of your BCP/DR plan. In a crisis, you may need multiple ways of reaching different parties, including customers, vendors, subprocessors, and local law enforcement.
Crisis Communication Training/Media Training
Technology/Process/People: Incident Response, Security Operations, and Enterprise Security Teams
In the event of an incident or breach, you may want specific teams or all employees trained for how to communicate clearly and effectively during a crisis and how and when to respond to comments and talk to journalists.
Breach Notification
Technology/Process/People: Legal, CEO, CISO, Board of Directors, Incident Response and Security Operations Teams
Once a security incident is deemed a breach, you may have legal, regulatory, and customer obligations to notify. A runbook should be kept to help determine under which circumstances, which parties need to be notified (such as law enforcement, regulatory agencies, federal/state/local governments, vendors, customers, and individuals) and how (such as email, 8-K, written letter, etc.). You may also want drafts of breach notifications, risk disclosures, and other legal notices.
Breach Readiness Exercises
During your breach readiness exercises, make sure to touch upon each section and control listed above. Focus on what you are missing, what will be effective or ineffective, the specific gaps you have, and the improvements you could make.
Your breach readiness exercises should be realistic, likely, and comprehensive. They should be specific to your environment, your technology, and your adversaries. Here are some examples:
- An engineering lead’s device is compromised with malware. This engineer has access to your cloud infrastructure, your datastores, your code repositories, and more.
- An employee has been reusing passwords. This employee’s personal account is compromised and sold on the dark web. This employee has access to sensitive SaaS accounts such as email, chat, CRM, cloud infrastructure, ticketing systems, internal documentation, and business intelligence tools.
- A malicious insider steals sensitive customer data. This data is advertised for sale on a dark web forum.
- A new low-entropy insecure direct object reference vulnerability is introduced into your product. Successful exploitation of this vulnerability would allow an adversary to download arbitrary customer data.
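For the last scenario, here is an added illustration (not part of the original framework) of what "low-entropy insecure direct object reference" means in code: a download endpoint that looks objects up by a sequential id and never checks who owns them, beside the hardened version. The export store, the tenant names and the endpoint functions are constructed for the illustration. The enumeration helper is the same loop an adversary would run and the one your readiness exercise should run, because the exercise is not only "can we fix it" but "would we have seen the burst of requests, and can we tell from access logs which ids were actually fetched".

```python
import secrets
from dataclasses import dataclass


@dataclass
class Export:
    export_id: str
    owner: str        # tenant that requested the export
    payload: str


class Forbidden(Exception):
    pass


# Constructed store. Sequential ids are what the vulnerable version handed out.
EXPORTS = {
    "1001": Export("1001", "acme",   "acme customer list"),
    "1002": Export("1002", "globex", "globex invoices"),
    "1003": Export("1003", "acme",   "acme support tickets"),
}


def download_vulnerable(store: dict, tenant: str, export_id: str) -> str:
    """The bug: lookup by id only. Being authenticated as any tenant is enough,
    and the ids are guessable, so the whole table is one loop away."""
    return store[export_id].payload


def download_hardened(store: dict, tenant: str, export_id: str) -> str:
    """Fix: authorize the object against the caller, and answer 'missing' and
    'not yours' identically so the endpoint is not an existence oracle."""
    record = store.get(export_id)
    if record is None or record.owner != tenant:
        raise Forbidden(f"export {export_id!r} not available to {tenant}")
    return record.payload


def new_export_id() -> str:
    """Defense in depth: 128-bit random ids cannot be enumerated. This does not
    replace the ownership check; a leaked id must still be useless to a stranger."""
    return secrets.token_urlsafe(16)


def enumerate_exports(download, store: dict, tenant: str, candidate_ids) -> dict:
    """What an adversary (or your own readiness exercise) does: walk the id space
    as one low-privilege tenant and collect whatever comes back."""
    leaked = {}
    for cid in candidate_ids:
        try:
            leaked[cid] = download(store, tenant, cid)
        except (KeyError, Forbidden):
            continue
    return leaked


if __name__ == "__main__":
    ids = [str(i) for i in range(1000, 1010)]
    print("vulnerable:", enumerate_exports(download_vulnerable, EXPORTS, "globex", ids))
    print("hardened:  ", enumerate_exports(download_hardened, EXPORTS, "globex", ids))
```

Walking ten ids as the globex tenant returns all three exports from the vulnerable endpoint and only globex's own export from the hardened one. In the exercise, pair this with the Detection Engineering, Telemetry and Breach Notification controls above: the failed lookups should be visible as a run of denials from one session, the access logs should let you scope exactly which customers' exports were downloaded, and that scope is what the notification runbook needs.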