III.C Incident Identification and Assessment
Management should have a process to enable the following:
- Identify indicators of compromise.
- Analyze the event associated with the indicators.
- Classify the event.
- Escalate the event consistent with the classification.
- Report internally and externally as appropriate.
Incident identification involves indicators and analysis. External indicators may arise through contact with customers, law enforcement, card organizations (e.g., credit or payment cards), other financial institutions, media, or others. Internal indicators may arise when internal users contact the help desk, IT operations follows up on anomalies, or security operations follows up on anomalies identified through security devices and network and systems activity. Indicators may also arise through the use of "hunt teams," or dedicated analysts who actively search for indicators of compromise. Examples of technology-based intrusion identification systems and tools include the following:
- Threat intelligence data feeds (e.g., STIX/TAXII).There are efforts to automate and structure operational cybersecurity information-sharing techniques across the globe. Of these, STIX (the Structured Threat Information eXpression) and TAXII (the Trusted Automated eXchange of Indicator Information) are two of the technical specifications that allow an automated exchange of threat source data using standardized language.
- Intrusion detection and prevention systems for networks and hosts.
- End-point visibility tools (tools that can identify the function of end points and which end points contain or have access to sensitive information).
- DLP tools.
- Log correlation and analysis tools.
- File integrity tools.
- Malware detection tools.
- Network behavior analysis systems.
- "Big data" tools and analytics that aggregate and allow pre-formed and ad hoc analysis.
Technology-based indicators of compromise generally are anomalies in host state, host activity, and network traffic. A few examples are unexpected (1) processes, (2) changes to files, (3) packet source or destination, (4) protocols, (5) ports, (6) encryption, (7) log-ins, and (8) packet content. Other indicators include alerts triggered by black lists in anti-virus and network-monitoring products.
Management should have a process for identifying indicators of compromise and rapidly reporting those indicators for investigation. The report should instigate an analysis that seeks to confirm whether a compromise took place and how that compromise should be classified. Investigation may require additional information from outside and inside the institution, such as a forensic review. Management should perform due diligence to identify external assistance in advance of incidents to ensure available resources. Classification of a compromise may require information on the specific hosts affected, data lost, and business processes affected. Information developed in the analysis may be useful to guide response activities.
Analysis should result in a classification of the event, implementation of escalation procedures, and reporting. Analysis should be guided by the following:
- Classification policies should be sufficiently clear to enable timely classification of incidents by level of severity, enabling the use of response teams and responses depending on the type and severity of events.
- Escalation, response, and reporting should be commensurate with the level of severity.
- Escalation policies should address when different personnel within the organization will be contacted and the responsibility those personnel have in incident analysis and response.
- Escalation policies should include when to request or obtain external assistance, from both third parties and the federal government.
- Reporting policies should address internal and external reporting, including coordination with third parties and reporting to external organizations (e.g., FS-ISAC).
Additionally, a policy should address who is empowered to declare an incident. A defined process should guide responses to incidents. The institution should develop procedures to test the incident escalation, response, and reporting processes.
The sharing of attack data through organizations, such as FS-ISAC, also has the potential to benefit the industry at large by enabling other institutions to better assess and respond to current attacks. Management should consider whether to include such information sharing as a part of its strategy to protect the institution.
Management should determine whether the institution's or its managed security service provider's analysts are sufficiently trained to appropriately analyze network, host, and application activity and to use the monitoring and analysis tools made available to them. Additionally, security analysts should coordinate and collaborate with others in the institution with knowledge and authority for specific types of malicious activity, such as fraud.
III.B Threat Monitoring
III.D Incident Response