IR
Incident Response
5
N/A
Use a combination of manual and automated, real-time responses to anomalous activities that match incident patterns.
To gain an advantage, the organization should have pre-defined steps to reduce the risk from someone conducting a known pattern of malicious activity. The steps could be a manual checklist or an automated series of actions using scripts or other technology. Organizations may call these pre-defined or automated lists a playbook or runbook. They help to establish a formalized incident response that can be performed. Organizations should balance the speed of response against the possibility of unintended side-effects in determining whether automated responses are appropriate.

Example

You are the security operations center (SOC) lead for your organization. Recently your organization has had a problem with staff inserting personal USB drives in their computers. The SOC has had to wait for the Helpdesk notification to respond. To reduce the response time to these incidents you build a workflow to respond to the use of personal USBs. First you identify the USB events from the host detection tool. The events are forwarded to the SOC event management application. Once identified, you create an alert that is triggered when the USB event is detected. You create a script to call the host detection management API to block further use of a personal USB.

ADDITIONAL READING

NIST Computer Security Incident Handling Guide: https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final
Integrated Adaptive Cyber Defense: https://www.iacdautomate.org/
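The USB workflow above carried through as an added example (not part of the CMMC text): it reads constructed host-detection events, matches the "personal mass-storage USB" incident pattern, raises an alert, and then either calls a stand-in for the host detection management API or routes the case to a manual step, which is the speed-versus-side-effect balance the practice calls for. The event format, the approved-serial list, the manual-review host list and the block_usb_device function are all assumptions.

```python
import json
from dataclasses import dataclass, field

# Constructed sample events, in the shape a host detection tool might forward
# to the SOC event management application (assumed JSON-lines format and keys).
RAW_EVENTS = """
{"ts": "2024-05-01T09:12:03Z", "host": "WS-1042", "user": "jdoe", "event": "usb_device_attached", "class": "mass_storage", "serial": "CORP-4F21A"}
{"ts": "2024-05-01T09:15:44Z", "host": "WS-2210", "user": "asmith", "event": "usb_device_attached", "class": "mass_storage", "serial": "1A2B3C4D"}
{"ts": "2024-05-01T09:16:10Z", "host": "WS-2210", "user": "asmith", "event": "usb_device_attached", "class": "hid", "serial": "KBD-7781"}
{"ts": "2024-05-01T09:20:31Z", "host": "SRV-DB01", "user": "svc_backup", "event": "usb_device_attached", "class": "mass_storage", "serial": "9E8F7A6B"}
"""

APPROVED_SERIALS = {"CORP-4F21A"}   # corporate-issued drives (constructed list)
MANUAL_REVIEW_HOSTS = {"SRV-DB01"}  # hosts where an automated block could cause harm

@dataclass
class PlaybookResult:
    alerts: list = field(default_factory=list)
    automated_blocks: list = field(default_factory=list)
    manual_actions: list = field(default_factory=list)

def matches_personal_usb_pattern(ev):
    """Incident pattern: a mass-storage USB device that is not corporate-issued."""
    return (ev.get("event") == "usb_device_attached"
            and ev.get("class") == "mass_storage"
            and ev.get("serial") not in APPROVED_SERIALS)

def block_usb_device(host, serial, api_calls):
    """Hypothetical stand-in for the host detection management API; records the call."""
    api_calls.append({"action": "block_usb", "host": host, "serial": serial})

def run_playbook(raw_events):
    """Run the playbook over JSON-lines events and return alerts and actions taken."""
    result = PlaybookResult()
    for line in raw_events.strip().splitlines():
        ev = json.loads(line)
        if not matches_personal_usb_pattern(ev):
            continue
        alert = {"host": ev["host"], "user": ev["user"], "serial": ev["serial"], "ts": ev["ts"]}
        result.alerts.append(alert)  # every match raises an alert in the SOC tool
        if ev["host"] in MANUAL_REVIEW_HOSTS:
            # Side-effect risk is high here, so the playbook stays manual for this host.
            result.manual_actions.append({**alert, "step": "SOC analyst confirms before blocking"})
        else:
            block_usb_device(ev["host"], ev["serial"], result.automated_blocks)
    return result
```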
N/A
Response activities are necessary because the defenders of an organization’s information technology tend to be at a disadvantage compared to the attacker. Defenders must maintain awareness of the latest vulnerabilities, be aware of the vulnerabilities in the organization, have the vulnerabilities remediated, and respond if an attacker finds a vulnerability before it is remediated. Once a vulnerability is discovered, the attacker tends to operate faster than a defender can match. To reduce the time to mitigate, an organization should have plans in place to mitigate an attack. Plans must cover both manual and automated responses.
NIST SP 800-53 Rev 4 IR-4(1)
CMMC