NZ Incident Response Bulletin February – 2020

Subscribe for free to our new service “Cyber Alerts and Tips” on the Web or YouTube

We have also improved the user experience of our entire Website

Our Views:

This month’s theme is “Cyber Incident Detection using NIST and the Cybersecurity Framework”.

Cyber Incident Detection

Recent news shows that the cost to businesses of cyberattacks such as data breaches is growing. Incident detection time is one area which contributes to the ultimate cost of a breach to the impacted business. The longer a system breach remains undetected, the longer an attacker has to cause damage, and the harder it becomes to investigate the event. According to IBM, the average time taken to identify a breach was a full seven months in 2019.

As cyberattacks continue to grow in complexity, businesses require proactive strategies to combat them and minimise risk. The NIST Cybersecurity Framework was created to help businesses protect their critical assets, and “Detect” is the third function in this framework.

Cyber detection methods act similarly to physical detection methods such as smoke alarms and CO2 monitors in that they alert you to impending danger. They act as an early warning system, highlighting any potential and active cyber threats in your environment. The ultimate goal is to detect any cyber incident in a timely fashion and reduce its impact.

“The Detect function involves the development and implementation of appropriate activities to identify the occurrence of a cybersecurity event.” – NIST

Detect Key Considerations

There are three general areas for consideration under Detect in the NIST framework as follows:

  1. Detecting Anomalies and Events – “Anomalous activity is detected in a timely manner, and the potential impact of events is understood.” This area includes the ability to recognise and subsequently detect anomalous activity. Establishing thresholds and alerts for system activity is critical here.
  2. Continuous Security Monitoring – “The information system and assets are monitored at discrete intervals to identify cybersecurity events and verify the effectiveness of protective measures.” This area involves monitoring of the network, the physical environment, and personnel and service provider activity for any anomalous activity, including unauthorised access, actions, connections, devices and software.
  3. Detection Processes – “Detection processes and procedures are maintained and tested to ensure timely and adequate awareness of anomalous events.” This area includes defining appropriate roles and responsibilities to ensure accountability, testing detection processes and continuously improving them.

Practical Actions for Detection

Examples of immediate actions we recommend a business take to increase their detection capabilities include:

  • Reviewing any cloud-based systems to ensure that thresholds for activities such as spend, storage or use are configured and that these thresholds trigger an alert when exceeded. Cloud service providers offer products and solutions that allow you to monitor activity and receive alerts, for example Azure Monitor or AWS CloudWatch.
  • Reviewing systems such as Microsoft Office 365 to ensure alerts are triggered when actions such as mail forwarding rules are changed or passwords are reset. More information about the kind of activity you can monitor and how to set and manage alerts can be found here. Alert Policies can also be created to simplify this activity across a network.
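As an added illustration of the second action (not code from the bulletin), the following script applies the two detections it describes, inbox rules that forward mail externally and user password resets, to a few constructed audit log records. The record layout is assumed to mirror the Microsoft 365 unified audit log (Operation, Workload, UserId, Parameters); the users, times and addresses are invented.

```python
import json
from typing import Iterable, List

# Constructed sample records (field names assumed to follow the unified audit
# log schema; values are invented). One JSON object per line.
SAMPLE_LOG = """
{"CreationTime":"2020-02-03T08:15:00","Workload":"Exchange","Operation":"New-InboxRule","UserId":"alice@example.test","Parameters":[{"Name":"Name","Value":"Invoices"},{"Name":"ForwardTo","Value":"external@mail.example"}]}
{"CreationTime":"2020-02-03T08:20:00","Workload":"Exchange","Operation":"Set-InboxRule","UserId":"bob@example.test","Parameters":[{"Name":"Name","Value":"Newsletters"},{"Name":"MoveToFolder","Value":"Archive"}]}
{"CreationTime":"2020-02-03T09:01:00","Workload":"AzureActiveDirectory","Operation":"Reset user password.","UserId":"admin@example.test","ObjectId":"carol@example.test"}
{"CreationTime":"2020-02-03T09:05:00","Workload":"Exchange","Operation":"MailItemsAccessed","UserId":"dave@example.test"}
"""

# Inbox rule parameters that send a copy of mail somewhere else.
FORWARDING_PARAMS = {"ForwardTo", "ForwardAsAttachmentTo", "RedirectTo"}
RULE_OPERATIONS = {"New-InboxRule", "Set-InboxRule"}
PASSWORD_RESET_OPERATION = "Reset user password."


def parse_records(text: str) -> List[dict]:
    """Parse newline-delimited JSON audit records, skipping blank lines."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def detect(records: Iterable[dict]) -> List[dict]:
    """Return one alert per record that matches a detection rule."""
    alerts = []
    for rec in records:
        op = rec.get("Operation", "")
        base = {"time": rec.get("CreationTime"), "user": rec.get("UserId")}
        if op in RULE_OPERATIONS:
            # Flatten the Name/Value parameter list so we can look up keys.
            params = {p["Name"]: p["Value"] for p in rec.get("Parameters", [])}
            hits = sorted(FORWARDING_PARAMS & params.keys())
            if hits:  # only rules that forward or redirect are interesting
                detail = ", ".join(f"{k}={params[k]}" for k in hits)
                alerts.append({**base, "reason": "mail forwarding rule", "detail": detail})
        elif op == PASSWORD_RESET_OPERATION:
            alerts.append({**base, "reason": "password reset",
                           "detail": f"target={rec.get('ObjectId')}"})
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_records(SAMPLE_LOG)):
        print(f"[{alert['time']}] {alert['reason']}: {alert['user']} ({alert['detail']})")
```

Bob's rule only moves mail to a folder and raises nothing, which is the distinction a tuned alert policy should make to keep noise down.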

About the Bulletin:

The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.

To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.

This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.