Our Views:
Cyber Incident Detection
In 2020, the New Zealand National Cyber Security Centre (NCSC), part of the Government Communications Security Bureau (GCSB), published guidance on Cyber Incident Management. Incident response covers the tactical practices used to detect, respond to, and recover from cyber incidents.
Cyber incident risks cannot be solely managed through preventative measures. Accepting that a cyber incident could occur, we recommend adopting and adhering to a cyber incident framework that recognises the importance of ‘detection’ and ‘response’ functions. These functions require you to have the right data at the right time.
First, you need a capability to collect and manage logs, events, alerts, and incidents. Identify these data sources, then work out how each one will inform your first steps in an incident, so that containment, eradication and recovery can begin sooner.
So, you received a security alert; what now?
The cyber attack surface is constantly expanding, and attackers continually adapt and escalate the threat landscape, making it almost inevitable that you will experience malicious activity inside your network at some stage. Detecting this activity quickly and enabling a fast response is key to minimising damage. Many tools are designed for this purpose, such as Security Information and Event Management (SIEM), Intrusion Detection Systems (IDS), Intrusion Prevention Systems (IPS), Data Loss Prevention (DLP) systems and Network Behaviour Anomaly Detection (NBAD). Each of these tools is intended to act as an early warning system that alerts you and initiates a suitable response.
So…how do you respond effectively to a security alert?
Threat Intelligence that comes from reliable and reputable sources is essential to understanding the steps to take after receiving a security alert. In addition, timely intelligence can help you clearly identify which alerts indicate genuine malicious activity and which may be false positives.
Obtaining up-to-date indicators of compromise and recent typical attack profiles can help you stay ahead of new threats as they emerge and take fast preventative action. For example, Cobalt Strike (a legitimate penetration testing framework) is often used as a command-and-control mechanism during an attack, but its deployment is an early step in the attack kill chain. Therefore, if you know to search for this tool and find it residing illegitimately on your network, you may be able to act and stop an attack before further damage is done.
If you are wondering what to do next, the NCSC poses a number of questions to ask yourself, and then act on the answers:
- How would our organisation detect an incident?
- Are we responding to all the alerts we are receiving?
- Are we receiving too many alerts because we aren’t tuning them correctly?
- If something happened, would we be able to go back and find the information in our logs?
- How far back can we go? Is it one week, one month, one year, or might we need longer?
- Have we produced reports for our security incidents?
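The two practical points above, searching your logs for known indicators of compromise and knowing how far back those logs actually go, can be shown with a small script. The following is an added example written for this bulletin; it is not NCSC or Incident Response Solutions code. The indicator values (reserved `.invalid` hostnames and TEST-NET addresses) and the proxy log lines are constructed placeholders, and the log format, `INDICATORS`, `match_indicators` and `retention_coverage` are assumptions for illustration rather than the output of any particular product.

```python
"""Match threat-intelligence indicators against proxy logs and report log retention coverage."""
import re
from datetime import datetime, timezone

# Constructed indicator set. These are placeholders for illustration only
# (reserved .invalid TLD and TEST-NET-1 addresses), not real indicators from any feed.
INDICATORS = {
    "domain": {"beacon-update.invalid", "cdn-sync.invalid"},
    "ip": {"192.0.2.44"},
}

# Constructed proxy log lines: timestamp, client IP, method, destination host, destination IP, status.
SAMPLE_LOGS = """\
2020-11-02T08:15:01Z 10.0.5.21 GET intranet.example.internal 10.0.9.3 200
2020-11-02T08:15:07Z 10.0.5.21 GET beacon-update.invalid 192.0.2.44 200
2020-11-02T08:16:40Z 10.0.7.8 POST files.example.internal 10.0.9.7 201
2020-11-03T09:00:12Z 10.0.5.21 GET beacon-update.invalid 192.0.2.44 200
2020-11-03T09:05:55Z 10.0.6.2 GET cdn-sync.invalid 198.51.100.9 404
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>\S+) (?P<host>\S+) (?P<dst>\S+) (?P<status>\d{3})$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None if the line is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def match_indicators(log_text, indicators=INDICATORS):
    """Return one hit per log record that touches a known-bad domain or IP, listing what fired."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue  # malformed line; in production count these so parser gaps are visible
        fired = []
        if rec["host"].lower() in indicators["domain"]:
            fired.append(("domain", rec["host"].lower()))
        if rec["dst"] in indicators["ip"]:
            fired.append(("ip", rec["dst"]))
        if fired:
            hits.append({"ts": rec["ts"], "src": rec["src"], "matched": fired})
    return hits


def summarise_by_source(hits):
    """Count matching events per internal client; repeated hits from one host are triaged first."""
    counts = {}
    for h in hits:
        counts[h["src"]] = counts.get(h["src"], 0) + 1
    return counts


def retention_coverage(log_text, required_days, now):
    """Answer 'how far back can we go?': earliest retained timestamp versus the required lookback."""
    stamps = [r["ts"] for r in map(parse_line, log_text.splitlines()) if r]
    if not stamps:
        return {"earliest": None, "available_days": 0, "meets_requirement": False}
    earliest = min(stamps)
    available = (now - earliest).days
    return {
        "earliest": earliest,
        "available_days": available,
        "meets_requirement": available >= required_days,
    }


if __name__ == "__main__":
    found = match_indicators(SAMPLE_LOGS)
    for h in found:
        print(h["ts"].isoformat(), h["src"], h["matched"])
    print(summarise_by_source(found))
    # Constructed "now" so the retention check is reproducible offline.
    print(retention_coverage(SAMPLE_LOGS, 90, datetime(2020, 12, 1, tzinfo=timezone.utc)))
```

Run as-is, the script reports three matching events, shows that one internal client (10.0.5.21) contacted the same indicator on two consecutive days, which is the pattern worth investigating first, and shows that with logs starting on 2 November a 90-day lookback requirement is not met. Replace `SAMPLE_LOGS` with a real export and `INDICATORS` with a current feed from a reputable source to answer the NCSC's "can we find it in our logs" and "how far back can we go" questions for your own environment.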
About the Bulletin:
The NZ Incident Response Bulletin is a monthly high-level executive summary containing some of the most important news articles that have been published on Forensic and Cyber Security matters during the last month. Also included are articles written by Incident Response Solutions, covering topical matters. Each article contains a brief summary and if possible, includes a linked reference on the web for detailed information. The purpose of this resource is to assist Executives in keeping up to date from a high-level perspective with a sample of the latest Forensic and Cyber Security news.
To subscribe or to submit a contribution for an upcoming Bulletin, please either visit https://incidentresponse.co.nz/bulletin or send an email to bulletin@incidentresponse.co.nz with the subject line either “Subscribe”, “Unsubscribe”, or if you think there is something worth reporting, “Contribution”, along with the Webpage or URL in the contents. Access our Privacy Policy.
Subscribers to the premium edition also obtain access to the following additional information:
- Cyber Governance
- Cyber Incident Landscape
- Cyber Incident Response Resources
- Cyber Framework and Control Updates, Surveys and Research
Click here if you wish to subscribe to our Premium Edition of the Bulletin.
This Bulletin is prepared for general guidance and does not constitute formal advice. This information should not be relied on without obtaining specific formal advice. We do not make any representation as to the accuracy or completeness of the information contained within this Bulletin. Incident Response Solutions Limited does not accept any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, when relying on the information contained in this Bulletin or for any decision based on it.
