A Peek into the Future of Incident Response

Daryl Thompson,

Critical Infrastructure Security Project Lead

Cybersecurity constantly invites us to look into the future. Where will the next attack come from? Where is the next vulnerability that attackers will exploit? But even when it looks ahead, cybersecurity is immediate: what comes next is measured in weeks, months, maybe a year. To be well positioned, we need to think in terms of multiple years and of the major shifts on the horizon.

To that end, what will incident response look like in the year 2020? We have a few clues to go on, thanks to current forecasts of what networks will look like in 2020. Applications will be cloud-based and provide services to an Internet of Things (IoT). This IoT will consist of network-connected devices, vehicles and buildings, all collecting and exchanging data.

This has a few positive impacts: communications will be far less bandwidth constrained, and network topologies can be reconfigured at a moment's notice. But there is another side to the coin: obscurity will no longer offer any protection. Incident response must detect and mitigate threats to cyber assets anytime and anywhere, without regard to system boundaries. Additionally, both public and private organizations will face tighter government regulation, particularly in the financial and critical infrastructure sectors.

IoT presents an increased attack surface for targeted, sophisticated critical infrastructure attacks by advanced persistent threats (APTs), greatly increasing the volume of indicators of compromise (IOCs) that incident response must analyze and correlate. IoT provides so many targets that the APT attack stages are compressed to little more than exploitation, leaving fewer pre-attack signatures. Signature-based antivirus software and vendor patches offer little protection against these zero-day attacks, because the signature or fix for a not-yet-known vulnerability does not exist at the time of exploitation.

An increased attack surface requires that incident response transform from a step-wise process into persistent cyber security risk analysis that proactively detects security incidents and minimizes their impact. That risk analysis is dynamic and automated, implemented through remotely managed security services that continually adapt to threat intelligence gained from analytics, system audits, and information sharing. Incident response will use automated tools to process external events and identify previously undetected system infiltrations.

Effective incident response programs will have the following features: 

  • Skilled and trained staff
  • Integrated threat intelligence and incident handling between enterprises, middleware, and cloud service providers
  • Regular incident response reviews to incorporate lessons learned
  • Continuous active monitoring of system endpoints and infrastructure
  • IOC detection through permission-based whitelisting of access and authentication controls
  • Detailed system baselining
  • Collecting large amounts of attack signature data across domains (IoT, critical infrastructure, cloud infrastructure, etc.), curating that data into training sets, and feeding it to machine learning algorithms that eventually become the front line of IOC detection
  • Automated incident handling that also supports maintenance activities such as network configuration, endpoint policing, and other operations
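Two of the features above, detailed system baselining and permission-based whitelisting of authentication, can be shown together in a small detector. The following is an added example written for this page, not Leidos code or tooling; the `ts host=... user=... proc=... src=... action=...` event format, the host names, addresses and the `AUTH_ALLOWLIST` table are all constructed for illustration. A known-good log is turned into a per-host baseline of which user ran which program; live events are then checked against that baseline and against an allowlist of which principal may log in from which source address, and every deviation is emitted as an indicator.

```python
"""Baseline-and-allowlist IOC detector (added illustration; hypothetical log format)."""
from collections import defaultdict

# Constructed sample events from a known-good period (not real data).
BASELINE_LOG = """\
2020-01-06T08:00:01Z host=hmi-01 user=operator proc=/usr/bin/hmi src=10.0.1.20 action=login
2020-01-06T08:00:05Z host=hmi-01 user=operator proc=/usr/bin/hmi src=10.0.1.20 action=exec
2020-01-06T08:01:00Z host=hist-01 user=svc_backup proc=/usr/bin/rsync src=10.0.0.5 action=login
2020-01-06T08:01:03Z host=hist-01 user=svc_backup proc=/usr/bin/rsync src=10.0.0.5 action=exec
"""

# Constructed live events to be checked against the baseline (not real data).
LIVE_LOG = """\
2020-01-07T02:13:11Z host=hmi-01 user=operator proc=/usr/bin/hmi src=10.0.1.20 action=login
2020-01-07T02:14:40Z host=hmi-01 user=operator proc=/tmp/.x/nc src=10.0.1.20 action=exec
2020-01-07T02:15:02Z host=hist-01 user=svc_backup proc=/usr/bin/rsync src=203.0.113.9 action=login
2020-01-07T02:16:30Z host=hist-01 user=svc_backup proc=/usr/bin/rsync src=10.0.0.5 action=exec
2020-01-07T02:17:00Z host=eng-ws-07 user=admin proc=/usr/bin/psexec src=10.0.1.20 action=exec
malformed entry
"""

# Hypothetical permission-based allowlist: which principal may authenticate from which source.
AUTH_ALLOWLIST = {
    ("operator", "10.0.1.20"),
    ("svc_backup", "10.0.0.5"),
}

REQUIRED_FIELDS = {"host", "user", "proc", "src", "action"}


def parse_event(line):
    """Parse 'ts key=value ...' into a dict; return None for malformed lines."""
    parts = line.split()
    if len(parts) < 2:
        return None
    event = {"ts": parts[0]}
    for field in parts[1:]:
        if "=" not in field:
            return None
        key, value = field.split("=", 1)
        event[key] = value
    return event if REQUIRED_FIELDS.issubset(event) else None


def build_baseline(log_text):
    """Record, per host, every (user, proc) pair seen during the known-good period."""
    baseline = defaultdict(set)
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev:
            baseline[ev["host"]].add((ev["user"], ev["proc"]))
    return dict(baseline)


def detect_indicators(log_text, baseline, allowlist):
    """Return one indicator per deviation: unparseable lines, logins from a
    source not allowlisted for that user, and (user, proc) pairs never seen
    on that host during baselining. A host absent from the baseline has an
    empty known set, so everything it does is flagged until it is baselined."""
    indicators = []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if ev is None:
            indicators.append({"ts": None, "host": None, "rule": "unparseable", "detail": line})
            continue
        if ev["action"] == "login" and (ev["user"], ev["src"]) not in allowlist:
            indicators.append({"ts": ev["ts"], "host": ev["host"],
                               "rule": "login-outside-allowlist",
                               "detail": f"{ev['user']} from {ev['src']}"})
        known = baseline.get(ev["host"], set())
        if (ev["user"], ev["proc"]) not in known:
            indicators.append({"ts": ev["ts"], "host": ev["host"],
                               "rule": "process-not-in-baseline",
                               "detail": f"{ev['user']} ran {ev['proc']}"})
    return indicators


if __name__ == "__main__":
    for hit in detect_indicators(LIVE_LOG, build_baseline(BASELINE_LOG), AUTH_ALLOWLIST):
        print(hit["ts"], hit["host"], hit["rule"], hit["detail"])
```

On the constructed input this yields four indicators: an unbaselined program run on `hmi-01`, a backup-account login from an address outside its allowlist, activity on a host that was never baselined, and one unparseable line. The last two are the caveats that matter in practice: an incomplete baseline produces noise rather than silence, and a malformed record should surface as an indicator rather than be dropped, since log tampering often looks like malformed data.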

Leidos is uniquely positioned to provide fast, hands-on technical remediation for almost any compliance or regulatory situation. Leidos helps customers develop incident response processes, perform risk analysis, build security operation centers and managed security services. We have extensive experience with forensic tools, security analytics, and Security Information and Event Management (SIEM) systems that identify, assess and report on threats continuously at a rate of 75,000 to 100,000 indicators per hour. Give us a call to learn more.