November 30, 2021 by Jean Schaffer
CISA recently released a set of playbooks for the Federal Civilian Executive Branch (FCEB) to improve cybersecurity incident response (IR) and vulnerability response. As the SolarWinds SUNBURST attack in December 2020 demonstrated, coordination and reporting across the FCEB remain a challenge. Adding to that challenge, agencies have had differing playbooks for handling confirmed malicious cyber activity once a major incident has been identified. This CISA publication is a further step toward meeting the actions laid out in the Executive Order on Improving the Nation's Cybersecurity.
You may be thinking, “why is Corelight blogging about this?” The simple answer is that Corelight provides a fundamentally different perspective from traditional AV, EDR, DLP, IDPS, and PCAP systems: instead of producing data only when an attack is detected, Corelight logs metadata about all activity on your network as a baseline, with alerts as a layer on top of that. This leaves us uniquely positioned with regard to the Incident Response Playbook, which begins with the foundational step of preparation.
Agencies must understand their IT environment. Achieving that level of situational awareness requires visibility across the entire environment, including assets and infrastructure that traditional EDR products do not cover, such as IP-based IoT and OT devices. High-functioning SOCs build their security ecosystems on the best data: curated, normalized, security-relevant data collected continuously from across the whole, diverse network. A network instrumented with Corelight gives security teams turnkey access to exactly that type of data, in the open source Zeek® and Suricata formats that many analysts already know and use. Designed for easy integration with off-the-shelf and custom SIEM/XDR/data lake technologies, Corelight data makes it straightforward to establish a strategic network data reserve that defenders can draw on to improve their situational awareness for years to come.
The IR playbook continues through the remaining phases: detection and analysis, containment, eradication and recovery, post-incident activities, and coordination. Corelight data dramatically improves the ability to analyze and respond to detections, whether generated directly by our platform or by other alerting technologies in the environment, by providing easy access to all of the network context before, during, and after a given alert. This deeper understanding of an incident also gives greater confidence that a threat has been properly eradicated (rather than merely modified to evade detection), and a clearer picture of what needs to be fixed to prevent similar incidents in the future.
The Vulnerability Response Playbook complements the IR playbook. It stresses that it is not a replacement for existing vulnerability management programs; its focus is on identifying and eradicating vulnerabilities that are being exploited in the wild. Corelight is designed to integrate with an agency’s vulnerability management product (e.g., Tenable) and can highlight attacks against hosts that are actually vulnerable, so that defenders can focus their efforts on exploits that were likely to have succeeded. Quickly analyzing the attack and determining whether it is limited to one host or has spread across the enterprise drives the decision on how to contain and remediate the threat. Corelight makes it easy to pivot from the alert to the context of the event, and provides the information needed to take defensive action quickly.
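The two workflows described above, triaging an IDS alert against a vulnerability inventory and then pivoting into connection logs to see whether the targeted host went on to touch other systems, can be shown in a few dozen lines. The following is an added example written for this post, not Corelight's code or product logic: it reads constructed Suricata eve.json alert records and constructed Zeek conn.log records (written with the JSON ISO8601 timestamp option), correlates each alert's CVE tag with a constructed per-host vulnerability inventory of the kind a scanner export would provide, and summarizes the post-alert connections of any host where the exploit likely succeeded. The signature IDs, CVE tags, hostnames and addresses are all placeholders.

```python
"""Alert triage against a vulnerability inventory, then a conn.log pivot.

Added example. All records below are constructed; signature IDs (9000001,
9000002) and the CVE tag CVE-XXXX-0001 are placeholders, not real rules.
"""
import json
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# Constructed Suricata eve.json alert records, one JSON object per line.
EVE_ALERTS = """\
{"timestamp":"2021-11-15T10:00:00.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":51234,"dest_ip":"10.0.5.20","dest_port":8080,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE Exploit attempt (placeholder)","severity":1,"metadata":{"cve":["CVE_XXXX_0001"]}}}
{"timestamp":"2021-11-15T10:00:05.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":51240,"dest_ip":"10.0.5.21","dest_port":8080,"proto":"TCP","alert":{"signature_id":9000001,"signature":"EXAMPLE Exploit attempt (placeholder)","severity":1,"metadata":{"cve":["CVE_XXXX_0001"]}}}
{"timestamp":"2021-11-15T10:02:00.000000+0000","event_type":"alert","src_ip":"203.0.113.7","src_port":51300,"dest_ip":"10.0.5.30","dest_port":22,"proto":"TCP","alert":{"signature_id":9000002,"signature":"EXAMPLE SSH brute force (placeholder)","severity":2,"metadata":{}}}
"""

# Constructed Zeek conn.log records in JSON form with ISO8601 timestamps.
ZEEK_CONN = """\
{"ts":"2021-11-15T09:30:00.000000Z","uid":"C1","id.orig_h":"10.0.5.20","id.orig_p":49000,"id.resp_h":"10.0.5.41","id.resp_p":445,"proto":"tcp","service":"smb","conn_state":"SF"}
{"ts":"2021-11-15T10:00:00.000000Z","uid":"C2","id.orig_h":"203.0.113.7","id.orig_p":51234,"id.resp_h":"10.0.5.20","id.resp_p":8080,"proto":"tcp","service":"http","conn_state":"SF"}
{"ts":"2021-11-15T10:00:30.000000Z","uid":"C3","id.orig_h":"10.0.5.20","id.orig_p":49102,"id.resp_h":"198.51.100.9","id.resp_p":443,"proto":"tcp","service":"ssl","conn_state":"SF"}
{"ts":"2021-11-15T10:01:10.000000Z","uid":"C4","id.orig_h":"10.0.5.20","id.orig_p":49110,"id.resp_h":"10.0.5.41","id.resp_p":445,"proto":"tcp","service":"smb","conn_state":"SF"}
{"ts":"2021-11-15T10:01:40.000000Z","uid":"C5","id.orig_h":"10.0.5.20","id.orig_p":49111,"id.resp_h":"10.0.5.42","id.resp_p":445,"proto":"tcp","service":"smb","conn_state":"S0"}
{"ts":"2021-11-15T10:30:00.000000Z","uid":"C6","id.orig_h":"10.0.5.21","id.orig_p":49200,"id.resp_h":"10.0.5.50","id.resp_p":445,"proto":"tcp","service":"smb","conn_state":"SF"}
"""

# Constructed inventory, host -> CVEs a scanner reported as present (placeholders).
VULN_INVENTORY = {
    "10.0.5.20": {"CVE-XXXX-0001"},
    "10.0.5.21": set(),
    "10.0.5.30": {"CVE-XXXX-0002"},
}

INTERNAL_NETS = [ip_network("10.0.0.0/8")]  # assumed address plan


def load_jsonl(text):
    """Parse newline-delimited JSON into a list of dicts."""
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def parse_ts(value):
    """Accept both Suricata's '+0000' suffix and Zeek's 'Z' suffix."""
    if value.endswith("Z"):
        value = value[:-1] + "+0000"
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S.%f%z")


def alert_cves(alert):
    """Normalize rule metadata 'CVE_YYYY_NNNN' tags to 'CVE-YYYY-NNNN'."""
    tags = alert.get("alert", {}).get("metadata", {}).get("cve", [])
    return {t.replace("_", "-").upper() for t in tags}


def triage(alerts, inventory):
    """Label each alert by whether the targeted host carries the CVE it exploits."""
    verdicts = []
    for a in alerts:
        cves = alert_cves(a)
        host_vulns = inventory.get(a["dest_ip"], set())
        if not cves:
            verdict = "no-cve"                  # nothing to correlate on
        elif cves & host_vulns:
            verdict = "likely-succeeded"        # exploit matches a known weakness
        else:
            verdict = "host-not-vulnerable"
        verdicts.append((a["dest_ip"], a["alert"]["signature_id"], verdict))
    return verdicts


def spread_summary(conn, host, alert_ts, window_seconds, internal_nets=INTERNAL_NETS):
    """Peers the host initiated connections to within the window after the alert."""
    start = parse_ts(alert_ts)
    end = start + timedelta(seconds=window_seconds)
    internal, external = set(), set()
    for c in conn:
        if c["id.orig_h"] != host or not (start <= parse_ts(c["ts"]) < end):
            continue
        dst = c["id.resp_h"]
        is_internal = any(ip_address(dst) in net for net in internal_nets)
        (internal if is_internal else external).add(dst)
    return {"internal": sorted(internal), "external": sorted(external)}


def investigate(alerts, conn, inventory, window_seconds=600):
    """Pivot from each likely-successful alert into the conn.log around it."""
    report = {}
    for a, (dest, _sid, verdict) in zip(alerts, triage(alerts, inventory)):
        if verdict == "likely-succeeded":
            report[dest] = spread_summary(conn, dest, a["timestamp"], window_seconds)
    return report


if __name__ == "__main__":
    alerts, conn = load_jsonl(EVE_ALERTS), load_jsonl(ZEEK_CONN)
    for dest, sid, verdict in triage(alerts, VULN_INVENTORY):
        print(f"{dest} sid={sid} {verdict}")
    for host, spread in investigate(alerts, conn, VULN_INVENTORY).items():
        print(f"{host} post-alert peers: {spread}")
```

Only the alert against 10.0.5.20 survives triage; the pivot then shows that host reaching an external address over 443 and two internal hosts over 445 within ten minutes of the alert, while its identical-looking 09:30 SMB connection falls outside the window. That is the distinction the playbook cares about: one compromised host versus a spread that changes the containment plan.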
Corelight, a favored partner for serious threat hunters and incident responders, looks forward to helping FCEB agencies reinforce their security postures. Contact us today.
By Jean Schaffer, Federal CTO, Corelight