There is no shortage of incident response frameworks in the security industry. While the processes may vary, there is relatively universal agreement on requirements to remediate an incident and conduct lessons learned. Remediation falls towards the end of the incident response cycle because security teams must fully analyze the incident to understand several dynamics:
Who is the attacker?
When did the incident occur?
Which user, asset, or data are being targeted?
Which attack techniques were leveraged?
Which of our defenses detected it?
Is this the full scope of the compromise, or are more factors involved?
Security teams respond after answering these questions and the additional information requirements specific to their organization. The incident is closed when there is confidence that the attacker has been expelled from the environment and the corresponding remediation actions are complete. The difference between a young Security Operations Center (SOC) and a mature one often lies in the way the incident response team conducts lessons learned. This process evolves from a “rinse and repeat” approach to proactive threat modeling. Proactive threat modeling is critical to understanding where the attacker maneuvered through a network. The MITRE ATT&CK® framework allows security teams to understand the methods attackers employ against networks. Recently MITRE Engenuity published the NIST SP 800-53 Controls to ATT&CK Mappings, which provide an actionable approach to implementing defenses based on the NIST SP 800-53 controls framework.