Issue link: https://insights.oneneck.com/i/1517358
Enhancing Your Response Capabilities Fortra.com 6. Use Cases: Every organization is at a different stage in their automation journey. Your ability to incorporate human interaction for response actions allows adoption at a pace that is comfortable for you. Review the following scenarios that include both human-guided and fully automated response actions: • Indicators of Potential Insider Threat: An IT administrator's credentials are being used to access and modify previously untouched systems. This either could be an early warning to a potential insider threat or be nothing. The anomalous activity triggers a playbook which sends a push notification to the IT admin and their supervisor on their mobile devices. They have the choice of disabling the user credentials on Active Directory or investigating further by opening a ServiceNow ticket. • Privilege Access Management Anomaly: The privileged credentials of a senior executive are used to manipulate company information from an unusual geography. The incident triggers a playbook to contain the potential threat and notify the security team. The privileged credentials are restricted, a push notification is sent to the security administrator, and a message is distributed via Slack to the security team to verify legitimacy of the activity. • Complex Indicators of Compromise: A healthcare clinic's patient admitting system is demonstrating abnormal PowerShell activity consistent with known ransomware attack campaigns. The incident instantly triggers a playbook to isolate the compromised host and block communication from an external source at the edge to prevent spreading to other hosts. In each scenario, multiple actions are taken. The number of human decisions, conditions, and triggers in the playbook should be customizable to align with the organization's business requirements. 7. Communication: Carefully consider appropriate communications. For your response strategy to be effective, communicating the action you are taking to stakeholders who need to be informed or provide additional forensic detail as part of the process is key. Users should be notified with collaboration tools such as Slack, Teams or email, or advanced ticketing systems like Jira and ServiceNow. Integrating your response strategy into these collaboration and ticketing platforms enables effective and efficient dissemination of critical information. Once the seven pillars of effective response have been addressed, implementation and execution of your plan can begin. It is essential that the plan be carefully crafted, easily iterated, and improved as needed. More sophisticated organizations should have the ability to design playbooks with the flexibility to create decision trees with multiple conditions and actions. Page 3