Emergency Response
Emergency response is the set of procedures, methods, and techniques used to delay or block an attack that has occurred or is still in progress once a security incident is detected. It is organized in three stages: before, during, and after the incident (pre-, middle-, and post-emergency response).
These stages are usually divided as follows:
Pre-emergency response: classify and grade the types of emergency events, and prepare contingency plans and response scenarios (playbooks) for each. This preparation is the most demanding part of emergency response.
Middle-emergency response: identify security incidents in real time by monitoring the relevant events, and activate the matching emergency plan immediately to block or delay the attack.
Post-emergency response: after the incident, review what happened and update the emergency response processes, plans, and scenarios accordingly.
Classification of Emergency Response
Emergency response in the cloud should be defined and classified by type of security event, so that each event can be handled quickly according to a pre-built contingency plan and response scenario. Based on past incidents and the threats faced by cloud workloads, emergency response events can be roughly divided into the following categories according to the type of attack:
Category | Example | Description | Suggested level | Reference level explanation |
Application security incidents | Web intrusion | The server is subjected to a web attack such as SQL injection | High | Application security incidents are usually identified or intercepted by security devices such as a WAF. The WAF alert already carries a severity level; set the event level from the attack category reported in that alert. |
Network security incidents | DDoS attacks | DDoS or CC (HTTP flood) attacks make the business system unavailable | High | DDoS attacks are generally rated high based on their business impact, since they directly degrade the availability and reliability of the service. |
System security incidents | Ransomware | Ransomware encrypts the system's core data | High | System events usually come from the cloud security center, which grades intrusion events itself; use its grading as the reference. |
Fault and stability incidents | Cloud stability incidents | Network or application outage | High | Stability incidents are usually high-risk events. |
Other incidents | Data leaks | External threat intelligence or public-opinion monitoring shows that confidential core internal data has been leaked | High | The severity of a data leak depends on the content and authenticity of the leaked data, the actual business risk, and the reputational (public sentiment) risk. |
Vulnerability incidents | Log4j vulnerability | Vulnerabilities with major impact | High | Set the level from the vulnerability's impact. For example, the cloud security center publishes emergency vulnerabilities; once one is found in the environment, handle it as a high-priority issue. |
Emergency Response Contingency Plans
Emergency response contingency plans define the processes and methods used during a response. Generally, the emergency response process should include the following stages:
Monitoring for and discovering emergency events
Verifying that the reported vulnerability or event is genuine (not a false positive)
Confirming the scope of impact, the responsible parties, and the affected business systems
Deciding on the response: containment, delay, or blocking measures
Analyzing the event, tracing its source, and recording the evidence and actions taken
Conducting a post-incident review
Automated Emergency Response Execution
Designing automated emergency response scenarios (playbooks) helps security operations and management staff act immediately when an emergency event occurs. Based on the classification of emergency events, trigger conditions and response strategies can be defined for each scenario and wired to SIEM products and other alerting products. Common emergency events that can trigger automated scenarios include:
DDoS attack events: when a DDoS attack is detected, the DDoS scenario can be triggered to route traffic through Alibaba Cloud DDoS protection and filter the attack traffic.
Vulnerability events: depending on the type of vulnerability and whether the fix requires a system reboot, an automated repair process can be defined for a group of servers so that the update is applied within a designated maintenance window.
Network attack events: attacker IPs can be blocked automatically according to the severity of the attack. In this scenario the automation extracts the attacking IPs from the event and pushes block rules to the firewall, WAF, and load balancer. Because a source IP may be spoofed or shared (corporate NAT, CDN or proxy egress, a vulnerability scanner the company runs itself), automatic blocks should skip internal and allowlisted ranges and expire after a fixed period rather than remain in place indefinitely.
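The following is an added example, not code from the original page or from any Alibaba Cloud product, showing how the classification table above and the automated scenarios just listed fit together in a small response planner. It grades alerts with the per-category rules from the table (WAF and security-center alerts keep the product's own level, DDoS is high when the business is down, emergency vulnerabilities are always high), then turns high-severity alerts into playbook actions: a temporary IP block for application and system incidents, a DDoS-protection action for network incidents, and patch jobs for vulnerability events. The alert fields, playbook names, allowlist, internal ranges, and sample alerts are all assumptions constructed for the example.

```python
"""Automated emergency-response planner (added example with hypothetical
alert fields and playbook names; not a real SIEM or cloud product API)."""
import ipaddress
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import List, Optional

LEVELS = {"low": 1, "medium": 2, "high": 3}
AUTO_BLOCK_MIN = "high"          # below this level, blocking is left to an analyst
BLOCK_TTL = timedelta(hours=24)  # automatic blocks expire; attacker IPs churn
# Ranges that must never be auto-blocked (assumed internal address space).
# Checked explicitly rather than via ip.is_private, which in Python also
# covers the documentation ranges used for the sample data below.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]


@dataclass(frozen=True)
class Action:
    playbook: str
    target: str
    expires_at: Optional[datetime] = None


def grade(alert: dict) -> str:
    """Return 'low', 'medium' or 'high' following the classification table."""
    src = alert["source"]
    if src in ("waf", "security_center"):
        # Application/system incidents: reuse the level the product attached.
        return alert.get("severity", "medium")
    if src == "ddos":
        # Network incidents: high when the business is actually unavailable.
        return "high" if alert.get("business_down") else "medium"
    if src == "vuln":
        # Vulnerability incidents: emergency vulnerabilities are always high.
        return "high" if alert.get("emergency") else alert.get("severity", "medium")
    # Stability incidents and data-leak intelligence are rated high by default.
    return "high"


def blockable(raw: str, allowlist) -> bool:
    """True only for a valid address outside internal and allowlisted ranges."""
    try:
        ip = ipaddress.ip_address(raw)
    except ValueError:
        return False
    return not any(ip in net for net in INTERNAL + list(allowlist))


def plan(alerts, allowlist, now: datetime) -> List[Action]:
    """Map alerts to de-duplicated playbook actions."""
    actions: List[Action] = []
    seen = set()

    def emit(playbook, target, expires_at=None):
        if (playbook, target) not in seen:          # one action per target
            seen.add((playbook, target))
            actions.append(Action(playbook, target, expires_at))

    for alert in alerts:
        level, src = grade(alert), alert["source"]
        if src == "ddos" and level == "high":
            emit("enable_ddos_protection", alert["target"])
        elif src == "vuln" and level == "high":
            pb = "patch_with_reboot" if alert.get("reboot") else "patch_in_place"
            for host in alert.get("hosts", []):
                emit(pb, host)
        elif src in ("waf", "security_center"):
            ip = alert.get("src_ip", "")
            if LEVELS[level] >= LEVELS[AUTO_BLOCK_MIN] and blockable(ip, allowlist):
                emit("block_ip", ip, now + BLOCK_TTL)
            else:
                emit("manual_review", ip)            # low level, internal, or allowlisted
        else:
            emit("manual_review", alert.get("target", src))
    return actions


# Constructed sample alerts (documentation address ranges), not real data.
SAMPLE_ALERTS = [
    {"source": "waf", "severity": "high", "attack": "sqli", "src_ip": "203.0.113.7"},
    {"source": "waf", "severity": "high", "attack": "sqli", "src_ip": "203.0.113.7"},  # duplicate
    {"source": "waf", "severity": "high", "attack": "xss", "src_ip": "198.51.100.20"},  # own scanner
    {"source": "waf", "severity": "low", "attack": "scan", "src_ip": "203.0.113.9"},
    {"source": "security_center", "severity": "high", "event": "ransomware", "src_ip": "10.0.0.5"},
    {"source": "ddos", "target": "lb-web-01", "business_down": True},
    {"source": "vuln", "emergency": True, "name": "log4j", "reboot": False, "hosts": ["web-1", "web-2"]},
]
ALLOWLIST = [ipaddress.ip_network("198.51.100.0/24")]   # assumed company scanner range
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)         # fixed clock for the sample run


def main():
    for action in plan(SAMPLE_ALERTS, ALLOWLIST, NOW):
        print(action)


if __name__ == "__main__":
    main()
```

On the sample data the planner emits exactly one block for 203.0.113.7 (the duplicate alert is collapsed), sends the allowlisted scanner, the low-severity scan, and the internal 10.0.0.5 source to manual review instead of blocking them, raises the DDoS-protection action, and schedules an in-place patch for each listed host. Wiring the emitted actions to a real firewall, WAF, or patch system is the integration step a SOAR platform would provide.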
Simulated Attack Verification
To verify the processes, classifications, contingency plans, and response scenarios of emergency response, an enterprise can launch simulated attacks against its core business systems using red and blue teams to assess its overall emergency response capabilities.
Red Team: The Red Team, also known as the attack team, plays the attacker in the simulated attack. Taking the attacker's perspective, it simulates an intrusion into the target systems along the MITRE ATT&CK attack chain. This evaluates the effectiveness of the enterprise's overall defensive system and verifies that security operations staff can identify, monitor, and respond to the resulting incidents.
Blue Team: The Blue Team, also known as the defense team, consists of members of the company's SOC (Security Operation Center). It is responsible for defining and grading security events and for identifying, monitoring, analyzing, and responding to incidents. During a red-blue exercise, the Blue Team should respond quickly to the alarms generated by the attack using its pre-defined monitoring rules, analysis methods, and emergency response processes. This lets the team practice against attacks in a simulated environment and strengthens its readiness for real emergencies.
Simulated attacks can be used to verify and optimize the effectiveness of defense and emergency response measures.