Thursday, August 15, 2013

Modeling IR Program Maturity

If you ask IT managers about improving something, you're very likely to get some kind of response that is grounded in the notion of process maturity.  One of the most common ways of considering process maturity at a high-level is the Capability Maturity Model Integration model (CMMI) developed by Carnegie Melon University.

CMMI models often contain five levels of process maturity ranging from ad-hoc processes (heroics) to processes that are highly optimized (continual improvement).

It is interesting to consider how Incident Response maturity levels might be expressed using a CMMI perspective and what type of differentiating processes might be found at each level of development.  In a recent talk, I offered my own take on IR maturity and capability levels (see diagram below).

This model takes into account two core capabilities that are critical to IR success:
  • Threat Awareness - Our ability to have accurate and reliable information concerning the presence of threat actors, their intentions, their historical activities, and how our defenses relate to all of the aforementioned.
  • Agility - Our ability to quickly and sufficiently isolate, eradicate, and return the business to normal operations.
By relating these two attributes to common and/or emerging IR program states, we can map out roughly five stages of maturity and capability:


Level 1 Reactive / Adhoc
This is the "nuke-from-orbit" approach that, unfortunately, too many organizations still employ when they discover a compromised asset.   By re-imaging or restoring the system from backups, it is possible to get back to business very quickly (high agility), but no real knowledge is gained of how the system was hacked, why it was hacked, and what it was used for once compromised (threat awareness).

Level 2 Tool Driven / Signature Based
At this phase, organizations adopt automated tools that look for potential compromises in the environment.  These are often signature driven tools (AV, IDS, etc) that provide some automated alerts of potential compromises.  Remediation of these compromised systems is also driven by tools sometimes in an effort to "clean" a system of compromise (which is incidentally not a good idea).

Level 3 Process Driven
At this phase, organizations have adopted internal formal IR roles, processes, and governance structures.  For many organizations, this is the ideal state of operations where attacks are detected, analyzed, and addressed in a cost-effective and repeatable manner.  The only deficiency with this model is that dealing with targeted attacks requires more than just good processes. 
Important Papers/Documentation: NIST 800-61

Level 4 Intelligence Driven
For many large organizations, intelligence-driven IR is the now the goal due to the prevalence of APT risks. This IR level requires having a more detailed and up-to-date understanding of threat actors including their objectives, motivation, and their TTP profile (tools, tactics, procedures).  This knowledge of adversarial disposition is then used to architect security defenses and detective controls in a manner that allows for discrete actions to be taken to disrupt, degrade, and deny the ability of an adversary to reach their objectives.
Important Papers/Documentation: Intelligence Driven Computer Network Defense (Lockheed Martin)

Level 5 Predictive Defense
Predictive defense is still an area that is very new.  Terms like "active defense" seem to also be used describe this level of operations but cause a great deal of confusion.  At its heart this approach involves convergence of IR processes and adaptive defensive architecture that can be used to "waylay" adversaries when they enter, operate, and move within protected environments.   I suspect one of the key characteristics of this model will ultimately be the ability to develop capabilities that allow deception and denial operations.

For an idea of what this might look like, check out this presentation by MITRE researchers:

Active Cyber Network Defense with Denial 

Finding The Right Level
It is important for us to consider our IR program maturity and capabilities in relation the threats that we are most likely to face and the scope of impact these threats can create.

If you are a SMB, then it probably doesn't make a great deal of  financial sense to go beyond a level 3 state of preparedness (having a maintained plan, concrete roles/responsibilities, lines of communication, established response procedures).  Getting to this point is in fact a great deal of work for many organizations and allows for cost-effective management of the lion's share of security incidents related to "drive-by attacks".

However if your organization maintains valuable intellectual property or has a highly recognized brand, then you've probably already realize that just having a formal IR plan and processes is not sufficient to deal with the risk of targeted intrusions.  For these risks, we have to begin to think more in terms of chess than checkers.  A great place to start thinking about some of these issues is the seminal paper Intelligence Driven Computer Network Defense.

Ideas/Further Reading?
What are your ideas about how IR process maturity and capabilities can be logically grouped?  Is a five stage model sufficient?  I'd love to hear your thoughts.

Active Defense Harbinger Distribution (ADHD) - ( Linux distro that SANS uses in their active defense classes.)

How Lockheed Martin's 'Kill Chain' Stopped SecurID Attack  (Short article on Kill Chain Framework)

Diagram APT Life-Cycle