Cyber Teams
Howard Poston, Oct 22, 2024
Publicly reporting security incidents has pros and cons. On the one hand, public reports are necessary for regulatory compliance.
They help prevent future incidents by educating users and other organizations about active cyberattack campaigns.
On the other hand, acknowledging a breach can result in brand damage, financial losses, and regulatory penalties.
Companies’ responses to security incidents have ranged from frank and helpful postmortems to attempted cover-ups that classify ransomware payments as “bug bounties.”
In recent years, several regulatory bodies—including the US’s Federal Trade Commission (FTC) and the European Union—have taken the decision of whether to disclose breaches out of organizations’ hands, instituting new breach reporting requirements.
These new requirements give organizations little time to investigate and triage breaches before the reporting deadline. This means today’s security teams need to have core incident investigation and response capabilities to ensure their ability to meet compliance requirements.
HTB powers cyber performance that meets tight incident reporting deadlines
NIS2 and other recent developments—SEC ruling, FTC safeguard rule, or the Cyber Incident Reporting for Critical Infrastructure Act of 2022—are raising the bar for incident reporting requirements. In order to meet them, companies need to shape threat-ready SOC teams and professionals.
Hack The Box workforce development plans are designed to enhance these key capabilities.
Several regulatory bodies around the world have published draft regulations or enacted laws with new incident reporting requirements.
These include:
Securities and Exchange Commission (SEC) Rules: Under new SEC rules, public companies in the U.S. must report “material” cybersecurity incidents within four days of determining their materiality.
Cybersecurity and Infrastructure Security Agency (CISA): The Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA) mandates that companies report substantial cybersecurity incidents within 72 hours and ransom payments within 24 hours.
NIS2 Directive: The EU’s NIS2 Directive requires an early warning of significant incidents within 24 hours of discovery, followed by an intermediate warning at 72 hours, and a final report within a month.
Federal Trade Commission (FTC) Safeguards Rule: The FTC Safeguards Rule mandates reporting incidents affecting over 500 customers within 30 days.
Recommended read: A guide to navigating the SEC “material” reporting rule.
These regulations and standards impose much tighter reporting deadlines than earlier laws did.
With the exception of certain industries or types of data, breach reporting was largely optional.
Now, some EU companies need to report security incidents to regulators within 24 hours of discovery.
In addition to ushering in a new era of breach transparency, these regulations also require an organization to have certain incident response capabilities in place.
Companies now need to be able to identify, triage, and contain incidents rapidly. This ensures:
They have the information needed to promptly make required reports
That a previously non-reportable incident doesn’t grow into one that is “material” or “significant”. (This also involves the ability to accurately assess “materiality” or “significance” in the absence of clear direction from regulators.)
Regulators are demanding that organizations report security incidents promptly after discovery when certain criteria are met. However, determining when and what to report requires a Security Operations Center (SOC) to have the right repertoire of capabilities.
A security team needs to be aware of its regulatory responsibilities, ideally before a breach occurs.
This includes knowing who to report an incident to, the criteria for doing so, and how to do so.
The best place to start might be the regulations themselves (and perhaps your legal team). Depending on where you’re located, those regulations may include:
United States:
European Union:
Described above are some of the far-reaching regulations with tight reporting deadlines. But they’re not the only ones. New regulations are being enacted regularly that could introduce new reporting requirements.
But knowing that these regulations exist is only half the battle. Security teams need to ensure they comply with them.
This is where developing incident response plans and running crisis-management tabletop exercises before an incident occurs ensures the organization is prepared to manage intrusions while meeting its compliance responsibilities.
The first step in the incident management process is identifying whether an incident has actually happened and when it occurred.
This involves collecting, aggregating, and analyzing alert data within the corporate SOC to differentiate between false positives and true threats.
From a regulatory perspective, prompt detection is essential to report and contain an incident.
The longer an intrusion goes undetected, the greater the threat to the organization. The longer an attacker's dwell time within the organization's systems, the more damage they can do, and the more difficult and costly the incident will be to remediate.
HTB Academy includes a learning path specifically designed for SOC analysts and digital forensics and incident response (DFIR) specialists.
This path includes several modules designed to support an organization’s ability to identify security incidents, including discussions of the incident handling process, security monitoring, log management, and more.
This path provides analysts with the foundational skills required to effectively identify potential threats to the organization.
After identifying an anomaly or malicious activity indicating a potential security threat, the next step is triage and assessment.
New rules either require that “material” incidents be reported or set a minimum number of affected customers above which reporting is mandatory. SOC teams therefore need the right skills to rapidly determine whether an incident must be reported and to document its “significance” and “materiality.”
The Triage and Assessment portions of the IR process are closely related:
Triage is determining the severity of a breach and how urgently the SOC needs to respond.
Assessment is determining the impact of a breach, such as how many people were affected and what kinds of data were exposed. Assessing the impact is also vital for regulatory reporting.
HTB’s SOC Analyst path includes content designed to support an organization's efforts to assess the potential scope and implications of a security incident.
Log management, network traffic analysis, and digital forensics are all vital skills for collecting the information required to conclusively determine what occurred on the organization’s network.
Once the security team understands what happened and its impact, it can take action to limit the scope of the intrusion and restore systems.
Containment may not be explicitly a part of reporting deadlines, but it’s still important. If systems are infected with malware, you need to stop the spread of that malware.
If an attacker still has access to a system, you need to remove their access.
Without proper containment, an incident that previously didn’t meet the requirements for mandatory reporting may expand to become “material” or cross the threshold of affected users.
The remediation stage is when you begin to fix the underlying issue.
After determining how an attacker gained access to a system, you can remediate the vulnerabilities they exploited. If an outdated piece of software gave them access, patch it to a new version. If they hacked someone’s account, enforce better password policies and permission management throughout the organization.
Regulators are actively working to improve transparency about security incidents, an effort that benefits customers and other organizations alike.
Being prepared for these evolving requirements is essential to avoid potential penalties for inadvertent non-compliance.
Security teams should be aware of their reporting responsibilities and incorporate these duties into incident response plans. Performing regular tabletop exercises and other simulations to test incident response plans helps ensure that teams have the processes, tools, and knowledge required to meet regulatory requirements.
Hack The Box helps security teams build the capabilities needed to meet regulatory requirements. With tight deadlines, security teams need to be able to quickly identify, triage, and contain an incident to satisfy their reporting obligations.