What is Incident Response?
Incident response is a process that allows you to respond quickly and effectively to a cybersecurity breach. The objective of incident response is to detect attacks, mitigate the damage to the organization, and eliminate the root cause of the security incident. A security incident is any violation of an organizational policy, law, or accepted behavioral standards related to an organization’s data and digital assets.
Responding quickly to a security incident helps reduce the losses incurred by your organization. It allows you to rapidly restore services and business processes, contain attacks, and reduce exploitable vulnerabilities. Failing to control security events can result in catastrophic data breaches, damaging your business operations and reputation.
Incident response is a first-line defense against data breaches and other security incidents, helping establish countermeasures to protect against a long-term breach.
What is Web Application Security?
Web app security, a growing field within application security, protects web applications, websites, and web-based services from malicious actors attempting to exploit vulnerable application code. It protects against malicious threats by applying application security principles to Internet-facing systems.
Cybercriminals view web applications as an attractive target for the following reasons:
- Complexity—web apps have inherent complex source code, making it likely that an app contains unpatched vulnerabilities or is open to code manipulation.
- High-value rewards—attackers can manipulate source code to access valuable data, including personal and sensitive business information.
- Easy execution—attacking web applications is usually easy with automation and large-scale attacks targeting multiple sites simultaneously.
Failing to secure your web applications adequately leaves you at a high risk of attack. Web-based attacks can lead to data theft, damage to customer relationships, revocation of licenses, and legal penalties.
Web application vulnerabilities can expose your organization to these common attack vectors:
- SQL injection—the attacker manipulates the back-end database with malicious SQL code. It can result in unauthorized data listing, deletion of tables, or unauthorized admin-level access.
- Cross-site scripting (XSS)—the attacker targets the application’s users. It allows the attacker to install Trojans, compromise user accounts, or modify page content. Stored XSS is an especially dangerous vector that continuously injects malicious code into applications. Reflective XSS occurs when an application reflects a malicious script to the browser.
- Remote file inclusion (RFI)—the attacker remotely inserts files into the web application server. It enables the execution of malicious code in applications, compromised web servers, and data theft.
- Cross-site request forgery (CSRF)—the attacker exploits an open user session to induce the user’s browser to perform malicious actions without the user’s knowledge. It can result in unauthorized money transfers, data theft, and password changes.
Incident Response Steps for Web Application Security
SANS and NIST are the most widely used frameworks for incident response—these frameworks have slight differences but use the same core processes. The following key steps form the basic incident response process for a web application security program.
This step is the most crucial part of the incident response process. Before protecting your web applications, you must identify all your assets and locate all data—map data based on its storage location, access privileges, and business criticality.
Conduct a risk assessment to identify potential attack vectors and prioritize security events. You might use threat intelligence and modeling to inform your security policies. Identify vulnerabilities and security gaps in your system, for example, by running vulnerability scans.
The preparation stage is also when you establish an incident response team to implement the plan. In a smaller organization, this could be the same team that manages the website. In a larger organization, it could be a dedicated computer software incident response team (CSIRT).
Many data breaches and web-based attacks go undetected for weeks or months. Identifying threats that don’t directly impact your operations is especially difficult.
Monitor and log all application-level activity to detect unusual behavior, such as the suspicious creation of user accounts or repeated attempts to access restricted assets. A security information and event management (SIEM) tool can help coordinate your monitoring efforts.
Use a current web vulnerability scanning solution to test your web apps regularly. Scanners help prevent exploits of known vulnerabilities and can identify new, previously hidden vulnerabilities and zero-day attacks.
After detecting a security incident, the incident response team should triage it and determine the appropriate course of action to reduce the short-term impact and stop minor incidents from escalating into large-scale attacks.
For example, the security team might block the attack using web application firewall (WAF) rules. The web application firewall can block active exploits and prevent further damage.
Once you’ve contained the immediate threat, you must address it more permanently, applying long-term fixes and eradicating the threat from the system. For example, the security team might use a vulnerability report to inform developers of the fixes required.
After a data breach, you might also have a legal obligation to notify data owners (i.e., per the GDPR). The jurisdiction and data class will determine whether you must report the incident to the relevant authorities and provide updates when new information is available.
Not all security incidents require comprehensive disaster recovery processes but having a recovery plan is essential to prepare for all possible threats against your web apps. IT security involves a highly interconnected environment—web application breaches might be a part of broader attacks that affect other systems and jeopardize business continuity.
The main objective of the recovery process is to restore normal business operations and services with minimal disruption. It also involves verifying the full eradication of the threat.
After eliminating the threat, you can learn from the incident by conducting a root cause or forensic analysis. This step is especially important for enhancing your organization’s security posture in the long term, allowing you to block future attacks that reuse or adapt old techniques.
Analyze every security incident to identify the weaknesses that enabled the exploit. Now you can return to the first step and prepare for future threats.
In this article, I explained the basics of web application security and showed the steps you should take to create an incident response process for your mission critical websites:
- Preparation – create an incident response plan and define roles and responsibilities.
- Detection – ensure you have logging and monitoring systems in place to detect unusual or potentially malicious activity on your websites.
- Containment – ensure you have both automated tools, such as a WAF, and manual processes to immediately respond and limit the impact of a security incident.
- Remediation – take action to identify the root cause of the incident and eradicate it.
- Recovery – recover affected systems to working production state.
- Post-recovery – learn from each incident to improve your security controls and processes.
I hope this will be useful as you level up your web application security process.