Chapter 2. What Are You Trying to Protect?

“You better check yourself before you wreck yourself.”

Ice Cube

Only when you know, and can describe, exactly what you are trying to protect can you develop an effective playbook and incident response program. You must have a solid understanding of what needs protecting. Starting with tools and technology is truly putting the cart before the horse. Remember that as defenders, we do not have the luxury of defining the attacks used against us. We can only decide what we believe is most important to protect and react when it is threatened. The attackers have their own ideas as to what’s valuable, but it’s up to us to determine where they are most likely to strike, and what’s at stake if we lose.

When we originally developed our playbook, some of our earliest requirements demanded that it enable us to:

  • Detect malware-infected machines

  • Detect advanced and sophisticated attacks

  • Detect suspicious network activity

  • Detect anomalous authentication attempts

  • Detect unauthorized changes and services

  • Describe and understand inbound and outbound traffic

  • Provide custom views into critical environments

It’s impossible to determine your risk (and subsequently how to manage it) if you are not aware of what you have and what you have to lose. An unknown system, with no log information and not even a reasonable way to trace back to the host, presents a significant risk to the organization. Imagine a datacenter filled with a ...
