Nettitude Blog

Cyber Breaches - Response In Depth (RID)

Posted by Ben Densham on Oct 28, 2014 9:42:12 AM

We know that our mind-sets need to shift these days and we must start by expecting to be hacked, but what then? How do we really manage an effective, secure environment? What steps do we need to consider?

Recent attacks involving very targeted delivery mechanisms and custom developed malware have demonstrated that people are often the weakest point in our security. Indeed, the chance of even the most seasoned security professional clicking on a link or opening an attachment, in a moment of distraction is all too real.

We also know that with an increasingly mobile borderless network, maintaining control over all our entry and exhit points, and knowing where our sensitive data resides, is becoming harder.

But if we accept that the traditional view that security assurance can be found in layers of security, (in other words, security in depth), is not enough, what is it that we should actually be doing?


 Expect to be Breached

There is a sense within some industries that we are losing control. The fight to protect our systems from malicious users appears to be too hard, or too big. The unknown unknowns seem to be too numerous. Do we just give over to the APT attacks and the targeting phishing emails? Do we resign ourselves to the fact that the risk of a breach is high and that the only response is hopefully thinking? Or are their solid, practical approaches can be taken that really will address the new level of risk we face?

Getting your business to expect a breach is the starting point, which will in itself have a sobering effect as the consequence of this becomes understood. Waking up to the level of risk your business may be in, can be painful, but it is a necessary step. Studies have been done looking at the financial and reputation impact a breach has on companies, and how this can be mitigated by an organisation waking up to the real risks and doing something about it prior to the breach taking place. (

All retail businesses, for instance, need to have a data breach on their risk registers as recent events have shown this sector to be at a high level risk. It absolutely could happen to you!

So how can organisations develop a proactive response?

Let’s review 3 cyber strategies here that will help:

  1. Response In Depth
  2. 360 Degree Security
  3. The Avocado and the Coconut


Strategy 1: Response In Depth

Response-in-Depth -Nettitude Lockheed Martin developed the ‘Kill Chain’ concept back in 2011 to map out the process through which a cyber-breach takes place. This has been adapted by various sources but now forms the bedrock of various standards and cyber strategies.

The focus here is not so much on security in depth (i.e. a reliance on your layers of patching, authentication, firewalls, anti-virus, etc.) to protect you, but rather on the ability to respond when breached. The kill chain reveals multiple steps where preventative action can be taken if they are detected.

Example from a recent high-profile retail breach: Target

Being breached does not need to be game over.

  • If Target had detected and responded when they were first under reconnaissance, prior to any POS malware entering their estate, things would have been very different
  • If Target had detected and responded when the first malware was delivered, things would have been very different
  • If Target has detected and responded when the first malware stared to export card holder data, things could have been very different

We now know that some elements of detection were in place within Target, but the response was not delivered.

The ‘Kill Chain’ in effect identifies multiple opportunities for organisations to detect, and react, to a breach. The challenge is that in many cases, hardly any of the stages are capable of being monitored or detected within organisations – let alone provide an effective response.

How does this relate to my environment?

For example, if you can identify via threat intelligence, or other external sources that your company is being, or is going to be, targeted, then you can do something about it. If you can detect when payloads are delivered into your network, you can do something about it or when the command and control functions start up, and so on.

Finding and applying the right technologies, logging capabilities and monitoring solutions is therefore critical and should be there to give you as much warning of the early stages, so that you have time to act before they have got to the point of data extraction.

But in parallel, a solid approach to the process of gathering alerts, determining the actions and responding effectively is critical.

This is where focus and attention is needed on ‘Response in Depth’. Assurance and the ability to identify risks are reduced to an acceptable level with proven methodologies, technologies and processes around response.


What is the RID model?

There are 6 steps that can be applied to Response in Depth (RID), as follows:

Response In Depth

General Approach

The steps below describe the actions needed. These may be automated activities, manual investigations, or most probably a combination of both. Having an effective response means that you are given the required actions and can carry them out in a timely manner. Tools and systems can be used to deliver this, but even at its most basic, giving an administrator an action plan can dramatically reduce the impact of a breach.

The use and development of automation is great for log analysis and alerting of indicators of compromise (IOC’s). It is almost impossible to manually review this amount of data. However, the remediation and response actions will often require more manual action as the disparity in tools, interfaces, protocols and platforms remains.

RID Step 1: Detect

Detection can come from a number of bases and touch points but includes the collection and retention of source data. This includes technical log sources (servers, databases, security products, etc.), threat intelligence, proactive investigations and from hunting on the network.

Log Source DataKey Log Sources

Your logs and information sources are critical. Not only do you need to be collecting the right amount of information for each system but also for the right systems within your environment. Log collection can be taken as a panacea to security, but the following considerations must be met for this to be effective:

  • The right log sources must be plugged in to your centralised logging reporting system (no black holes within your environment).
  • The volume must be set at the right level so that your security events are not missed (‘’Are you seeing all the events types and follow on actions required?’’).
  • The correct events from each log source must be reported (often too much log data is collected but this is because it’s the wrong data).

But information from other processes and systems should also be considered.


Threat Intelligence Data

Threat-Intelligence-DataThreat Intelligence data is still an emerging market and definition but this often falls into a number of types including technical data, such as IP blacklists, domain names and email addresses, criminal/hacktivist data, from monitoring the IRC channels and dark web communications and public databases, such as scanning for documents and information published on the web about employees or the organisation.

This enables the ability to analyse this data from multiple feeds via defined messages and services, such as TAXI - Trusted Automated eXchange of Indicator Information). Threat data can be represented through the use of a standard, structured language (STIX - Structured Threat Information eXpression) and all events and statuses represented within a standardised schema (CybOX - Cyber Observable eXpression).

Proactive hunting for suspected breaches, investigating process failures and investigating third party activities can all lead to sources for detecting helpful information.

The first step is to ensure the right logs are being captured. Knowing why log data is being collected is important too. Often the logs required for detection of malicious or unwanted events are different to the logs required for forensic analysis and investigation – but if you don’t plan to collect them, you will not be able to go back afterwards!

[av_icon_box position='left_content' boxed='' icon='ue83f' font='entypo-fontello' title='TYPICAL ACTIONS:' link='' linktarget='' linkelement='' font_color='custom' custom_title='#8da8e3' custom_content='#8da8e3' color='custom' custom_bg='' custom_font='#8da8e3' custom_border='']

Logs generated on firewalls, domain controllers, proxy devices, databases and security tools/systems are confirmed to generate the right level of logs. This includes physical door entry systems, CCTV alerts and threat intelligence regarding your organisation. Information from external sources is gathered and made available in the right format.

RID Step 2: Aggregate

Log data needs to be collected at source and then collated together. In order to establish a common format, it needs to be normalised into defined meta data and structures.

The conventional way to do this aggregation is through some form of centralised log collection system, which can correlate and normalise this data into a format that can be standardised.

Once centralised and normalised, the aggregation of data from logs, threat intelligence sources and other systems can be evaluated together. This aggregated data will generate events which require focus and investigation. These will all be indicators of compromise that will be highlighted for further analysis.

[av_icon_box position='left_content' boxed='' icon='ue83f' font='entypo-fontello' title='TYPICAL ACTIONS:' link='' linktarget='' linkelement='' font_color='custom' custom_title='#8da8e3' custom_content='#8da8e3' color='custom' custom_bg='' custom_font='#8da8e3' custom_border='']

Data from all sources is aggregated in order to determine if events affecting one system are linked to events on another system. Logs are sent to a centralised platform where they can be normalised (put into a standard, common format) and correlated (duplicates removed, time stamps aligned etc.)

RID Step 3: Analyse

Collecting your log data, threat intelligence data and other information is one challenge. However, in order to do anything useful with it, some form of analysis needs to take place. Value needs to be assigned to the data, metadata generated and its worth in terms of the mission understood.

The environmental factors around the situation where the data is collected, or the system to which it relates, will also need to be factored in. What are the areas of risk or concern for your environment? What type of behaviour indicates/warrants investigation?

However, log data at this stage may not have significant value until it is brought together with other correlated events.

The purpose of the analysis stage is to investigate trends, baselines and behaviours from the environment

[av_icon_box position='left_content' boxed='' icon='ue83f' font='entypo-fontello' title='TYPICAL ACTIONS:' link='' linktarget='' linkelement='' font_color='custom' custom_title='#8da8e3' custom_content='#8da8e3' color='custom' custom_bg='' custom_font='#8da8e3' custom_border='']

Multiple sources of information will be correlated together. A common timeline of actions will be built up showing the root cause and the final effect of activity and actions within the environment. An analysis of trends and behaviours can then be completed and anomalies indicated.

RID Step 4: Identify

The IoC’s generated from the aggregated data will allow the identification of breach events, malicious activity and security breaches. From this, actionable events will be determined which will then allow an effective response to take place.

[av_icon_box position='left_content' boxed='' icon='ue83f' font='entypo-fontello' title='TYPICAL ACTIONS:' link='' linktarget='' linkelement='' font_color='custom' custom_title='#8da8e3' custom_content='#8da8e3' color='custom' custom_bg='' custom_font='#8da8e3' custom_border='']

IoC will be determined showing potential system settings that have changed, applications that were installed, beacons that left the environment, data that was being exported, etc. These events can be fully investigated and escalated as required.

RID Step 5: Respond

The actual response can be broken down into three further sub steps, as follows:

RID Step 5.1: Contain

The initial actions will be designed to contain the breach. These actions must identify affected systems, confirm the extent to which the environment has been affected and isolate, or prevent the breach from delivering on its indented goal. It may not be possible to fully understand the breach intent at this stage, but the focus is to contain the affected systems until this can be determined.

An investigation into the purpose and operation of any malware, compromise or change in settings/process must be understood in order to move on to the next step.

[av_icon_box position='left_content' boxed='' icon='ue83f' font='entypo-fontello' title='TYPICAL ACTIONS:' link='' linktarget='' linkelement='' font_color='custom' custom_title='#8da8e3' custom_content='#8da8e3' color='custom' custom_bg='' custom_font='#8da8e3' custom_border='']

Malware analysis, sandboxing, host/network based investigations. The isolation of systems from the network, preventing user activities and/or third party/customer access.

Example: Phishing email delivers a PDF payload that is forwarded to three internal staff. Emails and end points need to be isolated until the investigation has been completed.

RID Step 5.2: Remediate

Once the purpose and actions of the compromise have been determined, remediation needs to be conducted. This may include the patching of any vulnerabilities exploited, the reversing of any settings changed, the removal of any rootkits, malware, Trojans or implants and the updating of any FIM, whitelisting, other security signatures or configurations.

A method of preventing the compromise re-occurring, the ability to detect if any other system has been compromised and the ability to return to a secure, uncompromised state needs to be achieved.

[av_icon_box position='left_content' boxed='' icon='ue83f' font='entypo-fontello' title='TYPICAL ACTIONS:' link='' linktarget='' linkelement='' font_color='custom' custom_title='#8da8e3' custom_content='#8da8e3' color='custom' custom_bg='' custom_font='#8da8e3' custom_border='']

Workstations rebuilt from secure image, system patches applied, whitelists updated, signatures for AV/IPS/IDS updated.

RID Step 5.3: Recover

The final stage is to recover any services that have been affected. This may involve rebuilding systems, recovering from any DR capabilities and testing operational systems’ security.

[av_icon_box position='left_content' boxed='' icon='ue83f' font='entypo-fontello' title='TYPICAL ACTIONS:' link='' linktarget='' linkelement='' font_color='custom' custom_title='#8da8e3' custom_content='#8da8e3' color='custom' custom_bg='' custom_font='#8da8e3' custom_border='']

Reverting from any DR actions, recovering operational applications/system access determining the larger business effect of any compromised systems or data.

RID Step 6: Improve

Once the incident is complete and the systems are recovered, a process to review the impact of the compromise is enacted. Any lessons to be learnt, processes to be adapted, areas of improvement identified. Questions to be asked are:

  1. Could we have detected this breach earlier?
  2. Did the right systems generate the right alerts at the right times?
  3. Was the action taken appropriate for the compromise?
  4. What was the overall impact of the compromise?
  5. Was the response effective is dealing with the compromise?

[av_icon_box position='left_content' boxed='' icon='ue83f' font='entypo-fontello' title='TYPICAL ACTIONS:' link='' linktarget='' linkelement='' font_color='custom' custom_title='#8da8e3' custom_content='#8da8e3' color='custom' custom_bg='' custom_font='#8da8e3' custom_border='']

Governance teams and security groups meet to review the incident, actions taken and the response delivered. Changes are updated to the system and process to ensure the right level of assurance is being maintained.


Strategy 2: 360 Degree Security

Your Response in Depth (RID) process needs to be understood within a holistic approach to security. Knowing what to protect (assets of value), and ensuring the right controls are in place to address the risk is a vital first step. Once you have secured your assets, you need to verify their protection through appropriate testing and simulation. A process of improvement, governance and change management will provide ongoing confidence in the controls whilst a proactive monitoring and response mechanism allows for  events and suspected breaches to be dealt with as they occur.

Many organisations start with their controls, especially their technical controls, but until a risk assessment on your assets of value has been conducted, you may not know which controls will be effective and where they should be placed or configured.

360 Degree


1: Assets

Assets to protect may include people, data, locations and IP (Intellectual Property) as they all have value.

Understanding your assets, where they are, how they are accessed is vital.


2: Secure – (Technology & Processes)

First, you then need to secure your assets. You implement controls, processes and technology to protect them. You deliver firewalls, access controls, applications and products – as well as third parties and procedures to protect your assets of high value.

Like anything in IT – your technology cannot stand still. New threats and ways of being breached mean that your controls must be kept up to date to be effective.


3: Test (Intelligence-led Testing)Test-intelligence-led-testing

How do you know you have configured your firewall correctly? Or that the last change to the AD Group policy, didn’t break your password controls? If a phishing email is opened or malware introduced, how and when would you know it?

You simulate the threats coming after your assets of high value and determine if they are protected, based on context and risk, through intelligence led testing. Next generation testing must be led by the real threats and attack vectors used by malicious users.

This is far more than just another compliance control.


4: Improve (Security Governance)

Why are you protecting your assets? What are the risks? How have these been measured?

A point in time test may not be valid, appropriate or relevant a few months later. You must constantly review, improve and evaluate your environment.

Manage your risks, conduct audit activities, and ensure through governance that the controls and testing is really protecting your assets of high value.

You will train your staff around security best practice; you will meet industry guidelines and best practice advice. You will verify third parties and see the big picture concerning your assets of high value.


5: Monitor (Incident Response)Nettitudes 360 Degree policy

How do you know what is going on in your network/environment? Are you aware of when the threats are getting close or knocking on the door?

Data breach reports (e.g. from Verizon, Mandiant etc.) show that the majority of breaches go undetected for 160 – 240 days! That is over six months – for all this time the hackers are in and taking data from their victims.

Can you identify a breach? Can you contain it before any data extraction/full system compromise?

Having eyes on your network, applications and systems is vital. Proactive monitoring leading into a well-developed incident response plan where training, simulation and feedback develops your response to ensure it is effective if ever needed.

Often in a penetration test we may compromise a server, access sensitive data or elevate our privileges to admin/root. We often ask people – Did you know that on Tuesday at 4pm we had full control of your database? Did your logging system alert you to this fact and would you have known about it/been able to take action? Do you staff know how to deal with these events?


6: Policy

Policy and procedures cover all of this information. Not only do you need to know what you’re doing but so does the guy next to you. The company needs to be clear to all staff, third parties, contractors, etc. what is expected of them.

Third party security assessments, knowing both their responsibilities and yours – and knowing that they are maintaining the standards you expect. Third party security and access is often a key area of high risk.


7: Interlinked

All these areas are interlinked and overlap – proving a cohesive, holistic security-in-depth approach to protecting your assets of high value.

8: Summary

The parts of the wheel deliver these holistic security services to your business. The strength of a wheel comes from the sum of its parts:

  1. Oversight & governance
  2. Technology & processes
  3. Intelligence led testing
  4. Response in depth


Next steps?

So, you need to protect your assets by:

SECURE your network, people and processes. You need to deploy and configure Firewalls, IPS, FIM, Encryption and anti-virus. Consider next generation technology and controls – Whitelisting, payload detonations, single pane of glass actionable events, etc.

You need to TEST your network, systems, applications and people. Focused penetration testing on your web server right through to social engineering and red teaming exercises that simulate the real threats out there.

You need a GOVERNANCE process that seeks to evaluate and improve your IT security through risk assessments and risk methodologies, security awareness training, security governance and compliance/audit activities.

You need to MONITOR your environment and provide proactive monitoring of your security events. A Response in Depth (RID) process allows effective actions when a breach is detected.

All of this should be clearly documented in your POLICY, procedures and third party contracts to ensure everyone knows what they are doing and why.

Final Thought

Above all, you need to deliver a holistic approach to securing your assets of high value.

The focus here is on security assurance. You need to be assured that your network, systems, applications and people are protected against the threats and real risks presented.

[av_hr class='full' height='50' shadow='no-shadow' position='center' custom_border='av-border-thin' custom_width='50px' custom_border_color='' custom_margin_top='30px' custom_margin_bottom='30px' icon_select='yes' custom_icon_color='' icon='ue808' font='entypo-fontello']

Strategy 3: A Hardened Core (The Coconut and Avocado)A-hardcore

To assist with delivering an effective Response in Depth (RID) within a holistic security approach, a fresh look at our data protection is required.

The way in which most organisations interact with their customers, users, suppliers and other third parties is via email and the internet. Social media, collaboration tools, cloud services and mobile/BYOD environments all contribute to a risk which is often unacknowledged or at the very least glossed over.

A simple, well-constructed phishing email can penetrate the most well configured firewall, IPS and network perimeter. As a business you need to recognise that some areas carry higher risk.

Traditionally, organisations would have hardened their perimeter in order to offer a level of security and safety. However, the hardened shell of a coconut can these days be full of holes through legitimate business approved means.

Harden the core

Harden the coreAccepting a level of risk in your internet connected and email environment is important. This part of your network is in effect your DMZ. Recognising that any secure data needs to be protected beyond this, is a key concept to take on board.


Within your hardened core, set out to:

  • Protect your important data - like products, IP, client PII and contracts
  • Protect their key processes
  • Protect their critical applications, like finance and HR, etc.
  • Protect overall infrastructures and systems



You don’t leave home with your most precious valuables left on the kitchen table, with the doors open, lights on and alarms off. For your business, knowing what needs to be protected, that it is properly secured, the controls tested and the response if the alarms go off are working, is just as important.



To contact Nettitude's editor, please email

Topics: Security Blog, Uncategorized

About Nettitude

Nettitude is the trusted cyber security provider to thousands of businesses around the world. We stop at nothing to keep your data and business secure in an age of ever-evolving cyber threats.

In 2018, Nettitude became part of Lloyd’s Register, an 8,000 person strong professional services organisation, with 300 years of heritage in safety and risk management. Nettitude now provides true global coverage, through a network of over 180 offices strategically placed around the globe.

Subscribe Here!

Recent Posts