Incident response for a cyber attack is a complex process, which requires pre-planning. Brian Hussey looks at why organizations should have an incident response in place and provides an overview of the steps to take.
In the world of cyber security, one of the main aims of a hacker is to negatively impact a business without being noticed. The longer they can spend undetected in an organization’s system, the more damage they can do. Every organization is a potential target, regardless of size, however, not every organization is equipped with a comprehensive incident readiness and response (IR) plan. Without an IR plan in place, your business is being left wide open to cyber attack.
Effective incident response isn’t achieved overnight, however. Cyber security is a fast-moving discipline which is constantly changing. To get an incident response plan in place and infuse some stability into the process, it’s advisable to slow down and take the time to assess and identify the areas that require the most attention.
As documented in the 2017 Trustwave Global Security Report, we observed the median number of days from first intrusion to detection of the compromise fell from 80.5 days in 2015 to 49 days in 2016. In some cases, a compromise went undetected for almost 2000 days (more than five years), however, there were also compromises detected immediately.
What drives incident readiness and response?
There are several factors that drive incident readiness and response. Advanced threats are hitting companies from all directions. Historically, these attacks were opportunistic, but now they are far more targeted at specific organizations. This is most likely because the required tools are easily accessible, very sophisticated and designed to make detection difficult. The ever-growing attack surface is enticing cyber criminals to look for a pathway into an organization. A rising number of endpoints, applications, mobile devices and the Internet of Things devices, as well as potentially vulnerable third-party vendors, all represent possible entry points.
The skills shortage is a contributing factor which can drive an organization to prepare an IR program. Many companies do not have enough skilled employees to keep them safe from cyber criminals. The abundant supply of services readily available on the dark web for hackers only adds to the need for an IR plan. Many organizations will have first line defences in place such as firewalls and anti-virus and that is a good starting point, but to defend against today’s sophisticated cyber threats, a more offensive approach is necessary. Penetration testing, threat hunting and endpoint detection and response will strengthen an IR plan.
Implementing more offensive services, such as threat hunting and penetration testing, is what is needed - but some organizations may not have the manpower or budget for this. With the EU GDPR coming into effect in May, many businesses will choose to implement an IR plan as part of their preparations to ensure they will be compliant. This is where managed security services providers can assist and work alongside the existing security team to deploy these services.
Are you ready?
Getting your organization in good shape requires a lot of work. This work load can be reduced if there is an existing security framework in place. Conducting a risk assessment should be first on the list. Documenting systems inventories to identify the assets you have and where they reside is essential – if you don't know what you have or where they are, how can you defend them? Incorporating regular internal security scans and penetration tests to understand your attack surface and weaknesses, will help you with incident readiness.
Educating all levels of non-IT employees, from the C-Suite to junior members of staff, in security best practices will add to your defences. The more people who are security savvy, the more likely suspicious activity will be picked up and reported on.
Shifting focus from prevention to detection and incorporating proactive threat hunting techniques will uncover malicious activity, which could otherwise be missed by traditional firewalls and antivirus. Early detection is key to mitigating the cost and damage of an attack, not to mention the negative impact it can cause to the organization's reputation.
You've been hit, what next?
So, the worst has happened, and your organization's network has been compromised - what should be done next? Containment and eradication of the threat is the primary concern. The breadth and scope of the incident needs to be verified so the case can be assessed. Once the security team know what they are dealing with, they can stop the attackers in their tracks and prevent any further damage being done, then begin gathering data and information.
Identifying and acquiring potential sources of data, such as laptops, mobile phones and hard drives, needs to be done. This is a challenging area of work, all the data/evidence must be handled so that it is not compromised as it may need to be handed over for more detailed investigation. Proper chain of custody must be followed throughout the whole process, this may involve locking away physical evidence in a safe or other secure place.
Once the IT security team has conducted their investigation they will issue a report. The report will document all actions performed and any others which need to be conducted. Any further recommendations for policy, guidelines, procedures, tools or other aspects of the forensic process will be included in the report.
What can be learned from a security incident?
Once the dust has settled and the security team has completed their investigation, it is a good time to reflect on what has been learned from the incident. This is often when businesses realise that their incident response process needs to be reassessed and the processes improved. Bolstering internal detection capabilities is often necessary but misunderstood and underfunded. Adversaries rely on the fact that they can roam a network, undetected, for hours or even days. Lack of visibility and failure to eradicate the threat early is what increases the severity and cost of response.
Incident response is a complex process, with even organizations operating the most proficient networks, still struggling to get it right. Often, partnering with a managed security services provider (MSSP), with in-depth incident response capabilities, has almost become a security best practice recommendation.
Brian Hussey is VP of Cyber Threat Detection & Response of SpiderLabs at Trustwave. Brian is responsible for leading the Global Incident Response and Readiness team. He has extensive experience in computer forensics and cybercrime investigation, six years of which involved leading an FBI advanced analysis unit tasked with computer forensics for major crimes, network intrusions, malware analysis, counter-terror and counter-intelligence cyber investigations.