Top Tips: Enterprise incident response

01-04-2015

Lucas Zaichkowsky is the Enterprise Defence Architect at cyber incident response and resolution company AccessData, and is a recognised expert in cyber security and incident response. Prior to joining AccessData, Lucas was a Technical Engineer at Mandiant, where he worked with Fortune 500 organisations, the Defense Industrial Base, and government institutions to deploy measures designed to defend against the world’s most sophisticated cyber-attack groups.

Media reports analysing breaches at JPMorgan Chase, The Home Depot, Target, and Paddy Power have queried why it took each of these organisations at least a month to disclose that they had been hacked and even longer to reveal the scale of the breaches.

The problem faced by breached organisations is that standard incident response tools and processes are still very manual and get overwhelmed at several stages of the process, both in discovering breaches and in responding to them.

In addition, organisations still rely on various standalone security products. The lack of integration between these point solutions involves incident response teams in repetitive, manual processes to clean up after a breach. The lack of integration also impacts the visibility of what is happening across the network, to enable IT, IDS, incident response, forensics and cyber intelligence teams to work together to detect, analyse and resolve incidents across networks, endpoints and mobile devices.

These are the typical steps involved in incident response:

Step 1: Verify that your organisation has been compromised

Prevention systems such as next-generation firewalls and advanced malware detection systems are effective at discovering the majority of threats, but they don’t find everything. With the volume of online threats increasing, IT teams are suffering from alert overload. This problem is compounded by the fact that most vulnerability management systems do a poor job of prioritising potential threats and validating which are real, versus false positives.

As a result, unusual network activity may be detected but go un-investigated, allowing an attacker to lurk inside a network for weeks if not months.

Because IR is still a highly manual task, with the volume of generic uncorrelated alerts growing daily, the manual alert verification stage can take weeks or months to accomplish.

Finding compromised systems one-by-one means that breaches take far too long to shut down. And while IR teams are investigating, attackers are able to cover their tracks and change their modes of operation, further complicating the effort to eradicate them. Attackers are able to exfiltrate data in a matter of hours. This is why the repetitive elements of incident response should be automated and speed of response needs to be measured in minutes and hours, rather than days and weeks.
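The alert-overload problem above is largely one of correlation: each point solution raises its own alerts, and nobody joins them up. The following script is an added example, not code from the article or from AccessData, showing how alerts from several hypothetical standalone tools can be grouped by host inside a time window and ranked so that a host flagged by independent sensors is verified first. All alert records, tool names and host names are constructed.

```python
"""Correlate uncorrelated point-solution alerts into per-host incidents.

Added example (not from the article or AccessData). Alerts from several
hypothetical tools (ngfw, av, ids, vuln_scan) are grouped by host within a
time window; hosts that trip independent sensors are escalated first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample alerts; ISO timestamps sort correctly as strings.
SAMPLE_ALERTS = [
    {"ts": "2015-03-30T09:01:00", "source": "ngfw", "host": "ws-042", "kind": "c2_beacon", "severity": 3},
    {"ts": "2015-03-30T09:03:00", "source": "av", "host": "ws-042", "kind": "malware_quarantined", "severity": 2},
    {"ts": "2015-03-30T09:04:00", "source": "ids", "host": "ws-042", "kind": "lateral_smb", "severity": 2},
    {"ts": "2015-03-30T09:10:00", "source": "ids", "host": "ws-017", "kind": "port_scan", "severity": 1},
    {"ts": "2015-03-30T11:00:00", "source": "ids", "host": "ws-017", "kind": "port_scan", "severity": 1},
    {"ts": "2015-03-30T09:12:00", "source": "vuln_scan", "host": "srv-db1", "kind": "missing_patch", "severity": 2},
]


def _summarise(host, group):
    """Score one incident: max severity plus a bonus per extra corroborating source."""
    sources = {a["source"] for a in group}
    score = max(a["severity"] for a in group) + 2 * (len(sources) - 1)
    return {
        "host": host,
        "sources": sorted(sources),
        "alerts": len(group),
        "score": score,
        # Two independent tools agreeing on one host is worth a human's time now.
        "priority": "verify_now" if len(sources) >= 2 else "review",
    }


def correlate(alerts, window=timedelta(minutes=30)):
    """Group alerts by host; an alert joins the open group if it falls within
    `window` of that group's first alert, otherwise a new group is opened.
    Returns incidents sorted by descending score."""
    by_host = defaultdict(list)
    for a in sorted(alerts, key=lambda a: a["ts"]):
        by_host[a["host"]].append(a)

    incidents = []
    for host, items in by_host.items():
        group = [items[0]]
        start = datetime.fromisoformat(items[0]["ts"])
        for a in items[1:]:
            t = datetime.fromisoformat(a["ts"])
            if t - start <= window:
                group.append(a)
            else:
                incidents.append(_summarise(host, group))
                group, start = [a], t
        incidents.append(_summarise(host, group))
    return sorted(incidents, key=lambda i: i["score"], reverse=True)


if __name__ == "__main__":
    for inc in correlate(SAMPLE_ALERTS):
        print(f"{inc['host']:8} score={inc['score']} {inc['priority']:10} sources={inc['sources']}")
```

On the constructed data, ws-042 surfaces at the top because three different tools flagged it within a few minutes, whereas the two isolated port-scan alerts on ws-017 stay as low-priority review items; the window and scoring weights are deliberately simple so they can be tuned to an organisation's own sensors.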

Step 2: Isolate compromised systems

Once a malware infection or breach is detected, the first priority is to triage the situation and quarantine affected servers, desktops and tablets to prevent the spread of malware and stop exfiltration of data. The ideal is to respond to an incident in real time, minimising its impact and restoring operations as quickly as possible to limit the extent of the damage.

It is worth expending energy on identifying and investigating attacks in progress. By observing attackers’ behaviours and tools, organisations can gain valuable intelligence on their assailants.

Step 3: Undertake forensic analysis to identify the cause of the incident

Depending on the level of in-house IT expertise at the organisation, the CIO may decide to bring computer forensics investigators on site to retrieve infected devices.

This stage normally involves traditional computer forensics work, whereby hard drives are imaged and then investigated.

When a major breach occurs, it is also extremely difficult, time consuming and costly to collect, analyse and resolve cyber incidents on a company’s entire mobile fleet, because this usually requires the physical recall of company and employee-owned devices. The mobile devices then have to be sent to infosec labs to undergo forensic analysis to discover how the attack was perpetrated and which data, apps and processes were impacted.

It is worth pointing out that once a breach is discovered, incident response can take two to ten days to complete when using an external IR or forensic team.

The external team then prepares a report for the management team at the breached organisation, detailing when and how the intruder gained access, which vulnerabilities were exploited and which assets were impacted.

The same process, using automated incident response tools and trained in-house staff, takes about four to five hours.

Step 4: Reimage devices

When a cyber-incident occurs, infosec teams need to conduct detection, analysis, response and resolution across their networks, endpoints and mobile devices.

For mobile devices, incident response is problematic because it entails collecting all employees’ devices, analysing the data and reimaging the devices. This takes time, impacts user productivity and places heavy demands on IT resources, which results in increased costs for the impacted organisation. A quicker route is to remotely remediate mobile devices, by using incident response technology in conjunction with existing mobile device management tools.

Step 5: Incident Resolution

All compromised systems must be found as quickly as possible by looking for similarly suspicious behaviour or system activity. Any verified alert should be converted into an Indicator of Compromise so that it and its variants can be identified instantly, thereby closing the loop of prevention, detection and incident response.

Once all of the compromised devices and areas of the network have been identified, the incident response specialist can build a threat profile for the incident. Batch remediation can be executed on all impacted nodes simultaneously to kill malicious processes.
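To illustrate the closing of the loop described in Step 5, here is an added example (not the article's or AccessData's code) that takes one verified alert, derives a small Indicator of Compromise bundle from it, sweeps constructed endpoint telemetry for every host showing the same indicators (including a renamed variant of the dropper, matched by hash), and produces a single batch remediation plan instead of a host-by-host hunt. The alert, hashes, hostnames, domain and telemetry lines are all constructed; hash and C2-domain matches are treated as strong indicators, while a path pattern alone only sends a host to analyst review.

```python
"""Turn a verified alert into IoCs and sweep telemetry for batch remediation.

Added example (not from the article or AccessData). Every value here is
constructed: the "dropper" bytes are a harmless string hashed for realism,
the domain uses the reserved .invalid TLD, and the telemetry is hand-written.
"""
import hashlib

# Constructed stand-in for the sample's contents; only its hash is used.
DROPPER_BYTES = b"constructed sample for the example, not malware"
HASH_A = hashlib.sha256(DROPPER_BYTES).hexdigest()
HASH_B = hashlib.sha256(b"legitimate vendor agent, constructed").hexdigest()
HASH_C = hashlib.sha256(b"unknown installer, constructed").hexdigest()

# The alert the IR team verified on the first compromised host.
VERIFIED_ALERT = {
    "host": "ws-042",
    "process": "C:\\Users\\alice\\AppData\\Local\\Temp\\svchots.exe",
    "sha256": HASH_A,
    "c2_domain": "update-cdn.example.invalid",
}

# Constructed endpoint telemetry: (host, event_type, value, sha256 or None).
TELEMETRY = [
    ("ws-042", "process", "C:\\Users\\alice\\AppData\\Local\\Temp\\svchots.exe", HASH_A),
    ("ws-017", "process", "C:\\Users\\bob\\AppData\\Local\\Temp\\winupd.exe", HASH_A),  # renamed variant
    ("ws-017", "dns", "update-cdn.example.invalid", None),
    ("srv-fs2", "dns", "UPDATE-CDN.EXAMPLE.INVALID", None),                            # case differs
    ("ws-099", "process", "C:\\Program Files\\Vendor\\agent.exe", HASH_B),             # clean
    ("ws-123", "process", "C:\\Users\\carol\\AppData\\Local\\Temp\\setup.exe", HASH_C),  # path only
]


def build_ioc(alert):
    """Derive an IoC bundle from a verified alert: strong indicators (hash, C2
    domain) plus a weak path marker that catches renamed copies for review."""
    return {
        "sha256": {alert["sha256"].lower()},
        "domains": {alert["c2_domain"].lower()},
        "path_markers": {"\\appdata\\local\\temp\\"},
    }


def sweep(telemetry, ioc):
    """Return {host: {"strong": [...], "weak": [...]}} for every matching host."""
    hits = {}
    for host, etype, value, sha in telemetry:
        strong, weak = [], []
        if sha and sha.lower() in ioc["sha256"]:
            strong.append(f"hash match: {value}")
        if etype == "dns" and value.lower() in ioc["domains"]:
            strong.append(f"c2 lookup: {value}")
        if etype == "process" and any(m in value.lower() for m in ioc["path_markers"]):
            weak.append(f"suspicious path: {value}")
        if strong or weak:
            entry = hits.setdefault(host, {"strong": [], "weak": []})
            entry["strong"] += strong
            entry["weak"] += weak
    return hits


def remediation_plan(hits):
    """Batch plan: hosts with any strong indicator are isolated and cleaned
    together; hosts with only weak indicators go to an analyst first."""
    plan = {"isolate_and_kill": [], "review": []}
    for host, h in sorted(hits.items()):
        (plan["isolate_and_kill"] if h["strong"] else plan["review"]).append(host)
    return plan


if __name__ == "__main__":
    plan = remediation_plan(sweep(TELEMETRY, build_ioc(VERIFIED_ALERT)))
    for action, hosts in plan.items():
        print(f"{action}: {', '.join(hosts) or '-'}")
```

The sweep is deliberately case-insensitive on hashes and domains, since telemetry from different sensors rarely agrees on case, and it keeps the weak path indicator separate so that a broad pattern widens the search without automatically adding hosts to the kill list.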

Where possible, attack intelligence should be shared to alert similar organisations, industry bodies and law enforcement organisations, particularly where forensic analysis provides evidence that a previously unknown vulnerability has been exploited by the attackers.

Customers and partner organisations impacted by the breach should be informed as soon as possible, with guidance on the extent of the breach and the steps that can be taken to limit the impact, such as guidance on thwarting phishing attacks and how to protect themselves from identity theft, loss of privacy, or fraud.

In early 2014 the Ponemon Institute released a report, “Threat Intelligence & Incident Response: A study of US and EMEA organisations,” which surveyed 1,083 CISOs about how their organisations handle the immediate aftermath of a cyber-attack and what could be done to improve response and remediation times. Eighty-six per cent of respondents reported that detection of cyber-attacks takes too long. This has implications for compliance with the mandatory breach disclosure proposed under the new EU General Data Protection Regulation.

Once a breach has been identified, the lack of integration makes it incredibly difficult for CISOs and security practitioners to wade through the volume of alerts and data, isolate affected nodes and pinpoint the root cause of a compromise. Three quarters of the survey sample reported that lack of integration between point solutions slowed down their response to cyber incidents. Sixty-one per cent complained that the alert “noise” created by different point solutions hinders breach investigations.

As a result of these challenges, thirty-eight per cent of CISOs reported that it could take them a year to find the source of a breach, while forty-one per cent stated that they may never find the root cause.

What is required is better integration, visibility and continuous automated incident resolution, so that security teams can more quickly identify, verify and resolve critical cyber-attacks, along with shared intelligence so that they can better anticipate the next attack.
