Matt Lawrence, F-Secure
Many attackers are savvy enough to achieve their attack objectives in mere minutes. How can attacks of this nature be stopped before completion?
Detecting, responding to, and containing a live attack comes down to preparation in three key areas: tooling, coverage, and people.
How do you achieve excellence in these areas?
Speed of response comes from having the necessary tooling in place so that responders can move faster than the attacker.
This tooling can encompass a few areas:
How are your people going to communicate during an active incident? While an incident is still developing, you may not yet understand what has happened, and it may turn out that your normal communications infrastructure is compromised or at risk. It is therefore crucial to decide ahead of time which other communications channels you will fall back on. The various in-band and out-of-band options each have pros and cons, so it is worth working out which of them best meets the needs of your business.
Who is doing what?
During an incident, you need the right leadership in place to enable a fast response. This is not just about one or more individuals, but about distributing these responsibilities across many different areas of the business. You also need the relevant deputies in place so that you are not reliant on individuals who may be on vacation or otherwise unavailable. Many incidents are slowed down by a lack of clarity over who is in charge; decide this well ahead of an incident so that the process is not impeded.
How will it all be done?
A playbook for incident response is crucial. It means no one ever has to question who will do what, no matter how a scenario plays out. This is crucial for speed of response.
The tooling that enables speed must be fed by activity from across your whole estate, with 100% coverage if possible. Any asset you miss is a potential place for an attacker to reside. Getting the kind of coverage that enables a swift response almost always starts with the endpoint, because that is where most modern-day cyberattacks begin. An endpoint detection agent that gives both visibility and control across your endpoints is key.
You need to consider what level of logging on your assets will allow forensic investigators to find the right information. This covers volatile data sources such as RAM, but DNS logs in particular: many malware families still rely on DNS to establish their initial communication. If you cannot trace a DNS query seen in your gateway logs back to the host that issued it, response activities will be delayed.
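The attribution problem described above, as an added example that is not part of the original article: the gateway resolver log records only the client IP of each query, and on a DHCP network that address may have belonged to several hosts over the course of a day. The script below parses a constructed BIND-style query log together with a constructed DHCP lease log, filters for queries to a watchlisted domain, and attributes each to whichever host held the address at the moment the query was made. The log formats, hostnames, addresses, and the `bad-c2.example` domain are all assumptions for the sake of the example.

```python
"""Attribute suspicious gateway DNS queries to the originating host.

Added example, not code from the original article. All inputs are constructed:
the query log follows the BIND 'queries' channel layout (simplified) and the
lease log is a flat list of DHCP lease-start events.
"""
import re
from datetime import datetime
from typing import Optional

TS_FMT = "%d-%b-%Y %H:%M:%S"

# Constructed resolver query log. Note that 10.20.1.44 is used by two hosts.
QUERY_LOG = """\
10-Mar-2020 02:14:03.117 client 10.20.1.44#51234: query: updates.example-cdn.net IN A + (10.20.0.53)
10-Mar-2020 02:14:05.902 client 10.20.1.44#51235: query: a3f9c1.bad-c2.example IN TXT + (10.20.0.53)
10-Mar-2020 02:14:09.300 client 10.20.1.99#40001: query: a3f9c1.bad-c2.example IN TXT + (10.20.0.53)
10-Mar-2020 02:31:47.010 client 10.20.1.44#51240: query: a3f9c1.bad-c2.example IN TXT + (10.20.0.53)
"""

# Constructed DHCP lease-start events: (timestamp, ip, hostname, mac).
# 10.20.1.99 has no lease on record (e.g. a static address nobody inventoried).
LEASES = [
    ("10-Mar-2020 01:58:00", "10.20.1.44", "LAPTOP-FIN-07", "aa:bb:cc:00:11:22"),
    ("10-Mar-2020 02:20:00", "10.20.1.44", "KIOSK-LOBBY-2", "aa:bb:cc:00:33:44"),
]

QUERY_RE = re.compile(
    r"^(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})\.\d+ client (?P<ip>[\d.]+)#\d+: "
    r"query: (?P<qname>\S+) IN (?P<qtype>\S+)"
)


def parse_queries(text: str) -> list:
    """Parse query log lines into dicts; lines that do not match are skipped."""
    out = []
    for line in text.splitlines():
        m = QUERY_RE.match(line)
        if not m:
            continue
        out.append({
            "ts": datetime.strptime(m["ts"], TS_FMT),
            "ip": m["ip"],
            "qname": m["qname"].rstrip(".").lower(),
            "qtype": m["qtype"],
        })
    return out


def build_lease_timeline(leases: list) -> dict:
    """Map each IP to its lease-start events, sorted by time."""
    timeline: dict = {}
    for ts, ip, host, mac in leases:
        timeline.setdefault(ip, []).append((datetime.strptime(ts, TS_FMT), host, mac))
    for events in timeline.values():
        events.sort()
    return timeline


def host_for(ip: str, when: datetime, timeline: dict) -> Optional[str]:
    """Return the host holding `ip` at `when`: the latest lease that started
    before the query. None means the query cannot be attributed from leases."""
    host = None
    for start, name, _mac in timeline.get(ip, []):
        if start <= when:
            host = name
        else:
            break
    return host


def attribute_queries(query_log: str, leases: list, watchlist: set) -> list:
    """Return watchlisted queries, each tagged with the responsible host (or None)."""
    timeline = build_lease_timeline(leases)
    hits = []
    for q in parse_queries(query_log):
        if not any(q["qname"] == d or q["qname"].endswith("." + d) for d in watchlist):
            continue
        hits.append({**q, "host": host_for(q["ip"], q["ts"], timeline)})
    return hits


if __name__ == "__main__":
    for hit in attribute_queries(QUERY_LOG, LEASES, {"bad-c2.example"}):
        print(hit["ts"], hit["ip"], hit["host"] or "UNATTRIBUTED", hit["qname"], hit["qtype"])
```

Two things to notice when running it: the same client IP resolves to a different host before and after the 02:20 lease change, so attributing on IP alone would blame the laptop for the kiosk's traffic; and the query from 10.20.1.99 comes back unattributed because no lease record exists for that address, which is exactly the gap that slows a response and that endpoint-side DNS client logging would close.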
Logging doesn't stop there, either. Each log type, from firewall to Active Directory, from web proxy to anti-virus, adds value in a different way and provides further opportunities to gain insight.
Managing and extending coverage
The environments we work in are volatile. The threat landscape changes, new staff join, and new assets and software are deployed, sometimes on an hourly basis. Organisations need to be cognizant of this constant growth in attack surface and build visibility practices into their standard operating model, so that endpoints stay covered whether they are new, existing, or legacy.
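One way to make coverage checking part of the standard operating model, as an added example that is not from the original article: reconcile an asset inventory export against the endpoint agent console's list of enrolled hosts on a schedule, and treat a missing agent and a silent agent as separate findings. The CSV layouts, hostnames, and the 30-day and 3-day thresholds below are assumptions constructed for the example; in practice the inventory would come from Active Directory, DHCP, or a CMDB, and the agent list from the EDR console.

```python
"""Reconcile an asset inventory against EDR agent check-ins to find coverage gaps.

Added example, not code from the original article. Both CSV inputs are constructed.
"""
import csv
import io
from datetime import datetime, timedelta

NOW = datetime(2020, 3, 10, 9, 0)
ACTIVE_WINDOW = timedelta(days=30)  # assumed: no logon for this long -> treat as decommissioned
STALE_AGENT = timedelta(days=3)     # assumed: no check-in for this long -> no live visibility

# Constructed inventory export (e.g. AD computer objects): hostname,last_logon
INVENTORY_CSV = """hostname,last_logon
laptop-fin-07,2020-03-10T08:12:00
kiosk-lobby-2,2020-03-09T22:40:00
build-srv-01,2020-03-10T07:00:00
legacy-hr-db,2020-03-08T03:00:00
retired-ws-14,2019-11-02T10:00:00
"""

# Constructed EDR console export: hostname,last_checkin (note the differing case)
EDR_CSV = """hostname,last_checkin
LAPTOP-FIN-07,2020-03-10T08:55:00
KIOSK-LOBBY-2,2020-03-02T01:15:00
BUILD-SRV-01,2020-03-10T08:59:00
CONTRACTOR-MAC-3,2020-03-10T08:30:00
"""


def _load(csv_text: str, ts_field: str) -> dict:
    """Map lower-cased hostname -> timestamp; case is normalised because the
    directory and the agent console rarely agree on it."""
    rows = {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        rows[row["hostname"].strip().lower()] = datetime.fromisoformat(row[ts_field].strip())
    return rows


def coverage_report(inventory_csv: str, edr_csv: str, now: datetime = NOW) -> dict:
    """Classify every inventoried asset and flag agents the inventory does not know about."""
    inventory = _load(inventory_csv, "last_logon")
    agents = _load(edr_csv, "last_checkin")
    report = {
        "covered": [],              # agent present and checking in
        "stale_agent": [],          # agent enrolled but silent: no live visibility or control
        "no_agent": [],             # active asset with no agent at all
        "ignored_inactive": [],     # not seen on the network within ACTIVE_WINDOW
        "unknown_to_inventory": [], # agent reports a host the inventory lacks
    }
    for host, last_logon in sorted(inventory.items()):
        if now - last_logon > ACTIVE_WINDOW:
            report["ignored_inactive"].append(host)
        elif host not in agents:
            report["no_agent"].append(host)
        elif now - agents[host] > STALE_AGENT:
            report["stale_agent"].append(host)
        else:
            report["covered"].append(host)
    report["unknown_to_inventory"] = sorted(set(agents) - set(inventory))
    return report


if __name__ == "__main__":
    for category, hosts in coverage_report(INVENTORY_CSV, EDR_CSV).items():
        print(f"{category:22s} {', '.join(hosts) or '-'}")
```

The two lists that matter for readiness are `no_agent` and `stale_agent`: an asset in either is a place an attacker can sit without the responders' tooling seeing it. The `unknown_to_inventory` list is the mirror-image problem, a host you can see but whose owner you cannot name at two in the morning.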
Why does this matter?
If you have a complex gateway setup it can take many hours to deploy changes. While this is fine during business-as-usual, it can be problematic in a live response scenario. Thinking about these things in advance and planning appropriately feeds the ability to respond within minutes.
If we put two organisations with the same tooling and the same level of investment in security up against each other, the differentiating factor would be people. Good people with the right expertise and the right mindset enable a fast and efficient response at times when stress is high and the picture is uncertain. It is not just about the ability to query endpoints and other repositories of data; it is about interpreting that data and making the right decisions based on the available evidence.
Determining the requisite ownership of the different areas of your estate is paramount. This means knowing which person to contact when you need insights on specific assets and areas of the estate – even at two in the morning.
Employees at every level will need training on what to do when you are under attack. Some will need more than others. Those who are on the front line of defence – your ‘first responders’ – will need training more regularly. Consider who in your organisation will be the key response team and take the time to conduct tabletop exercises and attack simulations so that everyone is well versed in their roles.
10% readiness is better than no readiness
Readiness touches on numerous aspects, and most organisations aren’t perfect.
However, if you can achieve clarity on who owns what, coverage of your most business-critical assets, and a set of tools for detection and response, then you are well on your way to ensuring that you are ready to stop an attack in minutes.