2013 was a significant year for the IT security industry, due in large part to massive attacks on companies like Target, Michaels and Yahoo. Prior to these near brand-crushing incidents, terms like “hacker” and “data breach” had yet to make their appearance within mainstream media. Security experts predict that more and more organizations will fall victim to similar attacks: hackers spend 100 percent of their time looking for vulnerabilities to capitalize on, while defenders juggle multiple competing priorities and must protect every one of their vulnerabilities. As a result, organizations must maintain vigilance against such nefarious behavior. Hexis Cyber Solutions, a provider of advanced cybersecurity solutions for commercial companies and government agencies, outlines 10 steps organizations should take to improve their response strategy and better mitigate the impact of attacks in the future.
Step 1: Detect and identify
Once the IT security team has validated that the organization is faced with a malicious situation and not just ‘noise,’ they need to react quickly and establish a cross-functional team to oversee all aspects of the response process.
If possible, locate “patient zero,” and then find every other device that has been compromised. Without this information, the risk of reinfection is almost certain. Team members should begin to analyze the malware to determine how it got in, how it is behaving and whether it has exfiltrated any data.
Step 2: To contain or not to contain?
After identifying the nature, extent, and severity of the attack, team members are faced with two options: Contain it or proceed directly to removal.
It is recommended that the team contain and stop the attack. This involves quarantining the compromised host(s) or system(s) or disabling certain functions, removing user access or login to the system, and determining the access point and blocking it to prevent ongoing damage.
Keep in mind that containment is appropriate when dealing with a ‘drive-by’ type attack. In the case of advanced malware or an APT that watches and alters its techniques depending on the organization’s reaction, however, the more effective approach could be to proceed directly to step three and coordinate the removal process.
Step 3: Remove and recover
To remove the threat and recover, the team must identify all infected hosts on the network and then take the necessary precautions to effectively stop and kill all active processes of the attacker.
All files, backdoors and malicious programs created by the attacker must be removed, but saved for investigatory purposes. Sensitive data must be saved and set aside as a means of separating the “good” from the “bad.” Next, teams should check all associated systems, apply patches and fixes to eliminate vulnerabilities, and correct any misconfigurations to prevent subsequent similar attacks. Teams should also perform a damage assessment on each system and file, and then reinstall the affected files, or the entire system, as needed. Lastly, infected hosts should be disconnected and quarantined for forensic analysis.
Step 4: Be proactive
APTs often return with nuanced versions of the attack, so it is absolutely critical that organizations take a proactive stance to break the cycle.
Enterprises can defend proactively against cyber attackers by changing the mindset from ‘if’ an attack will happen to ‘when’ an attack will happen. Teams must actively investigate the environment for IOCs by continuing to collect data from multiple sources and looking for known malware via signatures and unknown malware via behavioral detection algorithms. Additionally, staying current with the latest threat intelligence and available countermeasures, and deploying them as required within the context of the environment, keeps employees educated about the evolving threat landscape.
Step 5: Automate incident response
Automation goes hand in hand with a proactive approach. Automation eliminates the need to perform manual work and provides an opportunity for huge cost savings.
To begin to incorporate automation into incident response, organizations must select and invest in trusted solutions that integrate well into existing security infrastructure. Over time, incident response teams will become more comfortable with the notion of automated malware removal and abandon legacy practices such as manual malware removal.
Step 6: Don’t needlessly tip your hand
Once an incident has occurred, make sure the team does not use the compromised network to coordinate incident response efforts; establish out-of-band communications first. While a hacker’s goal is typically to exfiltrate data, it can also include using the compromised system as a launching pad to compromise other systems or networks, such as third-party systems along the organization’s supply chain. Once hackers sense that they have been detected, they may deploy another technique while the team is distracted and busy dealing with the first attack.
Step 7: Don’t fight fire with fire
You may decide to contain the attack, but be careful how you respond and react. Actions such as hacking back or submitting the malware to a public reporting site will inform the adversary that they’ve been discovered. These actions won’t help fix the breach or secure the network, which needs to be the main priority. Fighting back against the hacker lets them know they need to alter their attack methods and buys them more time to further infiltrate your system. The less information the hackers have, the better off your network will be.
Step 8: Don’t start investigating without a plan
An overzealous response can compound the damage. For example, running an external tool on the affected host in an attempt to find the threat can taint the data required to perform proper timeline analysis and inspect other important information such as prefetch data (data that is preloaded to speed the boot process and shorten application startup time). Prefetch data can provide valuable forensic artifacts that might help answer the “what,” “where” and “when” of an attack.
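As an added example (not part of the Hexis text), the following parser pulls the “what” and “when” out of the header of a Windows Prefetch (.pf) file, the artifact the step above refers to, and records a SHA-256 of the file so the evidence can be preserved before any tool touches the host. It assumes the publicly documented layout of format versions 17 (XP), 23 (Vista/7) and 26 (Windows 8.1); the sample artifact it builds is constructed for illustration, not a real capture.

```python
"""Parse a Windows Prefetch (.pf) header: executable name, last run
time, run count and prefetch hash. Offsets follow the public libscca
format description for versions 17, 23 and 26. Windows 10 (version
30) files are stored MAM-compressed and need decompression first."""
import hashlib
import struct
from datetime import datetime, timedelta, timezone

EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Per-version offsets of the last-run FILETIME and the run counter.
LAYOUT = {17: (0x78, 0x90), 23: (0x80, 0x98), 26: (0x80, 0xD0)}


def filetime_to_datetime(ft: int) -> datetime:
    """Convert a 64-bit FILETIME (100 ns ticks since 1601-01-01) to UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def parse_prefetch(data: bytes) -> dict:
    """Return the forensically useful header fields of an uncompressed .pf file."""
    version, sig, _unused, size = struct.unpack_from("<I4sII", data, 0)
    if sig != b"SCCA":
        raise ValueError("not an uncompressed prefetch file (no SCCA signature)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch format version {version}")
    # Executable name: 60 bytes of UTF-16LE at 0x10, null terminated.
    exe_name = data[0x10:0x10 + 60].decode("utf-16-le").split("\x00", 1)[0]
    (pf_hash,) = struct.unpack_from("<I", data, 0x4C)
    run_off, count_off = LAYOUT[version]
    (last_run,) = struct.unpack_from("<Q", data, run_off)
    (run_count,) = struct.unpack_from("<I", data, count_off)
    return {"version": version, "executable": exe_name,
            "hash": f"{pf_hash:08X}", "last_run": filetime_to_datetime(last_run),
            "run_count": run_count, "declared_size": size,
            "sha256": hashlib.sha256(data).hexdigest()}


def build_sample(version: int = 23) -> bytes:
    """Constructed artifact (not a real capture): a minimal header for an
    executable last run on 2013-12-15 08:30 UTC with a run count of 7."""
    run_off, count_off = LAYOUT[version]
    size = count_off + 4
    buf = bytearray(size)
    struct.pack_into("<I4sII", buf, 0, version, b"SCCA", 0x0F, size)
    buf[0x10:0x10 + 60] = "NOTEPAD.EXE".encode("utf-16-le").ljust(60, b"\x00")
    struct.pack_into("<I", buf, 0x4C, 0x1234ABCD)  # constructed prefetch hash
    last_run = datetime(2013, 12, 15, 8, 30, tzinfo=timezone.utc)
    ticks = int((last_run - EPOCH_1601).total_seconds()) * 10_000_000
    struct.pack_into("<Q", buf, run_off, ticks)
    struct.pack_into("<I", buf, count_off, 7)
    return bytes(buf)
```

Hashing the file before parsing, and parsing a copy rather than the live host, keeps the artifact usable for the timeline analysis the step describes.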
Step 9: Don’t keep it to yourself
Inform management and the right people using the incident notification call list and call tree. Collaboration can help to more effectively deal with the situation. The organization can work best together when everyone is on the same page. For organizations that choose to hire professional services to help, make sure knowledge transfer is part of the process to help keep costs in check.
Step 10: Don’t stick with the status quo
Organizations that only take security measures that the majority of other organizations are taking will find themselves at a constant and mounting disadvantage against attackers. Attackers are increasingly creative in their methods of attack. To truly gain an advantage against attackers, security and IT teams need to become more creative in how they identify and remediate the growing number of security incidents the organization continues to face.
By adopting a proactive approach that includes the option of policy-based automation, organizations can reduce the time and costs the team spends on incident response. Only then can they shift the bulk of resources from focusing on what happened in the past toward creating a safer future.