When thinking about the value of incident response, most people focus on how it limits the potential damage of recent attacks, or even attacks that are currently underway on the network. This is for good reason: proper incident response can help reduce risk, limit the scope of disclosures (should the investigation show that no PII was actually accessed, for instance), reduce the costs of each incident investigation, and cut the costs of breaches significantly.
Yet many don’t consider that the information gleaned from an
investigation not only goes a long way toward understanding the source and
scope of a specific incident, but also provides the insight needed to shore up
defenses against future attacks.
Consider some of the findings of the 2012 Data Breach Investigations Report, a study conducted by the Verizon RISK Team. It found that 81% of
breaches occurred through some form of hacking, and most by external attackers.
Additionally, nearly 70% of attacks incorporated some type of malware, and many
used stolen authentication credentials and also left a Trojan behind on the
network as a way to gain re-entry.
If, for instance, you were breached in that way, you’d know to
keep a close eye out for any suspicious logins (unusual time, geographic
location, failed attempts, etc.), as well as any files or network communication
that aren’t normal in the environment. Yes, you should be taking care of those
things anyway, but if you know you are being targeted, or have been recently
targeted, it doesn’t hurt to tune the radar to look for such anomalies.
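As an added illustration of "tuning the radar" for the login indicators just listed (this is example code, not part of the original post), the function below walks a constructed set of authentication events and flags successful logins that are off-hours, come from a country not seen for that user during a clean baseline period, or follow a burst of failed attempts. The business-hours window, the failure threshold and the one-day baseline are assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample authentication events (not real data):
# (timestamp, user, source country, outcome)
EVENTS = [
    ("2012-03-05 09:12:00", "alice", "US", "success"),
    ("2012-03-05 09:40:00", "bob",   "US", "success"),
    ("2012-03-06 02:17:00", "alice", "RO", "failure"),
    ("2012-03-06 02:17:20", "alice", "RO", "failure"),
    ("2012-03-06 02:17:45", "alice", "RO", "failure"),
    ("2012-03-06 02:18:10", "alice", "RO", "success"),
    ("2012-03-06 10:05:00", "bob",   "US", "success"),
]

BUSINESS_HOURS = range(7, 20)  # assumption: 07:00-19:59 is normal activity
FAILURE_THRESHOLD = 3          # assumption: 3+ failures before a success is odd
TS_FORMAT = "%Y-%m-%d %H:%M:%S"


def find_suspicious_logins(events, baseline_days=1):
    """Return (user, timestamp, reasons) for every successful login that
    trips at least one indicator: off-hours time, a country not seen for
    that user during the baseline period, or a run of failures right
    before the success (a pattern consistent with stolen or guessed
    credentials)."""
    events = sorted(events)  # timestamps sort lexically in this format
    first_day = datetime.strptime(events[0][0], TS_FORMAT).date()
    known_countries = defaultdict(set)   # per-user baseline of locations
    recent_failures = defaultdict(int)   # failures since last success
    findings = []
    for ts, user, country, outcome in events:
        when = datetime.strptime(ts, TS_FORMAT)
        if outcome != "success":
            recent_failures[user] += 1
            continue
        reasons = []
        if when.hour not in BUSINESS_HOURS:
            reasons.append("off-hours")
        # Assumption: the first baseline_days of data are clean and define
        # where each user normally logs in from.
        if (when.date() - first_day).days < baseline_days:
            known_countries[user].add(country)
        elif country not in known_countries[user]:
            reasons.append(f"new location {country}")
        if recent_failures[user] >= FAILURE_THRESHOLD:
            reasons.append(f"{recent_failures[user]} failures before success")
        recent_failures[user] = 0
        if reasons:
            findings.append((user, ts, reasons))
    return findings
```

In the constructed data only alice's 02:18 login is flagged, and it trips all three indicators at once, which is the kind of convergence an analyst would want raised as an alert rather than buried in routine logs.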
One thing about security is that system defense is often like
squeezing a water balloon: when you squeeze and tighten in one place, it
bulges out somewhere else. So as you harden certain areas of your
infrastructure, it’s likely that attackers will quickly target another area.
That’s why it’s important to consistently analyze security event data,
especially data from the most recent incidents and breach attempts.
Here’s a sample of ways incident data can help you thwart future
incidents:
Data gleaned from incident investigations can provide a complete
understanding of an incident and will tell IT security exactly how an
attacker made their way onto a system or network, as well as how they
operated once inside. Ideally, the collection of such data should be automated,
to ensure real-time response before attack-related data has a chance to
disappear. Event-related data gathered in this way gives analysts useful
indicators they can use to quickly understand the spread of malware throughout
their organization without having to go through the time-consuming task of
malware analysis. This type of data includes ports tied to running processes,
artifacts spawned by the malware once on the endpoint, logged-on users, network
card information and much more.
With this knowledge, you gain the ability to conduct a conclusive
scope assessment, maintain blacklists to protect against reinfection, and
develop other specific defenses against similar attacks in the future.
For example, if you see more attacks through infected USB devices, it may be
necessary to block such devices. If there are a number of phishing attacks, an
organization can launch an employee awareness campaign. If it’s an attack
against certain server services that were left running, shut them down where
possible and put mitigating defenses in place. You get the idea: use what you
learn to harden your infrastructure.
Data from the response can be used to develop signatures specific
to your own intrusion detection systems, and even to tune the alerts sent by
your security information and event management system. That same data can be
shared with anti-virus vendors so that they can craft specific signatures
against new threats. For instance, an organization may be the only one to
experience a particular kind of attack, or the attack may be vertical-specific;
in such cases a thorough incident response process may be the only way to
obtain the data needed for a signature that protects one’s own systems and
those of the community.
The investigation may indicate the attack came through a supplier
or partner, or through a path within the organization once thought to be
secure. With the right information, steps can be taken to notify the breached
partner, or to close security gaps you didn’t know existed on your own
systems.
It should now be clear, when considering the value of incident
response, that it’s important not to view this data in a vacuum: the
processes in place should not only contain the damage of the incident at hand,
but also make sure the data gathered is turned into lessons learned and
incorporated to make one’s infrastructure more resilient to future attacks.