Security Experts:

Incident Response Should Never End

Increasing resiliency to attacks is the focus for security professionals today. Despite the fact that defenders are developing technologies and tactics that are growing in sophistication, adversaries are as well…at a more rapid pace.

Well-funded cybercriminals use a combination of evolved technologies and tactics to evade detection. Defenders will continue to strive to block 100 percent of attacks before they occur – but, as history has proven, bad actors will infiltrate our networks. To boost resilience we need to not only try to prevent an attack, but we need to stop the exploitation of an attack, requiring that we think differently about Incident Response (IR). Instead of only a point-in-time set of steps to try to prevent malware from getting in or reimage an affected machine, IR must become a continuous process.

Managing Security IncidentsA recent SANS Institute Study (PDF), “Maturing and Specializing: Incident Response Capabilities Needed,” finds that detection and IR are maturing. But there is room for improvement: 45 percent of respondents cited lack of visibility into events across a variety of systems and domains as an impediment to effective IR, and 37 percent said that their teams are unable to distinguish malicious events from nonevents.

Visibility is paramount for detecting an attack in progress and responding quickly. For example, you might observe a machine collecting large amounts of data from different parts of the network. A cursory look may not trigger any level of suspicion; employees need data to get their jobs done. But what type of data is the machine accessing? Which parts of the network is it going to in order to gather this data? And, how frequently and at what time of day is this occurring?

With ongoing visibility that provides answers to these questions you can begin to investigate the source of the malicious activity – a malicious insider or a hacker using stolen credentials – and take action.

When SANS survey respondents do detect an attack, 94 percent say they use the “wipe and reimage” method of remediation. But simply pinpointing an infected machine and taking it offline is insufficient when dealing with unrelenting attacks.

Take, for example, the case of a botnet that moves laterally across the network and can remain in a dormant stage until it is deemed ‘safe’ to continue with its mission. Identifying a single machine that is behaving suspiciously, quarantining it, and reimaging won’t eradicate the threat.

Security teams must scope, contain, and remediate the full extent of the compromise. This requires the ability to identify patient zero and the origin of the attack, what that machine did after it was infected, the other machines with which it communicated, and whether the attack is still propagating on the network. But these capabilities are sorely lacking: 64 percent of respondents identified the need for better security analytics and correlation across affected systems.

Without identifying the root cause of the attack (both who and how), its path, and any ongoing activity, advanced attackers can easily reinfect machines using the same techniques.

Clearly, organizations need technologies that provide full visibility into the network and an understanding of its key components. Yet more than that, they need a continuous approach to IR to detect attacks as quickly as possible, ensure the attack is thoroughly understood and mitigated, and prevent a similar attack from happening in the future.

Continuous response begins with technologies that can provide complete, 24/7 visibility into everything within the network environment. Sophisticated security analytics applied against massive amounts of data and telemetry can baseline normal traffic and more easily detect suspicious actors and behaviors. Additional layers of context based on analysis of current and historical data about users, applications, and devices can facilitate more thorough and precise incident investigations. This analysis must be ongoing, in order to detect advanced malware that can disguise itself, pass through defenses unnoticed, and only later exhibit malicious behavior.

The ability to correlate network data with activity on the endpoint can also aid in forensics investigations and remediation. For example, with this type of analysis you can identify the actual services on an endpoint that were responsible for data leaving the environment or engaging in command and control communications.

Retrospective capabilities must also become part of incident response. These include the ability to identify patient zero, see the file’s trajectory across the enterprise, understand the scope of the attack, and then quarantine all affected devices and remediate.

Finally, you must be able to incorporate any findings back into your defenses without delay. Updating protections and addressing vulnerabilities will eliminate the risk of reinfection.

Incident response should never end. Rather than a reactive, finite event, it must become a continuous, cyclical process. Through ongoing investigation and fine tuning tools and strategies, continuous incident response can improve your company’s overall security strategy and increase resiliency to attacks.

view counter
Marc Solomon, Cisco's VP of Security Marketing, has over 15 years of experience defining and managing software and software-as-a-service platforms for IT Operations and Security. He was previously responsible for the product strategy, roadmap, and leadership of Fiberlink’s MaaS360 on-demand IT Operations software and managed security services. Prior to Fiberlink, Marc was Director of Product Management at McAfee, responsible for leading a $650M product portfolio. Before McAfee, Marc held various senior roles at Everdream (acquired by Dell), Deloitte Consulting and HP. Marc has a Bachelor's degree from the University of Maryland, and an MBA from Stanford University.