False Positives Lead to a Surprising Number of Incident Response Investigations
Helsinki, Finland-based security firm F-Secure has analyzed a random sample of incident response investigations conducted by its security consultants. The resulting report (PDF) cannot be considered a scientific analysis of incident response, but nevertheless provides useful observations.
Some of these observations could be expected; others are perhaps surprising. For example, successful attacks are fairly evenly split between opportunistic and targeted, F-Secure found. Since there are far more opportunistic attacks fueled by mass spam and phishing campaigns, the implication is that targeted attacks are, pro rata, very successful.
Within the industry sectors included in the analysis, there are interesting distinctions. For example, successful attacks against the financial and manufacturing sectors are evenly distributed between opportunistic and targeted. Successful attacks against the gaming and public sectors were (within the confines of this report) always targeted; but such attacks against the insurance, media and telecom sectors are always opportunistic.
It would be interesting to conjecture why this might be so. For example, gaming is almost continuously under one form or another of attack, while the public sector is highly regulated. It would be tempting to suggest that a solid security posture can effectively eliminate most opportunistic attacks.
The report notes that targeted attacks use social engineering to a greater extent than opportunistic attacks. This suggests that an important defense against targeted attacks will be user security awareness training.
Opportunistic attacks, however, are more likely to focus on external technology exploits via internet facing services.
“Opportunistic attacks,” say the report’s authors, “are often initiated with cost-effective target selection techniques, such as mass scanning the internet and attacking a vulnerable service when a new exploit comes out. This can be done in a matter of minutes using tools readily available on the internet.” The implication here is that an effective early patching regime will reduce the success of opportunistic attacks.
Another surprise is the high number of insider-instigated successful attacks. While ‘internet exploits’ tops the list at 21%, this is closely followed by insiders at 20%. Malicious e-mail attachments and phishing attacks (often considered to be the major threats) are at 18% and 16% respectively.
However, one of the biggest surprises in this report is the number of incident response calls that are false positives. False positives are a common problem during network analysis and incident triaging, but it is surprising how many of these false positives result in a call to an incident response specialist firm like F-Secure.
Thirteen percent of F-Secure incident response investigations were false positives; that is, says the report, “were conducted due to IT problems or other issues being misunderstood as security incidents by the reporting organization.”
This is nothing like the number of successful attacks that caused actual damage (79%), but more than the meager 8% of investigations into failed attacks.
These figures lead F-Secure to believe that many companies simply do not have adequate internal incident response capabilities, able to detect and stop an incident before it progresses. “Every incident response process begins with the same question: is it an incident? How fast a company can make that determination, how smooth and efficient their processes and procedures are, the quality of their forensics and technology, and how well-trained their staff is, defines the cost of the answer to that question,” says F-Secure principal security consultant Tom Van de Wiele. “Once an organization has the facts based on detection capabilities, and not rumors or assumptions, then the process can continue with the next step which is usually containment and eradication.”
In a related blog post, F-Secure’s Adam Pilkey describes three incident response recommendations for companies. The first is that breach evidence can be found in the system logs. “You’ll want to collect other evidence too, although exactly what will depend on your organization, infrastructure, threat model, and other factors.”
The second is that a method of filtering the collected data will be necessary. Manually will be too time-intensive; and requires expensive expertise. As an example of the volumes to be expected, F-Secure’s specialist sensors collected about 2 million events from one customer in one month. Correlation and analytics brought this number down to 25 genuinely suspicious events — and manual analysis found they contained 15 actual threats.
The third requirement is knowing what to look for. “Anything out of the ordinary should be a potential concern,” writes Pilkey. “You should also cross reference your logs against threat intelligence feeds to find any indicators of compromise (such as finding activity from known malicious IPs).”
Related: Using Cyber Threat Intelligence to Support Incident Response