[BreachExchange] Why a Dog Bite is a Lesson in Handling Cyberattacks

Destry Winant destry at riskbasedsecurity.com
Tue Nov 6 02:23:55 EST 2018


https://www.securityweek.com/why-dog-bite-lesson-handling-cyberattacks

A few weekends ago, my dog bit me. In his defense, it was dark and I
had tackled him unexpectedly to stop him from walking off our
under-construction, railing-less deck. It hurt, but at the time I
didn’t realize how critical my next actions would be. It was late, I
had house guests, and I decided to dress the wound myself. But by the
following afternoon, my hand was in clear need of professional medical
attention—and antibiotics—fast.

Like dog bites, the negative impact of cyber incidents can go from bad
to worse quickly—and the first 48 hours are critical. Here are four
areas to consider when attacks occur:

Assess the scope and scale of the impact: Discovering a cyber incident
can be a challenging time for any company but calling on a seasoned
incident response (IR) team can help. Typically, an IR team would
begin an engagement with a scoping or triage call to get a better
understanding of what’s happened. They would need to know what
activity has been identified, what technology is used in the
environment, and whether any external parties have been involved, for
example, solution vendors or law enforcement organizations.

Plan and act to limit damage: Following an initial assessment, the IR
team (often, a primary IR investigator and a support investigator)
would meet with a system administrator, IT manager, or a member of the
C-suite to define objectives for the first 24, 48, 72 hours, and the
longer term.

The IR team’s efforts generally focus on the basics—getting critical
systems up and running, restoring normal operations, expelling the
attacker. Depending on the type of incident, these workstreams could
include data collection, acquisition of memory and hard drive images,
and log and triage-level analysis. Of course, incidents are highly
stressful, meaning they are rarely straightforward or issue-free.
For example, a company may have never looked at the data that the IR
team is requesting or, worse, does not know where the data exists
within the environment, in which case the team may need to spend
precious hours working with the company to identify the location.

Be aware of the big picture: A common mistake many organizations make
is trying to respond to an incident without first understanding its
full scope. Too often, initial steps to block an attacker or “contain”
an incident can backfire and give attackers the advantage. For
example, if an attacker senses an intervention, he could easily embed
deeper into the environment and become harder to track and stop.

It’s important not to declare victory too soon. Incident responders
can often discover that a compromise is much broader than initially
thought. Some victims may think that if they’ve identified where or
how an attacker got in—for example, they’ve discovered patient
zero—only remediation is necessary. But an attacker has likely used
more than one method to gain access to systems and without further
investigation and a proper root cause analysis (RCA), it’s unlikely
the organization is seeing the big picture. Adversaries who make the
effort to get into an organization will make even more effort to
maintain their foothold. To improve cyber resilience, it’s imperative
for organizations to gather as much intelligence about an incident as
possible, and to feed that intelligence back into an overall security
program.

Expect the unexpected: Every company, environment, and incident is
different. Some companies will have a more mature cybersecurity model
and better understanding of their environment, making the IR team’s
job easier, while others will need a lot of help to navigate the
crisis.

Like seasoned emergency room doctors, IR professionals have “seen it
all”; they are calm in a crisis and can apply their knowledge and
skills to put things right. So, although many of us like to think
that cyber incidents can resolve themselves, the truth is that seeking
professional help from the outset is more likely to deliver the best
outcomes—not to mention the peace of mind that comes from acting fast.