[BreachExchange] Hackers in your network? Why kicking them out straight away is not always the best approach

Audrey McNeil audrey at riskbasedsecurity.com
Mon Jun 13 18:20:24 EDT 2016


http://www.zdnet.com/article/hackers-in-your-network-why-kicking-them-out-straight-away-it-not-always-the-best-approach/

It's time to face the facts: no matter how secure you might believe your
corporate network to be, sooner or later, cybercriminals will find their
way in.

They could enter using stolen credentials, they could find their way in
using malware, or they could be in the system for some time before you
realise something is wrong.

You understandably panic when hackers have infiltrated your network and
look to shut down the infected PCs, because that's the correct thing to do,
right? Wrong. The FBI has warned that while this might be an understandable
impulse, it's not always the right decision.

"When we come into an incident, most people want to immediately fix it,
they want it to go away as fast as possible," said Kurt Pipal, assistant
legal attaché at the Office of the Legal Attaché for the FBI in the UK,
speaking during a panel on law enforcement and cybercrime at Infosecurity
Europe 16 in London.

"I get that, it's a driver from a business perspective. However, not
understanding the true intrusion events could mean you don't clear it out
-- they're called 'advanced persistent threats' for a reason."

If possible, businesses should allow investigators to look into the breach
before the evidence is destroyed.

"Understand where they [hackers] are in your network, let law enforcement
understand that threat, and be able to give you tips on how these actors
move through your network, then get them off it," said Pipal.

"It's not a mistake, but a business decision. There's definitely a drive to
mitigate it as fast as possible, but to understand what it is before you do
that is important," he explained.

For Andre McGregor, a former FBI cyber special agent and now director of
security at endpoint protection firm Tanium, suggesting to a breached
company that they don't do anything is "one of the hardest conversations"
to have in cyber law enforcement -- as the organisation just wants the
hackers out of their system. But that can just make the situation worse.

"The minute you unplug a device -- because instinct is 'something bad is
happening and I don't want it to happen anymore' -- the adversary is aware.
So as long as you're not actively losing data, you have some time to
actively look at where the adversary is going," McGregor told ZDNet.

"That's exactly what we do with terrorism: we observe, we obviously want to
get to the point before anything bad happens, but up until that point we
want to get as much information as we can so we understand the adversary.
But the minute they unplug the machine, the adversary is aware," he said.

McGregor recalled an incident where a large company was the victim of a
cyberattack: it acted quickly and only inflamed the situation.

"We identified ten computers in the environment with APT malware on, so
[the company's] immediate response was to turn off the machines. Meanwhile,
on the other end, we in the intelligence community monitoring what the
adversary was doing, saw 50 more machines pop up as infected. They were
doing their work on ten machines, but the infection laid persistence in 60
machines," he said.

"It's not that you're not doing anything, but that we can set up walls
around it, segment their activity so we can still see what they're doing,
allow them to give us more evidence, but not navigate further," he said.
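The "walls around it" approach McGregor describes, containing the known-compromised hosts so they cannot move further while their existing activity stays observable, can be expressed as a firewall policy. The ruleset below is an added example, not part of the article or of any FBI or Tanium material; it assumes a Linux nftables gateway on the forward path between the user LAN and the rest of the network, and the suspect addresses, internal ranges and collector address are constructed placeholders.

```nftables
# Added example: quarantine-with-visibility policy for an nftables gateway.
# Assumption: this box forwards traffic between the user LAN and the rest of
# the network. All addresses below are constructed placeholders.

# Telemetry collector (EDR/SIEM) that must keep receiving data; constructed.
define collector = 10.0.100.10

table inet quarantine {
    # Hosts the investigation has identified as compromised.
    set suspect_hosts {
        type ipv4_addr
        elements = { 10.0.5.17, 10.0.5.23 }   # constructed placeholders
    }

    # Internal ranges a suspect host must not be allowed to move into.
    set internal_nets {
        type ipv4_addr
        flags interval
        elements = { 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16 }
    }

    chain forward {
        type filter hook forward priority 0; policy accept;

        # Keep endpoint telemetry from suspect hosts flowing to the collector.
        # This rule sits before the lateral-movement drop because the collector
        # lives inside the internal ranges.
        ip saddr @suspect_hosts ip daddr $collector accept

        # Record every new flow a suspect host opens, so analysts can see
        # where the adversary is trying to go.
        ip saddr @suspect_hosts ct state new log prefix "QUARANTINE-NEW " level info

        # Block and log any attempt to reach other internal systems
        # (the "not navigate further" part).
        ip saddr @suspect_hosts ip daddr @internal_nets log prefix "QUARANTINE-LATERAL-DROP " drop

        # Other traffic from a suspect host falls through to the accept policy,
        # so the activity already under observation is not cut off.
    }
}
```

Load it with `nft -f quarantine.nft` and add hosts to `suspect_hosts` as the investigation identifies them; the logged `QUARANTINE-LATERAL-DROP` entries are themselves evidence of which other machines the adversary is trying to reach. The deliberate choice to leave non-internal traffic flowing matches the condition McGregor attaches to it: this is only appropriate while you are not actively losing data, and the policy should be tightened the moment that changes.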