[BreachExchange] Cauterise or Collect: the post-breach dilemma

Wed Apr 10 01:51:12 EDT 2019

https://www.cso.com.au/article/659756/cauterise-collect-post-breach-dilemma/

The phone rings in the middle of the night. It’s the Security
Operations Centre and a server containing vital data has been hacked.
It isn’t known how the attackers got in, how long they’ve been active,
or what else might have been compromised. In the heat of the moment
emotions and adrenaline are running high, and a well-rehearsed
Incident Response Plan helps keep heads calm and avoids knee-jerk
reactions with unforeseen consequences.

Vital first steps are followed precisely and immediately: key
stakeholders are engaged, log files are pulled, and lawyers are
mobilised. At this point, cyber incident responders face a difficult
fork in the road: monitor the situation, or lock everything down while
you still can? Each approach has benefits and drawbacks, and as this
year’s major cyber security incidents have shown, the most difficult
decisions are those that are often the most challenging to plan for.

Monitoring a live attack invariably helps an organisation gain a
better understanding of an incident, including compromised accounts,
lateral movements, and the data being targeted or accessed. However,
this approach can be fraught with legal and reputational risk, due to
the potential for further data loss or compromise. Further, this
approach requires the collection, analysis and reporting of
intelligence, which takes valuable time that is in short supply after
a breach.

With the benefit of hindsight, such a course of action can appear
complacent or downright irresponsible. Even still, sometimes this risk
is acceptable, especially where attribution is critical or where state
actors may be present and national security is at stake.

On the other hand, while cauterising an incident as soon as it is
detected appears more sensible on the surface, it is not without its
own dangers. Containing an incident by isolating the affected network
may impact customers, drastically reduce operational effectiveness, or
worse still, alert the adversary they’ve been sprung, potentially
causing them to cover their tracks by destroying data or
infrastructure. If information has already been compromised, it is
also possible a panicked attacker might react maliciously and
disseminate data.

This year, the German Federal Office for Information Security received
public condemnation for not notifying politicians and officials of an
incident that ultimately resulted in the public disclosure of hundreds
of their personal records. Whether notifying the victims earlier could
have allowed affected individuals to better prepare themselves or
would have simply compromised an ongoing investigation is an open
question.

In the wake of this year’s hack against Australia’s Parliament and
major political parties, the head of Australia’s Cyber Security
Centre, Alastair MacGibbon, highlighted exactly this dilemma faced by
cyber responders. His statement that a calculated decision to take
‘overt action’ to secure the system, at the cost of forensic evidence,
underscores the ‘cauterise or collect’ predicament following a major
incident.

Myriad variables impact the better path to follow, such as the type of
data potentially affected, the risk tolerance of the organisation, the
nature of the suspected threat actor (including potential extortion
attempts), and the duration and method of compromise. Identifying such
variables in advance, mapping out responses, and frequent rehearsals
means security professionals can react quickly and effectively,
freeing up vital time and resources to ensure a bad situation isn’t
made worse.

The increased regulatory pressure from the Privacy Amendment
(Notifiable Data Breaches) Act has only compounded the necessity for
organisations to be prepared for a cyber incident, as well as the
pressure placed on first responders. While such schemes have been a
huge step in the right direction for increasing accountability and
bringing the reality of cyber threats to the public eye, there is a
real risk of organisations focussing on self-preservation rather than
meaningful remediation. This has only amplified the stakes of the
post-breach dilemma.

An unfortunately common story for technical staff navigating an
increasingly complex regulatory environment is being forced to wait
for the legal team to determine culpability prior to undertaking
technical remediation. In at least one case, this delay has resulted
in the exfiltration of data hours after the detection of compromise.

It is only by planning for when, not if, a breach occurs that cool
heads can prevail in a time of crisis. Nonetheless, organisations must
be aware of growing complacent in an ever-changing threat environment.
Through workshopping and planning, and informed investment in security
technologies, businesses can proactively prepare for the edge-cases
that test our assumptions or break our response plans. Deciding
whether to collect or cauterise following an incident is a delicate
balancing act that defines the lives of security analysts. Armed with
a comprehensive and well-rehearsed incident response plan, it is a
tightrope that can at least be walked with a safety net.