Targeted Attack, Targeted Response: Designing and Implementing an Incident Response Plan That Works
A few weeks ago I had the pleasure of participating, as a guest speaker, in a webinar titled “Targeted Attack, Targeted Response: Designing and Implementing an IR Plan That Works.” Joe Riggins, Senior Director of Incident Response for HBGary, moderated this Q&A format webinar. We discussed the current incident response (IR) challenges companies are facing, as well as specific steps organizations can take to design, test, and successfully implement an ongoing IR plan for their specific business environment.
The webinar recording can be accessed here.
In this webinar we discussed how incident response methodologies have changed in the last few years. The security landscape has changed dramatically over the last couple of years and is expected to change even more going forward, most likely at a faster rate than we have seen in the past. Consequently, incident response methodologies have to adapt. Examples of things that are changing the incident response landscape:
- Cloud Computing
- Mobility & BYOD
- Social Media
- Advanced Persistent Threats (APTs)
The adoption of cloud computing is changing incident response methodologies. Everything is now sold "as-a-service," whether it is infrastructure-as-a-service, software-as-a-service, or platform-as-a-service. When you move to the cloud in a significant way, incident response, and security overall, is something you should start considering long before you make the move.
Should cloud providers be offering incident response mechanisms? That is a possibility; however, in the cloud, incident response is all about data ownership, legal authority, and access to the affected systems, especially when some of the data resides on-site and portions reside in the cloud (on systems not controlled by you).
I like a statement we made in our Annual Security Report:
A few years ago, employees were assigned laptops and told not to lose them. They were given logins to the company network, and told not to tell anyone their password. End of security training.
Today, your “millennial” employees — the people you want to hire because of the fresh ideas and energy they can bring to your business — show up to their first day on the job toting their own phones, tablets, and laptops, and expect to integrate them into their work life.
Executives also expect others (including security personnel) to figure out how they can use their treasured devices, anywhere and anytime they want to, without putting the enterprise at risk. They want to have the capability to work hard, from home, on the road, or in the office, using social networks and cloud applications to get the job done, while someone else builds seamless security into their interactions.
Facebook and Twitter have moved beyond being social networking sites for teens and geeks, and have become vital channels for communicating with groups and promoting brands.
Fears around security and data loss are a leading reason why some businesses don't embrace social media, but many are adopting social media as a vital resource within the organization. Some of these risks can be mitigated through the application of technology and user controls. However, there is no doubt that criminals have used social media networks to lure victims into downloading malware and handing over login passwords. In this example, incident response moves from things that you can control within your network to boundaries outside of your organization.
Advanced Persistent Threats (APTs): Most threats in the past tended to be short-lived and easy to notice; however, many of today's threats are stealthier, specifically designed to spread quietly and slowly to other hosts, gathering information over extended periods of time and eventually leading to data theft and many other headaches.
The sophistication of APT intrusion attempts varies and likely depends on the attacker’s objectives, the tools and techniques available to them, and the anticipated ability of their target both to detect and defend against an attack.
- Protecting against the unknown – zero-day vulnerabilities: Many targeted attacks use zero-days and other customized malware. There is no one-size-fits-all methodology for detecting zero-day vulnerabilities and exploits. The two precautionary measures of patch management and keeping your security products up-to-date don't really apply here: if a vulnerability hasn't been publicly disclosed or the patch isn't yet available from the vendor, there is no fix. This is what makes such a vulnerability a prime target for hackers. Network visibility and control is one of the most important pillars of incident response.
- Scalability and Agility When Responding to Incidents: Scaling the response and responding rapidly has become a challenging task for organizations of all sizes, and we find that security practitioners spend most of their time on manual processes, which leaves them ineffective. Security automation is the key to escaping this rut. The adoption of security automation techniques around asset, change, configuration, and vulnerability management is key.
- Never-ending Complexity: The complexity of a network makes operational mistakes and security violations more likely. This applies both to the network architecture and to the methods that are in place to protect the network. From a security perspective, less complex configurations are usually preferred. The same perspective applies to the operational management of the network: very complex operational procedures are more likely to cause problems. The previous examples of cloud computing, mobility, social networking, and BYOD also apply here.