Engaging All Layers of Defense: Incident Response in Action
The Cisco 2015 Annual Security Report highlights many creative techniques that attackers are exploiting to conceal malicious activity, often taking advantage of gaps in security programs. They are continually refining and developing new techniques to gain a foothold in environments and, increasingly, they are relying on users and IT teams as enablers of attacks to persistently infect and hide in plain sight on machines.
Given this complex and dynamic threat landscape, organizations need a mature and adaptable incident response process.
Here are a few examples from the 2015 Annual Security Report that highlight how attackers are infiltrating networks.
- In 2014, spam volume increased 250 percent and difficult-to-detect Snowshoe spam is now emerging that sends low volumes of unsolicited messages from a large number of IP addresses. Spam has also become more malicious and is often the first step in phishing schemes that harbor malicious links, sometimes containing personalized content, making it harder for even experienced end users to spot faked messages. For example, Cisco Security Research recently observed a small number of spear-phishing messages purporting to originate from a well-known company containing a link redirecting users to a known phishing website.
- Another way that attackers are devising ways to gain a foothold in environments is through browsers. Malware creators are using web browser add-ons as a medium for distributing malware and unwanted applications. This approach to malware distribution is proving successful for malicious actors because many users inherently trust add-ons or simply view them as benign. Users also do not tend to update their browsers, particularly Internet Explorer (IE) – only 10 percent of requests originated from the latest version of IE. This was one of the drivers behind the most recent online banking guidance from the US regulators and the mandating of the use of transaction anomaly detection, which many users notice through an increase in requests to independently verify financial activities.
- Finally, we are all familiar with the security talent shortage, estimated at more than a million professionals across the globe. Security organizations are stretched beyond their limits and are having difficulty hiring and retaining highly trained security staff. Despite their best intentions, understaffed security teams often can’t keep up with the volume of alerts, compliance, and other business requirements. In fact, the Cisco Security Capabilities Benchmark Study, included in the Cisco 2015 Annual Security Report, finds that while CISOs and SecOps managers are showing confidence in their security operations, they also indicate that they cannot always find the resources to deploy important tools that can help thwart security breaches. Less than 50 percent of respondents effectively implement the following processes:
- Identity administration or user provisioning
- Patching and configuration
- Penetration testing
- Endpoint forensics
- Vulnerability scanning
These are just a few examples that point to the fact that it is harder than ever to keep malicious actors out and why every organization needs a competent response mechanism to increasingly potent attacks.
Even with reasonably sophisticated layers of defense, many organizations are facing a shift in thought process of what to do “when” an attack or data breach takes place rather than “if.” With a greater variety of attacks that may even evolve during an attack (as happened with the Distributed Denial of Service attacks launched against a number of banks) greater creativity and flexibility in detecting and responding to incidents are required. According to studies by Cisco, 75 percent of all attacks take only minutes to begin data exfiltration but take much longer to detect. These numbers are consistent with other studies as well as information being released related to recent high-profile data breaches.
This points to the fact that Incident Response (IR) approaches must be solidified or supplemented with appropriate external resources given the skills shortage.
When considering an Incident Response approach, you want to make sure best practices are in place to addresses issues and questions such as:
- What is the appropriate level of reaction?
- Have we engaged the right extended team for a complete and effective response?
- What outcomes are needed for a successful response?
- How do we adapt our response as the issue evolves?
- How is the threat propagating and exploiting?
- What systems have been compromised?
- What data is being exfiltrated and how do we stop this threat?
- How do we prevent this threat in the future and proactively monitor for others?
To do this, a critical first step is to evaluate the readiness of the organizations and the supporting infrastructure, including the network, security operations, communications, and incident response employee training. Rather than relying upon a prescriptive process to address a catalogue of issues, an effective Incident Response strategy needs to equip and empower responders with the tools and methods to:
- Understand the nature of the event or incident
- Evaluate the significance and urgency
- Determine appropriate or acceptable outcomes
- Implement necessary measures to achieve objectives
- Evaluate the effectiveness of the response and refine as necessary
- Engage internal and external resources to provide an efficient and effective reaction
As attacks become increasingly complex, methods become more guileful, and events achieve greater notoriety, organizations need to build mature, adaptable Incident Response processes that embrace complementary approaches in order to effectively manage operational risk in real time. Security tools alone will not provide a solution; good processes, effective stakeholder partnerships, and well-prepared and empowered staff will enable an organization to be more effective in using the available layers of defense, to adapt to events as they evolve, and to achieve more successful outcomes.