Cisco Blogs

Incident Response Goes to Hollywood

- June 6, 2016 - 5 Comments

Having personally spent a lot of time at Fortune 500s, I know that individuals tend to develop blinders when dedicated to an organization, and begin to accept that things are done a certain way, and there is an order about things. It may come as a surprise, then, when others don’t do things the way your organization does, or ignore certain areas altogether.

A quick Google search will reveal there are over 45,000 companies listed on stock exchanges across the globe. This doesn’t even take into account small and medium-sized businesses or organizations that aren’t listed (e.g. schools, universities, non-profits, etc.). When you realize the gravity of those numbers, you begin to realize that something as specific as incident response isn’t a luxury that everyone can afford to have on staff. Let’s look at ‘House of Lies’ for a moment, to illustrate.

The team (and company) in ‘House of Lies’ is focused on management consulting: they run numbers, consider business strategies, and more, to ultimately provide recommendations and devise the best path forward for their customers. They even use technology to accomplish these goals and have some IT staff on hand.

That is why I applaud the fact they were smart enough to reach out for help when they were breached (albeit comically) by their competitor. If incident response isn’t your strong suit, you should never be embarrassed about making a phone call and bringing in external assistance. Even large and very mature organizations that have IT staff will still enlist outside assistance to help augment their organizations and recover from a breach.

Once you have the right folks engaged to assist in your breach, you should not make any hasty decisions, but rather do your best work to understand the scope of the attack, which ultimately allows you to make the best call as to how to move forward. In many cases, the path forward may require additional resources, including tools that may be outside of your normal IT staff and existing technology sets. For example, application teams who may be required to patch and regression test their code, legal teams who may provide input and guidance, public relations personnel who may work to soften the external blow, and more could be tapped to become part of the incident response team once a plan is developed.

As for tool sets? Visibility, containment, and environment hardening may come into play, let alone specific forensic tools to piece together the attack and track down the attacker(s).

In the show, you’ll see they called on Cisco Advanced Malware Protection (AMP). In the real world, it actually is a tool that organizations and incident response firms use to quickly understand the full scope of a compromise and take action. AMP uses behavioral indicators and continuous analysis of file behavior to quickly detect malware if it’s already inside, and then shows you where the threat came from; what led up to the attack; when the system first saw it; where else the malware has been; and what the malware is doing. Then, with AMP’s built-in containment and remediation capabilities, you can eliminate the threat with a few clicks.

Again, given the sheer number of organizations, not all organizations will have access to all of the required resources, or even the bandwidth available to respond. In the end, it’s imperative to bring in the right people for the job, and the right tools, even if it requires an external phone call.

While the team at Kaan & Associates may not be the best all-around role models, they would be the right example to follow this time around, with regard to reaching out and asking for help.

See how Kaan & Associates enlisted the help of Cisco to get to the bottom of their breach.


5 Comments

  1. Awesome show and excellent product placement of AMP. Our incident response teams are a great Cisco asset. We need to spread the message.... "better call Cisco security!"

    Nice. That is a great example for using Cisco AMP.

    But there was no 'enhance'...

  2. How often are malware behavior indicators updated? Daily, weekly? Does that come with the product or do I need to also purchase a service agreement?

      Hi Keith, When you buy AMP, you get all the great threat intelligence and behavioral indicators that come with it. Our team of threat researchers are working on behavioral indicators and indications of compromise on a daily basis, and since AMP is cloud-based, they can easily and quickly push that intelligence to AMP right away so that you're protected 24/7.
