Every year the percentage of security breaches that take several months to be discovered and contained increases – a statistic that clearly highlights companies’ inefficiency in identifying and responding to adverse events. Why?
Being able to handle a security breach requires two main components – a well-defined attack detection capability and a structured response phase. Currently, most enterprises are failing in at least one of these components. This article will focus on issues surrounding the response phase.
As soon as an Information Security Incident is declared, a specific procedure must be followed to ensure that it is treated and mitigated in a consistent way.
In general, any adverse event that affects CIA (Confidentiality, Integrity and Availability) is considered an Information Security Incident. A significant number of the incidents that an IT infrastructure faces impact one of these three attributes; therefore, a consistent methodology has to be adopted to track their progression during their entire lifecycle.
If the adverse event is caused by a system outage or as a consequence of human error, IT departments are usually able to deal with the incident and recover the situation. Generally, this is achieved through the engagement of subject matter experts from the IT team. Examples of these incidents include:
Unwanted change on core systems leading to a loss of integrity
The tracking and classification of these incidents is conducted by either the Incident Management or the Incident Handling team, while the IT Security team usually acts as a trusted advisor to ensure that Information Security Incidents are progressed until closure.
Technical actions are generally accomplished by someone outside the Security Team, usually the technical owner of the particular platform that caused the adverse event.
This works for well-defined Information Security Incidents. But is this process also applicable to adverse events caused by external attackers, also known as Cyber Incidents?
As previously noted, Incident Management and Incident Handling teams can apply an overall framework to ensure the tracking and progression of an Information Security Incident. Technical owners of potentially compromised systems are subject matter experts from an administrative point of view, but they are not trained to deal with the unique situations caused by an intruder. IT Security team members usually act as advisors, supporting IT development and infrastructure teams through security assessments, vulnerability reporting and both high-level and technical guidelines to fix the issues.
However, identifying a Cyber Attack that leads to unauthorised access requires specialised people who can spot anomalies across systems and implement successful containment actions. These skills are generally not covered by IT security personnel or by pure forensics people.
For these scenarios, a specific set of skills is required, ranging from defensive and offensive security, mixed with forensics techniques and methodologies that can be applied to both networks and hosts. In simple terms, people designated to deal with these types of adverse events must have Intrusion Forensics skills.
Intrusion Forensics is not a new discipline, but it is still quite rare and definitely not a skill that is easy to develop in SOC-style environments or in internal Incident Handling teams. This is because it requires continuous exposure to a certain number of intrusions to develop the correct investigative mindset and enough experience in dealing with crisis situations.
Attackers just need to leverage a single vulnerability to gain access to a corporate environment and the footprint left behind could be pretty small. The challenge for Intrusion Forensics is to spot the single anomaly across a vast number of systems and technologies that could prove an intrusion attempt. Knowledge of what normal behaviour looks like for systems and networks helps a lot. However, the gap between knowing an IT infrastructure and being able to identify an intrusion and respond to it in a consistent way is quite substantial.
Cyber Incident Responders and Investigators are people specifically trained in Intrusion Forensics and able to apply this discipline to unauthorised access to corporate systems. These techniques can be applied to a wide range of scenarios, from non-targeted malware outbreaks to state-sponsored attacks involving lateral movement across different systems and networks.
The output from this methodology will generally help to define the number of compromised systems and the attack vector. From here, a well-defined set of containment and investigative actions can be implemented based on the type and sophistication of the attack.
It is important that the investigation activity feeds all of its findings back into the response actions as soon as they become available: this ensures that containment time falls within an acceptable window.
Classic Incident Management and Incident Handling are currently failing against Cyber Attacks because they base decisions and incident progression on feedback provided by IT personnel who are not prepared to deal with intruders. To successfully handle these kinds of adverse events, Cyber Incident Responders with Intrusion Forensics skills are required. This will help enterprises deal with unauthorised access attempts in a consistent way, with the goal of containing incidents in a timely fashion whilst avoiding mistakes that could worsen the situation.
During a complex compromise, well-trained Incident Responders may be the only defence that remains, and the only personnel with the ability to contain the crisis situation.