This article contains several important notes regarding Incident Response.
Recognizing Malicious Behaviors
SSProtect offers a variety of mechanisms that can indicate the presence of an attacker or malicious intent, including but not limited to:
- :Assess Reporting - Data access auditing is generated and managed in the cloud, isolated from potentially compromised hosts, so an attacker who controls an endpoint cannot quietly edit or erase the record of what was touched. Reports reflect all data access attempts, successful and failed, and can show trends in questionable behavior and repeated failed access that expose malicious activity. Confidence in the record comes from keeping the audited resources and the audit controls together in the same external, purpose-built infrastructure rather than on the hosts under scrutiny.
- SIEM Integration - Feeding regularly generated reports into a SIEM correlation engine makes "low and slow" tactics, which attackers use to stay under per-event alert thresholds, far less effective. The SIEM links related events that occur in different areas of the Enterprise over time and can isolate an attacker's activity where human review alone is unreliable.
- Honeypots - Honeypots attract attacker interest without putting sensitive resources at risk. They can also be deployed on demand to test whether a suspicion, often raised by a SIEM correlation exception or an analyst's review of access history, can be verified: no legitimate workflow references a decoy, so any access to it is direct evidence of malice.
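To make the second and third points concrete, the following is an added example (not SSProtect code, and not the :Assess report format) of the correlation a SIEM performs. It runs two rules over a handful of constructed audit lines in an assumed "timestamp key=value" layout: a naive per-hour failure threshold of the kind a single host might apply, and a sliding seven-day window that counts a user's failed accesses across every host. It also flags any touch of a decoy path. The thresholds, host names, paths and the honeypot path are all assumptions chosen for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit records in an assumed "timestamp key=value ..." layout.
# They are not real :Assess report output; the schema is an assumption for this example.
# jdoe fails once a day from three different hosts, then opens a decoy file;
# asmith fails once and then succeeds (an ordinary typo or permissions hiccup).
SAMPLE_AUDIT = """\
2024-03-01T09:12:04Z user=jdoe host=WS-114 resource=/hr/payroll-2024.xlsx outcome=DENIED
2024-03-02T14:40:51Z user=jdoe host=WS-114 resource=/hr/payroll-2024.xlsx outcome=DENIED
2024-03-03T08:03:19Z user=jdoe host=WS-207 resource=/legal/m-and-a/term-sheet.docx outcome=DENIED
2024-03-04T16:55:00Z user=jdoe host=WS-207 resource=/legal/m-and-a/term-sheet.docx outcome=DENIED
2024-03-05T10:21:33Z user=jdoe host=SRV-FS01 resource=/finance/board-deck.pptx outcome=DENIED
2024-03-06T11:47:12Z user=jdoe host=SRV-FS01 resource=/finance/board-deck.pptx outcome=DENIED
2024-03-07T09:02:45Z user=jdoe host=WS-114 resource=/eng/roadmap.docx outcome=DENIED
2024-03-07T09:05:10Z user=jdoe host=WS-114 resource=/eng/roadmap.docx outcome=GRANTED
2024-03-08T13:30:00Z user=jdoe host=WS-114 resource=/finance/q3-forecast-DRAFT.xlsx outcome=GRANTED
2024-03-03T10:00:00Z user=asmith host=WS-301 resource=/hr/handbook.pdf outcome=DENIED
2024-03-03T10:01:30Z user=asmith host=WS-301 resource=/hr/handbook.pdf outcome=GRANTED
""".strip().splitlines()

# Detection parameters (assumed values for this example, not SSProtect defaults).
FAIL_PER_HOUR = 3            # stand-alone threshold a single host might apply
SLOW_FAILS = 5               # failures tolerated per user across the correlation window
WINDOW = timedelta(days=7)   # state a SIEM keeps that an individual host does not
HONEYPOTS = {"/finance/q3-forecast-DRAFT.xlsx"}  # decoy path, constructed


def parse_record(line):
    """Parse one audit line into a dict; the timestamp becomes a datetime under 'ts'."""
    ts, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def per_hour_alerts(records, threshold=FAIL_PER_HOUR):
    """Naive rule: users with >= threshold DENIED events inside one clock hour.
    An attacker pacing one failure per day never trips this."""
    buckets = defaultdict(int)
    for r in records:
        if r["outcome"] == "DENIED":
            buckets[(r["user"], r["ts"].replace(minute=0, second=0))] += 1
    return {user for (user, _hour), n in buckets.items() if n >= threshold}


def low_and_slow_alerts(records, window=WINDOW, threshold=SLOW_FAILS):
    """Correlation rule: a sliding window over each user's DENIED events from
    all hosts combined. Returns {user: most failures seen in any window} for
    users at or above the threshold."""
    fails = defaultdict(list)
    for r in records:
        if r["outcome"] == "DENIED":
            fails[r["user"]].append(r["ts"])
    alerts = {}
    for user, times in fails.items():
        times.sort()
        best, j = 0, 0
        for i, start in enumerate(times):
            # Advance the window end; j only moves forward because times are sorted.
            while j < len(times) and times[j] - start <= window:
                j += 1
            best = max(best, j - i)
        if best >= threshold:
            alerts[user] = best
    return alerts


def honeypot_alerts(records, honeypots=HONEYPOTS):
    """Any attempt against a decoy is evidence whether it was granted or denied:
    no legitimate workflow should reference the resource at all."""
    return [(r["user"], r["host"], r["resource"], r["outcome"])
            for r in records if r["resource"] in honeypots]


def run(lines=SAMPLE_AUDIT):
    """Apply all three rules to the audit lines and return their findings."""
    records = [parse_record(line) for line in lines]
    return {
        "per_hour": per_hour_alerts(records),
        "low_and_slow": low_and_slow_alerts(records),
        "honeypot": honeypot_alerts(records),
    }


if __name__ == "__main__":
    for rule, hits in run().items():
        print(f"{rule}: {hits}")
```

On the sample, the per-hour rule reports nothing because no user ever fails more than once in an hour, while the windowed rule reports jdoe with seven failures spread across three hosts, and the honeypot rule catches the later successful open of the decoy file. That gap between the two failure rules is precisely what "low and slow" relies on and what cross-host correlation over time closes.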
Third Party Notification
Historically, most breach notifications have come from third parties, often because another Organization's investigation turned up the same attacker tooling or Command and Control infrastructure. The notice typically arrives as a phone call from the FBI or the investigating firm, and sometimes only because of prior relationships between individuals on each team. Familiarity carries tremendous value given the sensitive nature of these exchanges.
Notification Well After Entry
In these cases, notification occurs well after initial penetration, which in most situations means the immediately available information has already been taken. The attacker has had time to lie in wait, discover new material as it appears, and siphon it off for continued use. History teaches that attackers can be present inside company networks for years before they are discovered.
Corporate Liabilities and Incident Response Plans
Every company needs an Incident Response plan that assigns specific individuals to specific responsibilities during a critical security incident. Though well beyond the scope of this article, the underlying principle stems from the legal liabilities a company carries when a data breach occurs. Because regulatory stipulations and reporting requirements vary greatly from one region to another and from one industry to another, teams must know whom to contact and what information to disclose. Check your company's policies before making any assumptions: response plans often use a reporting structure and team roster that diverge from what the traditional org chart would suggest.
IMPORTANT: First Action
Perhaps the most critical moments of Incident Response come early, at the discovery of a problem. Newcomers commonly feel the need to immediately disconnect or shut down affected systems to "stop the bleeding". This is almost never the right first move: it tells the attacker they have been discovered and lets them go quiet, and it destroys the volatile evidence (running processes, live network connections, memory) on the very hosts in question. Quietly observing the attacker's ongoing activity instead lays out a clear path to understanding the depth, breadth and overall scope of a breach, which is exactly what is needed to plan the cleanup of affected systems and "close the door" on further attacker action. The exception is active destruction or bulk exfiltration in progress, such as ransomware encrypting shares; that decision belongs to the response lead under the plan, not to whoever noticed first.
This cannot be stressed enough. In almost every situation, discovery happens well after initial attacker entry, which means most of the damage has already been done. Disconnecting systems limits further damage far less than one might think, while the loss of visibility and contextual clues dramatically increases the cost of the response.
When made aware of a data breach, or when suspecting that your Organization has been compromised, follow your company's response procedures so that regulatory stipulations and legal requirements are met. Deviation can cost a company a tremendous amount of money, both in lost time and in unmanaged outbound communications.
First response is critical and best left to those whose qualifications and experience tell them the best path forward. An ad hoc response often ends in catastrophe; breaches have cost many businesses their entire future.
For More Information
Contact our support team for assistance in understanding how you can formulate an effective Incident Response plan. We can refer you to partners and external resources who specialize in these areas, and can guide those who use our products to better understand how to make effective use of the protections and information available. Email firstname.lastname@example.org for details.
This article was updated with v5.5.1 of the :Foundation Client