Is Your Incident Response Plan Ready for a Cyber Security Breach?
By: Jeff Multz
Nearly every day the media report on organizations, companies and nation states that are dealing with information security breaches.
From the smallest companies to the largest conglomerates, organizations around the world are attacked every second of every day, and many do not have an incident response plan in place. Cyber threats now evolve within hours, where previously it took days or even weeks. We've been in a 24-hour-a-day, hand-to-hand combat war for many years. Cyber attackers don't stop working when your business closes for the day.
Complex hacking tools allow attackers to conduct attacks, from Distributed Denial of Service (DDoS) onward, that do the following things:
- Flood your pipelines and crash your website
- Crack passwords that are longer than 15 characters
- Enter your website in numerous different ways including your website applications
- Administer spear-phishing attacks on unsuspecting employees and attack vulnerable hardware.
Develop an Incident Response Plan Ready for Advanced Persistent Threats
The old belief was that if you secure your network better than your neighbor, you'll be less likely to be attacked as cyber attackers go for the low-hanging fruit. Not so much anymore. Nowadays, if you've got valuable data or intellectual property attackers want—credit card numbers, financial information, trade secrets, and personally identifiable information such as social security numbers—attackers will stalk your network night and day until they find a way into your network and access your data.
Advanced Persistent Threats are attacks that occur upon your network nonstop until the attackers get what they want. The defensive tools, procedures and other controls commonly put in place to handle commodity security threats are often ineffective against targeted advanced threats. This is because the actors behind the intrusion are focused on a specific target and are able to customize and adapt their Tactics, Techniques and Procedures (TTP) to predict and circumvent information security controls and standard incident response practices. No matter what types of defense mechanisms you have in place, the cyber threat actors will adapt their tools and strategies to your entire network until either they achieve their objectives or decide the cost of the attack operation outweighs the perceived value of their objectives. The attackers are focused on earning a return on their investment for their tradecraft and efforts.
It's nearly impossible to protect yourself from attackers who are intent on gaining entrance to your network without maintaining good defensive controls and posture, and watching your network 24x7x365. Even if you think you are protected, it is always a good measure to be proactive. Targeted Threat Hunting dives into your network to actively search for any presence of a cyber attacker hiding within your systems. These attackers burrow malware inside your network so well that most organizations have no knowledge of the intruders' presence (outside of a “slow network”), and the attackers can live there for months or years before you or, quite embarrassingly, a third party notices. If your network is being monitored by your company or an outsourced IT security partner, you are more likely to discover that your network has been invaded. You'd likely notice suspicious network activity, prompting you to examine the situation. You would also likely notice when an attacker has either entered your network or left it. The best time to stop cyber attackers is upon their entrance, before they can access or exfiltrate any information. Our incident response best practices set a new bar: they allow a responder to react to your suspected breach within minutes and can put a cyber-insurance manager at your site within 24 to 36 hours.
How Threat Actors Enter Your Network
An attacker can get in the front door, or inside your network, but he still has to find a way to where you house your most valuable data. When he enters, he most likely has to take measured steps to discover where the valuable servers he wants to access are located. Think of your network as a palace. If someone breaks into your palace and enters the foyer, he has to discover where you hide your treasures. Then, he has to physically go to that room and search for the loot. If your loot is hidden inside a safe within a locked home office, he has to pick the lock to the door and then the lock to the safe. Discovering where you hide your treasures takes the attacker time, and so does reaching the location. Compare it to the thief in your house who has to walk down hallways to peer into rooms, bypassing the laser security traps inside your home, just to get to the rooms where your valuables are stored. So the moment the thief arrives in your palace is not the moment he accesses your valuables. That part could take the thief a lot of time, especially if you have security alarms and locks throughout the palace.
So, too, the longer a cyber-attacker is in your network, the more time he has to explore and discover where you store your valuable data, such as your financial information and your customer database. The longer an attacker is in your network, the more time he has to access your information and to build secret “back doors” that will allow him to secretly re-enter your network when you finally discover his presence and close off the door through which he entered. That is the biggest problem we see when organizations try to remove malware themselves. They don't realize that a cyber-attacker has likely planted more malware than they see, and they aren't aware of all the backdoors he has created to easily re-enter the network.
How to Handle a Data Breach
According to the Ponemon 2013 Cost of a Data Breach Study, the average per capita cost of a data breach in the U.S. is $188. Those organizations that hired information security consultants to help them contain and resolve the incident were able to reduce the cost by an average of $13 per compromised or exposed record.
The study found that the most profitable investments companies can make are to have the following things:
- An incident response plan
- A strong information security posture
- The appointment of a Chief Information Security Officer (CISO) with enterprise-wide responsibility
- Engagement of outside consultants
The sooner you call an experienced incident responder, the better. Plenty of organizations have tried to remediate a cyber-security breach on their own, only to have a second malware outbreak after they thought they had purged all infected systems. Today's malware is stealthier than ever before, making it a challenge to ensure all systems are truly clean after an incident, and it often takes someone who has daily experience handling IR incidents to discover all the malware. The classic example of the “Undead” Incident is when an infected server gets wiped, re-imaged and redeployed, only to be infected again by the same malware a few days later. After further investigation, it turns out there is another infected machine on the network that was never detected during the initial incident response process. Had a thorough investigation been done the first time to determine the source of the infection, the organization would have found the other compromised system and been able to avoid a repeat incident. Because our IR team works hand-in-hand with our Counter Threat Unit, which has a view of the threat landscape of our 3,500 customers and relationships with other IT security teams around the world, it is familiar with many attack groups and the way they operate. Often, if one type of malware is found, the CTU security intelligence team will be able to surmise where else in the network the attackers are hiding other malware, because it has been tracking similar types of attacks.
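The “Undead” Incident above is, at bottom, a scoping failure: the re-imaged host was treated as the whole incident, and the peer that kept re-infecting it was never looked for. The script below is an added illustration of the scoping step the paragraph calls for; it is not part of the article and not Dell SecureWorks tooling. It takes a constructed incident timeline (detections and re-image actions per host) and a constructed internal flow log, flags any host where the same indicator reappears after a re-image, and lists the internal peers that connected to that host between the re-image and the re-detection, ranked by connection count, as the systems to examine before wiping the host a second time. All hostnames, timestamps and indicator names are made up for the example.

```python
"""Scoping check for the 'Undead' incident pattern: a host that is wiped and
re-imaged, then detected with the same malware again. Flags such hosts and
lists the internal peers that talked to them between the re-image and the
re-detection, which is where the undetected source usually sits.
All data below is constructed for illustration (not real hosts or malware)."""

from collections import defaultdict
from datetime import datetime

# Constructed incident timeline: timestamp, host, action, indicator.
# Actions: "detect" (malware found on host), "reimage" (host wiped and redeployed).
INCIDENT_LOG = """\
2013-06-01T09:00:00,FILESRV01,detect,backdoor.sample
2013-06-01T14:00:00,FILESRV01,reimage,-
2013-06-04T08:30:00,FILESRV01,detect,backdoor.sample
2013-06-02T10:00:00,WKS042,detect,adware.sample
2013-06-02T11:00:00,WKS042,reimage,-
"""

# Constructed internal flow records: timestamp, source host, destination host, dst port.
FLOW_LOG = """\
2013-06-01T15:10:00,WKS017,FILESRV01,445
2013-06-02T03:20:00,WKS017,FILESRV01,445
2013-06-02T09:00:00,WKS101,FILESRV01,445
2013-06-03T22:45:00,WKS017,FILESRV01,135
2013-05-30T12:00:00,WKS099,FILESRV01,445
2013-06-03T12:00:00,WKS017,WKS042,445
"""


def _ts(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%S")


def parse_incidents(text):
    """Parse the incident log into (time, host, action, indicator), oldest first."""
    rows = []
    for line in text.strip().splitlines():
        ts, host, action, indicator = line.split(",")
        rows.append((_ts(ts), host, action, indicator))
    return sorted(rows)


def parse_flows(text):
    """Parse the flow log into (time, src, dst, port), oldest first."""
    rows = []
    for line in text.strip().splitlines():
        ts, src, dst, port = line.split(",")
        rows.append((_ts(ts), src, dst, int(port)))
    return sorted(rows)


def find_undead_hosts(incidents):
    """Return {host: (reimage_time, redetect_time, indicator)} for every host
    on which an indicator seen before a re-image is detected again afterwards."""
    result = {}
    last_reimage = {}
    seen = defaultdict(set)  # indicators detected on each host so far
    for ts, host, action, indicator in incidents:
        if action == "reimage":
            last_reimage[host] = ts
        elif action == "detect":
            if host in last_reimage and indicator in seen[host]:
                result[host] = (last_reimage[host], ts, indicator)
            seen[host].add(indicator)
    return result


def candidate_sources(flows, host, start, end):
    """Internal peers that connected to `host` within [start, end], with
    connection counts, most active first. These are investigated before the
    host is re-imaged again; the flow log alone cannot prove which peer is the source."""
    counts = defaultdict(int)
    for ts, src, dst, _port in flows:
        if dst == host and start <= ts <= end:
            counts[src] += 1
    return dict(sorted(counts.items(), key=lambda kv: (-kv[1], kv[0])))


def scope_incident(incident_text=INCIDENT_LOG, flow_text=FLOW_LOG):
    """Build the scoping report: one entry per re-infected host."""
    incidents = parse_incidents(incident_text)
    flows = parse_flows(flow_text)
    report = {}
    for host, (reimaged, redetected, indicator) in find_undead_hosts(incidents).items():
        report[host] = {
            "indicator": indicator,
            "reimaged": reimaged,
            "redetected": redetected,
            "candidate_sources": candidate_sources(flows, host, reimaged, redetected),
        }
    return report


if __name__ == "__main__":
    for host, info in scope_incident().items():
        print(f"{host}: {info['indicator']} returned after re-image at "
              f"{info['reimaged']:%Y-%m-%d %H:%M} (re-detected {info['redetected']:%Y-%m-%d %H:%M})")
        for peer, n in info["candidate_sources"].items():
            print(f"  investigate {peer}: {n} inbound connection(s) during the window")
```

On the constructed data, FILESRV01 is flagged and WKS017 surfaces as the most active peer during the window, while WKS099, which only talked to the server before the re-image, is correctly excluded. In a real engagement the same window-and-peer logic is applied to host-based evidence as well (authentication logs, scheduled tasks, service installs), since a flow record only tells you who to look at, not what they did.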
Incident response can be a very high-stress process, even if you have a well-defined plan from which to work. The process can take several days, with key individuals working around the clock. With a Dell SecureWorks Standard IR retainer, an organization is guaranteed to have Dell SecureWorks incident responders onsite within 36 hours and support through our Security Operations Center (SOC). With the upper-level Marquis IR retainer, you can have responders onsite within 24 hours, a dedicated IR handler for your incident and direct phone support to the Incident Response team. You will also receive an initial onsite engagement with a security consultant who will familiarize our team with your network environment, personnel and process flows to speed up the remediation process.