Time To Rethink Incident Response

Forbes Technology Council
POST WRITTEN BY
Samu Konttinen

Many organizations are struggling to apply some of the new cybersecurity technologies and capabilities coming to the market. Incident response is one such area. An investigation into a cyberattack usually begins after a business suffers financial, reputational and operational damages from an attack. But why wait? Why not capture attackers red-handed instead?

One reason the cybersecurity industry is placing more emphasis on incident detection and response is that advanced capabilities are now finding their way into the hands of common cybercriminals. We could go as far as saying the Advanced Persistent Threat (APT) label is no longer useful. Even small-time cybercriminals and hacktivists are acquiring capabilities that used to be limited to nation-states.

Anybody can now acquire the capabilities to be an APT.

Not all threat groups will target the same companies with the same methods, or at the same times. Targeted attacks can take weeks, even months, of planning before an attempted breach, during which the attackers probe the target to find the best entry points to specific information or assets. Attackers are also broadening their range of payloads, from remote access trojans and other malware to shortened URLs that download malicious programs.

The U.S. Army War College coined a term for the post-Cold War landscape: VUCA (volatility, uncertainty, complexity and ambiguity). It is a fitting framework for viewing cyber threats in today’s corporate world, where defenders face attackers that use stealthy techniques and tools to pursue a range of objectives. Is a company ready to withstand nation-state-level attacks, and are there protocols for immediate action once a breach has been detected? What exactly could the attackers be targeting in the company (IP assets, invoices for financial gain, private information)? How is the company’s evolving digital attack surface managed (for instance during updates or upgrades, and in determining which elements are most critical)? And through what channels are attacks conducted (social engineering, phishing, malicious attachments used as a distraction)?

The dynamic is asymmetrical given the simple fact that attackers have plenty of time to plan attacks, whereas companies have limited resources for defense. A VUCA mentality can help to make for a solid but fluid security strategy.

Managed Detection And Response

The emergence of managed detection and response has made it possible to react sooner and earlier in the kill chain. Managed detection and response (MDR) has become the next generation in the fight against cyberattacks: a company uses a cybersecurity vendor to handle the heavy threat detection and response workload instead of relying on in-house experts. MDR is equipped with more or less the same tools as endpoint detection and response (EDR), but with more human expertise in the mix. Many solutions can detect attacks but are significantly limited in what they can do to stop attackers from achieving their objectives. Some measures can be taken, such as isolating the affected host(s), but this often alerts the attacker that they have been detected, allowing them to flee the scene without leaving much useful evidence of how they compromised the company or what their objectives were. It is exactly this information that is crucial to avoiding a repeat attack, which will, in all likelihood, be much sneakier next time.

It's time to be proactive.

The time is well and truly over for discovering a breach only after the damage has been done. When an attacker has been detected sniffing around your estate, you need skilled personnel with the right technology and processes to take them on immediately, because evidence fades over time. However, many organizations feel they are experiencing a cybersecurity skills gap that includes the “first responders” necessary for a proper response.

A continuous response approach helps your company reduce, if not eliminate, the response gap. This includes a strategy that:

• Prioritizes response from the top down. Companies should invest as much in responding to threats as they do in predicting, preventing and detecting them. Most don’t. This will never change unless your CEO and board understand the business case for being prepared to handle a breach as it happens.

• Takes an inventory of the tools you have in place. You may already have the resources to aid response in your organization; they just need to be activated. For instance, decide how much logging you want based on your risk profile, and check that the right elements of your endpoint protection are enabled to support response.

• Implements basic readiness across people, processes and technology. Basic readiness includes knowing how to manage the incident as it occurs, how to understand the impact of certain actions (such as shutting down certain machines), and how to gather evidence, intelligence and forensics as the attack unfolds.
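The third point is the one that most often fails in practice: the host gets isolated first, and the volatile evidence (who the box was talking to, what was running) is gone by the time anyone looks. The script below is an added example, not code from the article or the author’s company. It collects network connections and a process snapshot in order of volatility, writes them with a hashed manifest, and only then produces the isolation commands, which it returns rather than executes so the responder makes that call. It assumes a Linux host with /proc; the SOC collector address (SOC_COLLECTOR) and the iptables rules are hypothetical placeholders, and the embedded /proc/net/tcp sample is constructed so the parser can be exercised off-host.

```python
#!/usr/bin/env python3
"""Capture volatile evidence before isolating a host (added example, not from the article).

Assumes Linux (/proc). SOC_COLLECTOR and the iptables rules are hypothetical.
"""
import hashlib
import json
import os
import socket
import struct
import time
from pathlib import Path

SOC_COLLECTOR = "10.0.2.15"  # hypothetical: the collector that must stay reachable after isolation

TCP_STATES = {"01": "ESTABLISHED", "02": "SYN_SENT", "03": "SYN_RECV",
              "06": "TIME_WAIT", "08": "CLOSE_WAIT", "0A": "LISTEN"}

# Constructed sample of /proc/net/tcp (two sockets: a local MySQL listener and an
# outbound HTTPS session) so the parser can be exercised without a live host.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:0CEA 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 12345 1 0000000000000000 100 0 0 10 0
   1: 0F02000A:A1B2 5E4D3C2B:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 23456 1 0000000000000000 20 4 30 10 -1
"""


def _addr(hexaddr):
    """Decode the kernel's little-endian 'AABBCCDD:PPPP' form into ('a.b.c.d', port)."""
    ip_hex, port_hex = hexaddr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_proc_net_tcp(text):
    """Return one dict per socket line of a /proc/net/tcp dump (header row skipped)."""
    conns = []
    for line in text.splitlines()[1:]:
        f = line.split()
        if len(f) < 10:
            continue
        lip, lport = _addr(f[1])
        rip, rport = _addr(f[2])
        conns.append({"local": f"{lip}:{lport}", "remote": f"{rip}:{rport}",
                      "state": TCP_STATES.get(f[3], f[3]),
                      "uid": int(f[7]), "inode": int(f[9])})
    return conns


def sha256_file(path):
    """Hash a file on disk; None if it is unreadable or already deleted."""
    try:
        with open(path, "rb") as fh:
            return hashlib.sha256(fh.read()).hexdigest()
    except OSError:
        return None


def list_processes(proc_root="/proc"):
    """Snapshot pid, name, cmdline and the sha256 of each running executable."""
    procs = []
    root = Path(proc_root)
    if not root.is_dir():
        return procs
    for entry in root.iterdir():
        if not entry.name.isdigit():
            continue
        try:
            cmd = (entry / "cmdline").read_bytes().replace(b"\0", b" ").strip().decode(errors="replace")
            name = (entry / "comm").read_text().strip()
            exe = os.readlink(entry / "exe")
        except OSError:  # process exited, kernel thread, or not ours to read
            continue
        procs.append({"pid": int(entry.name), "name": name, "cmdline": cmd,
                      "exe": exe, "exe_sha256": sha256_file(exe)})
    return procs


def triage(out_dir, net_text=None, proc_root="/proc"):
    """Write artifacts most-volatile-first and return a manifest with their hashes."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    if net_text is None:
        net_text = Path(proc_root, "net", "tcp").read_text()
    steps = [("01_connections.json", parse_proc_net_tcp(net_text)),   # network state first
             ("02_processes.json", list_processes(proc_root))]        # then running code
    manifest = {"collected_at": time.time(), "artifacts": []}
    for fname, data in steps:
        blob = json.dumps(data, indent=1).encode()
        (out / fname).write_bytes(blob)
        manifest["artifacts"].append({"file": fname, "records": len(data),
                                      "sha256": hashlib.sha256(blob).hexdigest()})
    (out / "manifest.json").write_text(json.dumps(manifest, indent=1))
    return manifest


def isolation_commands(allow_ip=SOC_COLLECTOR):
    """Final step only: cut the host off from everything except the SOC collector (hypothetical rules)."""
    return [f"iptables -I INPUT 1 ! -s {allow_ip} -j DROP",
            f"iptables -I OUTPUT 1 ! -d {allow_ip} -j DROP"]


if __name__ == "__main__":
    manifest = triage(f"/tmp/triage-{int(time.time())}")
    print(json.dumps(manifest, indent=1))
    print("Evidence secured. Isolation commands for the responder to run:")
    print("\n".join(isolation_commands()))
```

The order matters more than the tooling: the manifest hashes let the evidence be attested later, and the isolation rules are the last thing produced, so the attacker gets no early warning while the connection and process state is still on the box.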

Continuous response means that companies no longer have to pick up the pieces after the damage has been done. With expert help, detection can happen quickly and crucial forensic evidence can be gathered while the attacker(s) sniff around, before we close the door on them.
