When your network gets breached – and I do mean when and not if – the first question that needs to be answered is whether the breach is still ongoing – meaning, does an unauthorized person or group continue to maintain access to your environment? If the answer is yes, the next question is typically how to prevent the attacker from continuing to access the environment and the organization’s data.
In an ongoing breach, the best IR approach can differ from the typical incident response approach to a breach that has previously occurred and is no longer ongoing. The typical approach – answering all investigative questions and identifying the full scope of compromise before taking any remediation action – often means that the attacker continues to have access to the environment for weeks or months.
This approach can be effective for breaches that have previously occurred and are no longer ongoing. For breaches that will result in legal or regulatory compliance and notification requirements, the organization and the IR team must ensure that due diligence is completed through the appropriate level of forensic analysis and investigative activity.
During an ongoing breach, however – one in which you know the attacker is still in your environment and is either continuing to take action or at minimum monitoring your response – the one thing you need to focus on is limiting the adversary’s access to your data and preventing any further theft or destructive actions.
The true security of your business – your ability to maintain competitive advantage, managing your company’s reputation, and retaining your customers – depends on this ability to mitigate and manage risk. Incident response (IR) must be fast and agile; and there are situations where complete forensic analysis of all assets is not practical prior to taking steps to begin mitigating the attackers’ access to the environment. The tactics used during “ongoing breaches” must mitigate current attacker access as soon as possible while continuing forensic and live response analysis. During an “ongoing breach”, companies may find it difficult to accept the loss of intellectual property while IR partners or staff are gathering evidence, and they may have business needs – i.e. pressure from the Board of Directors – that dictate taking some deterrent action sooner than weeks or months into the investigation. To help limit the loss of intellectual property, client data, and/or monetary loss, IR and remediation should be conducted with near-real-time detection visibility combined with techniques that remove attackers’ access to critical credentials and systems.
Getting back to business with a secure network will depend primarily on how quickly the company’s IT organization can make changes. However, “business as usual” is not a phrase that should be uttered in today’s environment. “Business as usual” is what typically allows attackers to infiltrate a network. The CrowdStrike approach is to triage the volatile data and forensic images as quickly as possible while beginning remediation planning activities on day one. This approach provides a new way to conduct remediation against advanced adversaries. A focus on mitigating attacker access to the victim environment saves time and money and, most importantly, prevents the further loss of intellectual property. With an agile IT team and the right detection capability, the company can get back to business sooner and more securely than with an IR approach that focuses on collecting and sweeping for IOCs and tactics, which can take months.
In addition to agility, a company should look for a partner that offers visibility into real-time activity on the endpoints. This capability provides organizations the ability to look through “the windshield” to identify what is currently occurring while still employing the “rear-view mirror” capability that sweeping for IOCs provides. For detection to be truly effective, it needs to be employed everywhere the employees, and subsequently the endpoints, are located. If they are at home, in the coffee shop, or on an airplane traveling to a conference, you need visibility into the activities on their endpoints.
Appropriate visibility also accelerates recovery time and remediation planning. If you can see the attackers’ actions and anticipate their next steps, you can effectively mitigate their activity and deploy the appropriate level of logging and detection to identify their next steps. The information that is gathered helps determine the objectives of an adversary. If you can see them accessing a system and performing actions to obtain a specific piece or set of data, it is easier to thwart their attacks and prevent them from succeeding.
A critical complement to detection capabilities is the ability to employ and establish controls on privileged credentials. In today’s network environment, which is constantly under attack, there should be no account that has access to all systems. Layered accounts and segregation of account duties are an excellent way to control and limit lateral access. Adjusting those accounts so that passwords are constantly changing and accounts are only functional when needed provides additional protections.
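The credential controls above (no single account that reaches every system, accounts that are only enabled when needed, passwords that change constantly) can be modelled as a small policy check. This is an added illustration, not CrowdStrike code; the host inventory, tier numbers and the simulated clock are constructed for the example.

```python
"""Tiered, time-boxed privileged accounts: a model of the controls described
in the post. Added example, not CrowdStrike code; the host inventory, tier
numbers and timestamps below are constructed for illustration."""
from __future__ import annotations
import secrets
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Tier 0 = identity infrastructure, tier 1 = servers, tier 2 = workstations.
# A tier-N admin account may only log on to tier-N systems, so no single
# account spans every system and one stolen credential does not open all doors.
HOST_TIER = {"dc01": 0, "app01": 1, "ws-alice": 2}  # constructed inventory

@dataclass
class PrivilegedAccount:
    name: str
    tier: int
    password: str = field(default_factory=lambda: secrets.token_urlsafe(24))
    enabled_until: datetime | None = None  # None means the account is disabled

    def activate(self, now: datetime, minutes: int = 60) -> str:
        """Enable the account for a short window and rotate its password.
        Returns the fresh password to hand to the administrator; the old one
        stops working immediately, so a previously captured password is stale."""
        self.password = secrets.token_urlsafe(24)
        self.enabled_until = now + timedelta(minutes=minutes)
        return self.password

    def is_active(self, now: datetime) -> bool:
        return self.enabled_until is not None and now < self.enabled_until

def authorize(acct: PrivilegedAccount, password: str, host: str,
              now: datetime) -> tuple[bool, str]:
    """Decide whether a logon is allowed; every denial names the control that fired."""
    if host not in HOST_TIER:
        return False, "unknown host"
    if not acct.is_active(now):
        return False, "account outside activation window"
    if not secrets.compare_digest(password, acct.password):
        return False, "stale or wrong password"
    if HOST_TIER[host] != acct.tier:
        return False, f"tier {acct.tier} account may not log on to tier {HOST_TIER[host]} host"
    return True, "ok"

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, 9, 0)
    dc_admin = PrivilegedAccount("t0-admin", tier=0)
    pw = dc_admin.activate(t0, minutes=30)
    print(authorize(dc_admin, pw, "dc01", t0 + timedelta(minutes=5)))      # allowed
    print(authorize(dc_admin, pw, "ws-alice", t0 + timedelta(minutes=5)))  # tier violation
    print(authorize(dc_admin, pw, "dc01", t0 + timedelta(minutes=45)))     # window expired
```

In a real directory the same three decisions map onto separate admin tiers, scheduled account disablement and per-activation password rotation; the point of the model is that each denial is a distinct, loggable control.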
Protecting your network begins with understanding your adversaries and their tactics, techniques and procedures (TTPs). Threat intelligence allows companies to understand who they are facing. These adversaries do not target just one business and this is the power of the Crowd. As we gather more and more data, we become smarter and faster, allowing for the discovery of adversaries more rapidly. Near real-time visibility and intelligence-powered detection provide the building blocks for faster remediation.
Forensic and live response analysis continues to be a key component of the IR process, and a core element of developing threat intelligence. However, waiting six months to complete forensic and live response analysis prior to taking any remediation action is not typically in the best interest of the victim.
Watch our recent CrowdCast, Playing Chess Against Pandas and Bears, to learn more about our approach to incident response and how to employ effective defensive strategies to counteract the latest attacker TTPs.