Incident Response = Measured Response

What a week it has been! You have seen news related to incidents at FireEye, several Federal entities, and SolarWinds. We have seen some great work come out of FireEye, along with information from the Cybersecurity & Infrastructure Security Agency (CISA), and without doubt there is much more to come.

When we see incidents like this, we immediately look to see what our exposure is; are we possibly affected? But after that, what can we learn? How can we improve?

We are witnessing good communication and coordinated effort among many private organizations and public agencies. In the case of FireEye we have seen the priceless result of a methodical response to a suspected event. They demonstrated how gathering information and conducting an investigation are critical to a successful response. What they may not have expected going in was that their investigation would be the key to a much larger global incident with serious domestic national security impact.

A measured response, one that is focused on gathering information rather than on panicked containment and eradication, will always yield the best results. We need information to know the full extent of the loss and the methods the adversary used to get in and stay in. With good information we can make good decisions about what to contain and eradicate. Without it, we will have contained only an acute symptom and given ourselves a false sense of success.

Some good examples of what not to rush into during response were outlined by CISA in September 2020. Let's use some of these take-aways to examine our response plans:

• Mitigating the affected systems too soon, allowing the adversary to change tactics, techniques, and procedures (TTPs)

• Touching the adversary's infrastructure, tipping them off that they have been detected

• Preemptively blocking adversary infrastructure; they can pivot to new infrastructure and you will lose visibility

• Preemptive password resets. The adversary likely holds multiple credentials and will simply use another one, and you will lose visibility

• Failure to preserve or collect log data. If logs are not retained for a sufficient length of time, key information could be lost. Retain logs for at least one year.

• Communicating over the same network the adversary is on. Ensure all incident communication is out-of-band

• Only fixing symptoms. Get to the root cause; don't play whack-a-mole, which lets the adversary change tactics and retain access to the network.

Simply put: Don't Trample, Preserve! We have all seen some sort of detective mystery in the movies and on TV. None of the investigators walk aimlessly through the crime scene, and they don't immediately go chasing after someone to arrest; they follow a calm, measured methodology and focus on gathering evidence. The same goes for us in security: tread lightly so that you can fully and confidently contain, eradicate, and recover from the incident.
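One practical way to "preserve, not trample" is to take a hashed, read-only snapshot of the relevant logs before anyone starts remediating. The script below is an added example written for this post; it is not code from the original post, from CISA, or from Octellient. File names, log lines, and the collector name are constructed for the demonstration; point it at your real log paths and evidence share instead. It copies each log into an evidence directory, makes the copy read-only, records a SHA-256 per file in a manifest, and can later prove whether any preserved file has been altered.

```python
import hashlib
import json
import os
import shutil
import tempfile
import time
from pathlib import Path

# Constructed sample logs (not real data). In practice these would be
# /var/log/auth.log, proxy logs, EDR exports, etc.
SAMPLE_LOGS = {
    "auth.log": "Dec 14 03:12:07 host sshd[911]: Accepted publickey for svc-backup from 10.0.5.22\n",
    "proxy.log": "2020-12-14T03:13:41Z 10.0.5.22 CONNECT updates.example.com:443 200\n",
}


def sha256_file(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large logs do not need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def preserve_logs(sources, evidence_dir, collector):
    """Copy each source log into evidence_dir, lock it read-only, hash it, and
    write a manifest.json describing who collected what and when."""
    evidence_dir = Path(evidence_dir)
    evidence_dir.mkdir(parents=True, exist_ok=True)
    entries = []
    for src in map(Path, sources):
        dest = evidence_dir / src.name
        shutil.copy2(src, dest)  # copy2 keeps the original mtime for timeline work
        os.chmod(dest, 0o440)  # the evidence copy must not be trampled either
        digest = sha256_file(dest)
        if digest != sha256_file(src):
            raise RuntimeError(f"copy of {src} does not match its source")
        entries.append({
            "source": str(src),
            "evidence": str(dest),
            "size": dest.stat().st_size,
            "source_mtime": src.stat().st_mtime,
            "sha256": digest,
        })
    manifest = {
        "collected_at": time.strftime("%Y-%m-%dT%H:%M:%SZ", time.gmtime()),
        "collector": collector,  # hypothetical analyst identifier
        "files": entries,
    }
    manifest_path = evidence_dir / "manifest.json"
    manifest_path.write_text(json.dumps(manifest, indent=2))
    # Record the manifest's own hash out-of-band (ticket, paper, separate store)
    manifest["manifest_sha256"] = sha256_file(manifest_path)
    return manifest


def verify_evidence(evidence_dir):
    """Re-hash every preserved file; return the paths whose contents changed."""
    manifest = json.loads((Path(evidence_dir) / "manifest.json").read_text())
    return [e["evidence"] for e in manifest["files"]
            if sha256_file(e["evidence"]) != e["sha256"]]


def demo():
    """Constructed end-to-end run: preserve two fake logs, then tamper with
    one copy and show that verification catches it."""
    work = Path(tempfile.mkdtemp(prefix="ir-evidence-"))
    src_dir = work / "var_log"
    src_dir.mkdir()
    for name, text in SAMPLE_LOGS.items():
        (src_dir / name).write_text(text)
    manifest = preserve_logs(sorted(src_dir.iterdir()), work / "evidence", collector="analyst-1")
    clean = verify_evidence(work / "evidence")  # expected: nothing changed
    tampered = work / "evidence" / "auth.log"
    os.chmod(tampered, 0o640)
    tampered.write_text("scrubbed\n")  # simulate someone "cleaning up" the evidence copy
    dirty = verify_evidence(work / "evidence")  # expected: auth.log flagged
    return manifest, clean, dirty


if __name__ == "__main__":
    m, clean, dirty = demo()
    print(json.dumps(m, indent=2))
    print("changed after collection:", dirty)
```

Keep the manifest hash somewhere the compromised network cannot reach (the same out-of-band channel you use for incident communications), otherwise an adversary with access to the evidence store can rewrite both the logs and the manifest.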

Reference: us-cert.cisa.gov - Alert (AA20-245A) Technical Approaches to Uncovering and Remediating Malicious Activity

Security Starts with a Conversation: Don't go this alone. Reach out to have a conversation about your incident response policies, processes and procedures. Remember, every organization has something worth protecting.

OCTELLIENT - Our mission: simplify information security. With a Business First approach, we want to help you and your organization get to your core priorities and make the most of your infosec investments. Our goal is to be your side-by-side partner, working together to navigate a tailored infosec strategy and bring expert advice to your toughest challenges.

Ask us about Propulsion, Deepwater, and the 8-point Dossier

info@octellient.com

www.octellient.com
