The Fifth Deadly Sin of Incident Response: Panicking, Cutting External Connectivity, or Wiping Systems Too Soon

Although this is No. 5 on our list of IR “sins,” the top rule in incident response should always be “DO NOT PANIC.” However, this is often easier said than done. Hearing the words, “You’ve been hacked,” often creates a sense of fear. This can trigger knee-jerk reactions and a desire to fix the situation ASAP. Resist that impulse: you need to consider your next actions carefully.

One of the big decisions incident response teams and CISOs may have to make is around connectivity: during an active data breach, should you disconnect the entire organization? Sometimes it is a necessary course of action - but it can also be a big mistake. In all cases, it is a decision you should make with great care.

If you disconnect the organization, you immediately place a huge amount of pressure on your incident responders. Before safely reconnecting to the internet, there is an expectation that they will a) find every impacted system in the environment, b) analyze the activity, c) understand the malware’s behavior (and block it), and d) identify the initial intrusion vector - all while taking the necessary remediation steps to remove the attacker. You will also need to take steps to prevent the threat actor from easily re-compromising your environment, using all the inside information they managed to gather during their time inside it. If the initial intrusion vector is an external-facing application, this can involve developing changes to fix a vulnerability, as well as testing, to ensure the attacker does not immediately return. Depending on the size of the incident, your environment, and the resources you can bring to bear, this can represent several weeks of 24x7 work to accomplish.

Will the organization tolerate - and can your company afford - this potential downtime? It may have a significant impact on sales, clients, employees, and profit. Organizations will also need to consider the reputational risk, and carefully manage internal and external communication.

If the consequences of killing connectivity are so significant, why do we sometimes see organizations choose this path? The key advantage of a complete shutdown is the effective removal of access for the external threat actor, preventing them from stealing additional data or taking destructive measures. Good visibility of what the attacker is doing, as well as intelligence on their likely end goal, helps you make informed decisions.

Surgically containing the incident at “patient zero,” before lateral movement has taken place, is the ideal response when prevention has failed. As soon as the actor moves laterally and drops additional backdoors, the task becomes much harder. Multiple backdoors can be a sign of an advanced persistent threat (APT) or nation-state attack. In that case, an investigator who is experienced with nation-state attacks should methodically and fully scope the incident before doing anything that alerts the threat actor that they have been discovered. On the other hand, if an organization is dealing with a human-operated ransomware attack, time is of the essence and swift action is needed. If the in-house team lacks the capability or experience to weigh the factors swiftly and make these tough decisions, sign an incident response retainer as soon as possible - preferably before a breach occurs, or at least when it is discovered. This ensures a service provider will assist within the contracted service-level agreements (SLAs) and help guide your initial response.

Another common panic reaction is to immediately reimage or wipe the affected system. Again, it can also be a big mistake, depending on the circumstances. This is often a default policy for any kind of commodity malware that is detected on a “system of interest.” In the case of a serious incident involving an APT attack, for example, valuable evidence will be destroyed by reinstalling or reimaging the infected host. Our BlackBerry IR team has observed multiple cases where an IT team thought they took the right steps by reinstalling prior to taking forensic evidence, but that decision eventually led us to an investigative dead end. In situations where a breach has just been discovered, an incident responder is typically unable to determine whether a particular host was the initial entry point, how the attackers got in, or whether it was used as a pivot point to another system.
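A pre-reimage evidence-preservation step of the kind the reimaging discussion above calls for, as an added example that is not part of the original post and not BlackBerry's own tooling: it records hashes and timestamps of a host's artifacts, copies them into an evidence package with their modification times intact, and lets a reimage playbook refuse to proceed until that package verifies. The source and destination paths are assumptions, and the sample files in use are constructed.

```python
import hashlib
import json
import shutil
import time
from pathlib import Path

def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large artifacts need not fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()

def preserve_evidence(src: str, dest: str) -> dict:
    """Copy every file under src (assumed mount of the suspect host) into dest/files/
    and write dest/manifest.json. Timestamps are recorded before the file is read,
    since reading can change atime; copy2 keeps mtime on the copy, and every copy is
    re-hashed against its source before the package is considered complete."""
    src_p, dest_p = Path(src), Path(dest)
    entries = {}
    for p in sorted(src_p.rglob("*")):
        if not p.is_file():
            continue
        st = p.stat()
        rel = p.relative_to(src_p).as_posix()
        entries[rel] = {"size": st.st_size, "mtime": st.st_mtime, "atime": st.st_atime,
                        "ctime": st.st_ctime, "sha256": sha256_file(p)}
        target = dest_p / "files" / rel
        target.parent.mkdir(parents=True, exist_ok=True)
        shutil.copy2(p, target)
        if sha256_file(target) != entries[rel]["sha256"]:
            raise RuntimeError(f"preserved copy of {rel} does not match its source hash")
    manifest = {"source": str(src_p), "collected_at": time.time(), "files": entries}
    dest_p.mkdir(parents=True, exist_ok=True)
    (dest_p / "manifest.json").write_text(json.dumps(manifest, indent=2))
    return manifest

def verify_evidence(dest: str) -> list:
    """Return the relative paths whose preserved copy is missing or no longer matches."""
    dest_p = Path(dest)
    manifest = json.loads((dest_p / "manifest.json").read_text())
    return [rel for rel, meta in manifest["files"].items()
            if not (dest_p / "files" / rel).is_file()
            or sha256_file(dest_p / "files" / rel) != meta["sha256"]]

def reimage_allowed(dest: str) -> bool:
    """Gate for a reimage playbook: proceed only with a non-empty, intact evidence package."""
    try:
        manifest = json.loads((Path(dest) / "manifest.json").read_text())
        return bool(manifest["files"]) and verify_evidence(dest) == []
    except (FileNotFoundError, json.JSONDecodeError, KeyError):
        return False
```

The manifest keeps the original access, modification and change times, which the copy alone cannot preserve, so the timeline survives even after the host is rebuilt.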