No company is “unhackable.” Sure, preventative measures like risk assessments, penetration testing, network segmentation, vulnerability scanning, and asset management are great at minimizing the number of cyber attacks your company will experience. The truth is, though, that regardless of how well your security program does those things, compromise can still happen. Compromise is impossible to prevent 100% of the time, so there needs to be an incident response plan. Effective incident response is critically important in all organizations. As someone who has a say in the security program at your company, you need to know what to do when the inevitable compromise happens.
Often, that’s going to involve bringing in a consultant or cybersecurity service provider to help your team members with triage, cleanup, and determining what to focus on moving forward so that it doesn’t happen again (or at least not as badly).
As a cybersecurity service provider, we tend to look at incidents through a different lens and have the internal capabilities and bandwidth to spend time fully eradicating any issues. Because of this, there’s a handoff that happens between the organizations we help and us when responding to an incident.
What does it look like once the incident is passed to our cybersecurity incident response team (CSIRT)? While incident response is kind of like the Wild West, an emergency incident response engagement with FRSecure usually follows a five-step process.
1. Identification
We can’t properly handle an incident without understanding what the scope of the incident is. Generally, scoping is focused on two primary objectives: what is it affecting, and what is causing it?
What is it affecting?
Asset management is one of the single most important components of an information security program. You cannot protect what you don’t know exists. This comes into play with incidents in a big way. If we don’t know everything that exists in the environment, how can we know if the incident is truly contained?
With a complete asset inventory, we can investigate to accurately tell you what is affected and what is not.
To do that, we’ll do a few things:
Artifacts are pieces of data that help incident responders identify potentially malicious activity. Logs, patch states, server configurations, and user privileges are all examples of artifacts that can help a service provider determine the scope of the threat.
Logging and alerting solutions can be extremely helpful in telling us when something unusual happens within your environment. Logging allows us to see a snapshot of what events are occurring in our environment, and alerting tells us about the potentially problematic events. In an incident, our response team will check the logs for abnormalities.
Ideally, logging is set up so that all devices (domain controllers, firewalls, and switches at minimum) forward their logs in real time to a segmented log server. Then, when we look through the logs, we’ll be able to determine where the incident is coming from, and an attacker who compromises one device won’t be able to freely cover their tracks.
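As an added example (not from FRSecure or the original post), the following Python script runs two checks a responder would make against logs forwarded to a central server: it flags Windows events that record a log being cleared, and it flags any device that goes quiet for longer than expected, which is what an attacker disabling forwarding on a compromised host looks like from the log server. The log lines, host names and addresses are constructed for the example.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample of lines as received by a central log server, in a
# simplified "timestamp host message" format (hosts and events are made up).
SAMPLE_LOGS = """\
2024-05-01T10:00:00Z dc01 EventID=4624 Logon succeeded user=alice
2024-05-01T10:00:30Z fw01 action=allow src=10.0.1.5 dst=10.0.2.10
2024-05-01T10:02:30Z dc01 EventID=1102 The audit log was cleared
2024-05-01T10:05:00Z fw01 action=deny src=10.0.1.5 dst=10.0.3.20
2024-05-01T10:09:00Z sw01 link down port=7
2024-05-01T10:12:00Z fw01 action=allow src=10.0.1.7 dst=10.0.2.10
2024-05-01T10:17:00Z sw01 link up port=7
2024-05-01T10:20:00Z fw01 action=allow src=10.0.1.7 dst=10.0.2.10
"""

LINE_RE = re.compile(r"^(\S+)\s+(\S+)\s+(.*)$")
# Windows event IDs written when a log is wiped: 1102 = Security log
# cleared, 104 = System or Application log cleared.
LOG_CLEARED_IDS = {"1102", "104"}

def parse(text):
    """Return (timestamp, host, message) tuples, skipping unparseable lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
            events.append((ts, m.group(2), m.group(3)))
    return events

def find_log_clears(events):
    """Hosts whose forwarded copy records the local log being cleared."""
    return [(host, ts.isoformat()) for ts, host, msg in events
            if (m := re.search(r"EventID=(\d+)", msg))
            and m.group(1) in LOG_CLEARED_IDS]

def find_silent_hosts(events, max_gap=timedelta(minutes=10)):
    """Hosts with a gap longer than max_gap, measured up to the newest event."""
    by_host = defaultdict(list)
    for ts, host, _ in events:
        by_host[host].append(ts)
    end = max(ts for ts, _, _ in events)  # end of the window being reviewed
    gaps = {}
    for host, stamps in by_host.items():
        series = sorted(stamps) + [end]   # include silence since the last event
        worst = max(b - a for a, b in zip(series, series[1:]))
        if worst > max_gap:
            gaps[host] = int(worst.total_seconds())
    return gaps
```

In the sample, dc01 reports its own audit log being cleared and then stops sending anything, while fw01 and sw01 keep reporting; the forwarded copy of the clear event survives on the log server even though the local log on dc01 is gone.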
Take Machine Images
A machine image is a clone of a device, used to investigate evidence within a system. Using the images, incident response teams can poke around in the system as if it were the live environment that was impacted by the incident. Because a machine image is a clone of the machine, the response team can be sure that their investigation won’t alter the original system at all.
These investigation techniques help with more than just scoping too. They also help the response team get an idea of the causes of the incident, and they make digital forensics easier.
Threat hunting and threat intelligence together form a step that goes along with both identification and digital forensics. Your business likely has some combination of firewalls, endpoint protection, SIEM, IDS, or other security solutions. They’re designed to keep attackers out but aren’t fool-proof.
Threat hunting is a proactive, repeatable effort to look for threats that may have gotten past your initial defenses. It typically consists of both manual sifting and software-assisted searching for potential risks within the business’s important assets.
Threat hunting is typically most effective as a technique for recognizing a compromise before it is otherwise detected, but it’s also valuable for your incident response team to do it after a compromise has been detected.
More often than not, we find a vulnerability or evidence of other compromises even when the incident has been deemed “contained.” That’s why this is such a critical step in incident response. We never want to assume the compromise is contained, and we never want to leave any stone unturned.
Threat hunting is also a necessary component in determining the next steps.
Digital forensics is an investigation practice that takes a look at digital data storage, primarily. Using digital forensics techniques, incident response teams analyze and report on the abnormalities within a system.
Not only is this used to understand the root cause of the incident, but it’s also used as a tool for presenting evidence.
When your incident response provider conducts digital forensics, what they find could be considered criminal evidence. Obtaining access to systems and information in an unauthorized manner is a criminal activity, and digital forensics evidence is often presented in court.
Assuming the facts are sufficient, the methods and tools used to obtain the evidence are reliable, and the witness (incident response provider) opinions are based on expert knowledge, digital forensics efforts can be extremely helpful in prosecution—particularly as it relates to the theft of corporate data, consumer records, and financials.
A good cybersecurity incident response team will consider potential legal requirements as it works through the scoping, triage, and investigation portions of an incident response engagement.
2. Containment
Once the full scope is understood, you move to containment. Simply put, containment efforts stop the bleeding. They ensure that the compromise can’t spread beyond the currently affected systems or worsen. They also ensure that any evidence of compromise isn’t destroyed. Your internal team may be asked to help here.
3. Eradication
Eradication is focused on removing any threats found during the identification phase. This is typically done by restoring systems from backup or rebuilding impacted workstations. During this phase, the FRSecure CSIRT will continue to monitor the environment and provide assurance that the threat is being contained.
4. Remediation
Ultimately, changes will need to be made to clean up the current issues and prevent future ones from occurring. A combination of the steps before (identification, scoping, digital forensics, and threat hunting) ideally allows us to fully understand the type of compromise, attack points, and weak spots.
And that understanding is necessary to offer remediation recommendations—efforts to stop or reverse damages and prevent future ones.
There are a few remediation recommendations we give often to clients when an incident occurs.
It’s not uncommon for attackers to gain unwanted access to systems using stolen credentials. There are ways to prevent attackers from gaining access even with valid credentials, though.
Multifactor authentication (MFA) is one of those ways.
Effectively a confirmation step after logging in, these tools force a user to prove their identity with a second step. This is often a text message with a code to the account’s phone number, a code sent to the email address on the account, or a third-party code-generating app like LastPass or Google Authenticator.
This is important because if the attacker does get a username and password combo correct, they (in theory) wouldn’t have access to the confirmation method. If the secondary method lives on your mobile phone, this is especially true.
We recommend MFA on any platform that has the capability. It’s one of the simplest and most effective ways of preventing unwanted access to your accounts and systems.
Configuring your hardware and software securely might be the single most important thing you can do for your organization.
When a company introduces new hardware or software into its environment, these assets can quickly become attack vectors if they’re not set up properly. This typically applies most to IT products.
The most basic example of this is with wireless routers. When you purchase a router, the manufacturer applies default usernames and passwords to the devices. These usernames and passwords are often generic and easy to guess by potential attackers. If your business doesn’t immediately change these upon installation, you’re opening your network to attacks the second they’re flipped on.
Other products that should have system configuration requirements include mainframe computers, workstations, and portable and mobile devices.
A patch is a small adjustment to the code of software you’re using. Commonly, you’ll see patches within app updates on your devices. If you read into what the update is fixing, typically it’s a bug fix or error fix.
Programmers schedule routine updates as gaps in security or bugs in the software become known. Installing automatic updates or at least patching regularly will minimize your business’s exposure to compromise, system downtime, data loss, and more.
Do the Fundamentals
Make sure the fundamentals are in place. No amount of fancy technology or software can immediately prevent you from getting hit again. Doing the fundamentals right can help you limit the chances, though.
The fundamentals start with a plan. If you have one and were still compromised, learn from it. Your plan might need to be changed to limit these events from becoming recurring ones.
If you don’t have a plan, let’s start with one.
- Why are you building a security program?
- What are the goals of the security program?
- Who is responsible for what?
- When do the goals need to be met?
- Where does the plan apply (scope)?
Answering those questions with input and guidance from an information security risk assessment, industry-accepted standards, and your executive leadership team (the business) will put you on the right track to preventing future compromise.
You can’t measure what you don’t know exists. You also can’t estimate the vulnerability of your hardware, software, or data if you can’t measure its risk. We mentioned this in the identification step, but it’s valuable here too.
A good asset management practice can improve the effectiveness of your security program. Understand what your assets are, where they exist, which systems they affect and are affected by, and which roles and responsibilities should have access to them. It will make protecting them easier, and it will make finding compromise of them easier too.
You also can’t secure what you can’t control. Access controls limit who should have access to what and how much they should have. The concept is simple in theory but challenging in implementation.
If your business is good at this, an attacker who gains the credentials of one employee may not be able to get that far, as that employee might be blocked from viewing or accessing things that could cause further harm. For this reason, good control practices are critical in mitigating damages in times of compromise (and any time, really).
How do you know where the weak spots in your business are unless you do the diligence to measure risk? Conduct a risk assessment (at least annually) to get an idea of where your business is well-protected and where the protection falters.
Knowing where the cracks are in your foundation will allow you to repair them before another leak occurs.
5. Lessons Learned
Ultimately, the “lessons learned” step is just a follow-up to the remediation efforts we’ve recommended to your business. We’ll check in to see if you’ve made the tactical security changes discussed as well as the changes to your overall plan. If we need to assist with some of those efforts, we certainly will. This is the portion of incident response where we guide constant improvements together.
There’s a bit more to the “lessons learned” stage than that, though.
It’s important that your reporting is tight. Very likely, you’ll be asked by your insurance provider and your executive leadership team to keep them updated on the progress throughout the clean-up (days and dollars to containment), but also the strides you’ve made to limit incidents moving forward. The better your reporting, the easier it will be for you to communicate those things.
Final Incident Response Tips
It’s important to remember that your internal team is probably strong in IT techniques and strategies, but IT skill does not perfectly translate to security or incident handling skill. If you start by letting your internal team handle the incident, know when it has become too advanced for your team to continue with.
Don’t spend too much time working through it on your own if it creates roadblocks—that’ll only slow down the response and exacerbate problems. Get an expert who can help you quickly and efficiently clean up any issues.
Trust what they are doing, too. If you call them, it’s for a reason. They know what they’re doing, and they have your best interests as a business in mind.
Assist them when they ask for help in certain areas (especially data collecting and containment). It’ll only pay dividends as the two of your organizations work to mitigate damages together.
Finally, and again, work to get ahead of this stuff. Even though you need to have a plan in place for when an incident does happen, you can certainly limit the number of times it happens (and the impact when it does).
If you need help building an incident response plan, working through a compromise, or implementing preventative measures, please reach out to us at frsecure.com.