Incident response challenge: How to get out of Firefighter Mode
Organizations tend to have the mindset that their IT and security teams should play the role of First Responders on the scene of a security incident. They expect their IT and Security departments to be experts, possessing the ability to immediately respond and contain the incident and the expertise to expeditiously remediate and rid the environment of any active attacker.
Realistically, IT and security staff may not be experts in incident response at all, and because of the inherent organizational pressure to react to an attacker in their environment, they will move to Firefighter Mode – the approach of prematurely taking corrective actions in a security incident without properly understanding the scope of the attacker's presence and the access mechanisms they use to reach the environment.
Consequently, IT and security teams are left in reactionary “Firefighter Mode” when it comes to keeping their organizations safe – an approach that may not pan out so well for the good guys.
What if security teams could be much more than just another group of “firefighters”, and instead focus their efforts on hunting and proactive detection of an adversary earlier in the attack lifecycle? To be successful in responding to a security incident, organizations need to understand the position of the adversaries in their network and keep them in their sights.
Organizations should follow these tips to get out of “Firefighter Mode” and into a more proactive mindset that allows the business to be better prepared to detect and respond to a security incident the next time an adversary strikes.
1. Know the landscape of your network and what information attackers could be targeting
It is important to understand the value of the IT assets in your organization's network environment and where they are located. A centralized asset management database makes it possible to track and locate mobile IT assets, which depend heavily on DHCP, VPNs, and other access mechanisms for their addresses, and it is a great tool when you need to identify the systems that may be within scope of a security incident.
If your company deals with sensitive data such as ePHI, PII, cardholder data, or intellectual property, pay special attention to where that data is stored, processed, and transmitted. It is also important to understand which users and systems perform those operations on the data. It is critical to ensure you have appropriate levels of monitoring to identify suspicious access patterns to this sensitive data.
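The monitoring called for above can be as simple as comparing each user's access to the sensitive store against their own history. The example below is added here and is not code from the original article: it builds a per-user baseline of daily record volume and usual source addresses from constructed audit lines, then flags a review day on which one account pulls far more records than normal, outside business hours, from an address never seen before. The log format, the business-hours window and the usernames are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed audit records from a hypothetical ePHI database, one line per query:
# <timestamp> <user> <action> <records_returned> <source_ip>
BASELINE_LOG = """\
2023-03-01T09:12:00 alice SELECT 12 10.1.4.20
2023-03-01T10:40:00 alice SELECT 8 10.1.4.20
2023-03-01T14:05:00 bob SELECT 30 10.1.4.31
2023-03-02T09:30:00 alice SELECT 15 10.1.4.20
2023-03-02T11:00:00 bob SELECT 25 10.1.4.31
2023-03-02T16:10:00 bob SELECT 28 10.1.4.31
2023-03-03T08:55:00 alice SELECT 10 10.1.4.20
2023-03-03T13:20:00 bob SELECT 27 10.1.4.31
"""

# Day under review (constructed): bob's account pulls far more records than
# usual, outside business hours, from an address never seen in his baseline.
REVIEW_LOG = """\
2023-03-06T09:15:00 alice SELECT 11 10.1.4.20
2023-03-06T02:40:00 bob SELECT 4200 10.9.9.9
2023-03-06T02:41:00 bob SELECT 3900 10.9.9.9
"""

BUSINESS_HOURS = range(8, 18)  # 08:00-17:59; an assumption for the example


def parse_log(text):
    """Turn the constructed audit lines into event dicts."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, action, count, ip = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "action": action, "count": int(count), "ip": ip})
    return events


def daily_totals(events):
    """user -> date -> total records returned that day."""
    totals = defaultdict(lambda: defaultdict(int))
    for e in events:
        totals[e["user"]][e["ts"].date()] += e["count"]
    return totals


def build_baseline(events):
    """Per-user mean/stdev of daily record volume plus the set of source IPs seen."""
    baseline = {}
    for user, per_day in daily_totals(events).items():
        values = list(per_day.values())
        baseline[user] = {
            "mean": mean(values),
            "stdev": pstdev(values),
            "ips": {e["ip"] for e in events if e["user"] == user},
        }
    return baseline


def detect(events, baseline, sigma=3.0):
    """Return findings as {"user", "reason", "detail"} dicts, one per user and reason."""
    findings = {}
    for user, per_day in daily_totals(events).items():
        base = baseline.get(user)
        if base is None:
            findings[(user, "no_baseline")] = f"{user} has no history to compare against"
            continue
        # Require at least double the mean so that a tight, low-variance baseline
        # does not flag ordinary day-to-day noise.
        limit = max(base["mean"] + sigma * base["stdev"], 2 * base["mean"])
        for day, total in per_day.items():
            if total > limit:
                findings[(user, "volume_anomaly")] = (
                    f"{total} records on {day}, limit {limit:.0f}")
    for e in events:
        base = baseline.get(e["user"])
        if base is None:
            continue
        if e["ts"].hour not in BUSINESS_HOURS:
            findings[(e["user"], "off_hours_access")] = f"query at {e['ts'].isoformat()}"
        if e["ip"] not in base["ips"]:
            findings[(e["user"], "unknown_source_ip")] = f"source {e['ip']} not in baseline"
    return [{"user": u, "reason": r, "detail": d} for (u, r), d in sorted(findings.items())]


def run_example():
    """Build the baseline from the known-good days and score the review day."""
    baseline = build_baseline(parse_log(BASELINE_LOG))
    return detect(parse_log(REVIEW_LOG), baseline)


if __name__ == "__main__":
    for f in run_example():
        print(f"{f['user']:6} {f['reason']:20} {f['detail']}")
```

Three independent signals (volume, time of day, source address) agreeing on the same account is what makes the finding worth an analyst's time; any one of them alone is a common false positive, which is why the detector reports each reason separately rather than collapsing them into a single score.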
Enterprise networks can be extremely broad and their footprints vast, which means attackers can gain access and remain dormant virtually anywhere, often lying in wait until an opportunity arises to continue their mission. Understanding the full scope of your network environment will greatly improve your ability to make tactical containment and remediation decisions. That means knowing things such as:
- Network egress points for internet bound traffic
- Demilitarized Zones (DMZ) hosting public facing platforms and applications
- Remote access mechanisms (VPN, Outlook Web Access, Citrix, etc.)
- Server zones or locations where sensitive data may transit or be stored
- Strategic partner connections
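The value of the asset database described in this section shows up the moment an alert names only an IP address. The following example is added here and is not code from the original article: it resolves an address observed at a given time back to the device that held it, using DHCP lease history and an inventory keyed by MAC address, and tags the result with the network zone and data classification so the host can be scoped. The lease records, inventory entries, zone ranges and hostnames are all constructed for the example.

```python
import ipaddress
from dataclasses import dataclass
from datetime import datetime


@dataclass
class Lease:
    ip: str
    mac: str
    start: datetime
    end: datetime


# Constructed DHCP lease history. The same address is handed to two different
# laptops on the same day, which is exactly why a timestamp is needed to scope.
LEASES = [
    Lease("10.20.5.17", "aa:bb:cc:00:00:01", datetime(2023, 3, 6, 7, 0), datetime(2023, 3, 6, 11, 0)),
    Lease("10.20.5.17", "aa:bb:cc:00:00:02", datetime(2023, 3, 6, 12, 0), datetime(2023, 3, 6, 20, 0)),
    Lease("10.20.5.18", "aa:bb:cc:00:00:03", datetime(2023, 3, 6, 6, 0), datetime(2023, 3, 7, 6, 0)),
]

# Constructed asset inventory keyed by MAC address.
INVENTORY = {
    "aa:bb:cc:00:00:01": {"hostname": "LT-ACCT-042", "owner": "alice", "type": "laptop"},
    "aa:bb:cc:00:00:02": {"hostname": "LT-HR-017", "owner": "bob", "type": "laptop"},
    "aa:bb:cc:00:00:03": {"hostname": "LT-ENG-103", "owner": "carol", "type": "laptop"},
}

# Constructed zone map: prefix, zone name, highest data classification held there.
ZONES = [
    (ipaddress.ip_network("10.20.5.0/24"), "user-vlan-hq", "none"),
    (ipaddress.ip_network("10.30.0.0/16"), "server-zone-ephi", "ePHI"),
    (ipaddress.ip_network("192.0.2.0/24"), "dmz-public-web", "none"),
]


def lease_at(ip, when):
    """Return the lease that covered `ip` at time `when`, or None."""
    for lease in LEASES:
        if lease.ip == ip and lease.start <= when < lease.end:
            return lease
    return None


def zone_for(ip):
    """Longest-prefix match of `ip` against the zone map."""
    addr = ipaddress.ip_address(ip)
    best = None
    for net, name, classification in ZONES:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, name, classification)
    return best


def scope_host(ip, when):
    """Resolve an observed IP to an asset record plus zone context for scoping."""
    zone = zone_for(ip)
    result = {
        "ip": ip,
        "observed_at": when.isoformat(),
        "zone": zone[1] if zone else "unknown",
        "data_classification": zone[2] if zone else "unknown",
        "hostname": None,
    }
    lease = lease_at(ip, when)
    if lease is None:
        result["note"] = "no DHCP lease covered this IP at that time; check static assignments"
        return result
    result["mac"] = lease.mac
    asset = INVENTORY.get(lease.mac)
    if asset is None:
        result["note"] = "MAC not in inventory; possible unmanaged device"
    else:
        result.update(asset)
    return result


if __name__ == "__main__":
    for when in (datetime(2023, 3, 6, 9, 30), datetime(2023, 3, 6, 15, 0), datetime(2023, 3, 6, 11, 30)):
        print(scope_host("10.20.5.17", when))
```

Resolving without the timestamp would attribute the morning activity of one laptop to the afternoon owner of the same address, which is the kind of error that sends a containment action at the wrong machine. The "no lease" and "not in inventory" branches are kept explicit because each one is itself a finding worth recording during an investigation.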
2. Understand that launching a premature response can backfire
Cyber adversaries can respond forcefully to the firefighter approach to incident response, and they often switch to new and previously unseen tactics, techniques, and procedures (TTPs) as soon as they become aware that their presence has been detected in a victim's network environment.
This is where the "watch and learn" aspect of incident response can often be most effective. Learning about your attacker can provide invaluable information about how to deal with them before they can turn an incident into a full-scale data breach. Strict operational security should be maintained by investigating without destroying forensic evidence and by ensuring that your activities do not tip your hand to the adversary.
3. Have a system or strategy in place that includes the following four key elements
a. Collaboration and knowledge sharing: Cross-team collaboration and communication is an essential element in times of crisis. Sharing investigative data throughout the course of an incident response effort allows for a more streamlined and effective response.
b. Automation for scalable response: Automation is the only way to handle repeatable tasks that need to be performed at scale across a multitude of security and IT solutions.
c. Real-time and historical situational awareness: Being able to look at historical security data is essential to ensuring that analysis is not duplicated and that the context around investigative artifacts is enriched and immediately available to analysts.
d. Log aggregation and analytics: Storing, and being able to search, the relevant telemetry from the IT assets in your environment is absolutely critical when responding to a security incident.
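Elements (c) and (d) above come together in a single structure: telemetry from every source indexed by the artifacts an analyst pivots on, with a record of which incident already covered each one. The example below is added here and is not code from the original article or any product it mentions. It ingests constructed log lines from a VPN, a proxy and an authentication source, then answers "have we seen this before, where, and has anyone already worked it?" for a given indicator. The line format, the field names treated as indicators, and the incident id are all assumptions made for the example.

```python
from collections import defaultdict
from datetime import datetime

# Constructed telemetry from three sources, format "<timestamp> <source> key=value ...".
TELEMETRY = """\
2023-02-10T08:01:00 vpn user=bob src_ip=203.0.113.5 action=login
2023-02-10T08:05:00 proxy user=bob dst=update-check.example dst_ip=198.51.100.7
2023-03-06T02:38:00 vpn user=bob src_ip=203.0.113.5 action=login
2023-03-06T02:40:00 auth user=bob host=DB-EPHI-01 result=success
2023-03-06T02:42:00 proxy user=bob dst=files.example dst_ip=198.51.100.9
"""

# Fields whose values are treated as pivotable indicators; an assumption.
INDICATOR_KEYS = ("src_ip", "dst_ip", "dst", "user", "host")


class Registry:
    """Index of sightings per indicator plus a record of prior analysis."""

    def __init__(self):
        self.sightings = defaultdict(list)  # indicator -> [(timestamp, source, event)]
        self.analysed = {}                   # indicator -> incident id that covered it

    def ingest(self, text):
        """Parse key=value lines and file each indicator value under its sightings."""
        for line in text.splitlines():
            if not line.strip():
                continue
            ts, source, *fields = line.split()
            event = dict(f.split("=", 1) for f in fields)
            stamp = datetime.fromisoformat(ts)
            for key in INDICATOR_KEYS:
                if key in event:
                    self.sightings[event[key]].append((stamp, source, event))

    def mark_analysed(self, indicator, incident_id):
        """Record that an incident already covered this indicator."""
        self.analysed[indicator] = incident_id

    def context(self, indicator):
        """Everything an analyst should see before starting work on an indicator."""
        hits = sorted(self.sightings.get(indicator, []), key=lambda h: h[0])
        if not hits:
            return {"indicator": indicator, "sightings": 0, "analysed_in": None}
        related = set()
        for _, _, event in hits:
            for key in INDICATOR_KEYS:
                if key in event and event[key] != indicator:
                    related.add(event[key])
        return {
            "indicator": indicator,
            "sightings": len(hits),
            "first_seen": hits[0][0].isoformat(),
            "last_seen": hits[-1][0].isoformat(),
            "sources": sorted({source for _, source, _ in hits}),
            "related": sorted(related),
            "analysed_in": self.analysed.get(indicator),
        }


def run_example():
    """Load the constructed telemetry, note one prior incident, and query an indicator."""
    registry = Registry()
    registry.ingest(TELEMETRY)
    # Constructed incident id: the February sighting was already worked.
    registry.mark_analysed("203.0.113.5", "INC-CONSTRUCTED-001")
    return registry.context("203.0.113.5")


if __name__ == "__main__":
    print(run_example())
```

An analyst looking up the address during the March activity immediately sees that it first appeared weeks earlier, that a previous incident already covered it, and which user it pivots to, so the new investigation starts from that context instead of re-deriving it. Pivoting on the user in turn shows the authentication and proxy sources, which is the cross-source correlation the section describes.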
Typical firefighter defensive tactics can often backfire, leaving a company vulnerable to an adversary who burrows deep into their surroundings, lying low and undetected, leaving a false sense of security – only to attack again in the future. It is important to learn how to respond and manage security incidents by fully understanding the threats so that organizations never lose visibility of an adversary and are always prepared with relevant data for a calculated response strategy.
One way incident response teams are starting to embrace a calculated and more intelligent approach is by leveraging ChatBots – an intelligent collaboration and automation interface that interacts with IT and security teams. Now emerging in security, ChatBots streamline Security Operations Center (SOC) productivity and incident response processes and help to enable innovative, customized playbook-based workflows that automate components of incident response.
In addition, ChatBots are providing the ability to deliver cross-correlation and information sharing to help foster information, knowledge, and collaboration for IT and security teams to resolve incidents faster and with a more comprehensive, proactive approach. I look forward to seeing how ChatBots continue to pave the way to a more intelligent and automated approach to security operations.