Tuesday, October 4, 2022

SecTor 2021: To blunt attacks by advanced threat actors you need an updated incident response plan

Keeping more historical event data and closely watching for suspicious network behaviour are keys to blunting attacks by advanced threat actors, says an expert.

“We need to update our incident handling capabilities” to face advanced threats and supply chain attacks, Jeff Costlow, deputy chief information security officer (CISO) of ExtraHop Networks, told the SecTor 2021 conference on Wednesday.

That’s in part because advanced threat actors are likely to disable event logging and defensive tools like endpoint detection and response, he said, and use Windows and network tools against defenders.

He urged CISOs to create an incident response plan based on one of several incident response frameworks (such as the NIST framework), which generally contain these steps:

1. Preparation: Includes having digital forensic software to analyze disk images and logs. The SolarWinds attack shows the need for incident investigators to look backwards to find indicators of compromise, Costlow said. It’s easy if you have network flow logs going back months to look at root cause, but not every IT department does.

“As advanced threats, and especially supply chain attacks, impact greater numbers of organizations, it grows more important to invest in internal investigation and response tools that are able to look backwards in time to discover attack exposure and get to the root cause of an incident whose initial compromise event may have been far in the past.”

2. Detection and analysis. Many security tools have a mechanism for saving and correlating relevant data after detecting a threat. But, Costlow said, saving forensic data at that point isn’t good enough. He noted the dwell time of the Sunburst exploit used by Nobelium was nearly a year.

3. Containment and recovery. To make sure malware is completely eradicated, many experts recommend burning a compromised IT environment to the ground so it can be rebuilt from scratch. But Costlow noted this can be expensive — and possibly unnecessary if enough relevant historical log data is available to show precisely when and where the initial compromise happened.

4. Post-incident analysis. Many organizations skip this because of other priorities, Costlow said. But it must be done so the IT team can learn from its omissions and mistakes. Those lessons are applied to the Preparation stage, so the process is a cycle.

Experts talk about the defenders’ dilemma: deciding what assets should be protected best. But, Costlow said, there is also an attackers’ dilemma: Once inside a compromised network, their playbook becomes more limited. The number of tactics for stealthy lateral movement is smaller than the number of ways of compromising the perimeter.

“If you get good at detecting and investigating the handful of TTPs (tactics, techniques and procedures) attackers use once they are already inside, you can greatly improve the odds of preventing a breach, as well as accelerating the eradication, containment and recovery stages,” Costlow said. That means carefully watching network behaviour.

He suggested CISOs start preparing for a new incident response strategy by conducting a retrospective analysis of the risk of all assets they hold. Then, over the next few months, explore where there are gaps in the event and threat data. Figure out evidence preservation strategies, and update your threat model.

Fill in those data gaps with new sources of threat information. And carefully watch what’s happening on the network.
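The retrospective search described in the Preparation and Detection steps above, and the data-gap check suggested here, as an added illustration that is not from the article or from ExtraHop: it looks backwards from a detection time through retained network flow records for the earliest contact with a known indicator, and contrasts a short retention window with a long one. The flow records, the indicator address and the detection time are all constructed for the example.

```python
from datetime import datetime, timedelta

# Constructed sample of network flow records (not from the article):
# timestamp, source IP, destination IP, destination port.
FLOW_LOG = """\
2021-01-15T03:12:44Z 10.0.5.23 198.51.100.7 443
2021-03-02T11:05:01Z 10.0.5.23 203.0.113.9 443
2021-06-19T22:47:10Z 10.0.7.41 198.51.100.7 443
2021-12-01T09:30:00Z 10.0.5.23 198.51.100.7 443
"""

# Constructed indicator set standing in for a threat-intel feed.
INDICATORS = {"198.51.100.7"}

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_flows(text):
    """Parse whitespace-separated flow lines into (time, src, dst, port) tuples."""
    flows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        flows.append((datetime.strptime(ts, TS_FORMAT), src, dst, int(port)))
    return flows


def retrospective_search(flows, indicators, detected_at, retention_days):
    """Look back from the detection time, within the retained window, for the
    earliest contact with a known indicator; None if nothing is retained."""
    detected = datetime.strptime(detected_at, TS_FORMAT)
    window_start = detected - timedelta(days=retention_days)
    hits = sorted(f for f in flows
                  if f[2] in indicators and window_start <= f[0] <= detected)
    if not hits:
        return None
    first = hits[0]
    return {
        "first_seen": first[0].isoformat(),
        "first_host": first[1],
        "dwell_days": (detected - first[0]).days,
        "hosts": sorted({f[1] for f in hits}),
    }


if __name__ == "__main__":
    flows = parse_flows(FLOW_LOG)
    for days in (90, 365):
        print(days, "days of retention:",
              retrospective_search(flows, INDICATORS, "2021-12-02T00:00:00Z", days))
```

With 90 days of retention only the most recent contact survives, so the apparent dwell time is under a day and one host looks affected; with a year of retention the same search reaches the January contact, a dwell time of roughly 320 days, and a second host.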

“Advanced threats should change how we think about our risk and incident response strategies as well as our threat models,” Costlow said. “Adversaries are learning from successful campaigns, so should we. Building resilience begins with retrospectives and assessing the risk you hold. Attackers have a limited playbook, which can be used to your advantage. Network monitoring is an attacker’s worst nightmare. Enabling evidence preservation across your tools will save your organization a lot of heartaches. Good security is about resilience, not being bulletproof.”
