Keeping more historical event data and closely watching for suspicious network behaviour are keys to blunting attacks by advanced threat actors, says an expert.
”We need to update our incident handling capabilities” to face advanced threats and supply chain attacks, Jeff Costlow, deputy chief information security officer (CISO) of ExtraHop Networks, told the SecTor 2021 conference on Wednesday.
That’s in part because advanced threat actors are likely to disable event logging and defensive tools like endpoint detection and response, he said, and use Windows and network tools against defenders.
He urged CISOs to create an incident response plan based on one of several incident response frameworks (such as the NIST framework), which generally contain these steps:
—1. Preparation: Includes having digital forensic software to analyze disk images and logs. The SolarWinds attack shows the need for incident investigators to look backwards to find indicators of compromise, Costlow said. It’s easy if you have network flow logs going back months to look at root cause, but not every IT department does.
“As advanced threats, and especially supply chain attacks, impact greater numbers of organizations, it grows more important to invest in internal investigation and response tools that are able to look backwards in time to discover attack exposure and get to the root cause of an incident whose initial compromise event may have been far in the past.”
—2- Detection and analysis. Many security tools have a mechanism for saving and correlating relevant data after detecting a threat. But, Costlow said, saving forensic data at that point isn’t good enough. He noted the dwell time of the Sunburst exploit used by Nobelium was nearly a year.
—3. Containment and recovery. To make sure malware is completely eradicated, many experts recommend burning a compromised IT environment to the ground so it can be rebuilt from scratch. But Costlow noted this can be expensive — and possibly unnecessary if enough relevant historical log data is available to show precisely when and where the initial compromise happened.
—4- Post-incident analysis. Many organizations skip this because of other priorities, Costlow said. But it must be done so the IT team can learn from its omissions and mistakes. Those lessons are applied to the Preparation stage, so the process is a cycle.
Experts talk about the defenders’ dilemma: deciding what assets should be protected best. But, Costlow said, there is also an attackers’ dilemma: Once inside a compromised network, their playbook becomes more limited. The number of tactics for stealthy lateral movement is smaller than the number of ways of compromising the perimeter.
“If you get good at detecting and investigating the handful of TTPs (tactics, techniques and procedures) attackers use once they are already inside, you can greatly improve the odds of preventing a breach, as well as accelerating the eradication, containment and recovery stages,” Costlow said. That means carefully watching network behaviour.
He suggested CISOs start preparing for a new incident response strategy by conducting a retrospective analysis of the risk of all assets they hold. Then, over the next few months, explore where there are gaps in the event and threat data. Figure out evidence preservation strategies, and update your threat model.
Fill in those data gaps with new sources of threat information. And carefully watch what’s happening on the network.
“Advanced threats should change how we think about our risk and incident response strategies as well as our threat models,” Costlow said. “Adversaries are learning from successful campaigns, so should we. Building resilience begins with retrospectives and assessing the risk you hold. Attackers have a limited playbook, which can be used to your advantage. Network monitoring is an attacker’s worst nightmare. Enabling evidence preservation across your tools will save your organization a lot of heartaches. Good security is about resilience, not being bulletproof.”