Enhancing the response to Cyber attacks
Thoughts on increasing effectiveness of Incident Response teams
While you’re at it...
When a cyber attack is detected, panic begins. Perhaps the single most important management task is controlling the damage and ensuring business continuity. Everything else stops being urgent. The affected organization will likely bring in a professional Cyber Incident Response (IR) team. This team will focus on containing and stopping the spread of the damage, performing recovery work, and submitting a report that tries to explain “how did that happen to us?”
This pattern is obviously a “reactive” approach, mainly focused on recovering from specific damage and closing the specific breaches that have occurred.
However, why not let Incident Response teams do a better job of preventing similar breaches from happening again? It’s simply a matter of incorporating tools and methodologies from another discipline into the IR team’s work, allowing them to go beyond the standard reaction patterns. This WILL enhance organizational readiness and lower vulnerability to future attacks.
Do not focus on the broken window
If someone broke into your home, you call the police and a forensic team comes in. It’s one thing if they point at the particular window from which the burglar got in. But – if there are other weaknesses the intruder could exploit, wouldn’t you want the forensic team to highlight them for you as well?
The same is true for any organization that has suffered cyber attacks and damage. Since it is very likely that the intruder chose to walk one path out of several, it is very important to show the organization the other places from which one could gain access.
A cyber event response team will investigate and will often point out the specific path the intruder took, and show you which user accounts were used. They will also likely recommend resetting passwords to those specific user accounts, among other things.
Deliver more value
Think for a moment: what would we, as information security professionals, tell the client if, God forbid, they go through a subsequent attack? Especially if the next events involve vulnerabilities you could have pointed out while managing the first event.
When an incident response team is already invited to the affected customer site, and given the appropriate mandate (and budget!) to investigate and handle the incident, why not give the client a slightly fuller picture of their problems?
Today there is a kind of line between the job of an incident response team, and the execution of “other” actions that the organization can implement “later” – to prevent the recurrence of a cyber attack. The tools and methodology used by a response team are not necessarily the same tools that could discover more obvious weaknesses and help the client better prepare for the next breach.
The most common denominator for cyber attacks
No attack happens without exploiting user accounts and leveraging high privileges.
It wouldn’t be unreasonable to expect a professional who is already on site to look around a little more, and at least show the client some obvious weaknesses – those that can be seen without too much effort, and are relatively easy to handle!
Leverage Identity Management methodologies
(add some prevention, while recovering)
It only makes sense to incorporate some tools and methodologies from the identity management world into the response team’s work.
Specifically – Access Governance methods and tools can be utilized to scan, analyze, and show the client some of the major issues with existing user and permissions settings – the kind that attackers are likely to use. This would immediately help the client reduce their exposure.
This extra effort can be limited in scale and still provide great value. There’s no need even to talk about a full-blown Identity management and governance project. If done correctly, this can be done within the same time window in which the response team is already on the client site.
Here are examples of two topics to cover:
1. High risk user accounts
You can easily scan to detect most user accounts that present risk.
A very common scenario is that many user accounts present high risk, and not just the account through which the attack was committed. For example, such a scan will accurately point to all accounts with weak or easy-to-guess passwords – something relatively easy to detect and help fix.
2. Excessive (unnecessary!) Permissions
Users in the organization most likely hold many excessive permissions. This also presents risk and can be used in an attack. Performing a scan and mapping the big vulnerable spots in this context will also help reduce risk.
The above two gaps are relatively easy to work on, and much of this can be addressed while working on the cyber event. This extended approach will leave every client less vulnerable to subsequent attacks.
3. (optional) Reduce privileged accounts
As an optional (and very relevant) activity, organizations should look at significantly reducing the number of “privileged” accounts (those with high privileges). The reality in most organizations is troubling, as too many users are given too many privileges – even if not used on a daily basis.
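As an added example (not code from the original post), here is a small Python triage that covers the three topics above on a constructed account export: per-account risk indicators read from directory attributes (topic 1), groups that almost none of a user’s department peers hold, as a heuristic for excessive permissions (topic 2), and the privileged set that topic 3 asks to shrink. The group names, thresholds and export layout are assumptions; map them onto whatever your directory or IdM tool exports.

```python
from collections import Counter
from datetime import date

PRIVILEGED_GROUPS = {"Domain Admins", "Enterprise Admins", "Schema Admins"}  # assumed names
STALE_DAYS, MAX_PWD_AGE_DAYS = 90, 365  # assumed thresholds

# Constructed sample export (not real data), shaped like a flattened directory/IdM export.
ACCOUNTS = [
    {"user": "alice", "dept": "Finance", "groups": ["Finance", "Domain Admins"],
     "last_logon": date(2024, 5, 1), "pwd_never_expires": False, "pwd_age_days": 30},
    {"user": "carol", "dept": "Finance", "groups": ["Finance"],
     "last_logon": date(2024, 1, 2), "pwd_never_expires": False, "pwd_age_days": 20},
    {"user": "dave", "dept": "Finance", "groups": ["Finance", "Payroll-Admin"],
     "last_logon": date(2024, 5, 12), "pwd_never_expires": False, "pwd_age_days": 45},
    {"user": "svc_backup", "dept": "IT", "groups": ["Domain Admins"],
     "last_logon": date(2023, 11, 1), "pwd_never_expires": True, "pwd_age_days": 800},
]

def account_findings(acct, today):
    """Topic 1: risk indicators readable from attributes alone (no password testing needed)."""
    findings = []
    priv = sorted(set(acct["groups"]) & PRIVILEGED_GROUPS)  # topic 3: count these
    if priv:
        findings.append("privileged:" + ",".join(priv))
    if acct["pwd_never_expires"]:
        findings.append("password-never-expires")
    if acct["pwd_age_days"] > MAX_PWD_AGE_DAYS:
        findings.append("password-older-than-1y")
    if (today - acct["last_logon"]).days > STALE_DAYS:
        findings.append("stale-account")
        if priv:
            findings.append("stale-privileged")  # dormant admin accounts: fix these first
    return findings

def outlier_entitlements(accounts, min_peers=3, threshold=0.5):
    """Topic 2: groups held by fewer than `threshold` of a user's department peers."""
    by_dept = {}
    for a in accounts:
        by_dept.setdefault(a["dept"], []).append(a)
    outliers = {}
    for members in by_dept.values():
        if len(members) < min_peers:
            continue  # too few peers for a meaningful comparison
        counts = Counter(g for m in members for g in m["groups"])
        for m in members:
            odd = sorted(g for g in m["groups"] if counts[g] / len(members) < threshold)
            if odd:
                outliers[m["user"]] = odd
    return outliers
```

Run `account_findings` over every row and `outlier_entitlements` once; the intersection of “privileged” and “stale” findings is the list to hand the client first.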
The Bottom Line
(or paragraph 🙂)
Security team leaders should put more emphasis on preventing the next attack while handling the current attack and restoring its damage. With proper planning, this can integrate well into the response team’s activities during a cyber event. It should not mean turning the effort into a lengthy or significantly costly one.
In the end, this is just a different angle on addressing the cyber crime problem. Two sides of the same coin: one is Recovery, the other is Prevention. Response team activities tend to focus on crisis recovery, while identity management and governance tools enable prevention of the next crisis.