Defending your organisation against cyber-attacks is not a one-size-fits-all exercise. No single tool or magic box with flashing lights will solve this problem, and understanding the threat landscape and where your organisation sits within it is no easy task, but it is far from impossible. There is reasonable knowledge now of the primary threat groups, their motivations, their targets and their methods. However, it is not the case that all threat groups target all organisations, or even a few. The nature of targeted attacks is that attackers take weeks or months to plan an attack in which they attempt to access and exfiltrate specific information or assets. To respond to attacks effectively, you also need people: it takes people to defeat people.
Attackers typically perform reconnaissance on email filters, determining which employees fall for social engineering tactics, testing for whether or not known vulnerabilities have been patched, and amassing state-sponsored grade tools and techniques, among other activities. During an active compromise, attackers will also try any number of manoeuvres in the knowledge that they need only achieve one success. Defenders, by contrast, need to succeed at every move. This asymmetry during a live compromise means that defenders and responders need to have the skills, expertise, and knowledge of the attacker mindset to be one step ahead.
When an attacker is busy accessing your organisation’s resources, you need skilled individuals with the knowledge and technological resources to deal with them effectively. The right people need to be in the right place at the right time, collaborating with decision makers in order to perform the necessary actions. The ‘first responders’ should be more than just your technology team and should be in place throughout your organisation. It is crucial that, when an incident occurs, there is a designated lead (or leads) and deputies, accounting for the fact that attacks often occur at the most inconvenient hours and when people are on holiday. First responders should also be fully versed in your cybersecurity policy; for example, if a machine or server is suspected to be compromised, it should be company-wide policy that the machine is not turned off, as evidence might be lost. Equally important, once an attack has been detected, is establishing a clear chain of command, starting with a primary contact. A further point to consider is how you will communicate during an active incident. Quite often, today’s cyberattacks compromise an organisation’s communications infrastructure.
The attacker may be live and able to see all communications, so a pre-determined alternative channel is crucial for successful remediation. Processes involve the use of playbooks, and technology involves visibility, control and flexibility. Organisations need a framework for guiding internal discussions around their threat profile. Once your organisation agrees on the risks it faces, these learnings need to translate into implementing the appropriate technology to respond to those threats. The core functionalities for effective response are coverage, data and action. Coverage: 100% is difficult, but organisations should get as close to it as possible and not consider their work a failure if they fall short. Data: you have to have the right data, and the ability to analyse and act on it as quickly as possible. A lot of tooling will prioritise retrieving artefacts over processing them, which adds lead time when you are trying to figure out what is going on. Action: the vast majority of tooling should enable actions that slow or frustrate the attacker without making them aware of your presence.
A further consideration is logging: based on your risk appetite and threat profile, identify the appropriate amount of logging on your assets to enable forensic investigators to find the right information. DNS logs, for example, are essential, as many malware families still rely on DNS to establish their initial communication. Not having the ability to trace DNS queries in gateway logs back to the originating host can delay response activities.
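As an added example (not code from the article), the following Python illustrates the trace-back step described above: joining gateway DNS log lines to DHCP lease records so that each query is attributed to the host that actually held the client IP at query time, rather than to the IP alone, which matters when an address is re-leased to a different machine during the day. The log format, lease table, hostnames and domain names are all constructed for the example.

```python
from datetime import datetime

# Constructed sample gateway DNS log lines (not from the article): time, client IP, query name.
DNS_LOG = """\
2024-03-01T09:00:10Z 10.0.0.5 query www.example.com
2024-03-01T09:05:42Z 10.0.0.5 query a1b2c3.suspicious.example.net
2024-03-01T13:30:00Z 10.0.0.5 query updates.example.org
2024-03-01T13:31:15Z 10.0.0.9 query a1b2c3.suspicious.example.net
"""

# Constructed DHCP lease records: (ip, hostname, lease_start, lease_end).
# 10.0.0.5 was leased to two different hosts on the same day, so a plain
# IP-to-host lookup without timestamps would misattribute the morning queries.
DHCP_LEASES = [
    ("10.0.0.5", "LAPTOP-ALICE", "2024-03-01T08:00:00Z", "2024-03-01T12:00:00Z"),
    ("10.0.0.5", "LAPTOP-BOB",   "2024-03-01T12:30:00Z", "2024-03-01T18:00:00Z"),
]


def _ts(s):
    """Parse the ISO-8601 UTC timestamps used in the constructed logs."""
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def host_at(ip, when, leases=DHCP_LEASES):
    """Return the hostname holding `ip` at time `when`, or None if no lease covers it."""
    for lease_ip, host, start, end in leases:
        if lease_ip == ip and _ts(start) <= when <= _ts(end):
            return host
    return None


def attribute_queries(log=DNS_LOG, leases=DHCP_LEASES):
    """Join each DNS query to the host that held the client IP when the query was made.

    Queries whose IP has no covering lease (static address, rogue device, lease log
    gap) are flagged UNATTRIBUTED rather than silently dropped or guessed.
    """
    results = []
    for line in log.splitlines():
        ts, ip, _, qname = line.split()
        results.append((ts, ip, host_at(ip, _ts(ts), leases) or "UNATTRIBUTED", qname))
    return results


def hosts_querying(qname, log=DNS_LOG, leases=DHCP_LEASES):
    """Which hosts (not just IPs) resolved a given name, e.g. a domain under investigation."""
    return sorted({host for _, _, host, q in attribute_queries(log, leases) if q == qname})


if __name__ == "__main__":
    for row in attribute_queries():
        print(*row)
```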