3 Big Mistakes In Incident Response

Published: 22/11/2024   Category: security

How not to respond to a cyberattack.



An incident response specialist investigating a recent breach of a government services firm was convinced the attack he was investigating was the handiwork of a group of Chinese hackers.
The type of malware he found was commonly associated with that group of attackers, so he concentrated his efforts on cleanup and analysis of the malware, ultimately missing the real danger: The attackers had abandoned the malware and had since commandeered the victim company's administrative tools.
It was a classic case of incident response tunnel vision that left the victim organization at the mercy of the attackers while the IR team was sidetracked.
"Unfortunately, the analyst had tunnel vision and, because of this, didn't address outside the spectrum of these Chinese attackers they believed [the malware] represented," says Shane Shook, global vice president of consulting for Cylance, whose firm discovered the oversight after it was hired by the victim organization to perform a review of the attack investigation.
It's easy to prematurely draw conclusions about the attackers and type of attack in the early phase of discovery, but rushing to judgment too soon or tipping your hand to the attackers can have serious consequences, incident response and forensics experts say. Sophisticated attackers can quickly change up their malware and mask their movements if they know they've been outed.
"What most organizations do is overreact: They throw all of their efforts into that one incident and are not looking at what they should be looking at," says David Amsler, president and CIO of Foreground Security. "And, worse, they don't have a playbook [for response]. It's so haphazard, and that's where they fall down."
Amsler, Shook, and other security experts say there are some things that you should just never do in the wake of an attack. Here's a look at the three biggest mistakes organizations make in the wake of a cyberattack.
1. ASSuming It's An APT
With China and APTs seared into the consciousness of many organizations today, it's no surprise that many organizations automatically blame an APT when they discover they've been infiltrated. But identifying the attacker is not straightforward in cyberattacks, and incident response isn't about IDing the individual attackers, anyway, Cylance's Shook says.
"I see it often," Shook says of organizations mistakenly identifying an attack as cyberespionage. "A phishing email to a command-and-control beaconing address -- that type of activity is not attributed to longer-term persistence," he says. It's more likely a financially motivated attacker, not cyberspies, he says.
"You have to view the available evidence through a lens of objectivity," Shook says.
If not, key evidence and malicious activity can go unnoticed and do further damage. Shook says in the case of the attacked government services organization where no one noticed the hijacked admin tools, his firm in its investigation found three campaigns from similar attack groups had infiltrated the victim organization. "They all generally belonged to the same activity pattern, but had overlapping time frames," he says. The attackers had taken control of common admin utilities to facilitate the exfiltration of information.
"The other [attacker] groups were more persistent, and [the IR team] didn't see them. They had use of the client's infrastructure," Shook says.
And, increasingly, threat actors in Russia, Brazil, Mexico, Pakistan, and the U.S. are mimicking some of the Chinese cyberespionage attack methods. "As an attacker with malicious intent, it's a form of obfuscating who I am by mimicking the TTPs [tactics, techniques and procedures] of someone else," he says.
Trent Healy, senior security consultant with Foreground Security, says you can't just rely on attack indicators, anyway. "Command-and-control is getting more complex ... attackers are probably going to use one set of C&C to do some campaigns, and neighboring ASNs [autonomous system numbers] could be malicious activity by the same actor. The first C&C is the beachhead; the other is one they don't want you to see," Healy says.
2. Not Monitoring Traffic
No one can completely prevent getting hacked by a determined attacker. That's the cold hard reality today, but the common reaction of a breached organization is to ask which patch or tool it was missing that led to the attack, notes Tom Cross, director of security research at Lancope.
"The question they ask is, 'How do I invest in better preventative measures so this kind of breach doesn't happen to me in the future?' Well, that process makes sense -- up to a point," Cross explains. No process or patch can truly stop a zero-day or unpatched vuln from being exploited, or something that was made to evade your antivirus or IPS, he says.
Cross says this prevention-only mindset falls short. "You need to be able to look beyond the perimeter at what's going on inside your network. There are incidents [victim organizations] are experiencing that they can't prevent through vulnerability management," he says. "The way you stop these sophisticated targeted attacks or disrupt them [early on in the process] is through incident response and analysis and understanding as much about the attacks as possible."
That requires IR skill sets and capabilities, he says, but also monitoring methods such as employing NetFlow to track network transactions. "NetFlow traffic is much less expensive to store, so you can store a longer history than packet capture for the same amount of disk space," he says. "NetFlow and full packet capture [log] every single thing that happens, even the good [traffic]," he says.
But most organizations don't have proper monitoring -- logging, NetFlow, packet capture -- in place. "Many companies are not prepared because they don't have [these] capabilities in place to respond quickly and properly," Foreground's Amsler says.
Keeping audit trails helps in troubleshooting when an attack is discovered. "The next question is, what happened between the time the computer was compromised and when I shut it down? What else did it do? These are basic questions that a lot of organizations have no way to answer without monitoring traffic," Lancope's Cross says.
Monitoring NetFlow traffic can help track insider threats and malware infections, he says. "You've got a record of network transactions happening in your environment that you can cross-reference to IP intelligence data and to identify bot-infected hosts."
Foreground's Amsler says even some of the largest companies aren't properly monitoring their traffic such that it can aid them in their IR process. "We are seeing in a majority of cases that customers don't have NetFlows, packet capture ... maybe they're getting some logs fed in to the SIEM. But they don't have the time or skill sets to store it and use it, anyway," he says.
"We've had two separate large customers on the phone because they're owned and don't know what to do," he says. "The fundamental biggest struggle is they are not prepared for it because they're not monitoring for it."
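The two uses of flow records described above (answering "what else did the compromised machine do between compromise and shutdown?" and cross-referencing destinations against IP intelligence to spot bot-infected hosts) are easy to show on a handful of flows. The script below is an added example written for this article; it is not code from Lancope, Foreground Security or Cylance. The simplified CSV flow format, the host addresses (RFC 5737 test ranges), the "IP intelligence" list and the beaconing thresholds are all constructed assumptions. It goes one step beyond the quotes by also flagging periodic check-ins to the same destination, the regular low-volume pattern a bot polling its controller tends to leave in flow data.

```python
"""
Constructed NetFlow-style records and three questions an IR analyst asks of them.
Added example for this article; not the code of any vendor quoted in it. The
record format, the addresses and the indicator list are constructed for illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed flow records: start time, src, dst, dst port, protocol, bytes.
# 10.0.0.23 is the workstation later found to be compromised.
FLOWS_CSV = """\
2024-11-20T09:00:05,10.0.0.23,192.0.2.10,443,tcp,1820
2024-11-20T09:05:04,10.0.0.23,192.0.2.10,443,tcp,1790
2024-11-20T09:10:06,10.0.0.23,192.0.2.10,443,tcp,1805
2024-11-20T09:15:05,10.0.0.23,192.0.2.10,443,tcp,1811
2024-11-20T09:20:05,10.0.0.23,192.0.2.10,443,tcp,1798
2024-11-20T09:12:40,10.0.0.23,10.0.0.5,445,tcp,48231
2024-11-20T09:13:02,10.0.0.23,10.0.0.7,445,tcp,51007
2024-11-20T09:18:30,10.0.0.23,203.0.113.77,443,tcp,9120044
2024-11-20T09:01:12,10.0.0.41,192.0.2.10,443,tcp,1750
2024-11-20T09:03:55,10.0.0.41,198.51.100.8,80,tcp,5210
"""

# Constructed "IP intelligence" list standing in for a real threat feed.
KNOWN_BAD_IPS = {"203.0.113.77"}


def parse_flows(text):
    """Parse the constructed CSV into dicts, sorted by start time."""
    flows = []
    for line in text.strip().splitlines():
        ts, src, dst, dport, proto, nbytes = line.split(",")
        flows.append({
            "ts": datetime.fromisoformat(ts), "src": src, "dst": dst,
            "dport": int(dport), "proto": proto, "bytes": int(nbytes),
        })
    return sorted(flows, key=lambda f: f["ts"])


def activity_window(flows, host, start_iso, end_iso):
    """Everything a host talked to between compromise and shutdown, as
    {(dst, dport): total bytes}. This is Cross's 'what else did it do?' question."""
    start, end = datetime.fromisoformat(start_iso), datetime.fromisoformat(end_iso)
    totals = defaultdict(int)
    for f in flows:
        if f["src"] == host and start <= f["ts"] <= end:
            totals[(f["dst"], f["dport"])] += f["bytes"]
    return dict(totals)


def match_indicators(flows, bad_ips):
    """Cross-reference flow destinations against an IP intelligence list.
    Returns {internal host: set of bad destinations} so infected hosts stand out."""
    hits = defaultdict(set)
    for f in flows:
        if f["dst"] in bad_ips:
            hits[f["src"]].add(f["dst"])
    return dict(hits)


def find_beacons(flows, min_flows=4, max_jitter_s=15):
    """Flag (src, dst, dport) tuples that recur at a near-constant interval and
    return {tuple: mean interval in seconds}. Regular low-volume check-ins are a
    common sign of a bot polling its controller; the thresholds are tuning
    assumptions for this example, not values from the article."""
    by_tuple = defaultdict(list)
    for f in flows:
        by_tuple[(f["src"], f["dst"], f["dport"])].append(f["ts"])
    beacons = {}
    for key, times in by_tuple.items():
        if len(times) < min_flows:
            continue
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        if pstdev(gaps) <= max_jitter_s:
            beacons[key] = round(mean(gaps))
    return beacons


if __name__ == "__main__":
    flows = parse_flows(FLOWS_CSV)
    # Compromise and shutdown times are constructed for the walkthrough.
    window = activity_window(flows, "10.0.0.23", "2024-11-20T09:12:00", "2024-11-20T09:19:00")
    for (dst, port), total in window.items():
        print(f"10.0.0.23 -> {dst}:{port}  {total} bytes")
    print("indicator hits:", match_indicators(flows, KNOWN_BAD_IPS))
    print("beacons:", find_beacons(flows))
```

Run stand-alone, the window report shows the compromised host touching two internal SMB servers and pushing roughly 9 MB to the listed bad address before shutdown, the indicator match names that host, and the beacon check surfaces the five-minute check-ins to 192.0.2.10 that no single flow would have made suspicious. Real exporters produce richer fields (flow end time, packet counts, TCP flags) and the same logic applies once the records are parsed.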
3. Focusing Only On The Malware
Hacked organizations typically spend a lot of time and resources on malware cleanup rather than on the primary threats. "Viruses and malware are a nuisance. They represent a risk," Cylance's Shook says.
But malware and tools should be less of a priority than determining whether data theft or sabotage has occurred and other more long-term damages, according to Shook. "Second, has the user profile been manipulated? Third, has lateral movement been made or made available to people?" he says. Last on the list is pinpointing any malicious tools, he says.
Foreground's Amsler advises not to immediately upload the malware sample you find to VirusTotal or other open forums because some attackers keep tabs on that and will just regroup and change their patterns. "And don't turn off [infected] computers: Then IR has lost all of the most valuable data they have," he says.
The more advanced attackers are monitoring to see whether they've been detected, so the last thing you want to do is broadcast that you're onto them. "The actors are watching and waiting and know when you know they exist, and they change their patterns," Amsler says.
Focusing primarily on malware in an attack is akin to a doctor treating just the symptoms and not the actual disease, he says. "If you're just treating the malware infection and not looking at the root cause, and did that move laterally [in the organization] and infect other parts of the body, then you haven't identified how bad this disease is in the environment," he says.
Don't assume that just because you've cleaned up an infection that you're safe from a relapse: Advanced attackers often have more than one way into their victim's organization than just the malware. "Unfortunately, through lack of experience, many people believe that once they've identified the malware, there's no residual risk," Cylance's Shook says. "But malware is [just] one of the initial activities to establish ways in. You can't restrict [yourself] to just identifying and eradicating malware."