Author: Tingyang Wei, Security Analyst, Orange Cyberdefense
Running away screaming when the aliens land, hitting the panic button when all the servers go down, ordering an immediate response attack the moment you’re under fire… Just your average movie scene where the decision to fight or flight is being made.
But before any action is taken, there is usually a pause. A still frame of the character looking in awe at the scene, assessing the situation and deciding what the best option is.
This is similar for real-life fight of flight situations, as our body and mind need just a few seconds to decide what the best action is. Stay and fight or drop everything and run.
In the case of a critical cyber security incident, it usually isn’t a wise decision to make a run for it. But in order to decide on how to act in the situation, it pays off to have a few measurements in place that you know you can rely on. It improves your fighting capabilities. Especially as for critical cyber security incidents, effectively managing the first hour will have a massive impact on the remediation of the issue.
Essential for a quick response in critical situations is sufficient knowledge of the infrastructure, roles and responsibilities. IT infrastructure has evolved rapidly over the past years. For example, we observed increasing movement to cloud computing and data storage. The fast-changing IT environment frequently requires analysts to update their skill sets, such as learning about cloud security.
Consequently, analysts will need to have hands-on practice and maintain a complete picture of the topology of all systems. In the real world, external CSIRT analysts should quickly identify all assets under their responsibility. At the same time, the in-house CSIRT analysts should also actively participate in the vulnerability management and the discovery scanning processes.
In addition to knowledge of the internal infrastructure and processes, analysts must be aware of the potential threats facing the company. In order to effectively prepare for incident response, knowledge of the cyber security threat landscape is key.
Having robust procedures and checklists in place can help to identify what to do in the first critical hour. However, in many scenarios, CSIRT analysts may be prone to the obscurity of information, the inability to effectuate a solution in a limited time frame, and lack of operational jurisdiction. In such times, the incident response team must take matters into their own hands, clearly express their professional knowledge, and push through with their operations.
In the first hour, time is imperative. Like taking an exam, where time is limited, skip the questions you’re stuck on first.
Nowadays, the incident response containment process is often simplified due to the widely adopted Endpoint Detection and Response (EDR) technologies, which offer network containment capabilities at the push of a button. Nonetheless, even with traditional network containment tools, containing the network is not always an easy one. People do not always choose the safer option when it is available. But as the saying goes, it’s always better to be safe than sorry!
After the first hour, pieces of the puzzle might still be missing. After the first critical hour, it’s a good idea to take some time and reflect upon all the possibilities and work down a list.
At this stage you will need to collect as much data as you can from the incident. How exactly has the service been compromised? What information did the attackers have to get to this stage? What had been there exact target?
Answering these questions will help with the remediation of the issue, and will also strengthen the procedures and plans for any future scenario.
From time to time, during the post-breach analysis, CSIRT analysts may encounter setbacks in connecting the dots. But the truth will always prevail with enough patience and a correct mindset.
In conclusion, effectively managing the crucial one-hour time interval after a critical incident requires more than learning on the spot.
In addition to technical specialties, experienced CSIRT analysts will also benefit from extensive preparation on their assets and their adversaries, prioritization of tasks and making quick decisions when required, as well as being able to discern down-to-earth facts using the process of elimination.
This is a story from the trenches found in the Security Navigator. More stories and other interesting stuff including accounts of emergency response operations and a criminal scientist's view on cyber extortion, as well as tons of facts and figures on the security landscape in general can be found there as well. The full report is available for download, so have a look. It's worth it!
Download