Accepting that “prevention will eventually fail” and that a dedicated attacker will find a way in means that we will inevitably have incidents that need to be investigated. How we respond to those incidents is just as important as every other aspect of our defensive strategy, but there are some important forces at play that we need to understand in order to respond effectively.
It is normal to have an entirely human emotional response on discovering a compromise in your environment, with an associated urge to remove the intruder from the network immediately.
But, before hitting that cease and desist button on the attacker’s presence, you need to consider the following questions…
- Do you know how they got in?
- What are they after?
- How many systems have they compromised?
- How long have they been in your network?
If you don’t know the answers to these questions, wiping the attacker from your network could not only erase any chance of learning them, but may also tip off your adversary and drive them deeper into your organization, making them harder to detect and eradicate.
Until we have this information, we cannot be sure that if we block “that IP” or wipe “that machine” the attacker does not have another way back in. Nor can we be sure that they don’t have other tools in place that allow them to continue their operations undetected, or even to suspend their operations until our guard is lowered again.
It’s critical that we ignore our emotional response and listen instead to this measured and logical thought process. By that, we mean that we should be careful to monitor an attacker and preserve evidence. We should work to gather the most complete picture we can of the attacker and use this as intelligence not only to bolster defenses and detection against that threat actor or technique but also to ensure that when the time comes we can enact a thorough and resilient containment strategy.
When the time does come, the ejection of the attacker from the network should be done in such a manner that the attacker never quite knows whether they have been detected or not. We can do that, for example, by using techniques such as degrading the comms channels or using honeypots to keep them away from the real action.
Now that we’ve detected them, we hold the upper hand, and this type of response allows us to maintain it. What’s most important is that we retain our view of the attacker and observe their actions and responses.
This is what we should do if an incident has occurred
What’s even more important is being in a position to act in this way when you detect the attacker – and this requires preparation. The preparation required will depend on many factors but, as a minimum, you should have the following:
- A team on hand with 24/7 availability. This can be in-house or outsourced.
- A process or playbook to ensure that all the right stakeholders are in place and actions are taken or can be followed even under the pressure of an incident.
- Timely access to the right log data to investigate the affected hosts.
- An asset register detailing the ownership and location of systems within your network.
With these processes in place, an organization is well equipped to react effectively to attacks.
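As an added illustration (not code from the original post), the script below shows how the log data and asset register from the list above combine to answer the scoping questions before any containment: starting from one known indicator it pivots across a small set of constructed key=value log lines, and reports which hosts are involved, who owns them, and how long the activity has been going on. The log format, hostnames, owners and addresses are all assumptions invented for the example.

```python
from datetime import datetime, timezone

# Constructed sample data, not from the original post: a few key=value auth log
# lines and a minimal asset register keyed by hostname. bkp07 is deliberately
# missing from the register to show how an unknown host gets flagged.
SAMPLE_LOGS = [
    "2024-03-02T08:14:05Z host=web01 event=ssh_login user=svc_backup src=203.0.113.7 result=success",
    "2024-03-05T22:41:30Z host=db02 event=ssh_login user=svc_backup src=10.0.4.12 result=success",
    "2024-03-06T01:10:00Z host=fs01 event=smb_auth user=svc_backup src=10.0.4.12 result=success",
    "2024-03-06T03:30:45Z host=bkp07 event=ssh_login user=root src=10.0.4.12 result=success",
    "2024-03-06T07:55:19Z host=web01 event=ssh_login user=alice src=10.0.2.30 result=success",
]
ASSET_REGISTER = {
    "web01": {"owner": "web-team", "location": "dmz"},
    "db02": {"owner": "data-team", "location": "dc1-rack3"},
    "fs01": {"owner": "it-ops", "location": "dc1-rack5"},
}

def parse_line(line):
    """Turn '<iso-ts> k=v k=v ...' into a dict with a timezone-aware 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(kv.split("=", 1) for kv in rest.split())
    fields["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return fields

def scope_incident(log_lines, register, seed_indicators):
    """Expand from the initial indicators (accounts or source IPs) across the logs:
    any user or src seen together with a known indicator becomes one too, until the
    set stops growing. Returns the pre-containment picture: affected hosts with
    their owners, first and last activity, and dwell time in whole days."""
    events = [parse_line(line) for line in log_lines]
    indicators, hits = set(seed_indicators), []
    while True:
        new = [e for e in events if e not in hits and
               (e.get("user") in indicators or e.get("src") in indicators)]
        if not new:
            break
        hits.extend(new)
        for e in new:  # pivot: the account and the source seen in a hit are now indicators
            indicators.update(x for x in (e.get("user"), e.get("src")) if x)
    times = [e["ts"] for e in hits]
    hosts = sorted({e["host"] for e in hits})
    return {
        "hosts": {h: register.get(h, {"owner": "UNREGISTERED", "location": "?"}) for h in hosts},
        "indicators": sorted(indicators),
        "first_seen": min(times) if times else None,
        "last_seen": max(times) if times else None,
        "dwell_days": (max(times) - min(times)).days if times else 0,
    }

if __name__ == "__main__":
    picture = scope_incident(SAMPLE_LOGS, ASSET_REGISTER, {"svc_backup"})
    for host, meta in picture["hosts"].items():
        print(f"{host}: owner={meta['owner']} location={meta['location']}")
    print("dwell days:", picture["dwell_days"], "indicators:", picture["indicators"])
```

Pivoting on a shared account such as root will over-scope on a real network, so treat the output as a list of leads to verify against the logs, not as a final list of compromised hosts.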