Charles Leaver – Six Damage Control Questions To Ask Prior To A Breach

Written By Michael Bunyard And Presented By Ziften CEO Charles Leaver

The reality of modern life is that if attackers want to breach your network, it is only a matter of time before they succeed. The endpoint is the most common attack vector, and people are the weakest point in any organization. The endpoint device is where users handle whatever an attacker wants: intellectual property, credentials, data that can be held for ransom, and so on. New Next Generation Endpoint Security (NGES) solutions, of which Ziften is a leader, provide the visibility and insight needed to help reduce the likelihood or the duration of an attack. Prevention methods include reducing the attack surface by removing known vulnerable applications, cutting version sprawl, killing malicious processes, and ensuring compliance with security policies.

But prevention can only go so far. No solution is 100% effective, so it is important to take a proactive, real-time approach to your environment: watch endpoint behavior, detect when breaches have occurred, and respond immediately with remediation. Ziften also provides these capabilities, commonly called Endpoint Detection and Response (EDR), and companies should shift their mindset from “How can we prevent attacks?” to “We are going to be breached, so what do we do then?”

To understand the true breadth and depth of an attack, organizations need to be able to look back and reconstruct the conditions surrounding a breach. Security investigators need answers to the following six questions, and they need them quickly, since Incident Response staff are outnumbered and working within limited time windows to limit the damage.

Where was the attack behavior first seen?

This is where the ability to look back to the point in time of initial infection matters. To do this effectively, organizations must be able to go as far back in time as necessary to identify patient zero. The unfortunate state of affairs, according to Gartner, is that when a breach occurs, the average dwell time before it is detected is a shocking 205 days. According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60% of cases attackers were able to compromise organizations within minutes. That is why NGES solutions that do not continuously monitor and record activity, but instead periodically poll or scan the endpoint, can miss the critical initial penetration. The DBIR also found that 95% of malware types appeared for less than a month, and four out of five did not last seven days. You need the ability to continuously monitor endpoint activity, look back in time (however long ago the attack took place), and reconstruct the initial infection.

How did it behave?

What happened step by step after the initial infection? Did malware execute for a second every five minutes? Was it able to escalate privileges? A continuous picture of what happened behaviorally at the endpoint is essential to get an investigation started.
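The difference between polling and continuous recording made above can be shown on a small constructed timeline. This is an added example, not Ziften code: a process event stream where a beacon runs for one second every five minutes, observed once by a scanner that polls at an assumed 300-second cadence and once by a recorder that keeps every start/stop event.

```python
# Added example (not Ziften's code): a constructed endpoint process timeline
# observed two ways. A poll-based scanner only sees what is alive at each poll
# instant; a continuous recorder keeps every start/stop event and can rebuild
# first-seen time and total runtime, even for a one-second beacon.
POLL_INTERVAL = 300  # assumed scanner cadence, in seconds

# Constructed stream of (ts, pid, image, kind) with kind "start" or "stop":
# a long-lived browser plus a beacon that runs for one second every five
# minutes, offset so it never overlaps a poll instant.
EVENTS = [(0, 100, "browser.exe", "start")]
for i in range(6):
    t = 17 + i * 300
    EVENTS += [(t, 500 + i, "beacon.exe", "start"),
               (t + 1, 500 + i, "beacon.exe", "stop")]
EVENTS.sort()

def alive_at(events, at):
    """Images alive at instant `at`: what a point-in-time poll would report."""
    live = {}
    for ts, pid, image, kind in events:
        if ts > at:
            break
        if kind == "start":
            live[pid] = image
        else:
            live.pop(pid, None)
    return set(live.values())

def poll_view(events, interval=POLL_INTERVAL, horizon=1800):
    """Everything a periodic scanner ever observes across the horizon."""
    seen = set()
    for at in range(0, horizon + 1, interval):
        seen |= alive_at(events, at)
    return seen

def continuous_view(events):
    """From the full stream: image -> (first seen ts, completed runtime secs)."""
    first, runtime, started = {}, {}, {}
    for ts, pid, image, kind in events:
        if kind == "start":
            first.setdefault(image, ts)
            started[pid] = ts
        else:
            runtime[image] = runtime.get(image, 0) + ts - started.pop(pid)
    return {img: (first[img], runtime.get(img, 0)) for img in first}
```

The poller never reports beacon.exe at all, while the event stream yields its first execution at second 17 and six seconds of total runtime, which is exactly the look-back an investigator needs to place patient zero.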

How and where did the attack spread after the initial compromise?

Generally the attacker is not after the information available at the point of infection, but wants to use it as an initial beachhead from which to pivot through the network to reach the valuable data. Endpoints include the servers that client endpoints connect to, so it is essential to see a complete picture of any lateral movement that occurred after the intrusion, in order to understand exactly which assets were compromised and possibly also infected.
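The lateral-movement picture described above can be rebuilt from recorded host-to-host connections once patient zero and its infection time are known. This is an added example, not Ziften code, over a constructed connection log: a host is only marked suspect when it receives a connection from an already-suspect host after that host's own compromise time, so earlier, benign traffic between the same pair is not blamed.

```python
# Added example (not Ziften's code): reconstructing lateral movement from a
# constructed host-to-host connection log. Suspicion propagates forward in
# time only, from patient zero, so a connection made before the source was
# compromised does not implicate its destination.
from collections import namedtuple

Conn = namedtuple("Conn", "ts src dst proto user")

# Constructed log (ts = minutes since midnight). WS01 is patient zero at 09:00.
CONNECTIONS = [
    Conn(480, "WS01", "FILE01", "smb", "alice"),     # 08:00, before infection
    Conn(545, "WS01", "FILE01", "smb", "alice"),     # 09:05, after: suspect
    Conn(550, "WS02", "FILE01", "smb", "bob"),       # clean host talking to a victim
    Conn(560, "FILE01", "DB01", "rdp", "svc_admin"),
    Conn(530, "DB01", "WS03", "rdp", "svc_admin"),   # 08:50: DB01 not yet compromised
    Conn(600, "DB01", "WS03", "smb", "svc_admin"),
]

def reconstruct_spread(conns, patient_zero, infection_ts):
    """Return {host: (first_suspect_ts, via_host, proto)} reachable from patient zero.

    One pass in time order suffices: each newly suspect host inherits the
    current timestamp, and every later connection has ts >= that value.
    """
    suspect = {patient_zero: (infection_ts, None, None)}
    for c in sorted(conns, key=lambda c: c.ts):
        if c.src in suspect and c.ts >= suspect[c.src][0] and c.dst not in suspect:
            suspect[c.dst] = (c.ts, c.src, c.proto)
    return suspect

def affected_hosts(conns, patient_zero, infection_ts):
    """Sorted list of hosts reached from patient zero, excluding patient zero."""
    spread = reconstruct_spread(conns, patient_zero, infection_ts)
    return sorted(h for h in spread if h != patient_zero)

def attack_path(spread, host):
    """Walk the via_host links back to patient zero, returned oldest first."""
    path = []
    while host is not None:
        path.append(host)
        host = spread[host][1]
    return path[::-1]
```

With WS01 infected at 09:00, FILE01, DB01 and WS03 are reached in that order, while WS02, which merely connected to an infected server, is not counted as compromised.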

How did the behavior of the infected endpoint(s) change?

What was going on before and after the infection? What network connections were being made? How much network traffic was flowing? What processes were active before and after the attack? Immediate answers to these questions are vital for quick triage.

What user activity occurred, and was there any possible insider involvement?

What actions did the user take before and after the infection occurred? Was the user present at the device? Was a USB drive inserted? Was the time of the activity outside their typical usage pattern? These and many more artifacts must be available to paint a full picture.

What mitigation is required to deal with the attack and prevent the next one?

Reimaging the infected computer(s) is a time-consuming and expensive solution, but sometimes it is the only way to know for sure that all malicious artifacts have been removed (although state-sponsored attackers may embed themselves in system or drive firmware and survive even reimaging). With a clear picture of all the activity that occurred, however, simpler actions such as removing malicious files from all affected systems may be adequate. Re-examining security policies will likely be necessary, and NGES solutions can help automate future responses should similar situations occur. Automatable actions include sandboxing, cutting off network access from infected computers, killing processes, and much more.

Do not wait until after a breach happens and you have to hire an army of experts and spend time and money piecing the facts together. Make sure you are prepared to answer these six crucial questions and have all the answers within your grasp in minutes.