Page 43 - cdm-2014
again. If outside services have been retained to help with incident response and remediation,
then dealing with reinfections can cause security costs to spiral out of control.
To break the cycle, organizations need to take a proactive stance. In the military, soldiers learn
that when they defend a position, they still need to gain situational awareness by taking a small
portion of the defensive team to actively patrol outside the perimeter. This proactive posture
enables them to discover any enemy forces planning an ambush or surprise attack and can
mean the difference between life and death.
Enterprises can defend proactively against cyber attackers by taking the following steps:
• Changing the mindset from ‘if’ an attack will happen to ‘when.’ With this perspective teams can
better anticipate threats and take action to reduce the amount of time an APT lives in the
organization.
• Actively investigating the environment for IOCs by continuing to collect data from multiple
sources and looking for known malware via signatures and unknown malware via behavioral
detection algorithms.
• Staying current with the latest threat intelligence and available countermeasures and deploying
them as required within the context of the environment.
• Continuing to educate employees on popular attack methods, how to identify them and who to
contact if they suspect they may be a target of an attack.
• Encouraging ongoing professional development of IT and security staff to keep credentials
current.
5. Automate Incident Response
Being proactive is potentially time consuming because organizations are now investing IT and
security resources in looking for attacks before they occur. In the long term it makes financial
sense, but it may be difficult to justify in the short term because of the additional resources
required. This is why automation goes hand in hand with a proactive approach. Automation
eliminates the need to perform manual work that is crucial but time consuming, such as
collecting endpoint data from a large number of hosts and searching for IOCs. And the cost
savings of automation can be significant – anywhere from $1,900 to investigate and remediate
each potential malware incident to multiple thousands of dollars per potential incident according
to the “Securosis Malware Analysis Quant Metrics Model.”
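The two steps above that lend themselves most directly to automation are the IOC investigation (collecting endpoint data from many hosts, then matching known malware by signature and unknown malware by behavior) and the bulk search itself. The following is an added example, not code from the article or from any vendor it mentions: a small sweep that runs a hash-based signature rule and two behavioral rules over endpoint records. The host names, paths, parent-process names and "known bad" hashes are all constructed placeholders standing in for a real collection agent and threat-intelligence feed.

```python
"""Added example (not from the article): an automated IOC sweep over
endpoint data collected from many hosts, combining signature matching
(known-bad hashes) with simple behavioral rules for unknown malware.
All hosts, paths and hashes below are constructed sample values."""
import hashlib
from dataclasses import dataclass


@dataclass
class EndpointRecord:
    host: str
    kind: str          # "file" or "process"
    path: str
    sha256: str = ""   # populated for file records
    parent: str = ""   # parent process image name, for process records


@dataclass
class Finding:
    host: str
    rule: str
    detail: str


# Constructed placeholder "known bad" hashes standing in for a threat-intel feed.
KNOWN_BAD_A = hashlib.sha256(b"constructed-sample-A").hexdigest()
KNOWN_BAD_B = hashlib.sha256(b"constructed-sample-B").hexdigest()
KNOWN_BAD_HASHES = {KNOWN_BAD_A, KNOWN_BAD_B}

# Behavioral rules need no signature; they flag patterns rather than specific samples.
TEMP_DIRS = ("/appdata/local/temp/", "/tmp/", "/dev/shm/")
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SHELLS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def _norm(path: str) -> str:
    """Lower-case and use forward slashes so one rule covers Windows and Unix paths."""
    return path.replace("\\", "/").lower()


def _basename(path: str) -> str:
    return _norm(path).rsplit("/", 1)[-1]


def signature_rule(rec: EndpointRecord, bad_hashes=KNOWN_BAD_HASHES):
    """Known malware: the file hash appears in the IOC list."""
    if rec.kind == "file" and rec.sha256 in bad_hashes:
        return Finding(rec.host, "known-malware-hash", f"{rec.path} sha256={rec.sha256[:12]}...")
    return None


def exec_from_temp_rule(rec: EndpointRecord):
    """Unknown malware heuristic: a process executing out of a temp directory."""
    if rec.kind == "process" and any(t in _norm(rec.path) for t in TEMP_DIRS):
        return Finding(rec.host, "exec-from-temp-dir", rec.path)
    return None


def office_spawns_shell_rule(rec: EndpointRecord):
    """Unknown malware heuristic: an Office application launching a scripting shell."""
    if (rec.kind == "process" and _basename(rec.path) in SHELLS
            and rec.parent.lower() in OFFICE_PARENTS):
        return Finding(rec.host, "office-spawned-shell", f"{rec.parent} -> {_basename(rec.path)}")
    return None


RULES = (signature_rule, exec_from_temp_rule, office_spawns_shell_rule)


def scan_hosts(records):
    """Run every rule over every collected record and return all findings."""
    findings = []
    for rec in records:
        for rule in RULES:
            hit = rule(rec)
            if hit:
                findings.append(hit)
    return findings


def affected_hosts(records):
    """Sorted list of hosts with at least one finding, i.e. the remediation queue."""
    return sorted({f.host for f in scan_hosts(records)})


# Constructed endpoint data, shaped like what a collection agent would return.
SAMPLE_INVENTORY = [
    EndpointRecord("ws-001", "file", r"C:\Users\alice\Downloads\report.pdf",
                   sha256=hashlib.sha256(b"benign").hexdigest()),
    EndpointRecord("ws-002", "file", r"C:\Users\bob\AppData\Local\Temp\svc.exe", sha256=KNOWN_BAD_A),
    EndpointRecord("ws-002", "process", r"C:\Users\bob\AppData\Local\Temp\svc.exe"),
    EndpointRecord("ws-003", "process", r"C:\Windows\System32\cmd.exe", parent="WINWORD.EXE"),
    EndpointRecord("ws-004", "process", r"C:\Windows\System32\cmd.exe", parent="explorer.exe"),
    EndpointRecord("srv-01", "process", "/usr/sbin/sshd"),
]

if __name__ == "__main__":
    for f in scan_hosts(SAMPLE_INVENTORY):
        print(f"{f.host:8} {f.rule:22} {f.detail}")
    print("hosts needing remediation:", affected_hosts(SAMPLE_INVENTORY))
```

On the sample data the sweep flags ws-002 twice (a known-bad hash on disk and the same binary running from a temp directory) and ws-003 once (Word launching cmd.exe), while the clean workstation and the Linux server produce nothing. The point of splitting the rules is that the signature rule only ever catches what threat intelligence already names, whereas the behavioral rules keep working when the sample is new; in practice the host list that `affected_hosts` returns is what feeds the automated remediation queue.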
To begin to incorporate automation into incident response:
• Select trusted solutions that integrate well into existing security infrastructure
• Evolve from manual methods to automation over time as comfort levels grow and the value is
demonstrated – begin with ‘low hanging fruit’ such as searching for and removing files with