Page 44 - cdm-2014
known bad MD5 hash values on endpoints; move to more sophisticated methods of analyzing
data to identify IOCs and kill processes or remove files.
• Report back to the business on how automation is saving costs while enhancing security by
freeing up highly skilled security staff to be proactive.
Status quo is not an option. Organizations that shun automation entirely will find themselves at a
constant and mounting disadvantage against attackers.
What Not To Do
Don’t tip your hand needlessly. You may decide to contain the attack but be careful how you
respond. Actions such as hacking back or submitting the malware to a reporting site will inform
the adversary they’ve been discovered. The same is true if the team uses the compromised
network to coordinate incident response efforts, rather than establish out-of-band
communications. Hackers will deploy another technique while the team is distracted and busy
dealing with the first attack.
Don’t start investigating without a plan. An overzealous response can compound the damage.
For example, utilizing an external tool to attempt to find the threat can taint the data required to
perform proper timeline analysis and to inspect other important information such as prefetch data
(data that is preloaded to speed the boot process and shorten application startup time). Prefetch
data can provide valuable forensic artifacts that might help answer the “what”, “where” and
“when” of an attack.
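As an added illustration of the forensic value of prefetch data (this is example code, not part of the original article), the parser below reads the header of an uncompressed Windows Prefetch (.pf) file and recovers the executable name (“what”), the paths it loaded (“where”) and its run count and last-run timestamps (“when”). It covers format versions 17, 23 and 26 using the publicly documented layout; Windows 10 files, which carry a "MAM" compression signature, are rejected rather than decoded. The sample file it parses is constructed in the script, with a hypothetical UPDATER.EXE and an arbitrary hash value, so it runs offline.

```python
"""Recover what/where/when from a Windows Prefetch (.pf) header.

Supports uncompressed prefetch versions 17 (XP), 23 (Vista/7) and 26 (8.1).
Offsets follow the documented layout: an 84-byte file header followed by a
version-specific file-information block that starts at offset 84.
"""
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)
# version -> (absolute offset of last-run FILETIME(s), number of timestamps,
#             absolute offset of the run counter)
LAYOUT = {
    17: (120, 1, 144),
    23: (128, 1, 152),
    26: (128, 8, 208),
}


def filetime_to_datetime(ft):
    """Convert a FILETIME (100-ns ticks since 1601-01-01 UTC) to a datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    """Inverse of filetime_to_datetime; used only to build the sample file."""
    return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10


def parse_prefetch(data):
    """Return a dict with the execution evidence stored in the .pf header."""
    if data[:3] == b"MAM":
        raise ValueError("compressed (Windows 10+) prefetch file: decompress first")
    version, sig, _, size = struct.unpack_from("<I4sII", data, 0)
    if sig != SIGNATURE:
        raise ValueError("not a prefetch file (missing SCCA signature)")
    if version not in LAYOUT:
        raise ValueError(f"unsupported prefetch version {version}")
    if size > len(data):
        raise ValueError("truncated prefetch file")

    # Executable name: 60 bytes of UTF-16LE, NUL padded, at offset 16.
    exe_name = data[16:76].decode("utf-16-le").split("\x00", 1)[0]
    pf_hash = struct.unpack_from("<I", data, 76)[0]

    # The first 36 bytes of the file-information block are common to all
    # versions; bytes 16..23 give the filename-strings offset and size.
    strings_off, strings_size = struct.unpack_from("<II", data, 84 + 16)

    ts_off, ts_count, rc_off = LAYOUT[version]
    last_run = []
    for i in range(ts_count):
        ft = struct.unpack_from("<Q", data, ts_off + 8 * i)[0]
        if ft:  # unused slots are zero on versions with 8 timestamps
            last_run.append(filetime_to_datetime(ft))
    run_count = struct.unpack_from("<I", data, rc_off)[0]

    # Filename strings: NUL-separated UTF-16LE paths of files the program used.
    raw = data[strings_off:strings_off + strings_size].decode("utf-16-le", "replace")
    files = [s for s in raw.split("\x00") if s]

    return {
        "version": version,
        "executable": exe_name,
        "prefetch_hash": pf_hash,
        "run_count": run_count,
        "last_run": last_run,
        "files": files,
    }


def build_sample_v23():
    """Construct a minimal version-23 prefetch file (sample data, not a real artifact)."""
    files = [
        "\\DEVICE\\HARDDISKVOLUME1\\WINDOWS\\SYSTEM32\\NTDLL.DLL",
        "\\DEVICE\\HARDDISKVOLUME1\\USERS\\ALICE\\APPDATA\\LOCAL\\TEMP\\UPDATER.EXE",
    ]
    strings = "".join(f + "\x00" for f in files).encode("utf-16-le")
    strings_off = 84 + 156            # header + v23 file-information block
    total = strings_off + len(strings)
    last_run = datetime(2014, 3, 12, 9, 41, 7, tzinfo=timezone.utc)

    header = struct.pack("<I4sII", 23, SIGNATURE, 0x11, total)
    header += "UPDATER.EXE".encode("utf-16-le").ljust(60, b"\x00")
    header += struct.pack("<II", 0x1234ABCD, 0)   # arbitrary hash, flags
    info = bytearray(156)
    struct.pack_into("<II", info, 16, strings_off, len(strings))
    struct.pack_into("<Q", info, 44, datetime_to_filetime(last_run))
    struct.pack_into("<I", info, 68, 7)            # run count
    return header + bytes(info) + strings


if __name__ == "__main__":
    rec = parse_prefetch(build_sample_v23())
    print(f"{rec['executable']} ran {rec['run_count']} times; last at "
          f"{rec['last_run'][0].isoformat()}")
    for path in rec["files"]:
        print("  loaded:", path)
```

Pointing `parse_prefetch` at a file read from an image of C:\Windows\Prefetch gives the same fields for a real artifact; the timestamps are UTC, so correlate them with other timeline sources before converting to local time. Note that merely running a new tool on the live host creates fresh prefetch entries and can age out the oldest ones, which is the tainting the paragraph above warns about.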
Don’t keep it to yourself. Inform management and the right people using the incident notification
call list and call tree. Collaboration can help to more effectively deal with the situation. For
organizations that choose to hire professional services to help, make sure knowledge transfer is
part of the process to help keep costs in check.
Conclusion
After an organization has been hacked, reducing the amount of time an APT lives within the
environment is paramount.
To get the job done, organizations must deploy a methodical approach that includes steps to
detect/identify, contain – or perhaps not – and remove/recover from the attack as quickly as
possible.
But the process can’t stop there. Attackers are increasingly creative in their methods of attack.
To truly gain an advantage against attackers, security and IT teams need to become more
creative in how to identify and remediate the growing number of security incidents the
organization will continue to face. By adopting a proactive approach that includes the option of
policy-based automation, organizations can reduce the time and costs the team spends on
incident response. Only then can they shift the bulk of resources from focusing on what
happened in the past to creating a safer future.