Taking Back the Castle

How to Respond to Active Breaches

Colin Cowie and Michael Salihoglu | 10/22/2018
IR Teams to the Rescue
As our dependence on technology increases, protecting data and IT systems is more urgent than ever. A 2017 report by the Ponemon Institute revealed that 54 percent of companies experienced at least one digital attack that successfully compromised data or IT infrastructure. It’s important to note that this statistic only takes into account compromises that were ultimately detected and reported, meaning that an even greater number of organizations could have been breached without ever realizing it. As these events shift from possibilities to likely occurrences, it becomes increasingly critical that organizations develop and equip incident response programs and teams that can resolve threats swiftly and efficiently.
Assembling an incident response team that can investigate and respond effectively to security incidents can be challenging for some organizations. A response team should consist of carefully selected and well-trained personnel who can make critical decisions in times of extreme crisis and stress. The team’s objective is to minimize impact and restore normal operations as quickly as possible.

Identify and monitor the threat

Responding to data breaches in complex network environments is a daunting task. Before taking defensive actions, it’s critical to observe the affected environment and attempt to think like the adversaries. Understanding the mindset of the attackers helps orient the team’s response strategies to attackers’ techniques and tactics.
One of the most difficult aspects of the incident response process is detecting and assessing possible incidents accurately. Indicators of compromise (IOCs) are signs that an incident might have occurred or is currently underway. If an organization suspects that a data breach is in progress, information that might contain IOCs should be triaged from a variety of sources, including intrusion detection sensors, firewalls, event logs, and network traffic. Correlating noteworthy events and IOCs can help identify what type of actions malicious actors performed, the impact of the attacks, and what actions malicious actors might perform in the future.
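The triage step above, correlating events from several sources against a set of IOCs, is shown here as an added example that is not part of the original article. The log formats, the firewall/DNS/endpoint records, the IP address, domain and hash in the IOC set are all constructed placeholders; a real deployment would read its own sensor output and threat-intelligence feed in place of the inline lists.

```python
"""Added example: triage constructed log lines from three sources, match
them against a small IOC set, and fold the hits into one per-host timeline.
All log formats, addresses, names and hashes below are constructed."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed IOC set (placeholder values, not real indicators).
IOCS = {
    "ip": {"203.0.113.45"},               # documentation range (RFC 5737)
    "domain": {"update-check.example"},   # reserved TLD (RFC 2606)
    "sha256": {"0123456789abcdef" * 4},   # obviously synthetic digest
}

# Constructed records from a firewall, a DNS resolver and an endpoint agent.
LOGS = {
    "firewall": [
        "2018-10-20T09:14:02Z fw01 ALLOW src=10.0.5.23 dst=203.0.113.45 dport=443",
        "2018-10-20T09:14:07Z fw01 ALLOW src=10.0.5.23 dst=198.51.100.7 dport=80",
        "2018-10-20T11:41:55Z fw01 ALLOW src=10.0.5.41 dst=203.0.113.45 dport=443",
    ],
    "dns": [
        "2018-10-20T09:13:58Z dns01 query host=10.0.5.23 name=update-check.example",
        "2018-10-20T10:02:10Z dns01 query host=10.0.5.30 name=intranet.corp.example",
    ],
    "edr": [
        "2018-10-20T09:20:31Z edr01 exec host=ws-023 ip=10.0.5.23 "
        "file=C:\\Temp\\svc.exe sha256=" + "0123456789abcdef" * 4,
    ],
}

KV = re.compile(r"(\w+)=(\S+)")

def parse(line, source):
    """Split 'timestamp sensor key=value ...' into a flat event dict."""
    ts, sensor, rest = line.split(" ", 2)
    event = {"time": datetime.fromisoformat(ts.replace("Z", "+00:00")),
             "source": source, "sensor": sensor}
    event.update(KV.findall(rest))
    return event

def internal_host(event):
    """Pick the internal address that ties events from different sensors together."""
    return event.get("src") or event.get("ip") or event.get("host")

def match_iocs(event):
    """Return the (type, value) IOC pairs an event touches, if any."""
    hits = []
    for key in ("src", "dst", "ip"):
        if event.get(key) in IOCS["ip"]:
            hits.append(("ip", event[key]))
    if event.get("name") in IOCS["domain"]:
        hits.append(("domain", event["name"]))
    if event.get("sha256") in IOCS["sha256"]:
        hits.append(("sha256", event["sha256"]))
    return hits

def correlate(logs):
    """Group IOC-matching events by internal host, each list sorted by time."""
    timeline = defaultdict(list)
    for source, lines in logs.items():
        for line in lines:
            event = parse(line, source)
            hits = match_iocs(event)
            if hits:
                event["hits"] = hits
                timeline[internal_host(event)].append(event)
    return {host: sorted(evs, key=lambda e: e["time"]) for host, evs in timeline.items()}

def span_seconds(events):
    """Seconds between the first and last matching event for one host."""
    return (events[-1]["time"] - events[0]["time"]).total_seconds()

if __name__ == "__main__":
    for host, events in correlate(LOGS).items():
        print(f"{host}: {len(events)} IOC hits over {span_seconds(events):.0f}s")
        for e in events:
            print(f"  {e['time']:%H:%M:%S} {e['source']:8} {e['hits']}")
```

Keying the timeline on the internal address rather than on the sensor is what turns three unrelated alerts into a story: for 10.0.5.23 the DNS lookup, the outbound connection and the file execution line up within minutes, while 10.0.5.41 shows only a single connection and may warrant a closer look at sources this example does not ingest.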

Contain the incident

Different types of incidents can have drastically different and potentially unique risks, so effective corresponding containment strategies vary greatly based on the incident type. Some things to consider before determining a containment strategy include:
  • Evidence preservation
  • Service availability
  • Time and resources required
  • Efficacy of the determined strategy
  • Potential responses from adversaries
Some immediate actions, such as isolating an infected network segment or disabling a service being abused by adversaries, should be taken to prevent further damage and to give the incident response team more time for analysis. In some cases, production servers might need to be temporarily taken offline to reduce risk. Adversaries might determine that they are losing control over the affected environment and could respond in unexpected ways. During the entire incident response process, network traffic should be monitored for malicious characteristics and new attacks.

Recover and rebuild

After the threat has been contained, the identified IOCs can help restore the compromised network. Using IOCs such as cryptographic hashes of malicious files and malware signatures helps cleanse infected machines. Patching any exploited vulnerabilities can reduce the success rate of attacks. Any compromised services or accounts should be disabled or secured.
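The hash-based cleanup described above, as an added example that is not part of the original article: a scan of a directory tree against a list of known-bad SHA-256 digests, with matches moved to a quarantine folder and a manifest recording each original path so the evidence is preserved. The "malicious" byte string, its digest and the demo directory are constructed stand-ins; in practice the hash list would come from the IOCs gathered during the investigation.

```python
"""Added example: sweep a directory tree for files whose SHA-256 matches a
list of known-bad hashes, then move the hits into a quarantine folder with a
manifest that preserves each original path. The 'malicious' content and its
hash are constructed stand-ins, not real malware indicators."""
import hashlib
import shutil
import tempfile
from pathlib import Path

# Constructed stand-in for a malicious binary; its digest plays the IOC role.
MALICIOUS_SAMPLE = b"constructed stand-in for a malicious binary"
BAD_HASHES = {hashlib.sha256(MALICIOUS_SAMPLE).hexdigest()}

def sha256_file(path, chunk_size=1 << 16):
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()

def scan_tree(root, bad_hashes):
    """Return sorted (path, digest) pairs for every regular file whose
    digest is in bad_hashes. Unreadable files are skipped, not fatal."""
    matches = []
    for path in Path(root).rglob("*"):
        if not path.is_file():
            continue
        try:
            digest = sha256_file(path)
        except OSError:
            continue  # permission denied, vanished mid-scan, etc.
        if digest in bad_hashes:
            matches.append((str(path), digest))
    return sorted(matches)

def quarantine(matches, quarantine_dir):
    """Move matched files into quarantine_dir under their digest (suffixed so
    duplicates never overwrite each other) and record the original paths."""
    qdir = Path(quarantine_dir)
    qdir.mkdir(parents=True, exist_ok=True)
    manifest = []
    for i, (path, digest) in enumerate(matches):
        dest = qdir / f"{digest}_{i}"
        shutil.move(path, dest)
        manifest.append(f"{digest} {path} -> {dest}")
    (qdir / "manifest.txt").write_text("\n".join(manifest) + "\n")
    return manifest

def build_demo_tree():
    """Create a throwaway tree with one clean file and two copies of the sample."""
    root = Path(tempfile.mkdtemp(prefix="ir-demo-"))
    (root / "bin").mkdir()
    (root / "bin" / "legit.bin").write_bytes(b"a perfectly ordinary file")
    (root / "tmp").mkdir()
    (root / "tmp" / "svc.exe").write_bytes(MALICIOUS_SAMPLE)
    (root / "tmp" / "copy.dat").write_bytes(MALICIOUS_SAMPLE)
    return root

if __name__ == "__main__":
    root = build_demo_tree()
    hits = scan_tree(root, BAD_HASHES)
    for path, digest in hits:
        print(f"MATCH {digest[:12]}... {path}")
    for line in quarantine(hits, str(root) + "-quarantine"):
        print("quarantined:", line)
    print("remaining matches:", scan_tree(root, BAD_HASHES))
```

Quarantining rather than deleting keeps the samples available for later analysis, and the manifest ties each quarantined copy back to where it was found. A hash sweep only catches files identical to known samples, so it complements, rather than replaces, the signature-based and behavioural checks the article mentions.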
Depending on the incident, it might be difficult to rebuild the compromised network completely. Validating system functionality and security during the rebuilding process reduces the risk of a similar incident recurring. Some actions performed during the restoration process include restoring systems from clean backups, changing account passwords, or even rebuilding systems entirely from the ground up.

Prevent future incidents

Holding post-incident autopsy meetings with all involved parties can improve security measures and the organization’s incident handling process. This meeting can also provide closure by reviewing what occurred, what was done to intervene, and how well the intervention worked. Some questions to explore during an autopsy meeting include:
  • What happened and when, specifically?
  • What was the lag in response time from compromise to detection?
  • What actions might prevent similar incidents in the future? 
  • What precursors can be monitored in the future to detect similar incidents?
As soon as possible after any incident, the operational security of an organization should be reviewed and critiqued. Performing regular risk assessments can help organizations prioritize and mitigate vulnerabilities before threat actors can exploit them.