3 Big Mistakes In Incident Response
How not to respond to a cyberattack
An incident response specialist investigating a recent breach of a government services firm was convinced the attack he was investigating was the handiwork of a group of Chinese hackers. The type of malware he found was commonly associated with that group of attackers, so he concentrated his efforts on cleanup and analysis of the malware, ultimately missing the real danger: The attackers had abandoned the malware and had since commandeered the victim company's administrative tools.
It was a classic case of incident response tunnel vision that left the victim organization at the mercy of the attackers while the IR team was sidetracked. "Unfortunately, the analyst had tunnel vision and, because of this, didn't address outside the spectrum of these Chinese attackers they believed [the malware] represented," says Shane Shook, global vice president of consulting for Cylance, whose firm discovered the oversight after it was hired by the victim organization to perform a review of the attack investigation.
More Security Insights
- Forrester Study: The Total Economic Impact of VMware View
- Securing Executives and Highly Sensitive Documents of Corporations Globally
[Don't rush to notification before getting enough information from your investigation, and when you do go public, be as open as possible. See Your Database Was Breached: Now What?.]
It's easy to prematurely draw conclusions about the attackers and type of attack in the early phase of discovery, but rushing to judgment too soon or tipping your hand to the attackers can have serious consequences, incident response and forensics experts say. Sophisticated attackers can quickly change up their malware and mask their movements if they know they've been outed.
"What most organizations do is overreact: They throw all of their efforts into that one incident and are not looking at what they should be looking at," says David Amsler, president and CIO of Foreground Security. "And, worse, they don't have a playbook [for response]. It's so haphazard, and that's where they fall down."
Amsler, Shook, and other security experts say there are some things that you should just never do in the wake of an attack. Here's a look at the top three biggest mistakes organizations make in the wake of a cyberattack.
1. ASSuming It's An APT With China and APTs seared into the consciousness of many organizations today, it's no surprise that many organizations automatically blame an APT when they discover they've been infiltrated. But identifying the attacker is not straightforward in cyberattacks, and incident response isn't about ID'ing the individual attackers, anyway, Cylance's Shook says.
"I see it often," Shook says of organizations mistakenly identifying an attack as cyberespionage. "A phishing email to a command-and-control beaconing address -- that type of activity is not attributed to longer-term persistence," he says. It's more likely a financially motivated attacker, not cyberspies, he says.
"You have to view the available evidence through a lens of objectivity," Shook says.
If not, key evidence and malicious activity can go unnoticed and do further damage. Shook says in the case of the attacked government services organization where no one noticed the hijacked admin tools, his firm in its investigation found three campaigns from similar attack groups had infiltrated the victim organization. "They all generally belonged to the same activity pattern, but had overlapping time frames," he says. The attackers had taken control of common admin utilities to facilitate the exfiltration of information.
"The other [attacker] groups were more persistent, and [the IR team] didn't see them. They had use of the client's infrastructure," Shook says.
And, increasingly, threat actors in Russia, Brazil, Mexico, Pakistan, and the U.S. are mimicking some of the Chinese cyberespionage attack methods. "As an attacker with malicious intent, it's a form of obfuscating who I am by mimicking the TTPs [tactics, techniques and procedures] of someone else," he says.
Trent Healy, senior security consultant with Foreground Security, says you can't just rely on attack indicators, anyway. "Command-and-control is getting more complex ... attackers are probably going to use one set of C&C to do some campaigns, and neighboring ASNs [autonomous system numbers] could be malicious activity by the same actor. The first C&C is the beachhead; the other is one they don't want you to see," Healy says.
2. Not Monitoring Traffic No one can completely prevent getting hacked by a determined attacker. That's the cold hard reality today, but the common reaction of a breached organization is to ask which patch or tool it was missing that led to the attack, notes Tom Cross, director of security research at Lancope.
"The question they ask is, 'How do I invest in better preventative measures so this kind of breach doesn't happen to me in the future?' Well, that process makes sense -- up to a point," Cross explains. No process or patch can truly stop a zero-day or unpatched vuln from being exploited, or something that was made to evade your antivirus or IPS, he says.
Cross says this prevention-only mindset falls short. "You need to be able to look beyond the perimeter at what's going on inside your network. There are incidents [victim organizations] are experiencing that they can't prevent through vulnerability management," he says. "The way you stop these sophisticated targeted attacks or disrupt them [early on in the process] is through incident response and analysis and understanding as much about the attacks as possible."
That requires IR skill sets and capabilities, he says, but also monitoring methods such as employing NetFlow to track network transactions. "NetFlow traffic is much less expensive to store, so you can store a longer history as packet capture for the same amount of disk space," he says. "NetFlow and full packet capture [log] every single thing that happens, even the good [traffic]," he says.
But most organizations don't have proper monitoring -- logging, NetFlow, packet capture -- in place. "Many companies are not prepared because they don't have [these] capabilities in place to respond quickly and properly," Foreground's Amsler says.
Keeping audit trails helps in troubleshooting when an attack is discovered. "The next question is what happened between the time the computer was compromised and when I shut it down? What else did it do? These are basic questions that a lot of organizations have no way to answer" without monitoring traffic, Lancope's Cross says.
Monitoring NetFlow traffic can help track insider threats and malware infections, he says. "You've got a record of network transactions happening in your environment that you can cross-reference to IP intelligence data and to identify bot-infected hosts."
Foreground's Amsler says even some of the largest companies aren't properly monitoring their traffic such that it can aid them in their IR process. "We are seeing in a majority of cases that customers don't have NetFlows, packet capture ... maybe they're getting some logs fed in to the SIEM. But they don't have the time or skill sets to store it and use it," anyway, he says.
"We've had two separate large customers on the phone because they're 'owned'" and don't know what to do, he says. "The fundamental biggest struggle is they are not prepared for it because they're not monitoring for it."
3. Focusing Only On The Malware
Hacked organizations typically spend a lot of time and resources on malware cleanup rather than on the primary threats. "Viruses and malware are a nuisance. They represent a risk," Cylance's Shook says.
But malware and tools should be less of a priority than determining whether data theft or sabotage has occurred and other more long-term damages, according to Shook. "Second, has the user profile been manipulated? Third, has lateral movement been made or made available to people?" he says. Last on the list is pinpointing any malicious tools, he says.
Foreground's Amsler advises to not immediately upload the malware sample you find to VirusTotal or other open forums because some attackers keep tabs on that and will just regroup and change their patterns. "And don't turn off [infected] computers: Then IR has lost all of the most valuable data they have," he says.
The more advanced attackers are monitoring to see whether they've been detected, so the last thing you want to do is broadcast that you're onto them. "The actors are watching and waiting and know when you know they exist, and they change their patterns," Amsler says.
Focusing primarily on malware in an attack is akin to a doctor treating just the symptoms and not the actual disease, he says. "If you're just treating the malware infection and not looking at the root cause, and did that move laterally [in the organization] and infect other parts of the body, then you haven't identified how bad this disease is in the environment," he says.
Don't assume that just because you've cleaned up an infection that you're safe from a relapse: Advanced attackers often have more than one way into their victim's organization than just the malware. "Unfortunately, through lack of experience, many people believe that once they've identified the malware, there's no residual risk," Cylance's Shook says. "But malware is [just] one of the initial activities to establish ways in. You can't restrict [yourself] to just identifying and eradicating malware."
Have a comment on this story? Please click "Add Your Comment" below. If you'd like to contact Dark Reading's editors directly, send us a message.