How To Be A 'Compromise-Ready' Organization

Incident response pros share tips on how to have all your ducks in a row before the inevitable breach.

MIRcon -- Washington, D.C. -- You'd think an accurate, up-to-date network diagram would be a given at most organizations, but forensics and incident responders say that's one of the more common missing puzzle pieces when they first respond to a client's data breach.

Marshall Heilman, a consultant with FireEye's Mandiant, said that seemingly no-brainer network diagram isn't always handy at a breached company. "I need to learn the network as fast as humanly possible," Heilman said here this week during a presentation on IR. If the victim organization either doesn't have one or has an outdated version of it, it's a "waste of time."

Heilman and Craig Hoffman, a partner with BakerHostetler, who work together on security incident investigations at their clients' site, offered advice to organizations on how to be prepared for the investigation/IR phase after a cyberattack, including what information and types of logs to have on hand. Even though attacks are inevitable and require organizations to plan ahead on how they will respond, react, and disclose publicly, there still are ways to minimize the damage if you're properly prepared, they say.

"Almost without exception, every single case I have worked on could have been mitigated if the organization had implemented security 101 and actually paid attention to their security assets," Heilman said. "I don't believe you can prevent all breaches. I do believe that all breaches can be mitigated."

That starts with building what Heilman called a "compromise-ready environment." That means planning for just how you'll react to a breach and work with investigators. "Understand the types of questions the investigators are going to ask, and can you give the answers. That reduces the amount of time it takes to investigate a breach," and it can reduce the pain and ultimate damage.

The problem is many organizations get caught unawares about their breaches. "A lot of times, incidents come out in the media or by third parties before you are aware of it. Most don't self-detect," he said. "The Secret Service, FBI, or bloggers come to them."

Aside from having an updated network diagram that shows data flows, here's a partial checklist of items to have on hand for incident responders and to be "compromise-ready":

Logs -- the relevant ones
"Large firms have lots of internal DNS servers. One company [we investigated] had 100-plus internal DNS servers but only four external servers," Heilman said. "But they were logging external DNS traffic only."

The problem: Without internal DNS logs, the IR team wasn't able to pin down which system made a DNS request, which made it difficult to track the attackers and compromised internal systems.

Hostname-to-IP address mappings
Since many organizations use Dynamic Host Configuration Protocol (DHCP) to rotate the mapping of IP addresses to internal systems, the IP addresses are a moving target. "If I'm looking at an investigation that occurred within seven days, I get my answers. But if it's one that happened over a year ago… I have no idea who it is," he said.
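The two checklist items above (internal DNS logs, and hostname-to-IP history under DHCP) are really one correlation task for a responder, shown here as an added example that is not from the article or the presenters: constructed DHCP lease events and internal DNS query lines are joined by time window so each query is attributed to the host that actually held the client IP then, and a query falling outside any lease record comes back unattributed, which is the "I have no idea who it is" case. The log formats, IPs and hostnames are assumed for illustration.

```python
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample logs with assumed formats (not any product's own):
# DHCP event "timestamp action ip hostname"; DNS query "timestamp client_ip qname".
DHCP_LOG = """\
2014-10-01T08:00:00 lease 10.1.2.50 LAPTOP-FIN01
2014-10-01T09:30:00 lease 10.1.2.51 LAPTOP-HR07
2014-10-01T18:00:00 release 10.1.2.50 LAPTOP-FIN01
2014-10-02T07:45:00 lease 10.1.2.50 LAPTOP-ENG22
"""
DNS_LOG = """\
2014-10-01T10:15:00 10.1.2.50 update.example.net
2014-10-01T10:16:00 10.1.2.51 mail.example.com
2014-10-01T20:00:00 10.1.2.50 update.example.net
2014-10-02T08:05:00 10.1.2.50 update.example.net
2014-10-03T12:00:00 10.1.2.99 intranet.example.com
"""

def parse_dhcp(log: str) -> Dict[str, list]:
    """Per-IP lease intervals (start, end or None while active, hostname);
    a release or a new lease on the same IP closes the currently open interval."""
    leases: Dict[str, list] = {}
    for line in log.splitlines():
        ts_s, action, ip, host = line.split()
        ts, ivs = datetime.fromisoformat(ts_s), leases.setdefault(ip, [])
        if ivs and ivs[-1][1] is None:
            ivs[-1] = (ivs[-1][0], ts, ivs[-1][2])
        if action == "lease":
            ivs.append((ts, None, host))
    return leases

def host_at(leases: Dict[str, list], ip: str, ts: datetime) -> Optional[str]:
    """Hostname holding `ip` at `ts`, or None when no lease record covers that moment."""
    for start, end, host in leases.get(ip, []):
        if start <= ts and (end is None or ts < end):
            return host
    return None

def attribute_dns(dhcp_log: str, dns_log: str) -> List[Tuple[str, str, Optional[str], str]]:
    """Tag each internal DNS query with the host that held the client IP at that time."""
    leases = parse_dhcp(dhcp_log)
    rows = []
    for line in dns_log.splitlines():
        ts_s, ip, qname = line.split()
        rows.append((ts_s, ip, host_at(leases, ip, datetime.fromisoformat(ts_s)), qname))
    return rows

def hosts_that_queried(rows, qname: str) -> set:
    """The responder's question: which systems asked for this name, across lease changes?"""
    return {host for _, _, host, q in rows if q == qname and host is not None}
```

Note that 10.1.2.50 resolves to two different hosts on consecutive days; without the lease history, the two `update.example.net` queries would look like one system.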

Know how to find files in your environment.
When a malicious file is spotted on the network, you need to know how to find where that file exists and has spread throughout the entire environment. "Most organizations cannot easily do that. And time is one thing you don't have in an investigation."

Run incident-response fire drills.
Simulate how you contact the relevant team members and outside help and what you'll be telling the press. "Run some drills," Heilman said.

Don't go public too soon or with unconfirmed information.
Hoffman said there are four things you need to be able to answer before you go public about your breach: "What happened, how it happened, what you are doing to prevent it from happening again, and what you are doing to protect people affected by the incident."

A big mistake organizations make is changing their public message about the breach, he said. "If you have to change that message, that will affect your credibility."

Kelly Jackson Higgins is Executive Editor at Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

User Rank: Apprentice
10/10/2014 | 3:36:02 PM
Re: Good checklist.. How many companies follow it?
They forgot to mention one very critical piece of the list to be prepared. That is : Network Forensics.

All of the tools out there today, security-wise, are mainly based upon IDS/IPS and firewall solutions. Those are great, for statistical data, and say syslogs or logs, but what happens when there is a breach? How do you identify what IP it was, what protocol was used, and what data and machines were affected? Having a system that captures every packet on the network, and stores them onto HDs, so you can go back in time and do forensics on the data or time scope you like. Check these guys out... 
Kelly Jackson Higgins
User Rank: Strategist
10/10/2014 | 11:04:15 AM
Re: Good checklist.. How many companies follow it?
This quote says it all, though: "Almost without exception, every single case I have worked on could have been mitigated if the organization had implemented security 101 and actually paid attention to their security assets," Heilman said. "I don't believe you can prevent all breaches. I do believe that all breaches can be mitigated."
Marilyn Cohodas
User Rank: Strategist
10/10/2014 | 10:37:32 AM
Re: Good checklist.. How many companies follow it?
Yes, it was fascinating to read where the gaps are. I wouldn't be surprised to find other areas where IR has fallen short after an attack. (Hint, hint, dear readers).
Kelly Jackson Higgins
User Rank: Strategist
10/10/2014 | 10:33:25 AM
Re: Good checklist.. How many companies follow it?
What was so interesting about this was Craig and Marshall were really providing insider insight into what they deal with in an IR engagement. They have been there when the victim company isn't prepared and thus the investigation is hampered from the get-go.
Marilyn Cohodas
User Rank: Strategist
10/10/2014 | 10:07:36 AM
Good checklist.. How many companies follow it?
There is some really good advice in this article. Curious to know how many in the Dark Reading community are 'compromise ready' and, if not, where do their companies fall short.