Vulnerabilities / Threats //

Advanced Threats

10:30 AM
Ryan Benson
Ryan Benson
Connect Directly
E-Mail vvv

The 4 Top Barriers To Effective Incident Response

Responding to cyberattacks is straightforward in some ways, difficult in others. Here are four ways that the process can get tripped up.

Cyberattacks are getting worse, growing in frequency and impact. This probably isn't a surprising statement for anyone reading Dark Reading. Most organizations understand this and are taking measures to prevent and detect threats. While hundreds of firms are working to build new technologies to help here, there are fewer options for actually responding to the attacks that are detected. Estimates range from 50 to 60 days for security teams to contain and respond to incidents, on average.

As a practitioner of forensics and incident response (IR) at both a large healthcare firm and at multiple forensics consulting firms, I have worked on many cybersecurity incidents. Although IR is straightforward in some ways, it's often very difficult in others. In practice, these four barriers most often prevent IR teams from responding effectively and efficiently to threats:

  1. Availability of information: This is table stakes; obviously, if the forensics information doesn't exist, you can't do much with it. It's surprising how often organizations simply don't log useful information. One firm I spoke with only logged failed logon attempts, so it had no way of tracking attackers who actually entered the network. Useful information to log from an endpoint at a minimum includes user logons and logoffs, both successful and unsuccessful; changes or additions to user or group accounts; process creation and termination; and PowerShell logs. On the network side, DNS queries, proxy logs, and NetFlow information are valuable historical data sources.
  2. Scalability barriers: Some information is useful, but impossible to get at scale. For example, in a smaller investigation, I might want a full disk image of a user's workstation to look for malware or other indicators of compromise. In a larger investigation, I may need to look on every employee’s machine for those same indicators. Getting a disk image from one machine isn’t hard; getting it from 50,000 endpoints may be impossible (and would result in way more information than is needed to answer my question). Centralized logging can make the process much easier to scale, as can endpoint technologies such as Carbon Black, osquery, and Mozilla InvestiGator.
  3. People shortages: Many firms simply don't have the bodies (and connected brains) needed to investigate and analyze an incident. This may be due to frozen staffing budgets or simple inability to hire what's needed. So, when an incident hits, it's too slow or not even possible to investigate using the available people. Although the usual answer to this is "bring in the consultants," this isn't always possible. The forensics firms themselves face shortages and may not be able to staff a project in time. People shortages are tough problems, since you can’t create new experts overnight. Automation, to amplify and guide the people you already have, is the only way to proceed here. It's possible to automate data gathering, timeline creation, reputation and context, etc., making life easier for your analysts and cutting response dramatically. It also can make the employees you do have more efficient (and happier) by eliminating some of the tedious, repetitive parts of an investigation.
  4. Collaboration at scale: In many past engagements, we, as IR consultants, tracked notes and data in a shared spreadsheet and discussed the information over chat. With the volume and complexity of incidents today, this doesn't work any longer. Tools are coming to market that help IR teams collaborate, share notes, and respond quickly. Look for these, whether commercial or open source, as they will support a collaborative response that doesn't miss details.

The barriers aren't hard to describe: lack of data, lack of brains, failure to work at scale. I've suggested some approaches that can help, and there are interesting new technologies becoming available that make many of these IR processes more effective. Some things will be required for the foreseeable future: more data means better analysis - and it's hard to find good people, and harder to coordinate them. Bottom line: we need to get better at managing data at scale, at automating the tasks that slow down analysts, and at amplifying those analysts' abilities. 

Related Content:

Ryan Benson is a senior threat researcher at Exabeam. He has over a decade's experience in computer forensics and incident response, with previous roles at Stroz Friedberg and Mandiant. He also worked within corporate IT as an information security engineer at Kaiser Permanente. View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
1/19/2017 | 7:32:59 PM
Great Points
Great points. We are in the business of do more with less. With advances in automation and collaboration, coupled with budget cuts and workforces reduction, it seems like incident response is relying on a smaller workforce with stronger skill sets and more efficient and powerful tools. There is a point where the workforce is cut too thin and the model fails. How thin can the workforce be cut before incident response is deemed ineffective?
How the US Chooses Which Zero-Day Vulnerabilities to Stockpile
Ricardo Arroyo, Senior Technical Product Manager, Watchguard Technologies,  1/16/2019
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "He just showed up at my doorstep one day without a geotag."
Current Issue
The Year in Security 2018
This Dark Reading Tech Digest explores the biggest news stories of 2018 that shaped the cybersecurity landscape.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 contains hardcoded credentials in the WCF service on port 9003. An authenticated remote attacker can use these credentials to access the badge system database and modify its contents.
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores user credentials and other sensitive information with a known weak encryption method (MD5 hash of a salt and password).
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 stores backup files as encrypted zip files. The password to the zip is hard-coded and unchangeable. An attacker with access to these backups can decrypt them and obtain sensitive data.
PUBLISHED: 2019-01-18
Premisys Identicard version 3.1.190 database uses default credentials. Users are unable to change the credentials without vendor intervention.
PUBLISHED: 2019-01-18
Crestron AM-100 before firmware version contains an authentication bypass in the web interface's return.cgi script. Unauthenticated remote users can use the bypass to access some administrator functionality such as configuring update sources and rebooting the device.