Ryan Benson
The 4 Top Barriers To Effective Incident Response

Responding to cyberattacks is straightforward in some ways, difficult in others. Here are four ways that the process can get tripped up.

Cyberattacks are getting worse, growing in frequency and impact. This probably isn't a surprising statement for anyone reading Dark Reading. Most organizations understand this and are taking measures to prevent and detect threats. While hundreds of firms are working to build new technologies to help here, there are fewer options for actually responding to the attacks that are detected. Estimates range from 50 to 60 days for security teams to contain and respond to incidents, on average.

As a practitioner of forensics and incident response (IR) at both a large healthcare firm and at multiple forensics consulting firms, I have worked on many cybersecurity incidents. Although IR is straightforward in some ways, it's often very difficult in others. In practice, these four barriers most often prevent IR teams from responding effectively and efficiently to threats:

  1. Availability of information: This is table stakes; obviously, if the forensics information doesn't exist, you can't do much with it. It's surprising how often organizations simply don't log useful information. One firm I spoke with only logged failed logon attempts, so it had no way of tracking attackers who actually entered the network. Useful information to log from an endpoint at a minimum includes user logons and logoffs, both successful and unsuccessful; changes or additions to user or group accounts; process creation and termination; and PowerShell logs. On the network side, DNS queries, proxy logs, and NetFlow information are valuable historical data sources.
  2. Scalability barriers: Some information is useful, but impossible to get at scale. For example, in a smaller investigation, I might want a full disk image of a user's workstation to look for malware or other indicators of compromise. In a larger investigation, I may need to look on every employee’s machine for those same indicators. Getting a disk image from one machine isn’t hard; getting it from 50,000 endpoints may be impossible (and would result in way more information than is needed to answer my question). Centralized logging can make the process much easier to scale, as can endpoint technologies such as Carbon Black, osquery, and Mozilla InvestiGator.
  3. People shortages: Many firms simply don't have the bodies (and connected brains) needed to investigate and analyze an incident. This may be due to frozen staffing budgets or simple inability to hire what's needed. So, when an incident hits, it's too slow or not even possible to investigate using the available people. Although the usual answer to this is "bring in the consultants," this isn't always possible. The forensics firms themselves face shortages and may not be able to staff a project in time. People shortages are tough problems, since you can’t create new experts overnight. Automation, to amplify and guide the people you already have, is the only way to proceed here. It's possible to automate data gathering, timeline creation, reputation and context, etc., making life easier for your analysts and cutting response dramatically. It also can make the employees you do have more efficient (and happier) by eliminating some of the tedious, repetitive parts of an investigation.
  4. Collaboration at scale: In many past engagements, we, as IR consultants, tracked notes and data in a shared spreadsheet and discussed the information over chat. With the volume and complexity of incidents today, this doesn't work any longer. Tools are coming to market that help IR teams collaborate, share notes, and respond quickly. Look for these, whether commercial or open source, as they will support a collaborative response that doesn't miss details.
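The logging and automation points above (barriers 1 and 3) can be shown in code. The following is an added example, not code from the article or from Exabeam: it normalises constructed sample lines from three sources (Windows logon and process events, a DNS query log, a proxy log) into one timeline, then runs a check that only works if both failed and successful logons were logged. The log formats are simplified stand-ins, not any real product's output.

```python
from datetime import datetime, timezone

def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

# Constructed samples (simplified formats, not real product output):
# Windows security events (4625 failed logon, 4624 successful logon,
# 4688 process creation), a DNS query log and a proxy log.
WIN_EVENTS = [
    "2017-01-10T08:01:05Z 4625 user=jdoe src=10.0.0.7",
    "2017-01-10T08:01:09Z 4625 user=jdoe src=10.0.0.7",
    "2017-01-10T08:01:14Z 4624 user=jdoe src=10.0.0.7",
    "2017-01-10T08:03:00Z 4688 user=jdoe proc=powershell.exe",
]
DNS_LOG = ["2017-01-10T08:02:30Z 10.0.0.7 A files.example.test"]
PROXY_LOG = ["2017-01-10T08:02:31Z 10.0.0.7 GET http://files.example.test/tool.zip 200"]

def parse_win(line):
    ts, eid, rest = line.split(" ", 2)
    ev = {"ts": _ts(ts), "source": "windows", "event": eid}
    ev.update(kv.split("=", 1) for kv in rest.split())  # user=, src=, proc=
    return ev
def parse_dns(line):
    ts, src, qtype, name = line.split()
    return {"ts": _ts(ts), "source": "dns", "event": qtype, "src": src, "name": name}
def parse_proxy(line):
    ts, src, method, url, status = line.split()
    return {"ts": _ts(ts), "source": "proxy", "event": method, "src": src,
            "url": url, "status": status}

def build_timeline():
    """Normalise every source to one record shape and sort by timestamp."""
    events = [parse_win(l) for l in WIN_EVENTS]
    events += [parse_dns(l) for l in DNS_LOG] + [parse_proxy(l) for l in PROXY_LOG]
    return sorted(events, key=lambda e: e["ts"])

def success_after_failures(timeline, min_failures=2, window_s=60):
    """Flag a 4624 preceded by >= min_failures 4625s for the same user within
    window_s seconds. A site that logs only failures cannot answer this."""
    hits, recent = [], {}
    for e in timeline:
        if e["source"] != "windows":
            continue
        if e["event"] == "4625":
            recent.setdefault(e["user"], []).append(e["ts"])
        elif e["event"] == "4624":
            fails = [t for t in recent.get(e["user"], [])
                     if (e["ts"] - t).total_seconds() <= window_s]
            if len(fails) >= min_failures:
                hits.append((e["user"], e["src"], e["ts"].isoformat()))
    return hits
```

With the sample data, the merged timeline reads failed logon, failed logon, successful logon, DNS query, proxy download, process creation, and the check flags the jdoe logon from 10.0.0.7.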

The barriers aren't hard to describe: lack of data, lack of brains, failure to work at scale. I've suggested some approaches that can help, and there are interesting new technologies becoming available that make many of these IR processes more effective. Some things will hold true for the foreseeable future: more data means better analysis; good people are hard to find and harder to coordinate. Bottom line: we need to get better at managing data at scale, at automating the tasks that slow down analysts, and at amplifying those analysts' abilities.


Ryan Benson is a senior threat researcher at Exabeam. He has over a decade's experience in computer forensics and incident response, with previous roles at Stroz Friedberg and Mandiant. He also worked within corporate IT as an information security engineer at Kaiser Permanente.
1/19/2017 | 7:32:59 PM
Great Points
Great points. We are in the business of doing more with less. With advances in automation and collaboration, coupled with budget cuts and workforce reductions, it seems like incident response is relying on a smaller workforce with stronger skill sets and more efficient and powerful tools. There is a point where the workforce is cut too thin and the model fails. How thin can the workforce be cut before incident response is deemed ineffective?