Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Attacks/Breaches

11/5/2018
10:30 AM
Jackson Shaw
Jackson Shaw
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

After the Breach: Tracing the 'Smoking Gun'

Systems, technology, and threats change, and your response plan should, too. Here are three steps to turn your post-breach assessment into a set of workable best practices.

Many times, organizations become so wrapped up in taking steps to avoid becoming the next breach headline that they neglect arguably one of the most important steps: understanding exactly what happened after a breach occurs. But prevention is only part of the equation. Businesses are beginning to see the benefits of analyzing breaches after an event — among them, lowering forensics costs to improving the efficiency of incident management. But, as with any security practice, there is still much room for improvement.

Here are three important steps that can turn an organization’s post-breach assessment into workable best practices that will protect their enterprise from future attacks.

Step 1: Identify Potential Sources of Data
Following an incident, the simple question of "who did what?" is one of the most critical — yet most difficult — to answer. When an incident occurs, organizations want to discover the root cause as soon as possible to determine if other data is actively at risk and avoid additional compromise.

A full examination of security, operations, and access logs can help determine the initial cause and piece together a sequence of events. Typical resources usually start with security logs, operations logs, and remote access logs created on servers, clients, operating systems, databases, networks, and security devices. But even logs have their limitations.

For example, organizations that rely solely on logs run the risk of not detecting advanced attacks stemming from privileged user activities. In addition, a skillful attacker (or a rogue system administrator) can easily erase or alter relevant logs to cover his/her tracks. The loss of this information can lead to a faulty and costly investigation, followed by a delayed response or even an undetected breach — any organization's worst nightmare.

As a countermeasure, security can teams can turn to resources, such as session audits (leveraging session recordings and replayable audit trails) and behavioral analytics (detecting anomalous activity based on deviations from established norms) that show the full context of suspicious user activity and can also provide alerts if suspicious activity is detected.

Biometric and session data — such as mouse movement, logins, previously issued commands, viewed windows, and keystrokes during a session — provide tamper-proof audit trails that allow an analyst to replay or rebuild a user's action. When supplemented with log data, this type of monitoring gives analysts the tools to building a timeline of events, which is invaluable for both real-time and post-breach investigations.

Step 2: Acquire, Verify & Extract Breach Data
After identifying potential data sources, the analyst will need to acquire the data from the identified sources and — perhaps most importantly — verify its integrity before analyzing it.

Log management tools can help here by centrally collecting, filtering, normalizing, and storing log data from a wide range of sources. In a privilege misuse investigation scenario, it's recommended that analysts include audit trails stored by privileged session recording tools in their data acquisition plan.

After the data has been acquired, it's essential to verify its legitimacy, to prove that the data has not been tampered with, especially if it's needed as legal evidence in building an incident response plan.

Advanced forensic tools can protect against tampering by providing encrypted, time-stamped and digitally signed data. In addition, they can secure sensitive information with granular access policies.

After the data has been collected and verified, analysts will need to examine the data by assessing and extracting the relevant pieces of information. The use of forensics tools can provide quick navigation to the point in time where the suspicious event occurred. Combining log data with session metadata can accelerate examination of privileged account-related incidents.

Step 3: Conduct a Full Analysis
Once the relevant information has been extracted, the team should analyze the data to draw conclusions that help answer the who, what, where, when, why, and how of a breach. The foundation of good forensics is using a methodical approach to reach appropriate conclusions based on the available data or determine that no other conclusion can be drawn.

Third-party services can assist with conducting assessments ranging from information technology risk and network vulnerability assessments to penetration testing and many other types of assessments that determine if there is a weakness that can be targeted and eradicated. These risk evaluations allow an organization to establish an appropriate protocol and response process to protect it from future incidents.

As long as data is at risk, a breach or accidental loss can — and will — occur. But by conducting a thorough post-breach assessment, a company can craft a thoughtful response plan that prioritizes mitigation of risk, security of critical assets, and effective crisis execution.

Systems, technology, and threats change, so your response plan should, too. Security teams should conduct an audit at least once a year and conduct incident response plan "fire drills" to ensure the plan is still relevant, minimizes the possibility of future recurrences, and can be fine-tuned to establish accountability on an ongoing basis.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Jackson Shaw is vice president of product management for One Identity, the identity & access management (IAM) business of Quest Software. Prior to Quest, Jackson was an integral member of Microsoft's IAM product management team within the Windows server marketing group at ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Threaded  |  Newest First  |  Oldest First
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.