Attacks/Breaches

11/5/2018
10:30 AM
Jackson Shaw
Jackson Shaw
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
50%
50%

After the Breach: Tracing the 'Smoking Gun'

Systems, technology, and threats change, and your response plan should, too. Here are three steps to turn your post-breach assessment into a set of workable best practices.

Many times, organizations become so wrapped up in taking steps to avoid becoming the next breach headline that they neglect arguably one of the most important steps: understanding exactly what happened after a breach occurs. But prevention is only part of the equation. Businesses are beginning to see the benefits of analyzing breaches after an event — among them, lowering forensics costs to improving the efficiency of incident management. But, as with any security practice, there is still much room for improvement.

Here are three important steps that can turn an organization’s post-breach assessment into workable best practices that will protect their enterprise from future attacks.

Step 1: Identify Potential Sources of Data
Following an incident, the simple question of "who did what?" is one of the most critical — yet most difficult — to answer. When an incident occurs, organizations want to discover the root cause as soon as possible to determine if other data is actively at risk and avoid additional compromise.

A full examination of security, operations, and access logs can help determine the initial cause and piece together a sequence of events. Typical resources usually start with security logs, operations logs, and remote access logs created on servers, clients, operating systems, databases, networks, and security devices. But even logs have their limitations.

For example, organizations that rely solely on logs run the risk of not detecting advanced attacks stemming from privileged user activities. In addition, a skillful attacker (or a rogue system administrator) can easily erase or alter relevant logs to cover his/her tracks. The loss of this information can lead to a faulty and costly investigation, followed by a delayed response or even an undetected breach — any organization's worst nightmare.

As a countermeasure, security can teams can turn to resources, such as session audits (leveraging session recordings and replayable audit trails) and behavioral analytics (detecting anomalous activity based on deviations from established norms) that show the full context of suspicious user activity and can also provide alerts if suspicious activity is detected.

Biometric and session data — such as mouse movement, logins, previously issued commands, viewed windows, and keystrokes during a session — provide tamper-proof audit trails that allow an analyst to replay or rebuild a user's action. When supplemented with log data, this type of monitoring gives analysts the tools to building a timeline of events, which is invaluable for both real-time and post-breach investigations.

Step 2: Acquire, Verify & Extract Breach Data
After identifying potential data sources, the analyst will need to acquire the data from the identified sources and — perhaps most importantly — verify its integrity before analyzing it.

Log management tools can help here by centrally collecting, filtering, normalizing, and storing log data from a wide range of sources. In a privilege misuse investigation scenario, it's recommended that analysts include audit trails stored by privileged session recording tools in their data acquisition plan.

After the data has been acquired, it's essential to verify its legitimacy, to prove that the data has not been tampered with, especially if it's needed as legal evidence in building an incident response plan.

Advanced forensic tools can protect against tampering by providing encrypted, time-stamped and digitally signed data. In addition, they can secure sensitive information with granular access policies.

After the data has been collected and verified, analysts will need to examine the data by assessing and extracting the relevant pieces of information. The use of forensics tools can provide quick navigation to the point in time where the suspicious event occurred. Combining log data with session metadata can accelerate examination of privileged account-related incidents.

Step 3: Conduct a Full Analysis
Once the relevant information has been extracted, the team should analyze the data to draw conclusions that help answer the who, what, where, when, why, and how of a breach. The foundation of good forensics is using a methodical approach to reach appropriate conclusions based on the available data or determine that no other conclusion can be drawn.

Third-party services can assist with conducting assessments ranging from information technology risk and network vulnerability assessments to penetration testing and many other types of assessments that determine if there is a weakness that can be targeted and eradicated. These risk evaluations allow an organization to establish an appropriate protocol and response process to protect it from future incidents.

As long as data is at risk, a breach or accidental loss can — and will — occur. But by conducting a thorough post-breach assessment, a company can craft a thoughtful response plan that prioritizes mitigation of risk, security of critical assets, and effective crisis execution.

Systems, technology, and threats change, so your response plan should, too. Security teams should conduct an audit at least once a year and conduct incident response plan "fire drills" to ensure the plan is still relevant, minimizes the possibility of future recurrences, and can be fine-tuned to establish accountability on an ongoing basis.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions, and service providers in the Business Hall. Click for information on the conference and to register.

Jackson Shaw is vice president of product management for One Identity, the identity & access management (IAM) business of Quest Software. Prior to Quest, Jackson was an integral member of Microsoft's IAM product management team within the Windows server marketing group at ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
High Stress Levels Impacting CISOs Physically, Mentally
Jai Vijayan, Freelance writer,  2/14/2019
Valentine's Emails Laced with Gandcrab Ransomware
Kelly Sheridan, Staff Editor, Dark Reading,  2/14/2019
Making the Case for a Cybersecurity Moon Shot
Adam Shostack, Consultant, Entrepreneur, Technologist, Game Designer,  2/19/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
5 Emerging Cyber Threats to Watch for in 2019
Online attackers are constantly developing new, innovative ways to break into the enterprise. This Dark Reading Tech Digest gives an in-depth look at five emerging attack trends and exploits your security team should look out for, along with helpful recommendations on how you can prevent your organization from falling victim.
Flash Poll
How Enterprises Are Attacking the Cybersecurity Problem
How Enterprises Are Attacking the Cybersecurity Problem
Data breach fears and the need to comply with regulations such as GDPR are two major drivers increased spending on security products and technologies. But other factors are contributing to the trend as well. Find out more about how enterprises are attacking the cybersecurity problem by reading our report today.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-15380
PUBLISHED: 2019-02-20
A vulnerability in the cluster service manager of Cisco HyperFlex Software could allow an unauthenticated, adjacent attacker to execute commands as the root user. The vulnerability is due to insufficient input validation. An attacker could exploit this vulnerability by connecting to the cluster serv...
CVE-2019-3474
PUBLISHED: 2019-02-20
A path traversal vulnerability in the web application component of Micro Focus Filr 3.x allows a remote attacker authenticated as a low privilege user to download arbitrary files from the Filr server. This vulnerability affects all versions of Filr 3.x prior to Security Update 6.
CVE-2019-3475
PUBLISHED: 2019-02-20
A local privilege escalation vulnerability in the famtd component of Micro Focus Filr 3.0 allows a local attacker authenticated as a low privilege user to escalate to root. This vulnerability affects all versions of Filr 3.x prior to Security Update 6.
CVE-2019-10030
PUBLISHED: 2019-02-20
A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.52 and earlier in RejectASTTransformsCustomizer.java that allows attackers with Overall/Read permission to provide a Groovy script to an HTTP endpoint that can result in arbitrary code execution on the Jenkins master JVM.
CVE-2019-10030
PUBLISHED: 2019-02-20
A exposure of sensitive information vulnerability exists in Jenkins Cloud Foundry Plugin 2.3.1 and earlier in AbstractCloudFoundryPushDescriptor.java that allows attackers with Overall/Read access to connect to an attacker-specified URL using attacker-specified credentials IDs obtained through anoth...