Cyberattacks are getting worse, growing in frequency and impact. This probably isn't a surprising statement for anyone reading Dark Reading. Most organizations understand this and are taking measures to prevent and detect threats. While hundreds of firms are working to build new technologies to help here, there are fewer options for actually responding to the attacks that are detected. Estimates of the average time it takes security teams to contain and respond to an incident range from 50 to 60 days.
As a practitioner of forensics and incident response (IR) at both a large healthcare firm and at multiple forensics consulting firms, I have worked on many cybersecurity incidents. Although IR is straightforward in some ways, it's often very difficult in others. In practice, these four barriers most often prevent IR teams from responding effectively and efficiently to threats:
- Availability of information: This is table stakes; obviously, if the forensics information doesn't exist, you can't do much with it. It's surprising how often organizations simply don't log useful information. One firm I spoke with only logged failed logon attempts, so it had no way of tracking attackers who actually entered the network. Useful information to log from an endpoint at a minimum includes user logons and logoffs, both successful and unsuccessful; changes or additions to user or group accounts; process creation and termination; and PowerShell logs. On the network side, DNS queries, proxy logs, and NetFlow information are valuable historical data sources.
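As a minimal sketch of how that endpoint logging advice translates into triage, the snippet below filters a JSON-lines export of Windows Security events down to the categories listed above, using the well-known event IDs for logons, account changes, and process activity. The field names (`EventID`, `TimeCreated`) are assumptions about the export format, not a reference to any particular tool.

```python
import json

# Windows Security event IDs covering the minimum set described above:
# logons and logoffs (successful and failed), account changes,
# and process creation/termination.
EVENTS_OF_INTEREST = {
    4624: "successful logon",
    4625: "failed logon",
    4634: "logoff",
    4688: "process creation",
    4689: "process termination",
    4720: "user account created",
    4732: "member added to security group",
    4738: "user account changed",
}

def triage(lines):
    """Keep only the events worth retaining from a JSON-lines log export."""
    hits = []
    for line in lines:
        event = json.loads(line)
        event_id = event.get("EventID")
        if event_id in EVENTS_OF_INTEREST:
            hits.append((event_id, EVENTS_OF_INTEREST[event_id],
                         event.get("TimeCreated")))
    return hits
```

The point isn't the specific code; it's that if these events were never logged in the first place, no amount of filtering will recover them.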
- Scalability barriers: Some information is useful, but impossible to get at scale. For example, in a smaller investigation, I might want a full disk image of a user's workstation to look for malware or other indicators of compromise. In a larger investigation, I may need to look on every employee’s machine for those same indicators. Getting a disk image from one machine isn’t hard; getting it from 50,000 endpoints may be impossible (and would result in way more information than is needed to answer my question). Centralized logging can make the process much easier to scale, as can endpoint technologies such as Carbon Black, osquery, and Mozilla InvestiGator.
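One way to sidestep the full-disk-image problem is a targeted sweep: rather than pulling 50,000 images, push a small script to each endpoint that checks files against a list of known-bad hashes and reports only the matches. Below is a hedged sketch of the endpoint-side half of that idea; the function names and the choice of SHA-256 are illustrative assumptions, not a description of any of the tools named above.

```python
import hashlib
from pathlib import Path

def sha256_of(path):
    """Hash a file in chunks so large files don't exhaust memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def sweep(root, bad_hashes):
    """Walk a directory tree and report only files matching known-bad hashes."""
    matches = []
    for path in Path(root).rglob("*"):
        if path.is_file():
            try:
                if sha256_of(path) in bad_hashes:
                    matches.append(str(path))
            except OSError:
                continue  # locked or unreadable files are skipped, not fatal
    return matches
```

A sweep like this returns a few kilobytes of answers per machine instead of terabytes of raw disk, which is the difference between a question you can ask at scale and one you can't.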
- People shortages: Many firms simply don't have the bodies (and connected brains) needed to investigate and analyze an incident. This may be due to frozen staffing budgets or a simple inability to hire what's needed. So, when an incident hits, it's too slow or not even possible to investigate using the available people. Although the usual answer to this is "bring in the consultants," that isn't always possible. The forensics firms themselves face shortages and may not be able to staff a project in time. People shortages are tough problems, since you can't create new experts overnight. Automation, to amplify and guide the people you already have, is the only way to proceed here. It's possible to automate data gathering, timeline creation, reputation and context lookups, and more, making life easier for your analysts and cutting response time dramatically. It also can make the employees you do have more efficient (and happier) by eliminating some of the tedious, repetitive parts of an investigation.
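Timeline creation is a good example of an automatable chore: analysts routinely merge endpoint, DNS, and proxy events by hand to reconstruct what happened when. A minimal sketch of that merge is below; it assumes each event carries an ISO-8601 `timestamp` field, which is a simplification of real log formats.

```python
from datetime import datetime

def build_timeline(sources):
    """Merge per-source event lists into one chronological timeline.

    sources: mapping of source name -> list of event dicts, each with an
    ISO-8601 'timestamp'. Each merged event is tagged with its source so
    analysts retain provenance after the merge.
    """
    merged = []
    for name, events in sources.items():
        for event in events:
            merged.append({**event, "source": name})
    merged.sort(key=lambda e: datetime.fromisoformat(e["timestamp"]))
    return merged
```

Even a helper this small saves analysts from re-sorting spreadsheets by hand every time a new log source arrives, which is exactly the kind of tedium automation should absorb.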
- Collaboration at scale: In many past engagements, we, as IR consultants, tracked notes and data in a shared spreadsheet and discussed the information over chat. With the volume and complexity of incidents today, this doesn't work any longer. Tools are coming to market that help IR teams collaborate, share notes, and respond quickly. Look for these, whether commercial or open source, as they will support a collaborative response that doesn't miss details.
The barriers aren't hard to describe: lack of data, lack of brains, failure to work at scale. I've suggested some approaches that can help, and there are interesting new technologies becoming available that make many of these IR processes more effective. Some realities will hold for the foreseeable future: more data means better analysis, good people are hard to find, and coordinating them is harder still. Bottom line: we need to get better at managing data at scale, at automating the tasks that slow down analysts, and at amplifying those analysts' abilities.