MIRcon -- Washington, D.C. -- You'd think an accurate, up-to-date network diagram would be a given at most organizations, but forensics and incident responders say that's one of the more common missing puzzle pieces when they first respond to a client's data breach.
Marshall Heilman, a consultant with FireEye's Mandiant, said that seemingly no-brainer network diagram isn't always handy at a breached company. "I need to learn the network as fast as humanly possible," Heilman said here this week during a presentation on IR. If the victim organization either doesn't have one or has an outdated version of it, it's a "waste of time."
Heilman and Craig Hoffman, a partner with BakerHostetler, who work together on security incident investigations at their clients' sites, offered advice to organizations on how to be prepared for the investigation/IR phase after a cyberattack, including what information and types of logs to have on hand. Even though attacks are inevitable and require organizations to plan ahead on how they will respond, react, and disclose publicly, there still are ways to minimize the damage if you're properly prepared, they say.
"Almost without exception, every single case I have worked on could have been mitigated if the organization had implemented security 101 and actually paid attention to their security assets," Heilman said. "I don't believe you can prevent all breaches. I do believe that all breaches can be mitigated."
That starts with building what Heilman called a "compromise-ready environment." That means planning for just how you'll react to a breach and work with investigators. "Understand the types of questions the investigators are going to ask, and can you give the answers. That reduces the amount of time it takes to investigate a breach," and it can reduce the pain and ultimate damage.
The problem is many organizations get caught unawares about their breaches. "A lot of times, incidents come out in the media or by third parties before you are aware of it. Most don't self-detect," he said. "The Secret Service, FBI, or bloggers come to them."
Aside from having an updated network diagram that shows data flows, here's a partial checklist of items to have on hand for incident responders and to be "compromise-ready":
Logs -- the relevant ones
"Large firms have lots of internal DNS servers. One company [we investigated] had 100-plus internal DNS servers but only four external servers," Heilman said. "But they were logging external DNS traffic only."
The problem: Without internal DNS logs, the IR team wasn't able to pin down which system made a DNS request, which made it difficult to track the attackers and compromised internal systems.
Since many organizations use Dynamic Host Configuration Protocol (DHCP) to rotate the mapping of IP addresses to internal systems, the IP addresses are a moving target. "If I'm looking at an investigation that occurred within seven days, I get my answers. But if it's one that happened over a year ago… I have no idea who it is," he said.
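The DNS-plus-DHCP problem Heilman describes is, at bottom, a log-correlation exercise: a query in the internal DNS log names a client IP address, and only a DHCP lease log can say which host held that address at that moment. The following is an added example, not code from the talk or from Mandiant/FireEye; the log formats, field names, lease duration and sample lines are all constructed for illustration. It attributes every query for a given domain to a hostname and MAC where a lease covers the timestamp, and deliberately returns no owner when the last known lease has expired, which is the "over a year ago" situation where attribution would be a guess.

```python
"""Attribute internal DNS queries to hosts via DHCP lease history.

Added example (not from the original article). Log formats below are
constructed: one record per line, whitespace separated.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple

# Constructed DHCP lease log: timestamp, action, ip, mac, hostname.
# Note that 10.1.5.20 changes hands during the day.
DHCP_LOG = """\
2014-09-01T08:00:00 LEASE 10.1.5.20 aa:bb:cc:00:00:01 WS-FINANCE-07
2014-09-01T20:00:00 LEASE 10.1.5.20 aa:bb:cc:00:00:02 LAPTOP-ENG-11
2014-09-02T09:30:00 LEASE 10.1.5.21 aa:bb:cc:00:00:03 WS-HR-02
"""

# Constructed internal DNS query log: timestamp, client ip, queried name.
DNS_LOG = """\
2014-09-01T10:15:00 10.1.5.20 update.example.com
2014-09-01T21:45:00 10.1.5.20 c2-placeholder.example.net
2014-09-02T10:05:00 10.1.5.21 c2-placeholder.example.net
2014-09-02T10:06:00 10.1.5.99 c2-placeholder.example.net
"""

# Assumed lease duration; a real server records expiry/renewal explicitly.
LEASE_TTL = timedelta(hours=24)

Lease = Tuple[datetime, str, str]  # (lease start, mac, hostname)


def parse_dhcp(text: str) -> Dict[str, List[Lease]]:
    """Build ip -> chronologically sorted lease history."""
    leases: Dict[str, List[Lease]] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, action, ip, mac, host = line.split()
        if action != "LEASE":
            continue
        leases.setdefault(ip, []).append((datetime.fromisoformat(ts), mac, host))
    for history in leases.values():
        history.sort(key=lambda lease: lease[0])
    return leases


def host_for_ip(leases: Dict[str, List[Lease]], ip: str,
                when: datetime) -> Optional[Tuple[str, str]]:
    """Return (mac, hostname) holding `ip` at `when`, or None if unknown.

    The most recent lease that started at or before `when` wins; an earlier
    lease is superseded even if its nominal TTL has not run out.
    """
    candidates = [lease for lease in leases.get(ip, []) if lease[0] <= when]
    if not candidates:
        return None
    start, mac, host = candidates[-1]
    if when - start >= LEASE_TTL:
        return None  # lease expired with no renewal logged: do not guess
    return mac, host


def attribute(dhcp_text: str, ip: str, iso_ts: str) -> Optional[str]:
    """Convenience wrapper: hostname for `ip` at `iso_ts`, or None."""
    owner = host_for_ip(parse_dhcp(dhcp_text), ip, datetime.fromisoformat(iso_ts))
    return owner[1] if owner else None


def attribute_queries(dns_text: str, dhcp_text: str,
                      suspicious_name: str) -> List[dict]:
    """Every DNS query for `suspicious_name`, tagged with its likely host."""
    leases = parse_dhcp(dhcp_text)
    hits = []
    for line in dns_text.splitlines():
        if not line.strip():
            continue
        ts, client_ip, qname = line.split()
        if qname.lower() != suspicious_name.lower():
            continue
        owner = host_for_ip(leases, client_ip, datetime.fromisoformat(ts))
        hits.append({"time": ts, "ip": client_ip,
                     "mac": owner[0] if owner else None,
                     "host": owner[1] if owner else None})
    return hits


if __name__ == "__main__":
    for hit in attribute_queries(DNS_LOG, DHCP_LOG, "c2-placeholder.example.net"):
        print(hit)
```

Two design points matter for an investigation rather than a demo: the lookup takes the most recent lease at or before the query time, so an address that was re-leased to a second machine the same evening is attributed to the second machine, not the first; and a query older than the retained lease history comes back with no host at all, which is the honest answer and the reason DHCP logs need the same retention as the DNS logs they explain.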
Know how to find files in your environment.
When a malicious file is spotted on the network, you need to know how to find where that file exists and has spread throughout the entire environment. "Most organizations cannot easily do that. And time is one thing you don't have in an investigation."
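Being able to find every copy of a known-bad file is a matter of having an inventory keyed on something the attacker cannot trivially change, such as a content hash, rather than on a file name. The block below is an added example and not code from the talk or from Mandiant/FireEye: it walks a directory tree, hashes each file, reports the paths whose SHA-256 matches a watch list, and keeps going past files it cannot read instead of aborting the sweep. The sample tree, file contents and hash are constructed inside the function for a self-contained run; in a real environment the same routine would run per host against an agreed set of roots, with the results collected centrally.

```python
"""Hash-based sweep for known-bad files across a directory tree.

Added example (not from the original article). The sample tree and the
"malicious" content are constructed here purely to exercise the code.
"""
import hashlib
import os
import tempfile
from typing import Iterable, List, Set, Tuple


def sha256_of(path: str, chunk_size: int = 1 << 20) -> str:
    """Stream a file through SHA-256 so large files do not load into memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk_size), b""):
            digest.update(block)
    return digest.hexdigest()


def sweep(root: str, wanted: Set[str]) -> Tuple[List[str], List[Tuple[str, str]]]:
    """Return (matching paths relative to root, unreadable paths with errors).

    Matching is by content hash only, so a renamed copy is still found and a
    file that merely reuses a suspicious name is not flagged.
    """
    matches: List[str] = []
    errors: List[Tuple[str, str]] = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            try:
                digest = sha256_of(full)
            except OSError as exc:       # permission denied, vanished, etc.
                errors.append((os.path.relpath(full, root), str(exc)))
                continue
            if digest in wanted:
                matches.append(os.path.relpath(full, root).replace(os.sep, "/"))
    return sorted(matches), errors


def build_sample_tree(root: str, bad_bytes: bytes) -> None:
    """Constructed tree: one bad file, one renamed copy, one benign look-alike."""
    layout = {
        "a/dropper.exe": bad_bytes,
        "b/renamed.tmp": bad_bytes,                      # same content, new name
        "c/dropper.exe": b"benign file with a scary name",
        "c/readme.txt": b"nothing to see here",
    }
    for rel, data in layout.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(data)


def demo() -> List[str]:
    """Build the constructed tree in a temp dir and sweep it for the bad hash."""
    bad_bytes = b"constructed stand-in for a malicious file"
    watch_list = {hashlib.sha256(bad_bytes).hexdigest()}
    root = tempfile.mkdtemp(prefix="sweep-demo-")
    build_sample_tree(root, bad_bytes)
    matches, errors = sweep(root, watch_list)
    return matches


if __name__ == "__main__":
    for hit in demo():
        print("known-bad content found at:", hit)
```

Note that the sweep finds `b/renamed.tmp` and ignores `c/dropper.exe`; a search by file name would have done the opposite on both counts, which is exactly the gap Heilman describes when an organization cannot say where a file "exists and has spread."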
Run incident-response fire drills.
Simulate how you contact the relevant team members and outside help and what you'll be telling the press. "Run some drills," Heilman said.
Don't go public too soon or with unconfirmed information.
Hoffman said there are four things you need to be able to answer before you go public about your breach: "What happened, how it happened, what you are doing to prevent it from happening again, and what you are doing to protect people affected by the incident."
A big mistake organizations make is changing their public message about the breach, he said. "If you have to change that message, that will affect your credibility."