Perimeter

10/9/2014
05:20 PM
How To Be A 'Compromise-Ready' Organization

Incident response pros share tips on how to have all your ducks in a row before the inevitable breach.

MIRcon -- Washington, D.C. -- You'd think an accurate, up-to-date network diagram would be a given at most organizations, but forensics and incident responders say that's one of the more common missing puzzle pieces when they first respond to a client's data breach.

Marshall Heilman, a consultant with FireEye's Mandiant, said that seemingly no-brainer network diagram isn't always handy at a breached company. "I need to learn the network as fast as humanly possible," Heilman said here this week during a presentation on IR. If the victim organization either doesn't have one or has an outdated version of it, it's a "waste of time."

Heilman and Craig Hoffman, a partner with BakerHostetler, who work together on security incident investigations at their clients' sites, offered advice to organizations on how to be prepared for the investigation/IR phase after a cyberattack, including what information and types of logs to have on hand. Even though attacks are inevitable and require organizations to plan ahead for how they will respond, react, and disclose publicly, there are still ways to minimize the damage if you're properly prepared, they said.

"Almost without exception, every single case I have worked on could have been mitigated if the organization had implemented security 101 and actually paid attention to their security assets," Heilman said. "I don't believe you can prevent all breaches. I do believe that all breaches can be mitigated."

That starts with building what Heilman called a "compromise-ready environment." That means planning for just how you'll react to a breach and work with investigators. "Understand the types of questions the investigators are going to ask, and can you give the answers. That reduces the amount of time it takes to investigate a breach," and it can reduce the pain and ultimate damage.

The problem is many organizations get caught unawares about their breaches. "A lot of times, incidents come out in the media or by third parties before you are aware of it. Most don't self-detect," he said. "The Secret Service, FBI, or bloggers come to them."

Aside from having an updated network diagram that shows data flows, here's a partial checklist of items to have on hand for incident responders and to be "compromise-ready":

Logs -- the relevant ones
"Large firms have lots of internal DNS servers. One company [we investigated] had 100-plus internal DNS servers but only four external servers," Heilman said. "But they were logging external DNS traffic only."

The problem: Without internal DNS logs, the IR team wasn't able to pin down which system made a DNS request, which made it difficult to track the attackers and compromised internal systems.

Hostname-to-IP address mappings
Since many organizations use Dynamic Host Configuration Protocol (DHCP) to rotate the mapping of IP addresses to internal systems, the IP addresses are a moving target. "If I'm looking at an investigation that occurred within seven days, I get my answers. But if it's one that happened over a year ago… I have no idea who it is," he said.
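The two gaps above (no internal DNS logs, and IP addresses that DHCP reassigns over time) only close when a DNS query record can be tied back to the host that held the IP at that moment. The following is an added example, not code from the article or from Mandiant; it assumes constructed, whitespace-separated log formats for DHCP lease assignments and internal DNS queries, and an assumed 8-day lease lifetime, and shows why the same IP can resolve to different hosts on different days, or to no host at all once the lease history has gone stale.

```python
from bisect import bisect_right
from datetime import datetime, timedelta

# Constructed sample DHCP lease assignments: "<ISO timestamp> <ip> <hostname>".
# The same IP (10.0.5.20) is handed to different hosts on different days.
DHCP_LEASES = """\
2014-09-01T08:00:00 10.0.5.20 WS-FINANCE-07
2014-09-01T09:15:00 10.0.5.21 WS-HR-02
2014-09-03T08:05:00 10.0.5.20 LAPTOP-CONTRACTOR
2014-09-05T07:50:00 10.0.5.20 WS-FINANCE-07
"""

# Constructed sample internal DNS query log: "<ISO timestamp> <client ip> <qname>".
DNS_QUERIES = """\
2014-09-02T14:22:10 10.0.5.20 updates.example-cdn.test
2014-09-03T10:01:44 10.0.5.20 lookalike-cdn.example.test
2014-09-03T10:02:00 10.0.5.99 intranet.corp.test
2014-09-20T16:40:00 10.0.5.21 intranet.corp.test
"""

LEASE_LIFETIME = timedelta(days=8)  # assumed DHCP lease duration


def parse_leases(text):
    """Return {ip: [(assigned_at, hostname), ...]} sorted by time per IP."""
    leases = {}
    for line in text.splitlines():
        ts, ip, host = line.split()
        leases.setdefault(ip, []).append((datetime.fromisoformat(ts), host))
    for events in leases.values():
        events.sort()
    return leases


def host_at(leases, ip, when):
    """Hostname holding `ip` at time `when`, or None if no live lease is known."""
    events = leases.get(ip, [])
    idx = bisect_right([t for t, _ in events], when) - 1  # latest lease <= when
    if idx < 0:
        return None
    assigned_at, host = events[idx]
    # A lease older than its lifetime tells us nothing about who had the IP.
    return host if when - assigned_at <= LEASE_LIFETIME else None


def attribute_queries(dns_text, leases):
    """Map each DNS query to (qname, ip, hostname-or-UNKNOWN) using lease history."""
    rows = []
    for line in dns_text.splitlines():
        ts, ip, qname = line.split()
        rows.append((qname, ip, host_at(leases, ip, datetime.fromisoformat(ts)) or "UNKNOWN"))
    return rows
```

Queries whose IP cannot be attributed are reported as UNKNOWN rather than guessed, which is exactly the "I have no idea who it is" outcome an investigator faces when DHCP history is short or missing.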

Know how to find files in your environment.
When a malicious file is spotted on the network, you need to know how to find where that file exists and has spread throughout the entire environment. "Most organizations cannot easily do that. And time is one thing you don't have in an investigation."

Run incident-response fire drills.
Simulate how you contact the relevant team members and outside help and what you'll be telling the press. "Run some drills," Heilman said.

Don't go public too soon or with unconfirmed information.
Hoffman said there are four things you need to be able to answer before you go public about your breach: "What happened, how it happened, what you are doing to prevent it from happening again, and what you are doing to protect people affected by the incident."

A big mistake organizations make is changing their public message about the breach, he said. "If you have to change that message, that will affect your credibility."

Kelly Jackson Higgins is the Executive Editor of Dark Reading. She is an award-winning veteran technology and business journalist with more than two decades of experience in reporting and editing for various publications, including Network Computing, Secure Enterprise ...

Comments
mario94901, User Rank: Apprentice, 10/10/2014 | 3:36:02 PM
Re: Good checklist.. How many companies follow it?
They forgot to mention one very critical piece of the list to be prepared. That is: Network Forensics.

All of the tools out there today, security-wise, are mainly based upon IDS/IPS and firewall solutions. Those are great for statistical data, and say syslogs or logs, but what happens when there is a breach? How do you identify what IP it was, what protocol was used, and what data and machines were affected? Having a system that captures every packet on the network, and stores them onto HDs, so you can go back in time and do forensics on the data or time scope you like. Check these guys out... www.wildpackets.com
Kelly Jackson Higgins, User Rank: Strategist, 10/10/2014 | 11:04:15 AM
Re: Good checklist.. How many companies follow it?
This quote says it all, though: "Almost without exception, every single case I have worked on could have been mitigated if the organization had implemented security 101 and actually paid attention to their security assets," Heilman said. "I don't believe you can prevent all breaches. I do believe that all breaches can be mitigated."
Marilyn Cohodas, User Rank: Strategist, 10/10/2014 | 10:37:32 AM
Re: Good checklist.. How many companies follow it?
Yes, it was fascinating to read where the gaps are. I wouldn't be surprised to find other areas where IR has fallen short after an attack. (Hint, hint, dear readers).
Kelly Jackson Higgins, User Rank: Strategist, 10/10/2014 | 10:33:25 AM
Re: Good checklist.. How many companies follow it?
What was so interesting about this was that Craig and Marshall were really providing insider insight into what they deal with in an IR engagement. They have been there when the victim company isn't prepared and thus the investigation is hampered from the get-go.
Marilyn Cohodas, User Rank: Strategist, 10/10/2014 | 10:07:36 AM
Good checklist.. How many companies follow it?
There is some really good advice in this article. Curious to know how many in the Dark Reading community are 'compromise ready' and, if not, where their companies fall short.