Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

1/19/2017
10:30 AM
Ryan Benson
Ryan Benson
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The 4 Top Barriers To Effective Incident Response

Responding to cyberattacks is straightforward in some ways, difficult in others. Here are four ways that the process can get tripped up.

Cyberattacks are getting worse, growing in frequency and impact. This probably isn't a surprising statement for anyone reading Dark Reading. Most organizations understand this and are taking measures to prevent and detect threats. While hundreds of firms are working to build new technologies to help here, there are fewer options for actually responding to the attacks that are detected. Estimates range from 50 to 60 days for security teams to contain and respond to incidents, on average.

As a practitioner of forensics and incident response (IR) at both a large healthcare firm and at multiple forensics consulting firms, I have worked on many cybersecurity incidents. Although IR is straightforward in some ways, it's often very difficult in others. In practice, these four barriers most often prevent IR teams from responding effectively and efficiently to threats:

  1. Availability of information: This is table stakes; obviously, if the forensics information doesn't exist, you can't do much with it. It's surprising how often organizations simply don't log useful information. One firm I spoke with only logged failed logon attempts, so it had no way of tracking attackers who actually entered the network. Useful information to log from an endpoint at a minimum includes user logons and logoffs, both successful and unsuccessful; changes or additions to user or group accounts; process creation and termination; and PowerShell logs. On the network side, DNS queries, proxy logs, and NetFlow information are valuable historical data sources.
  2. Scalability barriers: Some information is useful, but impossible to get at scale. For example, in a smaller investigation, I might want a full disk image of a user's workstation to look for malware or other indicators of compromise. In a larger investigation, I may need to look on every employee’s machine for those same indicators. Getting a disk image from one machine isn’t hard; getting it from 50,000 endpoints may be impossible (and would result in way more information than is needed to answer my question). Centralized logging can make the process much easier to scale, as can endpoint technologies such as Carbon Black, osquery, and Mozilla InvestiGator.
  3. People shortages: Many firms simply don't have the bodies (and connected brains) needed to investigate and analyze an incident. This may be due to frozen staffing budgets or simple inability to hire what's needed. So, when an incident hits, it's too slow or not even possible to investigate using the available people. Although the usual answer to this is "bring in the consultants," this isn't always possible. The forensics firms themselves face shortages and may not be able to staff a project in time. People shortages are tough problems, since you can’t create new experts overnight. Automation, to amplify and guide the people you already have, is the only way to proceed here. It's possible to automate data gathering, timeline creation, reputation and context, etc., making life easier for your analysts and cutting response dramatically. It also can make the employees you do have more efficient (and happier) by eliminating some of the tedious, repetitive parts of an investigation.
  4. Collaboration at scale: In many past engagements, we, as IR consultants, tracked notes and data in a shared spreadsheet and discussed the information over chat. With the volume and complexity of incidents today, this doesn't work any longer. Tools are coming to market that help IR teams collaborate, share notes, and respond quickly. Look for these, whether commercial or open source, as they will support a collaborative response that doesn't miss details.

The barriers aren't hard to describe: lack of data, lack of brains, failure to work at scale. I've suggested some approaches that can help, and there are interesting new technologies becoming available that make many of these IR processes more effective. Some things will be required for the foreseeable future: more data means better analysis - and it's hard to find good people, and harder to coordinate them. Bottom line: we need to get better at managing data at scale, at automating the tasks that slow down analysts, and at amplifying those analysts' abilities. 

Related Content:

Ryan Benson is a senior threat researcher at Exabeam. He has over a decade's experience in computer forensics and incident response, with previous roles at Stroz Friedberg and Mandiant. He also worked within corporate IT as an information security engineer at Kaiser Permanente. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
pmerry
50%
50%
pmerry,
User Rank: Apprentice
1/19/2017 | 7:32:59 PM
Great Points
Great points. We are in the business of do more with less. With advances in automation and collaboration, coupled with budget cuts and workforces reduction, it seems like incident response is relying on a smaller workforce with stronger skill sets and more efficient and powerful tools. There is a point where the workforce is cut too thin and the model fails. How thin can the workforce be cut before incident response is deemed ineffective?
US Turning Up the Heat on North Korea's Cyber Threat Operations
Jai Vijayan, Contributing Writer,  9/16/2019
Preventing PTSD and Burnout for Cybersecurity Professionals
Craig Hinkley, CEO, WhiteHat Security,  9/16/2019
NetCAT Vulnerability Is Out of the Bag
Dark Reading Staff 9/12/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-3738
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Improper Verification of Cryptographic Signature vulnerability. A malicious remote attacker could potentially exploit this vulnerability to coerce two parties into computing the same predictable shared key.
CVE-2019-3739
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to Information Exposure Through Timing Discrepancy vulnerabilities during ECDSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover ECDSA keys.
CVE-2019-3740
PUBLISHED: 2019-09-18
RSA BSAFE Crypto-J versions prior to 6.2.5 are vulnerable to an Information Exposure Through Timing Discrepancy vulnerabilities during DSA key generation. A malicious remote attacker could potentially exploit those vulnerabilities to recover DSA keys.
CVE-2019-3756
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P3 (6.6.0.3), contain an information disclosure vulnerability. Information relating to the backend database gets disclosed to low-privileged RSA Archer users' UI under certain error conditions.
CVE-2019-3758
PUBLISHED: 2019-09-18
RSA Archer, versions prior to 6.6 P2 (6.6.0.2), contain an improper authentication vulnerability. The vulnerability allows sysadmins to create user accounts with insufficient credentials. Unauthenticated attackers could gain unauthorized access to the system using those accounts.