Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Vulnerabilities / Threats //

Advanced Threats

1/19/2017
10:30 AM
Ryan Benson
Ryan Benson
Commentary
Connect Directly
Twitter
LinkedIn
RSS
E-Mail vvv
100%
0%

The 4 Top Barriers To Effective Incident Response

Responding to cyberattacks is straightforward in some ways, difficult in others. Here are four ways that the process can get tripped up.

Cyberattacks are getting worse, growing in frequency and impact. This probably isn't a surprising statement for anyone reading Dark Reading. Most organizations understand this and are taking measures to prevent and detect threats. While hundreds of firms are working to build new technologies to help here, there are fewer options for actually responding to the attacks that are detected. Estimates range from 50 to 60 days for security teams to contain and respond to incidents, on average.

As a practitioner of forensics and incident response (IR) at both a large healthcare firm and at multiple forensics consulting firms, I have worked on many cybersecurity incidents. Although IR is straightforward in some ways, it's often very difficult in others. In practice, these four barriers most often prevent IR teams from responding effectively and efficiently to threats:

  1. Availability of information: This is table stakes; obviously, if the forensics information doesn't exist, you can't do much with it. It's surprising how often organizations simply don't log useful information. One firm I spoke with only logged failed logon attempts, so it had no way of tracking attackers who actually entered the network. Useful information to log from an endpoint at a minimum includes user logons and logoffs, both successful and unsuccessful; changes or additions to user or group accounts; process creation and termination; and PowerShell logs. On the network side, DNS queries, proxy logs, and NetFlow information are valuable historical data sources.
  2. Scalability barriers: Some information is useful, but impossible to get at scale. For example, in a smaller investigation, I might want a full disk image of a user's workstation to look for malware or other indicators of compromise. In a larger investigation, I may need to look on every employee’s machine for those same indicators. Getting a disk image from one machine isn’t hard; getting it from 50,000 endpoints may be impossible (and would result in way more information than is needed to answer my question). Centralized logging can make the process much easier to scale, as can endpoint technologies such as Carbon Black, osquery, and Mozilla InvestiGator.
  3. People shortages: Many firms simply don't have the bodies (and connected brains) needed to investigate and analyze an incident. This may be due to frozen staffing budgets or simple inability to hire what's needed. So, when an incident hits, it's too slow or not even possible to investigate using the available people. Although the usual answer to this is "bring in the consultants," this isn't always possible. The forensics firms themselves face shortages and may not be able to staff a project in time. People shortages are tough problems, since you can’t create new experts overnight. Automation, to amplify and guide the people you already have, is the only way to proceed here. It's possible to automate data gathering, timeline creation, reputation and context, etc., making life easier for your analysts and cutting response dramatically. It also can make the employees you do have more efficient (and happier) by eliminating some of the tedious, repetitive parts of an investigation.
  4. Collaboration at scale: In many past engagements, we, as IR consultants, tracked notes and data in a shared spreadsheet and discussed the information over chat. With the volume and complexity of incidents today, this doesn't work any longer. Tools are coming to market that help IR teams collaborate, share notes, and respond quickly. Look for these, whether commercial or open source, as they will support a collaborative response that doesn't miss details.

The barriers aren't hard to describe: lack of data, lack of brains, failure to work at scale. I've suggested some approaches that can help, and there are interesting new technologies becoming available that make many of these IR processes more effective. Some things will be required for the foreseeable future: more data means better analysis - and it's hard to find good people, and harder to coordinate them. Bottom line: we need to get better at managing data at scale, at automating the tasks that slow down analysts, and at amplifying those analysts' abilities. 

Related Content:

Ryan Benson is a senior threat researcher at Exabeam. He has over a decade's experience in computer forensics and incident response, with previous roles at Stroz Friedberg and Mandiant. He also worked within corporate IT as an information security engineer at Kaiser Permanente. View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
pmerry
50%
50%
pmerry,
User Rank: Apprentice
1/19/2017 | 7:32:59 PM
Great Points
Great points. We are in the business of do more with less. With advances in automation and collaboration, coupled with budget cuts and workforces reduction, it seems like incident response is relying on a smaller workforce with stronger skill sets and more efficient and powerful tools. There is a point where the workforce is cut too thin and the model fails. How thin can the workforce be cut before incident response is deemed ineffective?
Data Leak Week: Billions of Sensitive Files Exposed Online
Kelly Jackson Higgins, Executive Editor at Dark Reading,  12/10/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: Our Endpoint Protection system is a little outdated... 
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
The State of Ransomware
The State of Ransomware
Ransomware has become one of the most prevalent new cybersecurity threats faced by today's enterprises. This new report from Dark Reading includes feedback from IT and IT security professionals about their organization's ransomware experiences, defense plans, and malware challenges. Find out what they had to say!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-12420
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, a message can be crafted in a way to use excessive resources. Upgrading to SA 3.4.3 as soon as possible is the recommended fix but details will not be shared publicly.
CVE-2019-16774
PUBLISHED: 2019-12-12
In phpfastcache before 5.1.3, there is a possible object injection vulnerability in cookie driver.
CVE-2018-11805
PUBLISHED: 2019-12-12
In Apache SpamAssassin before 3.4.3, nefarious CF files can be configured to run system commands without any output or errors. With this, exploits can be injected in a number of scenarios. In addition to upgrading to SA 3.4.3, we recommend that users should only use update channels or 3rd party .cf ...
CVE-2019-5061
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the hostapd 2.6, where an attacker could trigger AP to send IAPP location updates for stations, before the required authentication process has completed. This could lead to different denial of service scenarios, either by causing CAM table att...
CVE-2019-5062
PUBLISHED: 2019-12-12
An exploitable denial-of-service vulnerability exists in the 802.11w security state handling for hostapd 2.6 connected clients with valid 802.11w sessions. By simulating an incomplete new association, an attacker can trigger a deauthentication against stations using 802.11w, resulting in a denial of...