Incident-Response Imperative: Take Immediate Action

By on
Something malicious this way comes. A fast reaction can reduce your risk.

You have just detected an attack and alerted the incident-response team, one of 38 investigations you will likely conduct this year. Half of these are probably generic malware attacks, but the rest are higher-risk targeted attacks or data breaches. Now you are working against the clock and against the potentially exponential rate of further infections, trying to get your systems back to a known state.

What happens if you cannot stop the attack soon enough? We have all seen the immediate and public effects of a security breach, but what happens afterwards? You have isolated the machines that you think are infected and begun the laborious process of cleaning them. Or you buy new machines and operate completely separate networks while you carefully scrub and transfer data from the old to the new. Or maybe you find yourself so deep in a hole so quickly that you cannot dig your way out, so you just work around the infected machines.

These and other security scenarios are playing out at organizations around the world. Attackers are shifting to focused, designer attacks targeting specific companies and individuals. They have been testing the behaviors of preventative technologies and are learning how to get through security defenses and minimize detection. A fast and active incident-response capability is now an important part of your overall security plan.

Our research underlines the importance of responding effectively within the first hour. You are probably already struggling with the volume of security data. There is so much data flowing in from your existing tools that it takes a long time to analyze it, delaying your response. Or you have made compromises on the data being collected, and you are missing important indicators of attack.

Risk Reduction

Speeding up incident detection and gaining an understanding of the potential impact and scope are the most important tasks in reducing risk. What you need is the ability to perform live investigations. Using historical data as the foundation, automated endpoint collectors can learn the system’s state and context, watching for any changes to network flow, registries, or processes that may indicate an attack. This also includes deleted files or dormant components, tricks that are commonly used to evade detection.

Quickly alerted to an attack and its potential scope, the next important tasks are taking action to minimize the impact, identifying which assets remain vulnerable, and updating security controls. When the endpoint collectors detect an attack event, they send alerts to security central. But you can also configure them to trigger other actions, depending on the nature of the alert. Do you want additional data collection, temporary changes to user privileges, or some other custom action that will assist the response team?

You can also trigger an investigation across all systems in the organization, greatly expanding the scale of your response. You no longer need to make assumptions about the attack’s progress, which can result in an artificially limited view of the affected systems. If you cannot scale the response fast and far enough, you could allow the criminals to work freely in one area while you try to contain just a portion of the infection.

Time and scale are the prime limiters of incident response. Greater automation of data collectors, security triggers, and predefined reactions helps you detect sooner, respond faster, and hunt farther than you could before.

View the original post on Dark Reading.

Leave a Comment

Similar articles

2018 was a wild ride when it came to cybersecurity. While some hackers worked to source financial data, others garnered personal information to personalize cyberattacks. Some worked to get us to download malware in order to help them mine cryptocurrency or harness our devices to join their botnets. And the ways in which they exact ...
Read Blog
Your home screen is just a matrix of numbers. Your device loses its charge quickly, or restarts suddenly. Or, you notice outgoing calls that you never dialed. Chances are your smartphone has been hacked. The sad truth is that hackers now have a multitude of ways to get into your phone, without ever touching it. ...
Read Blog
Rockstar Games’ Red Dead Redemption 2 has struck a popular chord with many online gamers. Unfortunately, the Western-themed action-adventure game has also become a popular vessel for malicious activity among cybercriminals as well. Scammers are tricking gamers into giving up their personal information with phony “free” downloads of the online game, while simultaneously making a ...
Read Blog