Enterprises today are engaged in a never-ending arms race with malicious and criminal attackers who craft malware designed to infect systems and networks – and to remain unnoticed the entire time it’s doing so. The attack code they use today is largely a more clandestine version of what security professionals have been battling for some time: application and operating system exploit code, traffic sniffers, bots, Trojans – whatever works to achieve the intended goal, whether that is to exfiltrate information, disrupt system access, conduct medical identity theft, or steal financial account information and intellectual property.
Advanced malware attacks are no longer rare; they are the norm.
In my interviews with incident/breach response teams and CISOs, it’s clear that more and more organizations today are dealing with custom or advanced malware somewhere on their networks. Most consider it either inevitable that they will be breached or assume that they are always breached and protect systems and networks accordingly.
The ability to detect and respond to breaches is what will set organizations apart from those who cannot quickly spot incursions and mitigate breach damage. Unfortunately, most organizations still don’t have the ability to respond to successful breaches or malware infestations. Most simply wipe infected endpoints, install what they hope is a clean image, and send the system back out to the front lines. The problem here, of course, is that the root cause is never uncovered. What actually occurred remains unknown, and they never learn what, if anything, the attacker’s target may have been. And if any data were stolen, the evidence of that theft was likely wiped along with the fresh install.
Nothing about this outdated approach is particularly helpful. The enterprise never finds the infection vector used in the attack, and it moves on, hoping it has plugged the breach. By contrast, the information gathered from a breach investigation will detail whether an attack was successful, how successful it was, what the motivation may have been, how the malware functioned, and all of the associated information that would be useful in protecting the organization in the future.
Why have enterprises not done better at response?
One reason is that incident response is difficult and the benefits are hard to quantify and justify in the face of all of the daily fires the security teams have to extinguish. But one of the biggest reasons why effective response isn’t attained at many organizations is that it requires considerable collaboration among teams outside of security groups. It can involve application owners, developers, corporate communications and PR, operations, business leaders, legal, human resources, and more. If these groups don’t know how to work together in advance, they certainly won’t be able to work together in the heat of an emergency.
What does it take to build a capable incident response program?
Of course, it takes the right tools and the skills necessary to identify and analyze the breach; no question. But it requires more than that. An enterprise can have great tools and great people – but without the right plans and processes in place, they won’t go far.
Beyond the initial group of security analysts and responders, and especially when dealing with a breach that must be reported publicly, the teams mentioned above need to know the data breach drill. In an upcoming post, we will detail what needs to be in that response plan and what to do when the breach is one that must be disclosed publicly.