
Let’s start with a great quote made at the 2012 RSA Cyber Security Conference by Robert Mueller, Former Director of the FBI:

“I am convinced that there are only two types of companies: those that have been hacked and those that will be. And even they are converging into one category: companies that have been hacked and will be hacked again.”

Today, you hear many security professionals making very similar comments:

“It’s not if you get hacked but when you get hacked.”

“It’s not that you haven’t been breached, you just haven’t realized it yet.”

We are now all agreed that what was once our worst nightmare has now become reality. Acknowledging that fact, how do we prepare our business to ensure we make the best possible recovery in the shortest amount of time?

Well, before you can react to a breach, you have to first know it’s taken place. Unfortunately, despite the sentiments of many IT professionals, far too many organizations don’t realize they’ve been breached until months after the event and when they’re informed by law enforcement, the press, or someone who notices their data being sold on the dark web.

How to Detect a Breach

For an organization to detect a breach, it must have three things: educated people, managed policy and process, and the right technology. Without these, you might as well put on a blindfold and try to cross a five-lane highway in rush hour. It’s only a matter of time before you become extinct.

So based on the assumption extinction isn’t part of the plan, let’s take a quick look at each of the three legs to our breach detection stool.

People

It’s not just your security team that requires cyber-security training. All company staff members should be capable of recognizing basic attack indicators, including phishing emails, unusual system activity, and an unexpected call from “IT” asking for their credentials.

Organizations should consider implementing a company-wide cyber security training program, because a strong security culture defines how our people think about cyber security and how they respond to potential and real security events.

Process

It’s important for organizations to maintain their breach risk profile. At least annually, there should be a review of all organizational data to determine how it is being used and how it can be protected.

Here are some other process-oriented tips:

  • Define your incident response team and ensure they fully understand their roles and responsibilities.
  • Ensure that security policies and procedures are regularly updated, and keep them in line with organizational and technological changes. It’s no good having a fantastic plan if it references processes or technology that no longer exist.
  • Make sure you work with your legal and PR teams to create a communication plan well before you need it.

Technology

Organizations need to make sure their response teams have the correct technical tools to allow them to do their job. For a successful response to a security incident, their teams should have access to a fully featured incident notification and management tool set.

Finally, the best people, process and technology will be of little value if they do not run like a well-oiled clock. Regular testing and practice is an absolute must.

Okay, so let’s assume you have made the investment in your people, process, and technology. Let’s now consider what to do when the inevitable breach takes place.

How to Respond to a Breach

After a breach you will normally have more questions than answers. Some of the questions you should be asking yourself are:

  • How was my system compromised?
  • How far does the damage extend?
  • What data has been compromised, damaged, or stolen?
  • Which system can I trust?
  • How long will it take me to assess the impact?
  • Who do I need to inform?
  • How do I prevent it from happening again?

To help you answer these questions and probably a few more, let’s take a methodical approach to recovering compromised systems and restoring business trust.

The very first step you take following a breach should be a backwards one!

Step back and take a breath. Don’t let the immediate tension and pressure of the moment force you into knee-jerk reactions. It’s very important that you first assess what has occurred and what systems have been affected.

Once you have had a chance to assess the situation, you should begin to stabilize the system by reducing the opportunity for further compromise and damage. This might mean removing or reducing access to the production environment, changing production credentials, or putting a change freeze in place. Also, don’t forget to consider third-party systems, managed solutions, etc.

All the while, it’s important you understand that you can’t do everything at once. Use your breach risk profile to help prioritize your targets. Assess data sources and make sure they are adequately protected. Monitor progress and ensure you are always in alignment with business management.

As the recovery process starts to pick up steam, make sure you establish trusted reference points that will allow you to define what is “Good” and what is suspect. Gold builds or other provisioning sources, trusted backups and pre-production systems are all valid starting points.

Next, assess the current condition of your systems by gathering system state information such as OS, applications, configuration files, user information, and file hashes. Transfer any data collected to a disconnected storage location for off-line analysis and later investigation.

Now compare each system with what was deployed. You can correlate system state information with other sources for greater accuracy. Prioritize your findings based on risk and value and start isolating or removing suspicious systems from the environment.
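The “trusted reference point, gather file hashes, compare with what was deployed” steps above can be done with a simple baseline comparison. The following is an added example, not Tripwire’s code or any product feature: it hashes a gold build and a suspect host (both constructed in temporary directories here) and classifies every path as modified, added or missing.

```python
"""Compare a live system's file state against a trusted baseline (gold build)."""
import hashlib
import os
import tempfile


def snapshot(root):
    """Walk a directory tree and return {relative_path: sha256_hex}."""
    state = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            h = hashlib.sha256()
            with open(full, "rb") as f:
                for chunk in iter(lambda: f.read(65536), b""):
                    h.update(chunk)
            state[rel] = h.hexdigest()
    return state


def compare(baseline, current):
    """Classify paths: modified (hash differs), added (not in gold build), missing."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "missing": sorted(p for p in baseline if p not in current),
    }


def _write(root, rel, data):
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "wb") as f:
        f.write(data)


def demo():
    """Constructed sample: a gold build and a suspect host that drifted from it."""
    with tempfile.TemporaryDirectory() as gold, tempfile.TemporaryDirectory() as host:
        for root in (gold, host):  # identical starting point on both
            _write(root, "etc/ssh/sshd_config", b"PermitRootLogin no\n")
            _write(root, "bin/ls", b"\x7fELF-original-binary")
        _write(gold, "etc/cron.d/audit", b"0 * * * * root /usr/bin/audit\n")  # only in gold
        # drift on the suspect host: edited config, replaced binary, unknown file
        _write(host, "etc/ssh/sshd_config", b"PermitRootLogin yes\n")
        _write(host, "bin/ls", b"\x7fELF-replaced-binary")
        _write(host, "tmp/.cache", b"unknown payload")
        return compare(snapshot(gold), snapshot(host))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(kind, paths)
```

Real runs would store the baseline hashes off-host (the disconnected storage the text recommends) and rerun the comparison on a schedule as part of the continuous monitoring step.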

If it is absolutely necessary to keep a compromised system running, you need to implement strong controls to prevent it from infecting or re-infecting other systems.

Now is probably a good time to start analyzing the available data to help determine the infection path and cause.

Once this is complete, you can start rebuilding systems from your trusted source(s) and redeploy the now-trusted systems back into the environment. Based on your findings from the analysis, you may want to carry out additional hardening to prevent re-infection or repeat compromise.

As you redeploy your trusted systems back into the environment, it’s important to establish a continuous monitoring strategy to ensure you detect any further anomalies or inconsistencies. The last thing you need is an outlier to take you by surprise and undo all the good work you’ve already done.

Throughout this whole process, there should be constant communication. Internally, you need to keep business management apprised of progress. Externally, you should be working with your legal and PR teams to ensure key customers, stakeholders and the necessary authorities are informed at the right time and in the right way.

When the system is stabilized and business has returned to normal, don’t be tempted to rest on your laurels and congratulate yourself just yet. Carry out a detailed evaluation of the organization’s performance, successes, failures, and lessons learned. Make sure plans and processes are adjusted or rewritten where necessary. Also, prepare a report for the exec/board and ensure you publicly recognize any heroes and heroines.

Well, I think that about covers it.

If you’d like to hear more, ask questions or just fill a gap in your calendar, I’ll be presenting the same subject at Infosecurity Europe on Thursday 9th June at 13:20 – 13:45.

For more information on what Tripwire has in store at the conference, click here.