After a security incident is detected, tremendous resources are spent on the forensic investigation trying to figure out what exactly happened and what data, if any, was compromised. If the forensic investigation doesn't yield definitive results fairly quickly, the organization is left with no choice but to assume the worst.
Worst-case scenarios generally result in a dramatic increase in potential liability, as well as more brand and customer damage than is warranted.
However, good preparation and a few basic security controls can dramatically reduce the amount of time wasted during forensic investigations, helping the organization quickly identify what happened, how it happened and who was behind the attack.
1. Build a Clean System
There’s no easy way to determine if an attack was successful and it’s even more difficult to quickly determine the scope and scale of what was compromised. The only reliable approach is to build a clean system and then compare it to all other systems in order to identify the changes.
Once a clean image is built, automated comparison of the clean image to systems on the network can quickly show the differences between the clean image and the potentially compromised infrastructure. Next, signs of malicious activity can be identified and these systems can be quarantined.
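The comparison described above, as an added example that is not code from the original article or from Tripwire: a clean image and a live host are reduced to manifests of file path to SHA-256 digest, and the two manifests are diffed into added, removed and modified files. The file trees, their contents and the host names are constructed for the example; in practice the clean manifest would be built once from the golden image and the live manifest from a mounted disk image or an agent on the host.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path, chunk: int = 65536) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not need to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for block in iter(lambda: fh.read(chunk), b""):
            digest.update(block)
    return digest.hexdigest()


def build_manifest(root) -> dict:
    """Map every regular file under root (path relative to root) to its SHA-256 digest.

    Symlinks are skipped so a link planted on the examined host cannot make the
    hashing step read a file outside the tree being compared.
    """
    root = Path(root)
    manifest = {}
    for path in sorted(root.rglob("*")):
        if not path.is_symlink() and path.is_file():
            manifest[path.relative_to(root).as_posix()] = hash_file(path)
    return manifest


def compare_manifests(clean: dict, target: dict) -> dict:
    """Classify every path as added, removed or modified on target relative to the clean image."""
    clean_paths, target_paths = set(clean), set(target)
    return {
        "added": sorted(target_paths - clean_paths),
        "removed": sorted(clean_paths - target_paths),
        "modified": sorted(p for p in clean_paths & target_paths if clean[p] != target[p]),
    }


def write_tree(root, files: dict) -> None:
    """Write constructed file contents under root so the example runs without a real image."""
    for rel, content in files.items():
        path = Path(root) / rel
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(content)


# Constructed sample contents standing in for the clean image and for a live host.
CLEAN_FILES = {
    "bin/ls": b"ls binary, release build\n",
    "etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
    "etc/cron.d/backup": b"0 2 * * * root /usr/local/bin/backup\n",
}
LIVE_FILES = {
    "bin/ls": b"ls binary, release build\n",                                     # unchanged
    "etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",  # weakened config
    "var/tmp/unknown.bin": b"file that is not in the clean image\n",             # new file
}                                                                                # backup cron job is gone


def demo() -> dict:
    """Build both trees in temporary directories and report how the live host differs."""
    with tempfile.TemporaryDirectory() as clean_dir, tempfile.TemporaryDirectory() as live_dir:
        write_tree(clean_dir, CLEAN_FILES)
        write_tree(live_dir, LIVE_FILES)
        return compare_manifests(build_manifest(clean_dir), build_manifest(live_dir))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind:9s} {', '.join(paths) or '-'}")
```

The three buckets are what an investigator triages first: a modified configuration on a hardened service, a file that no clean image contains, and a scheduled job that has disappeared each point at a different kind of change, and the manifest diff surfaces all three from one pass over the host.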
2. Classify Assets to Business Relevance
Business context matters during every breach investigation. Big changes on non-mission critical assets, like the printer in HR, may not merit significant time and attention. On the other hand, even small changes on mission critical assets should be investigated carefully.
After a breach, all systems are subject to review and audit. Post-breach consultants often spend an inordinate amount of time trying to figure out the business purpose of systems with vague or non-existent business classification information.
In this scenario, an unpatched Windows machine is a meaningless piece of information, whereas a server that is part of the ecommerce infrastructure that hasn’t been patched or hardened for more than six months has the business relevance needed for forensics. All systems need business relevance data that is consistently collected, maintained and available for audit.
3. List Authorized Users and Their Privileges
Once a security breach is confirmed, a huge amount of time is spent trying to figure out whether the security incident matters and, if so, who did it. Significant time can be saved if you spend the time required to create and maintain up-to-date user authorization policies and current asset classification before the breach.
The goal of forensic activities is to identify the actor, internal or external; the method used for the compromise; and finally the scope of the impact, so that appropriate remediation action can be applied. In order to find the bad actor, a current list of authorized users and the assets they can access is a crucial resource.
Tools exist that can automate this, but they are only as effective as the business process underlying them. Tracking down who did what with precision requires keeping access controls up to date with each change in employment, termination dates and especially third parties and contractors.
4. Put Login Failures into Context
Reviewing login failures is like looking for a needle in a stack of needles. It gets even worse because, in and of themselves, they really don't tell you anything, but you can't afford to ignore them either.
A better approach is to correlate login failures with other suspicious activity. Many companies are now connecting asset vulnerability and identity context to their log information and correlating this data to identify truly suspicious activity.
For example, some companies are able to create an automated watch list of terminated employees and correlate it to activity. Some companies can also correlate suspicious changes (outside change windows, for example) and configuration policy failures (such as opening FTP or unauthorized ports) against other network activity to detect anomalous behavior.
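The correlation described in this section, combined with the asset classification of section 2 and the authorized-user list of section 3, as an added example that is not code from the original article or from Tripwire: each login failure is enriched with the asset's business relevance, the list of users authorized on that asset, and a watch list of terminated employees, and only failures that carry some of that context become alerts. The hosts, users, addresses, dates and log line layout are all constructed for the example; a real deployment would read these from the asset register, the directory and the log pipeline.

```python
import re
from collections import defaultdict
from datetime import date

# Constructed sample context; none of these hosts, users or addresses come from the article.
ASSETS = {                                     # business relevance per asset (section 2)
    "web-01": {"role": "ecommerce web tier", "critical": True},
    "db-01": {"role": "ecommerce database", "critical": True},
    "print-hr": {"role": "HR print server", "critical": False},
}
AUTHORIZED = {                                 # authorized users per asset (section 3)
    "web-01": {"alice", "ops-deploy"},
    "db-01": {"dba-bob"},
    "print-hr": {"hr-carol", "alice"},
}
TERMINATED = {"dave": date(2014, 8, 1)}        # watch list of terminated employees

# Constructed authentication log lines in a simple key=value layout.
LOG_LINES = [
    "2014-08-12T02:13:44Z host=db-01 event=login_failure user=dave src=10.0.5.23",
    "2014-08-12T02:13:51Z host=db-01 event=login_failure user=dave src=10.0.5.23",
    "2014-08-12T08:01:02Z host=print-hr event=login_failure user=hr-carol src=10.0.9.8",
    "2014-08-12T09:30:00Z host=web-01 event=login_failure user=alice src=10.0.2.4",
    "2014-08-12T09:30:05Z host=web-01 event=login_success user=alice src=10.0.2.4",
    "2014-08-12T11:45:10Z host=web-01 event=login_failure user=mallory src=203.0.113.7",
    "this line is not in the expected layout and is skipped",
]

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=(?P<event>\S+) user=(?P<user>\S+) src=(?P<src>\S+)$"
)
SEVERITY = ["medium", "high", "critical"]


def parse(line: str):
    """Return the fields of one log line, or None if it does not match the layout."""
    match = LINE_RE.match(line)
    return match.groupdict() if match else None


def context_for(user: str, host: str) -> list:
    """Reasons a failed login by user on host deserves attention; empty means plain noise."""
    reasons = []
    if user in TERMINATED:
        reasons.append(f"account terminated on {TERMINATED[user].isoformat()}")
    if user not in AUTHORIZED.get(host, set()):
        reasons.append("user is not on the authorized list for this asset")
    return reasons


def severity_for(user: str, host: str) -> str:
    """Start at medium; raise one level for a mission-critical asset and one for a terminated user."""
    level = 0
    if ASSETS.get(host, {}).get("critical"):
        level += 1
    if user in TERMINATED:
        level += 1
    return SEVERITY[level]


def correlate(lines) -> list:
    """Group login failures by (user, host) and keep only those with asset or identity context."""
    failures = defaultdict(list)
    for line in lines:
        event = parse(line)
        if event and event["event"] == "login_failure":
            failures[(event["user"], event["host"])].append(event)
    alerts = []
    for (user, host), events in failures.items():
        reasons = context_for(user, host)
        if not reasons:
            continue  # failures by an authorized, current user are left to volume thresholds
        alerts.append({
            "user": user,
            "host": host,
            "asset_role": ASSETS.get(host, {}).get("role", "unclassified"),
            "failures": len(events),
            "sources": sorted({e["src"] for e in events}),
            "severity": severity_for(user, host),
            "reasons": reasons,
        })
    alerts.sort(key=lambda a: (-SEVERITY.index(a["severity"]), -a["failures"]))
    return alerts


if __name__ == "__main__":
    for alert in correlate(LOG_LINES):
        print(f"[{alert['severity'].upper()}] {alert['user']}@{alert['host']} "
              f"({alert['asset_role']}) {alert['failures']} failure(s) from {alert['sources']}: "
              f"{'; '.join(alert['reasons'])}")
```

Of the five failures in the sample, the two by an authorized, current user produce nothing, while the repeated attempts by a terminated account against the ecommerce database rank above an unknown user's single attempt against the web tier. The same failures with no asset or identity context attached would all look alike, which is the "stack of needles" the section describes.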
Forensics experts repeatedly report that activities like these are present during a breach, but most businesses never connect the data held in their various security technology silos.
5. Improve Tool Integration
Poor integration of security technologies leaves many organizations with an error-prone process that requires manually correlating thousands of events or changes. Suspicious changes identified by one security tool must be confirmed through reports in different data formats from multiple other tools.
Better tool integration automatically correlates data, dramatically reducing the time and resources required to confirm suspicious activity. This is an emerging area within security. To help their customers truly get ahead of security risks, vendors need to connect key pieces of information across the security technology stack. The blind spots created by missing integration are often how the bad guys get in.
Every company, even those with formidable security resources, is vulnerable to a cyberattack. Security teams need to stop thinking about “if” and plan for “when” because prevention really is only half the battle.
Best practices are generally perceived as beneficial but boring and they are rarely accorded the urgency they deserve on the long list of things that security and IT teams need to do. Strategic investment in these basic controls is worth the time; it will improve cyberattack prevention and save time during the critical hours and days after a security breach.
The Executive’s Guide to the Top 20 Critical Security Controls
Tripwire has compiled an e-book, titled The Executive’s Guide to the Top 20 Critical Security Controls: Key Takeaways and Improvement Opportunities, which is available for download [registration form required].
Header image courtesy of Shutterstock.