6 Questions All Organizations Should be Asking Before a Breach
I wouldn’t exactly be going out on a limb stating that if hackers want to breach your network, it’s only a matter of time before they succeed. The endpoint is the most common vector of attack, and people are the biggest point of vulnerability in any organization. The endpoint device is where people interact with whatever an attacker is after: intellectual property, credentials, cyber ransom, etc. There are new Next Generation Endpoint Security (NGES) solutions, of which Ziften is a leader, that provide the visibility and insight needed to reduce the likelihood of an attack or shorten its duration. Methods of prevention include reducing the attack surface by removing known vulnerable applications, curtailing version proliferation, killing malicious processes, and ensuring compliance with security policies.
But prevention can only go so far. No solution is 100% effective, so it is important to take a proactive, real-time approach to your environment, watching endpoint behavior, detecting when breaches have occurred, and responding immediately with remediation. Ziften also provides these capabilities, generally known as Endpoint Detection and Response, and organizations should change their mindset from “How can we prevent attacks?” to “We are going to be breached, so what do we do then?”
To understand the true breadth or depth of an attack, organizations need to be able to rewind the clock and reconstruct the conditions surrounding a breach. Security investigators need answers to the following 6 questions, and they need them fast, since Incident Response personnel are outnumbered and dealing with limited time windows to mitigate damage.
Where was the attack behavior first seen?
This is where the ability to rewind the clock to the point in time of initial infection is critical. To do this effectively, organizations need to be able to go as far back in time as necessary to identify patient zero. The unfortunate state of affairs, according to Gartner, is that when a cyber breach occurs, the average dwell time before it is detected is a shocking 205 days. According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60% of cases attackers were able to penetrate organizations within minutes. That’s why NGES solutions that don’t continuously monitor and record activity, but rather periodically poll or scan the endpoint, can miss the critical initial penetration. The DBIR also found that 95% of malware types showed up for less than a month, and four out of five didn’t last a week. You need the ability to continuously monitor endpoint activity, look back in time (however long ago the attack occurred), and reconstruct the initial infection.
How did it behave?
What happened step by step after the initial infection? Did malware execute for a second every 5 minutes? Was it able to obtain escalated privileges? A continuous picture of what occurred at the endpoint behaviorally is critical to get an investigation started.
How and where did the attack spread after initial compromise?
Usually the adversary isn’t after the information available at the point of infection, but rather wants to use that endpoint as an initial beachhead from which to pivot through the network to the valuable data. Endpoints include the servers the workstations connect to, so it is important to see a complete picture of any lateral movement that occurred after the infection, to know which assets were compromised and potentially also infected.
How did the infected endpoints’ behavior change?
What was going on before and after the infection? What network connections were being made? How much network traffic was flowing? What processes were active before and after the attack? Immediate answers to these questions are critical to rapid triage.
What user activity occurred, and was there any potential insider involvement?
What actions did the user take before and after the infection occurred? Was the user present on the machine? Was a USB drive inserted? Was the time interval outside their normal usage pattern? These and many more artifacts must be provided to paint a full picture.
What mitigation is required to resolve the attack and prevent the next?
Reimaging the infected machine(s) is a time-consuming and costly solution, but many times this is the only way to know for sure that all harmful artifacts have been removed (although state-sponsored attacks may embed into system or drive firmware to remain immune even to reimaging). But with a clear picture of all activity that occurred, lesser actions such as removing malicious files from all systems affected may suffice. Re-examining security policies will probably be in order, and NGES solutions can help automate future actions should similar situations arise. Automatable actions include sandboxing, cutting off network access from infected machines, killing processes, and much more.
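The six questions above all come down to querying one continuously recorded endpoint event stream. As an added example, not Ziften’s product or code, the script below answers the first five of them over a small constructed telemetry set: it finds patient zero for a given file hash, measures the execution cadence of the malicious process, walks the network-connection record to trace lateral movement to hosts that subsequently show the same indicator, flags infected hosts the chain does not explain (a sign of a second entry point), and diffs a host’s process, network and USB activity in the hour before and after infection. The event schema, host names, timestamps and the hash value `BAD1` are all assumptions made up for this illustration.

```python
from collections import deque
from datetime import datetime, timedelta

# Constructed sample telemetry (not real data): one record per endpoint event.
# Fields: ts (ISO 8601), host, kind ("process" | "netconn" | "usb"), plus
# kind-specific details. "BAD1" is a placeholder for a malicious file hash.
EVENTS = [
    {"ts": "2024-03-01T08:55:00", "host": "ws-12", "kind": "process", "image": "outlook.exe", "sha256": "GOOD"},
    {"ts": "2024-03-01T08:56:00", "host": "ws-12", "kind": "netconn", "dst": "mail-01", "port": 443},
    {"ts": "2024-03-01T09:02:10", "host": "ws-12", "kind": "usb", "device": "removable-1"},
    {"ts": "2024-03-01T09:03:00", "host": "ws-12", "kind": "process", "image": "svc_upd.exe", "sha256": "BAD1"},
    {"ts": "2024-03-01T09:03:05", "host": "ws-12", "kind": "netconn", "dst": "203.0.113.7", "port": 443},
    {"ts": "2024-03-01T09:08:00", "host": "ws-12", "kind": "process", "image": "svc_upd.exe", "sha256": "BAD1"},
    {"ts": "2024-03-01T09:20:00", "host": "ws-12", "kind": "netconn", "dst": "fs-01", "port": 445},
    {"ts": "2024-03-01T09:21:30", "host": "fs-01", "kind": "process", "image": "svc_upd.exe", "sha256": "BAD1"},
    {"ts": "2024-03-01T09:40:00", "host": "fs-01", "kind": "netconn", "dst": "db-02", "port": 445},
    {"ts": "2024-03-01T09:41:00", "host": "db-02", "kind": "process", "image": "svc_upd.exe", "sha256": "BAD1"},
    {"ts": "2024-03-01T10:00:00", "host": "ws-30", "kind": "process", "image": "svc_upd.exe", "sha256": "BAD1"},
    {"ts": "2024-03-01T11:00:00", "host": "ws-12", "kind": "netconn", "dst": "fs-01", "port": 445},
]


def parse(ts):
    return datetime.fromisoformat(ts)


def indicator_sightings(events, sha256):
    """All process events carrying the indicator hash, oldest first."""
    hits = [e for e in events if e["kind"] == "process" and e.get("sha256") == sha256]
    return sorted(hits, key=lambda e: e["ts"])


def find_patient_zero(events, sha256):
    """Q1: earliest host and time at which the indicator was observed."""
    hits = indicator_sightings(events, sha256)
    return (hits[0]["host"], hits[0]["ts"]) if hits else None


def execution_cadence(events, host, sha256):
    """Q2: seconds between successive executions of the indicator on one host."""
    times = [parse(e["ts"]) for e in indicator_sightings(events, sha256) if e["host"] == host]
    return [int((b - a).total_seconds()) for a, b in zip(times, times[1:])]


def trace_lateral_movement(events, sha256):
    """Q3: breadth-first walk from patient zero over outbound connections made
    after each host's infection time; a destination counts as compromised only
    if the indicator is seen on it at or after that connection."""
    pz = find_patient_zero(events, sha256)
    if pz is None:
        return [], {}
    infected = {pz[0]: parse(pz[1])}   # host -> first sighting on that host
    edges, queue = [], deque([pz[0]])
    by_ts = sorted(events, key=lambda e: e["ts"])
    while queue:
        src = queue.popleft()
        for e in by_ts:
            if e["kind"] != "netconn" or e["host"] != src or parse(e["ts"]) < infected[src]:
                continue
            dst = e["dst"]
            if dst in infected:
                continue
            first = next((parse(x["ts"]) for x in indicator_sightings(events, sha256)
                          if x["host"] == dst and parse(x["ts"]) >= parse(e["ts"])), None)
            if first is None:           # external or uninfected destination
                continue
            infected[dst] = first
            edges.append((src, dst, e["ts"]))
            queue.append(dst)
    return edges, infected


def unexplained_hosts(events, sha256):
    """Hosts carrying the indicator that the lateral-movement chain does not
    reach: a hint that there was a second entry point worth investigating."""
    _, infected = trace_lateral_movement(events, sha256)
    return {e["host"] for e in indicator_sightings(events, sha256)} - set(infected)


def behavior_delta(events, host, infection_ts, window=timedelta(hours=1)):
    """Q4 and Q5: processes, connection volume and USB activity on one host in
    the window before versus after the infection time."""
    t0 = parse(infection_ts)

    def summarize(evs):
        return {"processes": sorted({e["image"] for e in evs if e["kind"] == "process"}),
                "netconns": sum(1 for e in evs if e["kind"] == "netconn"),
                "usb_inserted": any(e["kind"] == "usb" for e in evs)}

    on_host = [e for e in events if e["host"] == host]
    before = [e for e in on_host if t0 - window <= parse(e["ts"]) < t0]
    after = [e for e in on_host if t0 <= parse(e["ts"]) < t0 + window]
    return {"before": summarize(before), "after": summarize(after)}


if __name__ == "__main__":
    pz = find_patient_zero(EVENTS, "BAD1")
    print("patient zero:", pz)
    print("cadence (s):", execution_cadence(EVENTS, pz[0], "BAD1"))
    print("spread:", trace_lateral_movement(EVENTS, "BAD1")[0])
    print("unexplained:", unexplained_hosts(EVENTS, "BAD1"))
    print("delta:", behavior_delta(EVENTS, pz[0], pz[1]))
```

The important design point is the one the article makes about polling versus recording: every function here assumes the full event history is still available, so a 09:03 execution lasting one second is in the record even though it would fall between two periodic scans. On the constructed data the chain runs ws-12 to fs-01 to db-02, while ws-30 carries the indicator without any inbound connection from an infected host, which is exactly the case an investigator should treat as a separate question rather than fold into the first answer.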
Don’t wait until after a breach occurs and you need to call in an army of specialists and spend time and money piecing the facts together. Make sure you are prepared to answer these 6 key questions and have all the answers at your fingertips in minutes.