APT Response Strategy – Part 1
January 21, 2014 6 Comments
APT Response Strategy – Part 1
APT Response Strategy – Part 2
APT Response Strategy – Part 3
How do you implement a Plan C? Organizations are starting to recognize the ever increasing importance of rapid and well orchestrated incident response capabilities as a key component in their defense-in-depth strategy.
The APT Response Strategy (aka APT-IR) series of blogs discuss the development and evolution of an effective rapid incident response program, a call to action.
There is no silver bullet for advanced persistent threats (APT). Preventative controls, such as next generation firewalls (NG-FW), endpoint protection platforms (EPP), intrusion prevention systems (IPS), data loss prevention (DLP) tools, Web application firewalls (WAF), Application White-Listing, Sandboxes are all key components but there is no technology guarantee.
Misplaced trust in the ability of preventative controls to stop an attack results in an excessive focus on them in security planning and operations versus response.
“If you go back to the definition of security being protection, detection and response, this feels like the last area that needs work, and the idea of incident response coordination and working on a response is really important and something that isn’t there,”
Organizations need to stop treating response as just a backup plan if things go wrong and start making it a core and active part of their operational strategy, to have the capability and preparedness and readiness to rapidly deploy.
Plan A: Prevention
If not the most, this must be one of the most important challenges to the security industry. Prevention is crucial. We cannot lose sight of that goal but we must accept the fact that no barrier is impenetrable, and detection / response represents an extremely critical line of defense.
The range of possible breach scenarios is immense and rapidly growing, protecting against them all is challenging if not impossible. It requires identifying the right controls and resources and where to allocate them to counter the threats. Leveraging APT Red Teams to study target selection and attack difficulty is a useful way of understanding and addressing the more likely threat vectors towards continuous improvement.
Bottom-line, prevention and preventative security controls will fail. Plan B depends upon the ability to detect and contain.
The Defensive Line: Incident Response
Plan B: Detection
In the Cisco 2014 Annual Security Report, Cisco found that of a sample 30 large firms it studied, 100 percent had traffic going to DNS locations pointing at websites hosting malware while 96 percent had traffic going to compromised servers, 88 percent to suspicious FTP servers, while 79 percent had PCs tunneling connections using VPNs.
Malicious actors are using trusted applications and connections to exploit gaps in perimeter security. Indicators of compromise suggest network penetrations may be undetected over long periods.
Timespan of Detection and Response Rates
As the Verizon DBIR 2013 illustrates, most breaches are not discovered internally or contained for weeks, months or even longer. While it can be difficult to detect, positively identify, and respond to an intrusion within minutes or hours, our ability to do so should ostensibly increase the longer attackers persist on internal networks.
Even the most advanced cyber-attacks follow a multi-step process that begins with network reconnaissance and eventually ends with data being ex-filtrated. This gives organizations multiple opportunities to detect an attack and prevent it from spreading across the entire network impacting critical data.
Bottom-line, detection typically fails on a frequent basis, what remains is Plan C which depends upon the effective Incident Response.
Plan C: Response
Today, being well prepared for incident response is one of the most cost-effective security measures any organization can take because it can limit the damage and reduces the incident impact and costs since security incidents are typically inevitable.
Organizations must elevate incident response as a key component of their overall business strategy, making sure that all the right components are in place to deal with unforeseen incidents.
Effective incident response means that even when a host or account is compromised, it is short-lived and has a near-zero impact on the business. In order to achieve this, organizations must develop the right mix of people, processes and tools. This grows more and more important as threat actors creatively exploit vulnerabilities and advance their methods.
Incident Response Goals The goals of an effective and rapid incident response include:
- Discover: Verify that an incident has occurred
- Triage: Rapidly contain and reduce the impact of the incident
- Stabilize: Maintain or restore Business Operations/Continuity
- Diagnostics: Determine attack vectors and how the incident occurred
- Immunize: Prevent future attacks / incidents
- Debrief: Improve the organization’s security posture
- Communications: Keep management informed and follow proper chain of command procedures
Ideally APT-IR focused organizations need seek to balance people, process and technology. Solid incident responders with solid technology but no well designed, validated and, established processes and procedures will leave their organizations less than optimally defended. An effective and properly maturing APT-IR requires all three dimensions – people, process, technology – to work well and improve together.
It is important that organizations create lightweight policies, plans, and procedures related to incident response with management buy-in to effectively protect the organization against incidents and cyber security attacks. From our experience and research, a snapshot of the current incident response capability maturity is, as follows:
Incident Response Program Capability Maturity
In order to prepare for incidents organizations need to know:
- How to manage and organize for effective incident response (IR)
- What tools, techniques and practices are needed
- How to investigate and respond to attacks from persistent attackers
- How to use the results of IR processes to better secure the enterprise
- How to ensure that a similar attack is not successful a second time
On a high level, to organize for effective security incident response, organizations need to:
- APT-IR –
- Define enterprise APT-IR mission and capability (in terms of scope, resources skills, contacts, escalation)
- Make it a priority to build an APT-IR team consisting of experienced, full-time members
- Involve cross-functional multi-disciplinary areas of the organization in the process
- Rules of Engagement:
- Create clearly defined rules of engagement for the incident response team
- Define incidents, handling and escalation to clearly distinguish and prioritize
- Invest in technologies that support the collection of information to identify indicators and potential threats
- Understand compliance and threat trends (hone awareness and skills)
- Prepare templates / tools to manage and respond (engage in test drills and readiness)
- Assess the readiness of incident response team members on an ongoing basis
- Effectiveness Metrics:
- Develop useable operational metrics to measure the overall effectiveness and evolve
- IoC Sharing:
- Consider sharing threat indicators with third-party organizations to foster collaboration
Incident Response Life Cycle
In APT Response Strategy – Part 2 we will present and discuss the Incident Response Life Cycle, to effectively and rapidly handle incidents and attacks, to mitigate risk across the organization together with incident response maturity.
Incident Response Life Cycle
As a preview of Part 2, the IRP should cover all steps throughout the life cycle process, including:
- Post-Incident activities
Stay tuned for a lightweight yet effective APT Response Strategy that focuses more upon necessary triage steps and actions.
Organizations are facing a greater attack surface, the growing proliferation and sophistication of attack models, and increasing complexity within the hyper-extended network. Many are struggling to solidify a security vision supported by an effective strategy that uses new technologies, simplifies their architecture and operations, and strengthens their security teams. The NigeSecurityGuy blog can help.
Our Adaptive Zone Defense blog establishes a key foundation to help organize and structure applications, systems and, data in order to both simplify operations as well as limit and manage communications to enable protection, detection and, containment.
The Defensible Security Posture blog leverages a threat-centric defensible security model to enable defenders to address the full attack continuum, across all attack vectors, and to respond at any time, all the time, in a continuous fashion—before, during, and after an attack.
In a world where organizations need to be watching or monitoring their networks continuously knowing what to look out for is critical, APTs typically exhibit recognizable attributes and patterns that can be monitored by readily available, open source tools. The APT Detection Indicators blog series helps identify indicators of compromise (IoCs).
In order to begin to understand and to be able to defend against targeted attacks the APT Detection Framework blog series presents a detection matrix that is needed for visibility, analysis and, to ensure that all threat scenarios are considered with no gaps in defense. The APT Red Teams series blog seeks to help enable continuous improvement and optimization via security posture validation and testing from counter-intuitive sources to help mitigate advanced threats.
This APT Response Strategy – Part 1 blog is also a part of the APT Strategy Series and Security Architecture Series. For a complete listing of all NigeSecurityGuy blogs see the Security Series Master Index.
Thanks for your Interest!
Nige the Security Guy.