{"id":14208,"date":"2018-12-31T11:00:03","date_gmt":"2018-12-31T19:00:03","guid":{"rendered":"http:\/\/www.palada.net\/index.php\/2018\/12\/31\/news-7960\/"},"modified":"2018-12-31T11:00:03","modified_gmt":"2018-12-31T19:00:03","slug":"news-7960","status":"publish","type":"post","link":"http:\/\/www.palada.net\/index.php\/2018\/12\/31\/news-7960\/","title":{"rendered":"Incident Response In The Public Eye"},"content":{"rendered":"<p><strong>Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research)| Date: Mon, 31 Dec 2018 17:00:44 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/12\/iStock-881845728-300x169.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/12\/iStock-881845728-300x169.jpg 300w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/12\/iStock-881845728-768x432.jpg 768w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/12\/iStock-881845728-1024x576.jpg 1024w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/12\/iStock-881845728-640x360.jpg 640w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/12\/iStock-881845728-900x506.jpg 900w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/12\/iStock-881845728-440x248.jpg 440w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/12\/iStock-881845728-380x214.jpg 380w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>Cyberattacks happen constantly. Every day organizations are attacked online whether they realize it or not. Most of these attacks are passing affairs. The mere fact that systems are connected to the internet makes them a target of opportunity. For the most part, these attacks are non-events.<\/p>\n<p>Security software, bugs in attack code, and updated applications stop most attacks. 
With <a href=\"https:\/\/www.statista.com\/statistics\/471264\/iot-number-of-connected-devices-worldwide\/\">20 billion+ devices connected<\/a> to the internet, it\u2019s easy enough for the attacker to move on.<\/p>\n<p>But every couple of weeks there is a big enough attack to draw headlines. You\u2019ve seen a steady stream of them over the past few years. 10 million records here, thousands of systems there, and so on.<\/p>\n<p>When we talk about these attacks, for most people, it\u2019s an abstract discussion. It\u2019s hard to visualize an abstract set of data that lives online somewhere.<\/p>\n<p>The recent <a href=\"https:\/\/www.latimes.com\/local\/lanow\/la-me-ln-times-delivery-disruption-20181229-story.html\">attack on the Tribune Publishing network<\/a> is different. This attack had a real-world impact. Around the United States, <a href=\"https:\/\/abcnews.go.com\/US\/cyberattack-targets-newspapers-us-prevents-publishing\/story?id=60074602\">newspapers arrived late<\/a> and missing significant sections of content.<\/p>\n<h2>Timeline<\/h2>\n<p>Late Thursday, some systems on the Tribune Publishing network were inaccessible. This is not an uncommon experience for anyone working in a large organization.<\/p>\n<p>Technology has brought about many wonders but reliability isn&#8217;t typically one of them. When a system is inaccessible, it\u2019s not out of the question to first think, \u201cUgh, this isn\u2019t working. Call IT\u201d.<\/p>\n<p>Support tickets are often the first place cyberattacks show up\u2026in retrospect. All public signs in the Tribune Publishing attack point this way. Once support realized the extent of the issue and that it involved malware, the event\u2014a support request\u2014turned into an incident. 
This kicks off an incident response (IR) process.<\/p>\n<p>It\u2019s this process that the teams at Tribune Publishing are dealing with now.<\/p>\n<h2>Whodunnit?<\/h2>\n<p>\u201cWho is behind the attack?\u201d is the first question on everyone\u2019s mind. It\u2019s human nature\u2014doubly so at a media organization\u2014to want to understand the \u201cwho\u201d and &#8220;why&#8221; as opposed to the \u201chow\u201d.<\/p>\n<p>The reality is that for the incident response process, that\u2019s a question that wastes time. The goal of the incident response process is to limit damage to the organization and to restore systems as fast as possible.<\/p>\n<p>In that context, the response team only needs to roughly classify their attacker. Is the attacker:<\/p>\n<ol start=\"1\">\n<li>A <a href=\"https:\/\/en.wikipedia.org\/wiki\/Script_kiddie\">low-level cybercriminal<\/a> who got lucky with an automated attack and has few resources to continue or sustain the attack?<\/li>\n<li>A cybercriminal intent on attacking a specific class of organization or systems?<\/li>\n<li>A cybercriminal targeting your organization?<\/li>\n<\/ol>\n<p>Knowing which class of cybercriminal is behind the attack will help dictate the effort required in your response.<\/p>\n<p>For a simple attack, your automated defences should take care of it. Even after an initial infection, a defence-in-depth strategy will isolate the attack and make recovery straightforward.<\/p>\n<p>If the attack is part of a larger campaign (e.g., <a href=\"https:\/\/blog.trendmicro.com\/trendlabs-security-intelligence\/tag\/wannacry\/\">WannaCry<\/a>, <a href=\"https:\/\/blog.trendmicro.com\/double-whammy-when-one-attack-masks-another-attack\/\">NotPetya<\/a>, etc.), incident response is more complex but the same principles hold true. The third class of attacker\u2014one specifically targeting your organization\u2014is what causes a change in the process. 
Now you are defending against an adversary who is actively changing their approach. That requires a completely different mindset compared to other responses.<\/p>\n<h2>The Process<\/h2>\n<p><a href=\"https:\/\/medium.com\/@sroberts\/intelligence-concepts-the-sans-incident-response-process-45e3fa451777\">Incident response processes<\/a> generally follow six stages:<\/p>\n<ol start=\"1\">\n<li>Prepare<\/li>\n<li>Identify<\/li>\n<li>Contain<\/li>\n<li>Eradicate<\/li>\n<li>Recover<\/li>\n<li>Learn<\/li>\n<\/ol>\n<p>On paper the process looks simple. Preparation begins with teams gathering contact information and tools, and writing out\u2014or better yet, automating\u2014procedures.<\/p>\n<p>Once an incident has started, teams work to identify affected systems and the type of attack. They then contain the attack to prevent it from spreading. Then they work to eradicate any trace of the attack.<\/p>\n<p>Once the attack is over, the work shifts to recovering systems and data to restore functionality. Afterwards, an orderly review is conducted and lessons are shared about what worked and what didn&#8217;t.<\/p>\n<p>Easy, right?<\/p>\n<blockquote>\n<p>Any incident responders reading this post can take a minute here to enjoy a good laugh. The next section slams everyone back to the harsh reality of IR.<\/p>\n<\/blockquote>\n<h2>Reality<\/h2>\n<p>The six phases of incident response look great on paper but when you\u2019re faced with implementing them in the real world, things never work out so cleanly.<\/p>\n<p>The majority of a response is spent stuck in a near-endless loop: <b>identifying<\/b> new areas of compromise in order to <b>contain<\/b> the attack, hopefully allowing responders to <b>eradicate<\/b> any foothold and <b>recover<\/b> the affected systems.<\/p>\n<p>This is what most organizations struggle with. The time spent preparing is often insufficient because it\u2019s all theoretical. 
Combined with the rapid pace of change on the network, this means teams struggle to keep up during an active incident.<\/p>\n<p>With an organization like Tribune Publishing, things are even more difficult. By its very nature, it\u2019s a 24\/7 business with a wide variety of users around the country. This means there are a lot of systems to consider and each hour of downtime has a very real and significant impact on the bottom line.<\/p>\n<p>As the incident progresses, the response team will make critical decision after critical decision. Shutting down various internal services to protect them. Changing network structures to isolate malicious activity. And a host of other challenges will pop up during the incident.<\/p>\n<p>It\u2019s difficult, hard-driving work. Made doubly so with the eyes of senior management, customers, and the general public looking on.<\/p>\n<h2>Focus<\/h2>\n<p>As a CISO or incident response team leader, you need to focus on the IR process, not on attribution. That\u2019s why it\u2019s worrisome to see early attribution during an incident.<\/p>\n<p>In the Tribune Publishing attack, it was publicly reported that the attack came from outside of the United States. This led to speculation around motivation. It\u2019s likely that statement was based on <a href=\"https:\/\/www.trendmicro.com\/vinfo\/ae\/threat-encyclopedia\/malware\/ransom_ryuk.thhbaai\">the malware reportedly found<\/a> and simple IP address information.<\/p>\n<p>Early in the IR process, evidence like this will be found. It&#8217;s easily accessible but also highly unreliable. Malware is often sold in the digital underground and IP addresses are easily spoofed or proxied. The response team knows this but pressure from higher up may demand some form of answer&#8230;whether or not it helps resolve the situation.<\/p>\n<p>The team must stay focused on resolving the incident, not spending valuable time and energy getting sidetracked. Attribution has its place. 
It\u2019s definitely not in the middle of the response to an incident.<\/p>\n<h2>Practice<\/h2>\n<p>The one hard truth of incident response is that nothing can substitute for experience. Given the\u2014hopefully obvious\u2014fact that you don\u2019t actually want to be attacked, this leads to the concept of a game day or an active simulation.<\/p>\n<p>Popular in cloud environments\u2014<a href=\"https:\/\/aws.amazon.com\/blogs\/aws\/game-day-essentials-show-on-twitch\/\">AWS runs game days<\/a> at their events\u2014these exercises provide hands-on experience. Usually held for the operations team, they are of critical importance to the security team as well.<\/p>\n<p>Security doesn\u2019t operate in a vacuum, especially during an incident. Working with other teams during an incident is key. Practicing that way is a must. This type of work is a huge effort but one that will pay off significantly when an organization is attacked.<\/p>\n<h2>Next Steps<\/h2>\n<p>Tribune Publishing was hit by a cyberattack with real-world impact. This level of visibility is a stark reminder of how challenging these situations can be. The most critical phase of incident response is the first one: preparation.<\/p>\n<p>As a CISO or senior security team member, you need to <a href=\"https:\/\/www.sans.org\/reading-room\/whitepapers\/incident\/paper\/35342\">prepare<\/a> more than just the <a href=\"https:\/\/nvlpubs.nist.gov\/nistpubs\/specialpublications\/nist.sp.800-61r2.pdf\">incident response<\/a> plan. With <a href=\"https:\/\/www.csoonline.com\/article\/3203705\/security\/10-steps-for-a-successful-incident-response-plan.html\">a plan<\/a> in hand, you need to get other teams on board and make it clear to senior management how this process works. 
Critical to success is making sure that management knows that the priority is recovery\u2026not attribution.<\/p>\n<p>Combine that with a lot of practice and when the next incident hits, you\u2019ll have put your team in a reasonable position to respond and recover quickly.<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.trendmicro.com\/incident-response-in-the-public-eye\/\">Incident Response In The Public Eye<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.trendmicro.com\"><\/a>.<\/p>\n<p><a href=\"https:\/\/blog.trendmicro.com\/incident-response-in-the-public-eye\/\" target=\"bwo\" >http:\/\/feeds.trendmicro.com\/TrendMicroSimplySecurity<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p><strong>Credit to Author: Mark Nunnikhoven (Vice President, Cloud Research)| Date: Mon, 31 Dec 2018 17:00:44 +0000<\/strong><\/p>\n<p><img loading=\"lazy\" decoding=\"async\" width=\"300\" height=\"169\" src=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/12\/iStock-881845728-300x169.jpg\" class=\"webfeedsFeaturedVisual wp-post-image\" alt=\"\" style=\"float: left; margin-right: 5px;\" srcset=\"https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/12\/iStock-881845728-300x169.jpg 300w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/12\/iStock-881845728-768x432.jpg 768w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/12\/iStock-881845728-1024x576.jpg 1024w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/12\/iStock-881845728-640x360.jpg 640w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/12\/iStock-881845728-900x506.jpg 900w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/12\/iStock-881845728-440x248.jpg 440w, https:\/\/blog.trendmicro.com\/wp-content\/uploads\/2018\/12\/iStock-881845728-380x214.jpg 380w\" sizes=\"auto, (max-width: 300px) 100vw, 300px\" \/><\/p>\n<p>Cyberattacks happen constantly. Every day organizations are attacked online whether they realize it or not. 
Most of these attacks are passing affairs. The mere fact that systems are connected to the internet makes them a target of opportunity. For the most part, these attacks are non-events. Security software, bugs in attack code, and updated applications&#8230;<\/p>\n<p>The post <a rel=\"nofollow\" href=\"https:\/\/blog.trendmicro.com\/incident-response-in-the-public-eye\/\">Incident Response In The Public Eye<\/a> appeared first on <a rel=\"nofollow\" href=\"https:\/\/blog.trendmicro.com\"><\/a>.<\/p>\n","protected":false},"author":4,"featured_media":0,"comment_status":"open","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"colormag_page_container_layout":"default_layout","colormag_page_sidebar_layout":"default_layout","footnotes":""},"categories":[10378,10413],"tags":[14364,10422,4503,12657,10752],"class_list":["post-14208","post","type-post","status-publish","format-standard","hentry","category-security","category-trendmicro","tag-compliance-regulations","tag-current-news","tag-cybercrime","tag-incident-response","tag-vulnerabilities"],"_links":{"self":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14208","targetHints":{"allow":["GET"]}}],"collection":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/users\/4"}],"replies":[{"embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/comments?post=14208"}],"version-history":[{"count":0,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/posts\/14208\/revisions"}],"wp:attachment":[{"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/media?parent=14208"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"http:\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/categories?post=14208"},{"taxonomy":"post_tag","embeddable":true,"href":"http:
\/\/www.palada.net\/index.php\/wp-json\/wp\/v2\/tags?post=14208"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}