Research

It’s easy to believe the hype. You know, that NGFW (Next Generation Firewall) devices will take over the perimeter tomorrow. Get on the bandwagon now before it’s too late. And the anecdotal evidence leads in this direction as well. You see lines around the corners at trade shows to glimpse an NGFW Godbox, and local seminars are standing room only to hear all about application-aware policies which can help you control those pesky users who want to Facebook all day in the office. Of course reality is usually a bit behind the hype. We do believe NGFW technology (application awareness) will have a disruptive and lasting impact on network security, but it won’t happen overnight. Our pals at 451 Group do a bunch of surveys each year to track vendor momentum and buying plans. These show tremendous growth for NGFW. The technology, a fusion of application layer firewalls and stateful firewalls, continues a multi-year run of growth that has seen it rise in ‘in use’ percentage from 26% in 2010 to 33% last year. But are they totally displacing traditional firewalls? Not yet – many organizations start deploying NGFW (and NGIPS for that matter) in a monitoring role right next to the existing firewalls, to provide greater visibility into application usage. This visibility, then control deployment approach has been fairly consistent since the first NGFW devices hit the market a few years ago. …application-aware firewalls are rising as complementary or companion capabilities alongside a primary network firewall, where enterprises still seem to employ solutions from fairly longstanding firewall providers. But that is starting to change. We now hear about folks blowing up their perimeters; forklifting their traditional firewalls; and going lock, stock and barrel into NGFW gear. These are not small networks by the way. As the technology matures and the traditional network security players evolve their product lines to include NG capabilities, we will see this more and more often. That’s a good thing – port and protocol policies don’t provide much protection against current attacks. Photo credit: “No riding on forklift” originally uploaded by Leo Reynolds Share:

We are in the school year endgame right now. The kids will be done for the year in 10 days, and then summer officially begins. It is a frantic time in our house – the kids head off for camp in mid-June and we take family vacations before then. There is a lot of stuff to buy, a lot of packing to do, and a lot of quality time to squeeze in before The Boss and I become empty nesters for 7 weeks. One of those tasks is haircuts. It turns out the Boy has my hair. And that means he needs to get it cut. Frequently. I’m not complaining but it requires some planning. If they leave in mid-June we need to get his hair trimmed mid-May, which gives it a month before we get the short camp cut. Yes, we actually have to think about stuff like this. So I took the Boy for a haircut on Saturday afternoon, and my phone rang with a number I didn’t recognize from South Florida. Normally I would let it go to voicemail, especially on a Saturday, but my paranoia kicked in because Mom is in South Florida. When you get to my age you dread calls from numbers you don’t know in South Florida. So I picked up the phone for my friends in Office Depot’s fraud department. No, they aren’t really my friends, but they did me a huge solid by catching a strange transaction. Evidently someone used my credit card and address (with cellphone number) to buy a laptop for delivery to a store in California. They asked if I had bought a computer for $519 that day. I had to laugh because everyone knows you can’t buy a Mac for $519, and I wouldn’t be caught dead with a Windows laptop. Kidding aside, they quickly canceled the transaction and kindly suggested I call MasterCard to shut down my clearly compromised card. Yeah, I was already 2-3 steps ahead. Card was shut down, new card ordered, and fraud investigation underway within 5 minutes. Then came the damage assessment. I checked my personal email account to ensure no funkiness (2FA for the win) and also reviewed transactions on my other financial accounts in case of a larger compromise on my end. All clean, for now. But then I got thinking – which of the zillion online merchants I use got popped? They had my cell phone, so it wasn’t a skimming attack. This involved both card number and address/phone, so it was full-on total pwnage of some merchant. But I never expect to learn which. I can’t be too pissed – I had a pretty good run with that MasterCard number. It lasted 18 months, which sadly is a long time between card credential compromises. I could be angry, but it’s just the way it is. When my new card comes in I will need to spend a couple hours wading through my bills and changing all the automatic charges for monthly stuff. I need to monitor that account much more closely until I am confident everything is clean. In 12-18 months I will need to do it again. At least the merchant didn’t give me a hard time – unlike last time this happened, when someone bought auto parts and had them delivered to an address in my town. Of course it wasn’t my address, but those are pesky details. AmEx did good work on that situation, fortunately. And with that, let me tip my hat to Office Depot once again. Once attackers get a working card the fraud transaction come fast and furious, so they saved me a bunch of angst. Now I need to go by some office supplies from Amazon. Come on, man, you didn’t think this would buy any office supply loyalty, did you? –Mike Share:

Amen to our buddy Paul Proctor, who starts a post, Why I hate the term GRC, with “GRC is the most worthless term in the vendor lexicon.” I couldn’t agree more. 10 years later I still don’t know what it means. Besides everything, as Paul explains: Vendors use it to describe whatever they are selling and Gartner clients use it to describe whatever problem they have. For seven years I have battled this monolithic term and I fear I’m losing the battle. The alternative is to try to bring some clarity to its usage by defining some boundaries. Unfortunately boundaries aren’t going to help. As long as Risk or Compliance (the R and C of GRC) continues to have budget line items, we will have both vendors and users dumping whatever they can into the GRC bucket. It’s a funding strategy that has worked for years, and unless there is some miraculous movement away from regulation it will be successful for years to come. Then Paul tries to put GRC tools into a box. Good luck with that. But he makes a good point: “Buying a tool to solve your GRC problems is putting the cart before the horse. For example, if you don’t have risk assessment, buying a GRC tool is not going to give it to you.” I applaud this attempt to provide some sanity to the idiocy of GRC. But that’s too positive and constructive for me. I would rather just bitch about it some more. Which I think I did… Share:

OK, not really. But as Rich pointed out in last week’s Incite (Truth is stranger than satire), The Onion getting hacked, and then the hackers posting stuff that seemed very Onion-like, was one step short of crossing the streams. In less than true Onion form – honest and satire-free –= they go through exactly what happened in a recent blog post, and it was very unsophisticated phishing. Phase 1 seemed random, and only one Onion staffer fell for the ruse. Leveraging that initial compromised account the attackers sent another wave of phishing messages. A few clicked the link but only two actually provided credentials. At that point the Onion folks realized they had compromised accounts and forced a company-wide password reset. But the attackers weren’t done. They were able to send a duplicate password reset email (through yet another compromised account) and they then got control of another 2 email accounts. One of which had access to the corporate Twitter account. Yikes! Hats off to The Onion – these posts are helpful for everyone to learn from the misfortune of others. They have some decent tips in the post as well, including using a dedicated application to access the corporate Twitter account (where you could apply more granular access control) and having email addresses associated with the corporate accounts on a totally separate system to provide account segregation. Rich talked about some other tactics to protect corporate Twitter accounts as well, with two-factor authentication topping the list. Photo credit: “Never again Mr. Onion” originally uploaded by dollen From the New York Post, of all places: Goldman later learned that Bloomberg staffers could determine not only which of its employees had logged into Bloomberg’s proprietary terminals but how many times they had used particular functions, insiders said. The matter raised serious concerns for the firm about how secure information exchanged through the terminals within the firm actually was – and if the privacy of their business strategy had been compromised. Oops. Imagine if AWS or Salesforce did something like this? They won’t because it is a kiss-of-death type mistake if there are viable alternatives, but Bloomberg is too entrenched for this to damage them materially. Share:

Most folks think you need to be a day trading financial junkie to have any interest in quarterly earnings releases and/or conference call transcripts. But you can learn a lot from following the results of your strategic security vendors and companies you don’t do business with, but who would like to do business with you. You can glean stuff about overall market health, significant problem spaces, technology innovation, and business execution. For instance, if you are thinking about upgrading your perimeter network security gear you have a bunch of options, most of them public companies. You cannot going much about Cisco, Juniper, IBM, Dell, or HP through their conference calls. Security is barely a rounding error for those technology behemoths, although a company like Intel does talk a little bit about its McAfee division because it is key to its growth prospects. But if you pay attention to the smaller public companies, such as Symantec, Check Point, Fortinet, Palo Alto, Sourcefire, Imperva, Websense, Qualys, etc., you can learn about how those bigger companies are competing. You need to keep in mind that you get a very (very very) skewed perspective, but it provides some ammo when challenging sales reps from those big companies. You can also learn a lot about business. How certain channel strategies work, or don’t work, which can help optimize how you procure technology. You can get a feel for R&D spend by your key vendors, which is important to the health of their new product pipelines. You should also read the Q&A transcripts, where investment analysts ask about different geographies, margins, product growth, and a host of other things. This information cannot help you configure your devices more effectively, but it does help you understand the folks you do business with, and feel better about writing big checks to your strategic vendors. Especially when you know the big deal they mention in the conference call is you. Here is a list of transcripts for the major publicly traded security companies. And if your favorite company (or the one in your 401k) isn’t here, it’s likely because they haven’t announced their Q1 results yet (like Splunk), or they may still be private. Symantec FQ4 2013 Earnings Call Transcript Check Point Q1 2013 Earnings Call Transcript Fortinet Q1 2013 Earnings Call Transcript Sourcefire Q1 2013 Earnings Call Transcript Qualys Q1 2013 Earnings Call Transcript Imperva Q1 2013 Earnings Call Transcript Websense Q1 2013 Earnings Call Transcript Proofpoint Q1 2013 Earnings Call Transcript SolarWinds Q1 2013 Earnings Call Transcript VASCO Data Security Q1 2013 Earnings Call Transcript Zix Q1 2013 Earnings Call Transcript That should keep you busy for a little while… Photo credit: “scrooge-mcduck” originally uploaded by KentonNgo Share:

In hindsight we should have seen this coming. I mean it’s not like McAfee even showed up for the most recent NSS Labs next-generation firewall (NGFW) test. They made noise about evolving their IPS, I mean Network Security Platform, to offer integrated firewall capabilities. But evidently it was either too hard or would have taken too long (or both) to provide a competitive product. So McAfee solved the problem by writing a $389MM check for Stonesoft. You haven’t heard of Stonesoft? They weren’t a household name but they have had a competitive firewall product for years. Decent distribution in Europe and a very small presence in the US. They did about $50MM in revenues last year and are publicly traded in Finland. I guess what’s surprising is that it wasn’t Cisco, Juniper, IBM, or HP. What about Cisco’s blank check to regain competitiveness in the security business? If it’s not connected to an SDN apparently Juniper isn’t interested. I guess IBM and HP hope that if they continue to ignore the NGFW market it will just go away. Hope is not a strategy. And as perimeter consolidation continues (and it is happening – regardless of what IPS vendors tell you), if you don’t have a competitive integrated product you won’t be in the game for long. So McAfee needed to make this move. Certainly before someone else did. But it’s not all peaches and cream. McAfee has their work cut out for them. It’s not like they have really excelled at integrating any of their larger acquisitions. And they have to reconcile their existing IPS platform with Stonesoft’s integrated capabilities. Don’t forget about the legacy SideWinder proxy firewall, which continues to show up a lot in highly secure government environments. Why have one integrated platform when you can have 3? How they communicate the roadmap and assure customers (who are already looking at other alternatives) will determine the success of this deal. To further complicate matters, integration plans are basically on hold due to some wacky Finnish laws that prevent real integration until the deal is basically closed. It is unlikely they will be able to do any real planning until the fall (when they have acquired 50% of the stock), and cross-selling cannot start until they have 90% of the stock tendered – probably early 2014. Details, details. The NGFW game of musical chairs is about to stop, and the move towards the Perimeter Security Gateway is going to begin. The M&A in the space is pretty much done because there just aren’t any decent alternatives available to buy without writing a multi-billion-dollar check any more. Those vendors without something NGFW are likely to see their network security revenues plummet within 2 years. Select your network security vendors accordingly. Photo credit: “Stone Pile” originally uploaded by Mark McQuitty Share:

Do you ever look at your To Do list and feel like you want to just run away and hide? Me too. I talk a lot about consistent effort and not trying to hit home runs, but working for a bunch of singles and doubles. That works great for run rate activities like writing the Incite and my blog series. But I am struggling to move forward on a couple very important projects that are bigger than a breadbox and critical to the business. It is annoying the crap out of me, and I figure publicly airing my issues might help me push through them. I have tried to chunk up these projects into small tasks. That’s how you defeat overwhelm, right? But here it just means I need to push a bunch of tasks back and back and back in my Todo app rather than just one. I think my problem is that I feel like I need a block of time sufficient to complete a smaller task. But I rarely have a solid block of a couple hours to focus and write so I get stuck and don’t even start. But that’s nonsense. I don’t have to finish the entire task now – I just need to do a bit every day, and sure enough it will get done. Is that as efficient as clearing the calendar, shutting off Twitter and email, and getting into the zone? Nope. It will definitely take longer to finish but I can make progress without finishing the entire task. Really, I can. As much as I try to teach my kids what they need to know, every so often I learn from them too. XX1 just finished her big year-end project. It was a multi-disciplinary project involving science, language arts, and social studies. She invented a robot (J-Dog 6.2) that would travel to Jupiter for research. We went to the art store and got supplies so she could mock up the look of the robot; she had to write an advertisement for the product, a user manual, and a journal in the robot’s voice to describe what was happening – among other things. She did a great job. I’m not sure where she got her artistic chops or creativity but the Boss and I didn’t help her much at all. How does that relate to my issue getting big things done? She worked on the project a little every day. She cut the pieces of the model one day. Painted it the next. Outlined the journal on the third. And so on. It’s about making progress, one step at a time. She finished two days early so she didn’t have to do an all-nighter the day before – like her old man has been known to do. So I need to take a lesson and get a little done. Every day. Chip away at it. I have an hour left in my working day, so I need to get to work… –Mike Photo credits: XX1 Geobot project – May 2013 Heavy Research We are back at work on a variety of blog series, so here is a list of the research currently underway. Remember you can get our Heavy Feed via RSS, where you can get all our content in its unabridged glory. And you can get all our research papers too. Defending Cloud Data/IaaS Encryption Object Storage Encrypting Entire Volumes Protecting Volume Storage Understanding Encryption Systems Security Analytics with Big Data Use Cases Introduction The CISO’s Guide to Advanced Attackers Evolving the Security Program Breaking the Kill Chain Verify the Alert Mining for Indicators Newly Published Papers Email-based Threat Intelligence: To Catch a Phish Network-based Threat Intelligence: Searching for the Smoking Gun Understanding and Selecting a Key Management Solution Building an Early Warning System Implementing and Managing Patch and Configuration Management Incite 4 U I (for the record) am not the world’s greatest lover: I don’t know Troy Hunt but he probably isn’t either. But this awesome post basically supports his claim as the world’s greatest lover by stating “I could quite rightly say that nobody has ever demonstrated that this is not the case and there are no proven incidents that disprove it.” Then he goes on to lampoon the web site security seals from your favorite big security vendor. Not just that they can’t really justify their assurances that something is secure, but showing screenshots of these ‘protected’ sites busted by simple attacks. As funny (in a sad way) as this is, ultimately it won’t make much of a difference because the great unwashed think those seals actually mean something. – MR Nuclear powered 0-day: This is a bit of a weird one. Internet Explorer 8, and only IE version 8, is being actively exploited in the wild with a 0-day attack. It is always interesting when a vulnerability only works on one version of IE and doesn’t affect earlier or later versions. Additionally the malware was propagated through a US Department of Labor website, and only to people researching illnesses associated with work on nuclear weapons. Clearly the attackers were targeting a certain demographic, but I haven’t seen any reports of actual exploitation, which is the part we should be most interested in (except the DoL website – they totally pwned that one). It seems like a bit of an outlier attack because I don’t expect too many of their targets to look on the DoL site for that information, but what do I know? As we have learned, these espionage attacks are basically a targeted spray and play: attacking every possible path to their desired targets, understanding that the law of averages is in their favor. – RM Learn it. Know it. Live it.: Security professionals talk about how developers don’t understand security, but the Coverity team throws it right back at them with 10 Things Developers Wished Security People Knew. This is sound advice for security people working with software development. The underlying belief is that all these things require security to get to know the people, process, and code

The tactics we have described so far are very useful for detecting and disrupting advanced attackers – even if used only in one-off situations. But you can and should establish a more structured and repeatable process – especially if you expect to be an ongoing target of advanced attackers. So you need to evolve your existing security program, including incident response capabilities. But what exactly does that mean? It means you need to factor in the tactics you will see from advanced attackers and increase the sophistication of your intelligence gathering, active controls, and incident response. Change is hard – we get that. Unless you have just had a recent breach – then it’s easy. At that point instead of budget pressures you get a mandate to fix it no matter the cost, and you will face little resistance to changing process to ensure success with the next response. Even without a breach as catalyst you can make these kinds of changes, but you will need some budgetary kung fu with strategic use of recent high-profile attacks to make your point. But even leveraging a breach doesn’t necessarily result in sustainable change, regardless of how much money you throw at the problem. Evolving these processes involves not only figuring out what to do now, or even in the future. Those are short term band-aids. Success requires empowering your folks to rise to the challenge of advanced attackers. Pile more work on to make sure they can accept their additional responsibilities, and recognize them for stepping up. This provides an opportunity for some managers to take on more important responsibilities and ensures everyone is on the hook to get something done. Just updating processes and printing out new workflows won’t change much unless there are adequate resources and clear accountability in place to ensure change takes place. Identify Gaps Start evolving your program by identifying gaps in the status quo. That’s easiest when you are cleaning up a breach because it is usually pretty obvious what worked, what doesn’t, and what needs to change. Without a breach you can use periodic risk assessment or penetration testing to pinpoint issues. But regardless of the details of your gaps or how you find them, it is essential that you (as senior security professional) drive process changes to address those gaps. Accountability starts and ends with the senior security professional, with or without the CISO title. Be candid about what went wrong and right with senior management and your team, and couch the discussion in terms of improving your overall capability to defend against advanced attackers. Intelligence Gathering The next aspect of detecting advanced attackers is building an intelligence gathering program to provide perspective on what is happening out there. Benefit from the misfortune of others, remember? Larger organizations tend to formalize an intelligence group, while smaller entities need to add intelligence gathering and analysis to the task lists of existing staff. Of all the things that could land on a security professional, needing to do intelligence research isn’t a bad extra responsibility. It provides exposure to cutting-edge attacks and makes a difference in your defenses. That’s how you should sell it. Once you determine organizational structure and accountability for intelligence you ll need to focus on integration points with the rest of your active (defensive) and passive (monitoring) controls. Is the intelligence you receive formatted to integrate directly into your firewall, IPS, and WAF? What about integration with your SIEM or forensics tools? Don’t forget about analyzing malware – isolating and searching for malware indicators is key to detecting advanced attackers. Understand that more sophisticated and mature environments should push beyond just searching for technical indicators of compromise. Mature intelligence processes include proactive intelligence gathering about potential and active adversaries, as we described earlier. If you don’t have those capabilities internally which of your service providers can offer it, and how can you use it? Finally you will need to determine your stance on information sharing. We are big fans of sharing what you see with folks like you (same industry, similar company size, geographical neighbors, etc.) to learn from each other. The key to information sharing networks (aside from trust) is reducing the signal-to-noise ratio – it is easy for active networks to generate lots of chatter that isn’t relevant to you. As with figuring out integration points, you need accountability and structure for collecting and using information from sharing networks. Tracking Innovation Another aspect of dealing with advanced attackers is tracking industry innovation on how to manage them. We have done considerable research into evolving endpoint controls, network-based advanced malware detection, and the application of intelligence (Early Warning, Network-based Threat Intelligence, Email-based Threat Intelligence) to understand how these technologies can help. But all those technologies together cannot provide the sustainable change you need. So who in your organization will be responsible for evaluating new technologies? How often? You might not have budget to buy all the latest and greatest shiny objects to hit the market – but you still need to know what’s out there, and you might need to find the money to buy something that solves a sufficiently serious problem. We have seen organizations assemble a new technology task force, comprised of promising individual contributors within each of the key security disciplines. These folks monitor their areas of expertise, meet with innovative start-ups and other companies, go to security conferences, and leverage research services to evaluate new technologies. At periodic meetings they present what they find. Not just what the shiny object does but also it could would change what the organization does, and why that would be better. This shows not just whether they can parrot back what a vendor tells them, but how well they can apply that capability to existing control sets. Evolving DFIR As we have discussed throughout this series, a key aspect of detecting advanced attackers is digital forensics and incident response (DFIR). First you need to ensure responders have an adequate tools to determine what happened and analyze attacks. So you need to revisit your data collection infrastructure, and

The arms race goes on and on. The folks at Trusteer recently found an evolved type of malware designed to game financial institutions’ two-factor authentication (2FA) mechanisms on compromised devices. This is Darwin at work, folks – why should attackers try to rob banks, when they can mug everyone who comes out with money? Whatever gun you have, they come back with a bigger one. This is fun, right? Trusteer’s security team recently analyzed a Ramnit variant that is targeting a UK bank with a clever one-time password (OTP) scam. The malware stays idle until the user successfully logs into their account,.. The most interesting part is the reconnaissance and detailed understanding of the process and transaction types & formats required to successfully perform this attack. This is no smash and grab – it’s a very sophisticated set of technologies used to game a bank’s security controls. 2FA is still a good thing. But don’t think it’s the only thing, and definitely don’t think it makes you secure. Many of us learned that from the RSA hack, but for those who didn’t get the message the first time, your strong authentication isn’t strong enough. At least not all the time… Photo credit: “Big Guns” originally uploaded by DM Share:

In our last post in the CISO’s Guide to Advanced Attacks, you verified the alert, so it’s time to spring into action. This is what you get paid for – and to be candid your longevity in the CISO role directly correlates to your ability to contain the damage and recover from the attacks as quickly and efficiently as possible. But no pressure, right? So let’s work through the steps involved in breaking the kill chain, disrupting the attackers, taking counter measures, and/or getting law enforcement involved. Incident response needs to be a structured and conditioned response. Work to avoid setting policies during firefights, even though it’s not possible to model every potential threat or gain consensus on every possible countermeasure. But try to define the most likely scenarios and get everyone on board with appropriate tactics for containment and remediation. Those scenarios provide a basis for making decisions in scenarios that don’t quite match your models. Then at least you can spin why you made certain decisions in the heat of battle. Contain the Damage As we described in Incident Response Fundamentals, containment can be challenging because you don’t exactly know what’s going on but you need to intervene as quickly as practical. The first requirement is very clear: do not make things worse. Make sure you provide the best opportunity for your investigators (both internal and external) to isolate and study the incident. Be careful not to destroy data by turning off and/or unplugging machines without first taking appropriate forensic images. Keeping the discussion high-level, containment typically involves two main parts: Quarantine the device: Isolate the device quickly so it doesn’t continue to perform reconnaissance, move laterally within your network, infect other devices, or progress toward completing its mission and stealing your data. You may monitor the device as you figure out exactly what you are doing but make sure it doesn’t cause any more harm. Protect critical data: One reason to quarantine the device is to ensure that it cannot continue to mine your network and possibly exfiltrate data. But you also can’t assume the compromised device you identified is the only one. So go back to the potential targets you outlined when you sized up the adversary, and take extra care to protect the critical data most interesting to your adversary. One thing we know about advanced attackers is that they generally have multiple paths to accomplish their mission. You may have discovered one (the compromised device), but there are likely more. So be a little extra diligence with monitoring data access and egress points, to help disrupt the kill chain in case of multiple compromises. Investigate and Mitigate Your next step is to identify the attack vectors and determine appropriate remediation paths. As mentioned above you want to be sure to gather just as much information as you need to mitigate the problem (stop the bad guys) and collect it in a way that doesn’t preclude subsequent legal (or other) action at some point. For more details on malware investigation techniques, we point you again to Malware Analysis Quant for a very granular attack investigation process. When it comes to mitigation you will set a series of discreet achievable goals and assign resources to handle them. Just like any other project, right? But when dealing with advanced attackers you have a few remediation paths to consider: Clean: People also also call this the Big Bang approach because you need to do it quickly and completely. Because if you leave the attacker with any foothold in your environment you will start all over again sooner than later. Most organizations opt for this approach – the sooner you clean your environment the better. Observe: In certain instances, such as when you are dealing with an inside job or law enforcement is involved, you may be asked not to clean all the compromised machines. But as described above, you need to take extra care to ensure you don’t suffer further losses while observing the attackers. That involves deep monitoring (likely network full packet capture and memory forensics) on traffic in and out of critical data stores – as well as tightening controls on egress filters and/or DLP gateways. Disinformation: Another less common alternative is to actively provide disinformation to adversaries. That might involve dummy bids, incorrect schematics, or files with tracking data which might help identify the attacker. This is a very advanced tactic, generally performed with the guidance of law enforcement or a very select third-party incident response firm. Executing the Big Bang To get rid an advanced attacker you need to find all compromised devices. We have been talking about how to do that by searching for indicators of compromise but you cannot assume you have seen and profiled all the malware in use. Those pesky advanced attackers may be throwing 0-day attacks at you. This, again, is where threat intelligence comes in to look for patterns others have seen (though not likely your specific files). Once you have identified all the affected devices (and we mean all of them), they need to go dark at the same time. You cannot leave the adversary with an opportunity to compromise other devices or execute a contingency plan to retain a foothold while you work through your machines during cleanup. This probably entails wiping the machines down to bare metal – even if that means losing data. Given the capabilities of advanced attackers, you cannot be sure of totally eliminating the device compromise any other way. When the affected devices are wiped and rebuilt you need to monitor them and capture egress traffic during a burn-in period to make sure you didn’t miss anything. That means scrutinizing all configuration changes for indications that the attacker is breaking back in or finding new victims, as well as looking for command and control indicators. The moment the adversary is blown out they will start working double-time to get back in. You are never done. So you need to ensure your