Leveraging Threat Intelligence in Incident Response/ManagementBy Mike Rothman
It’s hard to be a defender today. Adversaries continue to innovate, attacking software which is not under your control. These attacks move downstream as low-cost attack kits put weaponized exploits in the hands of less sophisticated adversaries, making them far more effective. But frequently attackers don’t even need to use innovative attacks because a little reconnaissance and a reasonably crafted phishing message can effectively target and compromise your employees. The good news is that we find very few still clinging to the hope that all attacks can be stopped by deploying the latest shiny object coming from a VC-funded startup.
Where does that leave us? Pretty much where we have been for years. It is still about reacting faster – the sooner you know about an attack the sooner you can start managing it. In our IR fundamentals series and subsequent React Faster and Better paper, we mapped out a process for responding to these incidents completely and efficiently, utilizing tactics honed over decades in emergency response.
But the world hasn’t stayed still over the past 3 years – not by a long shot. So let’s highlight a few things shifting the foundation under our (proverbial) feet.
- Better adversaries and more advanced tactics: Attackers continue to refine their tactics, progressing ever faster attack from to exfiltration. As we described in our Continuous Security Monitoring paper, attackers can be in and out with your data in minutes. That means if monitoring and assessment is not really continuous you leave a window of exposure. This puts a premium on reacting faster.
- Out of control data: If you haven’t read our paper on The Future of Security, do that now. We’ll wait. The paper explains how the combination of cloud computing and mobility fundamentally disrupts the way technology services are provisioned and delivered. They will have a broad and permanent impact on security, most obviously in that you lose most control over your data, because it can reside pretty much anywhere.
So how can you manage incidents when you aren’t sure where the data is, and you may not have seen the attacks before? That could be the topic of the next Mission Impossible movie. Kidding aside, the techniques security professionals can use have evolved as well, thanks to the magic of Moore’s Law. Networks are faster, but we can now capture that traffic when necessary. Computers and devices are more powerful, but now we can collect detailed telemetry on them to thoroughly understand what happens to them. Most importantly, with our increasing focus on forensics, most folks don’t need to argue so hard that security data collection and analysis are critical to effectively responding and managing incidents.
As mentioned above, our technology to monitor infrastructure and analyze what’s going on has evolved quickly.
- Full network packet capture: New technologies have emerged that can capture multi-gbps network traffic and index it near real time for analysis. This provides much higher fidelity data for understanding what attackers might have done. Rather than trying to interpret log events and configuration changes, you can replay the attack and see exactly what happened and what was lost. This provides the kind of evidence essential for quickly identifying the root cause of an attack, as well as the basis for a formal investigation.
- Endpoint activity monitoring: We introduced this concept in our Endpoint Security Buyer’s Guide and fleshed it out in Advanced Endpoint and Server Protection. This approach enables you to collect detailed telemetry from endpoint devices, so you see every action on the device, including what software was executed and which changes were made – to the device and all its files. This granular activity history enable you to search for attack patterns (indicators of compromise) at any time. So even if you don’t know activity is malicious when it takes place, you can identify it later, so long as you keep the data.
- A ton of data: The good news is that, between network packets and endpoint telemetry, you have much more more data to analyze. The bad news is that you need technology that can actually analyze it. So we hear a lot about “big data” for security monitoring these days. Regardless of what it’s called by the industry hype machine; you need technologies to enable you to index, search through, and find patterns within the data – even when you don’t know exactly what you’re looking for. Fortunately other industries – like retail – have been analyzing data for unseen and unknown patterns for years, and many of their analytical techniques are now being applied to security.
As a defender it is tough to keep up with attackers. But many of these new technologies help to fill the gaps. Technology is no longer the biggest issue for detecting, responding, and managing threats and attacks. The biggest problem is now the lack of skilled security professionals to do the work.
In Search of… Responders
It seems like every conversation we have with CISOs or other senior security professionals these days turns at some point to finding staff to handle attacks. Open positions stay open for extended periods. These organizations really need to be creative to find promising staffers and invest in training them, even though they often soon move on to a higher-paid consulting job or another firm. If you are in this position, you aren’t unique. Even the incident response specialist shops are resource constrained. There just aren’t enough people to meet demand.
The security industry needs to address this on multiple fronts:
- Education: Continued investment in training people to understand core skills is required. More importantly, these folks need opportunities and resources to learn on the job – which is really the only way to keep up with modern attackers anyway.
- Automation: The tools need to continue evolving, to make response more efficient and accessible to less sophisticated staff. We are not talking about dumbing down the process, but instead about making it easier and more intuitive so less skilled folks can do the job, and more skilled folks can be much more efficient.
- Prioritization: Even skilled responders need to start somewhere when they think there has been an incident. Where do they start? Far too often, it’s a gut feeling. Experienced folks just know where to look. Of course that’s not a scalable process. The entire incident management function happens much faster and better when the responders have a better idea of where to look and what to look for. That’s where external data, also known as threat intelligence, comes in.
What’s Missing: a Crystal Ball
In this Leveraging Threat Intelligence in Incident Response/Management (TI+IRM) series, we won’t address education for responders. We will update the research from our React Faster and Better paper to account for how tools are evolving and how they can impact the effectiveness/efficiency of the response/management process. But this series will focus on how to help your responders prioritize their work and investigate more efficiently.
We needed to dig out one of the great sports quotes:
A good hockey player plays where the puck is. A great hockey player plays where the puck is going to be. – Wayne Gretzky
This applies to incident response/management because responders need to see into the future. To know where the attack is going to be, not merely to react to what you have already seen – which, by the way, is what traditional security technologies do. Obviously you can’t really see into the future, but you can at least benefit from the misfortune of others.
This is how we described this concept in our recent [Leveraging Threat Intelligence in Security Monitoring] paper:
By understanding attack patterns and other nuggets of information gleaned from attacks on other organizations, you can be better prepared when they come for you.
Though to be clear, you cannot actually get ahead of threats without a time machine, regardless of what vendors tell you. The threat already exists, but wouldn’t it be great to know about it before it is used against you?
This series will look at the process of responding and managing incidents, and how they can (and should) change in light the availability of threat intelligence. As is typical with our blog series, we owe a debt of gratitude to Cisco and Malcovery Security for potentially licensing the research at the end of the project. We make this point frequently, but without security companies understanding and getting behind our Totally Transparent Research model, you wouldn’t be able to enjoy our open research.