Incident response may be a basic cybersecurity prerequisite, but there’s nothing basic about it. If anything, the complexity of modern-day IR makes us pine for the old days, when the DDoS attacks were under 100 gigabytes per second, and it was the hackers who were frantically trying to decode encrypted files (ransomware has turned encryption against the good guys). Alas, IR won’t be getting simpler anytime soon.
The good news, however, is that we’re getting better at it, by leaps and bounds no less. Of course, that doesn’t mean we don’t have more to learn, which is why Arctic Wolf Networks’ head of security engineering, Sam McLane, recently sat down with SC Magazine to take a deeper dive into the nitty-gritty of IR.
Without giving too much away (this is their IR webinar, after all), here are a few of the highlights:
‘The call is coming from inside the house!’
“Insider threats are on the rise.”
Unfortunately, some IT administrators can relate to the terror Jill Johnson felt in When a Stranger Calls upon learning that the creepy phone calls she’d been receiving were coming from inside her own house. Insider threats, whether they’re malicious or just the result of carelessness, are on the rise, and they’re giving organizations quite a fright.
The webinar, “Incident Response from the Inside Out,” opens with a very important point: when a breach occurs, the assumption cannot be that external forces are responsible. The possibility of an insider-introduced threat must be considered. The question from there is, “How should you limit access control to those who have a specific need to access the compromised systems?” In other words, who can you trust?
A good place to start is by using physical access controls. If, for instance, a hacker has stolen John Doe’s login credentials and is operating under a seemingly trustworthy profile from a remote system, the actual John Doe can still have his access, but only from a single physical location.
There’s a lot more to it than that, but we’ll leave it to McLane to supply the details.
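One way to express that “single physical location” rule in code, as an added example that is not from the webinar or the article: once an account is flagged as compromised, logins are allowed only from the account’s home site network, and every denied attempt is collected for the IR team to review. The user name, site network and addresses are constructed for illustration.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Constructed sample site: the physical location John Doe works from.
SITE_NETWORKS = {"hq-floor2": ip_network("10.20.0.0/16")}


@dataclass
class AccountPolicy:
    user: str
    home_site: str
    onsite_only: bool = False  # flipped to True once compromise is suspected


@dataclass
class AccessDecision:
    allowed: bool
    reason: str


def restrict_to_home_site(policy: AccountPolicy) -> AccountPolicy:
    """IR step: keep the real user working, but only from their home site."""
    return AccountPolicy(policy.user, policy.home_site, onsite_only=True)


def evaluate_login(policy: AccountPolicy, source_ip: str) -> AccessDecision:
    """Decide a login attempt for the account under the current policy."""
    if not policy.onsite_only:
        return AccessDecision(True, "no location restriction in effect")
    if ip_address(source_ip) in SITE_NETWORKS[policy.home_site]:
        return AccessDecision(True, f"on-site at {policy.home_site}")
    return AccessDecision(
        False, f"{policy.user} restricted to {policy.home_site}; {source_ip} denied"
    )


def triage_attempts(policy: AccountPolicy, attempts: list[str]) -> list[str]:
    """Return the source addresses the policy refused; these are the
    attempts the IR team should treat as the attacker's, not the user's."""
    return [ip for ip in attempts if not evaluate_login(policy, ip).allowed]


if __name__ == "__main__":
    # Constructed scenario: jdoe's credentials are suspected stolen.
    jdoe = restrict_to_home_site(AccountPolicy("jdoe", "hq-floor2"))
    attempts = ["10.20.5.7", "203.0.113.9", "10.20.77.1", "198.51.100.4"]
    for ip in attempts:
        print(ip, evaluate_login(jdoe, ip).reason)
    print("for IR review:", triage_attempts(jdoe, attempts))
```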
‘It’s a trap!’
When Admiral Ackbar realized that the Imperial forces had the rebel fleet exactly where they wanted it, there was only one thing left to say.
The tricky part about an IR plan is making sure that a certain attack isn’t, in fact, a trap. In SC Magazine’s webinar, McLane used the example of a distributed denial-of-service attack. Hackers could use a DDoS attack to get your IR team exactly where they want them. With all hands on deck tackling the diversion, the cybercriminals can execute the real ambush under the radar.
In order to prevent diversionary tactics, McLane noted that it’s important to have certain staff pre-assigned to scan other vectors while IR is in progress. Ideally, you would not want your entire staff’s attention diverted in one direction. To that end, working with a third party that can help manage IR is hugely beneficial.
And plenty more where that came from
The above are only a few of the insights provided by McLane in SC Magazine’s recent webinar about IR. To learn about the IR chain of command, proper containment procedures, post-incident analysis and much more, listen to the complete webinar, available here.