Chuck Leaver – Be Prepared For Damage Control Before A Breach With These 6 Questions

Written By Michael Bunyard And Presented By Ziften CEO Chuck Leaver


The reality of modern life is that if attackers want to breach your network, it is only a matter of time before they do. The endpoint is the most common vector for cyber attacks, and people are the greatest point of vulnerability in any organization. The endpoint device is where they interact with whatever an adversary is after: intellectual property, credentials, cyber ransom, etc. New Next Generation Endpoint Security (NGES) solutions, a category in which Ziften is a leader, provide the visibility and insight needed to reduce or prevent the likelihood or duration of an attack. Prevention methods include reducing the attack surface by removing known vulnerable applications, cutting version proliferation, killing malicious processes, and ensuring compliance with security policies.

But prevention can only go so far. No solution is 100% effective, so it is important to take a proactive, real-time approach to your environment: observing endpoint behavior, detecting when breaches have occurred, and responding immediately with remediation. Ziften also offers these capabilities, generally known as Endpoint Detection and Response (EDR), and organizations should shift their mindset from “How can we prevent attacks?” to “We will be breached, so what exactly do we do then?”

To understand the true breadth and depth of an attack, companies need the ability to look back and reconstruct the conditions surrounding a breach. Security investigators need answers to the following six questions, and they need them fast, because incident responders are outnumbered and working within limited time windows to limit damage.

Where was the attack behavior first seen?

This is where the ability to look back to the point in time of initial infection is crucial. To do this successfully, companies need to be able to go as far back in time as necessary to identify patient zero. The unfortunate state of affairs, according to Gartner, is that when a breach occurs, the average dwell time before it is detected is a shocking 205 days. According to the 2015 Verizon Data Breach Investigations Report (DBIR), in 60% of cases attackers were able to compromise organizations within minutes. That is why NGES solutions that do not continuously monitor and record activity, but instead periodically poll or scan the endpoint, can miss the critical initial penetration. The DBIR also found that 95% of malware types were seen for less than a month, and four out of five did not last a week. You need the ability to continuously monitor endpoint activity, look back in time (however long ago the attack took place), and reconstruct the initial infection.

How did it behave?

What exactly happened, step by step, after the initial infection? Did malware execute for a second every 5 minutes? Was it able to obtain escalated privileges? A continuous picture of what happened at the endpoint, behaviorally, is vital to get an investigation started.
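The two points above, that a scanner which polls the endpoint can miss brief activity a continuous recorder captures, and that a recorder's timeline lets you spot a process that runs for a second every few minutes, can be shown with a small simulation. This is an added example, not Ziften's code; every process, host name and timestamp in it is constructed, and the names `ProcessEvent`, `poll_snapshots`, `continuous_record` and `detect_periodic_execution` are assumptions of this example.

```python
# Added example, not Ziften's code: why periodic polling of an endpoint can
# miss short-lived activity that continuous event recording captures, plus a
# check for the "runs for a second every 5 minutes" pattern. All telemetry
# below is constructed; timestamps are seconds since an arbitrary epoch.
from dataclasses import dataclass

MALICIOUS_IMAGE = "upd.exe"   # constructed indicator, not a real sample
BENIGN_IMAGE = "explorer.exe"


@dataclass(frozen=True)
class ProcessEvent:
    host: str
    t_start: int   # process start, seconds
    t_end: int     # process exit, seconds
    image: str


def simulate_periodic_malware(host, first_start, period, lifetime, count):
    """Constructed telemetry: a process that lives `lifetime` seconds, every `period` seconds."""
    return [
        ProcessEvent(host, first_start + i * period, first_start + i * period + lifetime, MALICIOUS_IMAGE)
        for i in range(count)
    ]


def poll_snapshots(events, poll_start, poll_interval, poll_count):
    """What a polling scanner sees: only processes alive at the instant of each poll."""
    seen = set()
    for k in range(poll_count):
        t = poll_start + k * poll_interval
        seen.update(e.image for e in events if e.t_start <= t < e.t_end)
    return seen


def continuous_record(events):
    """What a continuous recorder sees: every start/exit, regardless of how brief."""
    return {e.image for e in events}


def detect_periodic_execution(events, image, tolerance=2):
    """Return the period in seconds if `image` starts at a regular interval
    (beacon-style behaviour), otherwise None. Needs at least three starts."""
    starts = sorted(e.t_start for e in events if e.image == image)
    if len(starts) < 3:
        return None
    gaps = [b - a for a, b in zip(starts, starts[1:])]
    median = sorted(gaps)[len(gaps) // 2]
    return median if all(abs(g - median) <= tolerance for g in gaps) else None


# Constructed scenario: one long-lived benign process and a malicious one that
# runs for one second every five minutes, twelve times over an hour.
EVENTS = simulate_periodic_malware("WS-014", 1000, 300, 1, 12) + [
    ProcessEvent("WS-014", 0, 86_400, BENIGN_IMAGE)
]

if __name__ == "__main__":
    # An hourly scan lands between two one-second executions, so it reports
    # only the benign process; the recorder has all twelve starts.
    print("hourly poll saw:", poll_snapshots(EVENTS, 0, 3600, 2))
    print("continuous recorder saw:", continuous_record(EVENTS))
    print("period of malicious image:", detect_periodic_execution(EVENTS, MALICIOUS_IMAGE))
```

The poll times in the scenario are chosen to fall between executions, but that is the normal case rather than a rigged one: a process alive for one second out of every three hundred is present at any given poll instant with probability 1/300, so a scanner that samples rather than records will usually see nothing, while the recorder's start/exit events also give the periodic-execution check the interval it needs.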

How and where did the cyber attack spread after initial compromise?

Generally the attacker is not after the data available at the point of infection, but rather wants to use it as an initial beachhead to pivot through the network to reach the sensitive data. Endpoints include the servers that the endpoints are connected to, so it is necessary to see a complete picture of any lateral movement that took place after the infection to understand which assets were compromised and potentially also infected.

How did the behavior of the infected endpoint(s) change?

What was going on before and after the infection? What network connections were being made? How much network traffic was flowing? What processes were active before and after the attack? Immediate answers to these questions are vital to rapid triage.

What user activity occurred, and was there any potential insider involvement?

What actions did the user take before and after the infection occurred? Was the user present at the device? Was a USB drive inserted? Was the time period outside their typical usage pattern? These and many more artifacts should be available to paint a complete picture.

What mitigation is needed to remediate the cyber attack and prevent the next?

Reimaging the infected machine(s) is a lengthy and costly solution, but often it is the only way to know for sure that all harmful artifacts have been removed (although state-sponsored attacks may embed into system or drive firmware to survive even reimaging). However, with a clear picture of all activity that occurred, simpler actions such as removing malicious files from all affected systems may be sufficient. Re-examining security policies will probably be in order, and NGES solutions can help automate responses in the future should similar scenarios arise. Automatable actions include sandboxing, cutting off network access from infected devices, killing processes, and more.
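The six questions above are really one procedure run over a continuously recorded endpoint timeline: find patient zero, follow the spread, compare each host before and after, check what the user was doing, and derive the remediation scope. The following is an added example of that procedure, not part of the original post and not Ziften's code. Every record, host name, user, device and address in it is constructed (198.51.100.0/24 is a documentation range), the indicator `upd.exe` is invented, and the function names and the one-hour comparison window are assumptions of this example. The lateral-movement step uses a simple temporal heuristic: an already-infected host that connected to another host shortly before that host's own first execution of the indicator is recorded as the likely source of the spread.

```python
# Added example, not part of the original post: reconstructing a breach
# timeline from continuously recorded endpoint telemetry to answer the six
# questions. Every record, host name, user and address below is constructed
# (198.51.100.0/24 is a documentation range).
from datetime import datetime, timedelta

MALICIOUS = "upd.exe"                 # constructed indicator for the intrusion
T0 = datetime(2016, 3, 7, 2, 14)      # constructed first execution: 02:14 local

# (timestamp, host, user, kind, detail); kind is "proc", "net" or "usb"
EVENTS = [
    (T0 - timedelta(hours=1),    "WS-014", "jdoe",       "proc", {"image": "outlook.exe"}),
    (T0 - timedelta(hours=1),    "WS-014", "jdoe",       "net",  {"dst": "mail.corp.local", "bytes": 40_000}),
    (T0 - timedelta(minutes=2),  "WS-014", "jdoe",       "usb",  {"device": "Kingston DT101"}),
    (T0,                         "WS-014", "jdoe",       "proc", {"image": MALICIOUS}),
    (T0 + timedelta(minutes=1),  "WS-014", "jdoe",       "net",  {"dst": "198.51.100.23", "bytes": 2_000}),
    (T0 + timedelta(minutes=5),  "WS-014", "jdoe",       "proc", {"image": "whoami.exe"}),
    (T0 + timedelta(minutes=9),  "WS-014", "jdoe",       "net",  {"dst": "FS-02", "bytes": 900_000}),
    (T0 + timedelta(minutes=10), "FS-02",  "svc_backup", "proc", {"image": MALICIOUS}),
    (T0 + timedelta(minutes=12), "WS-007", "asmith",     "net",  {"dst": "FS-02", "bytes": 3_000}),
    (T0 + timedelta(minutes=30), "FS-02",  "svc_backup", "net",  {"dst": "DB-01", "bytes": 120_000}),
    (T0 + timedelta(minutes=31), "DB-01",  "svc_backup", "proc", {"image": MALICIOUS}),
    (T0 + timedelta(minutes=40), "DB-01",  "svc_backup", "net",  {"dst": "198.51.100.23", "bytes": 50_000_000}),
]


def infection_times(events, image=MALICIOUS):
    """First execution of `image` per host (the look-back the article asks for)."""
    first = {}
    for ts, host, _, kind, d in sorted(events, key=lambda e: e[0]):
        if kind == "proc" and d.get("image") == image and host not in first:
            first[host] = ts
    return first


def patient_zero(events, image=MALICIOUS):
    """Q1: the earliest (time, host) at which the image executed."""
    first = infection_times(events, image)
    return min((ts, host) for host, ts in first.items()) if first else None


def lateral_movement(events, image=MALICIOUS):
    """Q3: edges (src, dst, time) where an already-infected src connected to
    dst before dst's own first execution, i.e. the connection explains the spread."""
    first = infection_times(events, image)
    return [
        (src, d["dst"], ts)
        for ts, src, _, kind, d in sorted(events, key=lambda e: e[0])
        if kind == "net" and src in first and d["dst"] in first
        and first[src] <= ts < first[d["dst"]]
    ]


def before_after(events, host, t0, window=timedelta(hours=1)):
    """Q4: processes, destinations and bytes on `host` in the window before vs after t0."""
    before = {"procs": set(), "dsts": set(), "bytes": 0}
    after = {"procs": set(), "dsts": set(), "bytes": 0}
    for ts, h, _, kind, d in events:
        if h != host or not (t0 - window <= ts <= t0 + window):
            continue
        bucket = before if ts < t0 else after
        if kind == "proc":
            bucket["procs"].add(d["image"])
        elif kind == "net":
            bucket["dsts"].add(d["dst"])
            bucket["bytes"] += d["bytes"]
    return {"new_procs": after["procs"] - before["procs"],
            "new_dsts": after["dsts"] - before["dsts"],
            "bytes_before": before["bytes"], "bytes_after": after["bytes"]}


def user_activity(events, host, t0, window=timedelta(hours=1), business_hours=(8, 18)):
    """Q5: which users were active, whether removable media was inserted, and
    whether the infection fell outside normal working hours."""
    in_window = [e for e in events if e[1] == host and t0 - window <= e[0] <= t0 + window]
    return {"users": {u for _, _, u, _, _ in in_window},
            "usb_inserted": [d["device"] for _, _, _, k, d in in_window if k == "usb"],
            "off_hours": not (business_hours[0] <= t0.hour < business_hours[1])}


def remediation_scope(events, image=MALICIOUS, external_prefix="198.51.100."):
    """Q6: hosts to isolate and clean, and external destinations infected hosts
    talked to (candidates for blocking), derived from the reconstructed timeline."""
    infected = set(infection_times(events, image))
    block = {d["dst"] for _, h, _, k, d in events
             if k == "net" and h in infected and d["dst"].startswith(external_prefix)}
    return {"isolate_and_clean": infected, "block_destinations": block}


if __name__ == "__main__":
    print("Q1 patient zero:", patient_zero(EVENTS))
    print("Q3 lateral movement:", [(a, b) for a, b, _ in lateral_movement(EVENTS)])
    print("Q4 change on WS-014:", before_after(EVENTS, "WS-014", T0))
    print("Q5 user activity:", user_activity(EVENTS, "WS-014", T0))
    print("Q6 remediation scope:", remediation_scope(EVENTS))
```

Run as-is, the script shows the workstation as patient zero, the spread WS-014 to FS-02 to DB-01 (the unrelated connection from WS-007 is not counted because WS-007 never ran the indicator), two new processes and two new destinations on the workstation, a USB insertion by a present user at 02:14, and three hosts to isolate plus one external address to block. The heuristics are deliberately simple; in a real investigation the same timeline would be joined with privilege-escalation, file-write and authentication events, but the shape of the procedure is the same.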

Do not wait until after a breach happens and you have to hire an army of consultants and spend your time and money piecing the facts together. Make sure you are prepared to answer these six key questions and have all the answers within your reach in minutes.