Things To Do After You've Been Hacked




Problem: You've been hacked! Now what?
Solution: Proactive, automated incident response from inside the network.

It only takes one click to compromise an organization. Once a breach happens, the damage can be devastating. And unless you adopt a proactive stance in responding to incidents, you are doomed to get compromised over and over again. How many times will you fall... hook, line and sinker? It's time to change your strategy.

95% of all state-affiliated espionage attacks still rely on phishing in some way.*

* 2013 Verizon Data Breach Investigations Report (VDBIR)

Hexis Page 2

It is only a matter of time before you are hacked. Why? Because hackers only need to exploit one vulnerability, while defenders need to defend them all. It only takes one click by an unknowing user and the hacker is in. It's that simple. To make matters worse, the Verizon Data Breach Investigations Report (VDBIR) found that in 66% of cases the breach wasn't discovered for months or even years. During that time critical data and assets are at risk. How quickly and effectively you respond matters a lot. It isn't realistic to expect you'll never get hacked. But it is realistic to expect you can improve your response and mitigate the impact of attacks now and in the future. These 5 steps can help.

In 66% of cases it took months or even years to discover a breach.*

* 2013 Verizon Data Breach Investigations Report (VDBIR)

1. Detect and Identify

Error messages, suspicious events in logs, poor performance and unusual bandwidth usage can all indicate a possible event. Once you've validated that you're dealing with a malicious situation and not noise, such as a misconfiguration or a false positive, you need to establish a cross-functional team to oversee all aspects of the response process and immediately begin to:

- Locate patient zero if possible, or any device known to be compromised
- If you can gain access to the actual malware and have the skills, analyze it to determine how it got in, how it is behaving, how it is spreading and whether it has exfiltrated any data
- Even if you can't directly do malware analysis, examine a compromised device to determine Indicators of Compromise (IOCs) so you can search other hosts for signs of exploitation
- Collect and correlate log data from as many sources as available, including server logs, firewall and IDS/IPS logs and flow data, to gather more details about what happened and determine if other hosts are infected

Time is of the essence. Given the amount of work and expertise required, you may need to hire professional services to supplement your in-house security team. Do this at your discretion.

2. To Contain or Not to Contain?

Now that you've identified the nature, extent and severity of the attack, you have two options: contain it, or jump straight to removal. Traditional incident response plans dictate that you contain and stop it. This involves:

- Quarantining the compromised host(s) or system(s), or disabling certain functions
- Removing user access or login to the system
- Determining the access point and blocking it to prevent ongoing damage

Containing is appropriate if you're dealing with a drive-by type attack in which a virus or other rudimentary threat is introduced and the attacker quickly moves on to the next victim. But if you believe you're dealing with advanced malware or an APT that watches and alters its techniques depending on your reaction, the more effective approach could be to jump directly to step 3 and coordinate the removal phase. Quarantining systems and blocking access is an immediate tip-off to the attacker that you're on to them. They'll simply hide and lie dormant within your environment to launch at a point in the future, or alter their methods in a way that you can't detect and continue on their mission.

3. Remove and Recover

Whether you choose to contain the attack or not, comprehensively removing the threat is critical so that you can reduce the risk of reinfection and get back to normal operations. This is particularly important when dealing with an APT that will simply move elsewhere in the network and attack again, requiring you to repeat this entire process. If possible, identify all infected hosts on the network and then perform the following steps on the hosts known to be compromised:

- Stop or kill all active processes of the attacker
- Remove all the files, back doors and malicious programs the attacker created, and save them as evidence for the investigation
- Protect sensitive data by separating it from the compromised system(s) or network
- Check all associated systems, including those reachable through trusted relationships
- Apply patches and fixes to eliminate vulnerabilities and correct any improper settings/misconfigurations to prevent subsequent similar attacks
- Update all login accounts and passwords that may have been accessed by the attacker
- Perform a damage assessment on each system/file
- Reinstall the affected files or the entire system as needed
- Turn on functions in stages in order of priority, verify successful restoration, and notify all affected parties
- Disconnect the infected hosts and, if necessary, obtain forensic information
- Perform daily reboots of systems to eliminate memory-only resident malware

4. Be Proactive

At this point you probably think you're out of the woods. And in some ways you are, having executed a thorough response, mitigated the impact of the attack, and learned from it to prevent future similar attacks. But sophisticated and relentless attackers learned from the experience as well. They'll return with nuanced versions of the attack and you'll be back on the defensive, repeating this process again and again. If you've hired professional services to help with incident response and remediation, then dealing with reinfections can cause security costs to spiral out of control. To break the cycle, you need to take a proactive stance by:

- Changing your mindset from "if" to "when" an attack will happen, so that you can better anticipate threats and take action to reduce the amount of time an APT lives in your organization
- Actively investigating your environment for IOCs by continuing to collect data from multiple sources and looking for known malware via signatures and unknown malware via behavioral detection algorithms
- Staying current with the latest threat intelligence and available countermeasures, and deploying them as required within the context of your environment

5. Automate Incident Response

Being proactive can be time consuming because you are now investing resources in looking for attacks before they occur. In the long term it makes financial sense, but it may be difficult to justify in the short term because of the additional resources required. This is why automation goes hand in hand with a proactive approach. Automation eliminates the need to perform manual work that is crucial but time consuming, such as collecting endpoint data from a large number of hosts and searching for IOCs. To begin to incorporate automation into your approach to incident response:

- Select solutions that you and your team trust and that integrate well with your existing security infrastructure
- Evolve from manual methods to automation over time as your comfort level grows and the value is demonstrated: begin with low-hanging fruit such as searching for and removing files with known bad MD5 hash values on endpoints, then move to more sophisticated methods of analyzing data to identify IOCs and kill processes or remove files
- Report back to the business on how automation is saving costs while enhancing security by freeing up highly skilled security staff to be proactive

Status quo is not an option. If you shun automation entirely you'll find yourself at a constant and mounting disadvantage against attackers.
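The hash sweep that step 1 (searching other hosts for IOCs taken from a compromised device) and step 5 (the low-hanging fruit of files with known bad MD5 values) both describe, written here as an added Python example; it is not code from the Hexis paper or its product. The two sample files, the seeded KNOWN_BAD list, the file names and the temporary endpoint tree are all constructed, and matches are moved into an evidence vault rather than deleted, as step 3 asks.

```python
import hashlib
import shutil
import tempfile
from pathlib import Path
# Constructed samples: SAMPLE_BAD stands in for a file recovered from the compromised host.
SAMPLE_BAD = b"constructed sample standing in for a known malicious binary\n"
SAMPLE_OK = b"constructed sample of an ordinary, benign document\n"
# Constructed IOC list, seeded from the sample; a real one comes from malware analysis or a
# threat-intel feed. MD5 is what the paper names; SHA-256 rides along because MD5 collisions are cheap.
KNOWN_BAD = {
    "md5": {hashlib.md5(SAMPLE_BAD).hexdigest()},
    "sha256": {hashlib.sha256(SAMPLE_BAD).hexdigest()},
}

def file_digests(path: Path) -> dict:
    """Stream the file once; return {algorithm: hexdigest} for every IOC algorithm."""
    hashers = {alg: hashlib.new(alg) for alg in KNOWN_BAD}
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            for h in hashers.values():
                h.update(chunk)
    return {alg: h.hexdigest() for alg, h in hashers.items()}

def sweep(root: Path, bad: dict = KNOWN_BAD) -> list:
    """Walk an endpoint's files; return (path, algorithm, digest) for each IOC match."""
    hits = []
    for p in (q for q in root.rglob("*") if q.is_file()):
        for alg, digest in file_digests(p).items():
            if digest in bad[alg]:
                hits.append((p, alg, digest))
                break  # one match per file is enough
    return hits

def quarantine(hits: list, vault: Path) -> list:
    """Move matches into an evidence vault rather than deleting them (step 3: keep evidence)."""
    vault.mkdir(parents=True, exist_ok=True)
    manifest = []
    for p, alg, digest in hits:
        dest = vault / f"{digest}_{p.name}"
        shutil.move(str(p), str(dest))
        manifest.append({"original": str(p), "stored_as": str(dest), "algorithm": alg, "digest": digest})
    return manifest

def demo() -> dict:
    """Constructed endpoint tree with one bad and one benign file: sweep it and quarantine the hit."""
    root = Path(tempfile.mkdtemp(prefix="endpoint_"))
    (root / "update_helper.bin").write_bytes(SAMPLE_BAD)
    (root / "notes.txt").write_bytes(SAMPLE_OK)
    manifest = quarantine(sweep(root), root / "_quarantine")
    return {"manifest": manifest, "left_behind": sorted(p.name for p in root.iterdir() if p.is_file())}
```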

STOP

Don't tip your hand needlessly. You may decide to contain the attack, but be careful how you respond. Actions such as hacking back or submitting the malware to a reporting site will inform the adversary you're on to them. The same is true if you use your compromised network to coordinate incident response efforts rather than establishing out-of-band communications. Before you know it, hackers will deploy another technique while you're still dealing with the first attack.

Don't start investigating without a plan. An overzealous response can compound the damage. For example, using an external tool to attempt to find the threat can taint the data required to perform proper timeline analysis. External tools can also overwrite data that may provide valuable forensic artifacts, such as prefetch data (data that is preloaded to speed the boot process and shorten application startup time). Prefetch data may help to answer the what, where and when of an attack.

Don't keep it to yourself. Inform management and the right people using the incident notification call list and call tree. Collaboration can help you deal with the situation more effectively. If you've hired professional services to help, make sure knowledge transfer is part of their process to help keep costs in check.

5 Steps to Stop the Cycle

After you've been hacked, reducing the amount of time an APT lives in your organization is the goal. To get the job done you need a methodical approach that includes steps to detect/identify, contain (or perhaps not), and remove/recover from the attack as quickly as possible. But you can't stop there, and there's no reason why you should. Attackers are increasingly creative in their methods of attack. You need to become more creative in how you identify and remediate the growing number of security incidents your organization will continue to face. By adopting a proactive approach that includes the option of policy-based automation, you can reduce the time and costs your team spends on incident response. Only then can you shift the bulk of your resources from focusing on what happened in the past to creating a safer future.

Attacks are inevitable. Companies should devote more time and effort to detection and remediation; preventing attacks becoming breaches, and breaches becoming financial and reputational disasters.*

Is IT spending time on the right prevention measures? 86% of breaches were discovered by non-IT efforts; 76% were discovered by external parties.*

* 2013 Verizon Data Breach Investigations Report (VDBIR)

For more information: Request the full white paper or arrange a demo of proactive defense from inside the network: info@hexiscyber.com.

Hexis Cyber Solutions, Inc., a subsidiary of The KEYW Holding Corporation (Nasdaq: KEYW), serves commercial companies, government agencies, and the Intelligence Community (IC) with tools and capability to detect, engage, and remove both external and internal cyber threats. To learn more, phone 443-733-1900; e-mail info@hexiscyber.com; or visit www.hexiscyber.com.