Cyber Incident Response: Detect – Respond – Contain


A recent conversation with a customer about Cyber Incident Response helped me realize that, when dealing with the cleanup of cyber threats, we need to follow a methodical protocol. His focus on Detect, Respond and Contain helped inspire me to write about the topic and about how flow collection allowed him to reach his investigation goals.


Sure, we want to be proactive and detect the malware before it wreaks havoc on our important resources, but we also know that this isn’t always going to happen. Unfortunately, despite best efforts to be proactive, many of us can tell of a time when we’ve been hacked.

Infections are simply going to penetrate our best defenses, and when they do, they can hide almost anywhere – on nearly any type of network device. This is why we need a solution that monitors traffic in every corner of the internal communication fabric. The next threat could come from any direction, and when it makes a move, you should have a system in place that will uncover its stealthy intentions. Detection today watches internal, laterally moving traffic as well as connections headed for the Internet.

The problem with detection is that advanced malware often behaves like many common applications. To spot subtle abnormal behaviors we need baselines that archive what seemingly normal behavior looks like. For example: how many flows does a host normally create in a given time frame? How many bytes and packets does it send, and how many end systems does it reach out to or receive connections from?

The combinations of past behaviors we need to consider are nearly endless. For this reason, we need to make the right choices, because ideally all traffic should be scrutinized for abnormal traffic patterns at all times. Read the 4 Tell Tale Signs of Data Exfiltration.


Even when the incident response solution isn’t involved in the actual detection, it is almost always the go-to solution when the next step is to take action. This generally means research into how far the infection has spread. To do this, a scalable flow collection architecture needs to save all flow details for as long as necessary. Security professionals realize that forensic discovery often requires in-depth filtering in order to narrow in on specific details.

Digging in and identifying all of the details surrounding a threat means that we need to understand how the threat entered the network, who was responsible, how it infects others and what other machines it has spread to. When a specific host needs to be tracked down, a central interface capable of reaching across ‘oceans’ to initiate a collective searching effort from potentially dozens of distributed collectors is required. And, the system must bring the details back to a single console – fast.


Once the infected machines are uncovered, believe it or not, the best strategy is often to avoid quarantining the compromised machines. Sometimes it is best to carefully monitor the traffic behaviors of the host infected with the malware to learn its behaviors. By identifying certain characteristics, the IT team can leverage this information to sleuth out other infections. A good incident response system allows you to save profiles and further leverage them to search for similar behaviors across distributed locations, all from a single web interface.
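To make the two ideas above concrete (the per-host flow baseline described under detection, and saving a behavior profile to hunt for similar hosts), here is an added Python example; it is not Plixer code. The flow records, hosts, peers and the 8443 destination port are all constructed for the example; days 1-4 stand in for the archived baseline and day 5 for the window under investigation.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed NetFlow-style records (day, src, dst, dst_port, bytes, packets); days 1-4 are baseline, day 5 is under investigation.
PEERS = ["10.0.1.1", "10.0.1.2", "10.0.1.3", "10.0.1.4"]
HOSTS = ["10.0.0.5", "10.0.0.9", "10.0.0.12"]
METRICS = ("flows", "bytes", "peers")

def _routine(day, host):
    """Routine traffic: 3 flows of 1000 bytes to each of 3 or 4 internal peers."""
    return [(day, host, p, 443, 1000, 10) for p in PEERS[:3 + day % 2] for _ in range(3)]

FLOWS = [f for day in range(1, 6) for h in HOSTS for f in _routine(day, h)]
# Day-5 anomaly: one host pushes 1 MB to an external peer in 20 flows; a second
# host makes one small connection to the same peer and port.
FLOWS += [(5, "10.0.0.5", "203.0.113.9", 8443, 50_000, 40)] * 20
FLOWS += [(5, "10.0.0.12", "203.0.113.9", 8443, 2_000, 12)]

def per_day(flows):
    """(day, host) -> (flow count, total bytes, distinct destination count)."""
    agg = defaultdict(lambda: [0, 0, set()])
    for day, src, dst, _port, nbytes, _pkts in flows:
        a = agg[(day, src)]
        a[0] += 1; a[1] += nbytes; a[2].add(dst)
    return {k: (v[0], v[1], len(v[2])) for k, v in agg.items()}

def deviations(flows, day, z=3.0):
    """{host: metrics} where the day-`day` value exceeds baseline mean + z std devs."""
    agg = per_day(flows)
    hist = defaultdict(lambda: defaultdict(list))
    for (d, host), vals in agg.items():
        if d < day:
            for name, v in zip(METRICS, vals):
                hist[host][name].append(v)
    flagged = {}
    for host, series in hist.items():
        hits = []
        for name, v in zip(METRICS, agg.get((day, host), (0, 0, 0))):
            mu = mean(series[name])
            sd = pstdev(series[name]) or 0.1 * mu  # floor so a constant history can still deviate
            if v > mu + z * sd:
                hits.append(name)
        if hits:
            flagged[host] = hits
    return flagged

def new_profile(flows, host, day):
    """Saved profile: (dst, port) pairs the host used on `day` but never in its baseline."""
    before = {(dst, p) for d, s, dst, p, *_ in flows if s == host and d < day}
    return {(dst, p) for d, s, dst, p, *_ in flows if s == host and d == day} - before

def search_profile(flows, profile, day, exclude):
    """Other hosts on `day` that contacted any (dst, port) in the saved profile."""
    return sorted({s for d, s, dst, p, *_ in flows
                   if d == day and s != exclude and (dst, p) in profile})
```

The host flagged by the baseline check (10.0.0.5) yields a profile of one new destination and port, and searching that profile surfaces 10.0.0.12, whose single small connection would never have tripped a volume threshold on its own.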

Uncovering all traces of the malware should be a methodical step-by-step process leading to eventual isolation and eradication of all infections. Once all infected machines have been identified, we can start cleaning and leveraging the flow collection system to continually monitor for the infection behaviors long after the malware has been removed from the network.

Damage Control

In the end, we have to be concerned about damage control. Industry compliance requires that many businesses come forward when an electronic security breach has successfully extracted sensitive customer information. A system that empowers your team to get their arms around the infection fast is imperative.



Michael Patterson

Michael Patterson is the Founder and CEO of Plixer International. Prior to starting the company in 1998, he worked for Cabletron Systems in Support, Training and Professional Services. He is an experienced leader with strong insight into the industry and the needs of his customers. He has an aptitude for delivering high performing, value added, systems and service solutions to meet challenging business demands. He started the company as a one man shop and has grown it into a multi-million dollar organization. All this done without the assistance of venture capital. Michael is passionate about how the company grows, the technologies it pursues and continues to participate at many levels of the organization. By taking a hands on approach with the hardware and software, he works with the software developers and in quality assurance testing to help ensure that the products behave in a format that continually supports the collective vision of the company. He has a Bachelor’s Degree from the University of Maine and a Masters in Computer Information Systems from Southern New Hampshire University.
