Presented by Chuck Leaver, Chief Executive Officer Ziften Technologies – Written By Dr Al Hartmann
1. Security Operations Center (SOC).
You have a Security Operations Center with 24/7 coverage, whether in-house, outsourced or a mix of the two. You do not want any gaps in coverage that might leave you open to intrusion. Handovers between watch managers must be formalized, with proper handover reports. The supervisor supplies a daily summary covering any attack detections and the defensive countermeasures taken. Where possible, the attackers should be distinguished by C2 infrastructure, attack method and so on, and given codenames. You are not attempting to attribute attacks here, as that would be too difficult; you are simply tracking the attack activity patterns that correlate with different adversaries. It is important that your SOC becomes familiar with these patterns so it can separate attackers from one another and recognize new ones.
2. Security Vendor Support Readiness.
Your security staff cannot know every aspect of cyber security, nor have knowledge of attacks on other companies in the same market. You need external security support teams on standby, which might include the following:
(i) Emergency response team support: a short list of vendors that will respond to the most severe cyber attacks, the kind that make headlines. Make sure one of these vendors is on standby for a major incident and receives your cyber security reports on a regular basis. They must be capable of legally sound forensics and have working relationships with law enforcement.
(ii) Cyber threat intelligence support: a vendor that collects cyber threat intelligence in your vertical, so that you stay ahead of the threats emerging in your sector. This group needs to be plugged into the dark net, watching for any mention of your organization's IP or for discussions between hackers about your organization.
(iii) IoC and blacklist support: because this covers numerous areas, you will need several vendors. It includes domain blacklists, SHA1 or MD5 blacklists, IP blacklists, and indicators of compromise (suspect configuration settings, Windows registry keys and file paths, etc.). Some of your installed network or endpoint security products may provide these, or you can appoint a third-party specialist.
(iv) Reverse engineering support: a vendor that specializes in analyzing binary samples and delivers detailed reports on their content, the risk they pose and the malware family they belong to. Your current security vendors may offer this service, or you can engage a specialist that concentrates on reverse engineering.
(v) Public relations and legal support: if you suffer a major breach, you must ensure that PR and legal support are in place so that your CEO, CIO and CISO do not become a Harvard Business School case study in how not to handle a significant cyber attack.
3. Asset inventory, classification and protection readiness.
You must ensure that all of your cyber assets are inventoried, their relative value classified, and appropriate cyber defenses implemented for each asset category. Do not rely solely on the assets known to the IT group; get a business system sponsor to help identify assets, especially those hidden in the public cloud. Also ensure that key management procedures are in place.
4. Attack detection and diversion readiness.
For each of the significant asset categories you can build replicas on honeypot servers to tempt attackers into infiltrating them and revealing their attack methods. When Sony was attacked, the hackers found a domain server holding a file named 'passwords.xlsx' that contained cleartext passwords for the company's servers. This was an excellent ruse, and you should use such tactics: place lures in tempting locations and alarm them so that any access triggers an alert immediately, giving you an instant attack intelligence system. Rotate these lures regularly so that they appear active and do not look like an obvious trap. Because so many servers are virtual, attackers will not be as prepared with sandbox evasion techniques as they are on client endpoints, so you may be fortunate enough to watch the attack as it happens.
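One way to alarm such lures, as an added example that is not part of the original article or any Ziften product: a detector run over file-access audit events that alerts on any touch of a decoy path, while ignoring the scheduled job that refreshes the lures so they look active. The decoy paths, the `svc_lure_rotate` service account and the simplified key=value event format are all constructed for this example.

```python
import re
from dataclasses import dataclass

# Decoy files planted in tempting locations (constructed example paths).
# Compared case-insensitively because these are Windows UNC paths.
DECOY_PATHS = {
    r"\\fileserver\IT\passwords.xlsx".lower(),
    r"\\fileserver\Finance\payroll_2015.xlsx".lower(),
}
# Hypothetical service account whose scheduled job rewrites the lures so
# they appear active; its touches are expected and must not trip the alarm.
ROTATION_ACCOUNT = "svc_lure_rotate"

_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')   # key=value or key="quoted value"

@dataclass(frozen=True)
class Alert:
    ts: str
    host: str
    user: str
    process: str
    path: str

def parse_event(line):
    """Parse one audit line into a dict, stripping quotes from values."""
    return {k: v.strip('"') for k, v in _KV.findall(line)}

def detect_decoy_access(lines):
    """Return one Alert for every access to a decoy path not made by the rotation job."""
    alerts = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("path", "").lower() not in DECOY_PATHS:
            continue                          # ordinary file, not a lure
        if ev.get("user") == ROTATION_ACCOUNT:
            continue                          # expected refresh, not an intruder
        alerts.append(Alert(ev.get("ts", "?"), ev.get("host", "?"), ev.get("user", "?"),
                            ev.get("process", "?"), ev["path"]))
    return alerts

# Constructed sample events in a simplified audit format (not real product output).
SAMPLE_LOG = [
    r'ts=2015-06-01T02:14:07Z host=FS01 user=svc_lure_rotate process=rotate_lures.ps1 action=file_write path="\\fileserver\IT\passwords.xlsx"',
    r'ts=2015-06-01T02:14:08Z host=FS01 user=svc_lure_rotate process=rotate_lures.ps1 action=file_read path="\\fileserver\IT\passwords.xlsx"',
    r'ts=2015-06-01T03:41:22Z host=FS01 user=jdoe process=excel.exe action=file_read path="\\fileserver\IT\budget.xlsx"',
    r'ts=2015-06-01T03:42:05Z host=FS01 user=jdoe process=cmd.exe action=file_read path="\\FILESERVER\it\Passwords.xlsx"',
    r'ts=2015-06-01T03:42:09Z host=FS01 user=jdoe process=cmd.exe action=file_copy path="\\fileserver\Finance\payroll_2015.xlsx"',
]

if __name__ == "__main__":
    for a in detect_decoy_access(SAMPLE_LOG):
        print(f"DECOY ACCESS {a.ts} {a.host} {a.user} {a.process} -> {a.path}")
```

Running it on the sample yields two alerts, both for `jdoe` via `cmd.exe`; the rotation account's read and write of the same lure produce none.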
5. Monitoring readiness and continuous visibility.
Network and endpoint activity must be monitored continuously and made visible to the SOC team. Because many client endpoints are mobile, and therefore outside the organization's firewall, activity on those endpoints must be monitored as well. Endpoint monitoring is the only definitive way to perform process attribution for monitored network traffic, because protocol fingerprinting at the network level cannot always be trusted (attackers can spoof it). Monitored data must be retained and archived for future reference, since many attacks cannot be identified in real time. You will need to rely on metadata more often than on full packet capture, since the latter imposes a considerable collection overhead. However, dynamic, threat-based monitoring controls can keep collection overhead low while still responding to significant threats with more granular observations.
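The process attribution described above, as an added example that is not part of the original article or any Ziften product: network-side flow metadata (4-tuple plus the sensor's protocol guess, no payload) is joined to endpoint-agent socket telemetry on the same 4-tuple within a short time window, so each flow is tied to the process that opened it and flows from hosts with no endpoint telemetry are surfaced as a coverage gap. All records, hosts and addresses are constructed; the time window is a design choice for this example, guarding against ephemeral-port reuse matching an old socket.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

@dataclass(frozen=True)
class Flow:
    """Network sensor metadata: 4-tuple plus the sensor's protocol guess (spoofable)."""
    ts: datetime
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    net_proto: str

@dataclass(frozen=True)
class EndpointConn:
    """Endpoint agent telemetry: which process on which host opened the socket."""
    ts: datetime
    host: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    process: str

def attribute_flows(flows, conns, window=timedelta(seconds=5)):
    """Join each flow to the endpoint connection with the same 4-tuple whose timestamp
    is closest within `window`. Returns (attributed, unattributed)."""
    by_tuple = {}
    for c in conns:
        by_tuple.setdefault((c.src_ip, c.src_port, c.dst_ip, c.dst_port), []).append(c)
    attributed, unattributed = [], []
    for f in flows:
        cands = [c for c in by_tuple.get((f.src_ip, f.src_port, f.dst_ip, f.dst_port), [])
                 if abs(c.ts - f.ts) <= window]
        if cands:
            attributed.append((f, min(cands, key=lambda c: abs(c.ts - f.ts))))
        else:
            unattributed.append(f)   # no agent saw this socket: coverage gap or unmanaged host
    return attributed, unattributed

T = datetime(2015, 6, 1, 3, 40, 0)
# Constructed sample records (not real captures); the second flow reuses the first's
# ephemeral port later, and the third comes from a host with no endpoint agent.
FLOWS = [
    Flow(T, "10.1.5.20", 51544, "203.0.113.9", 443, "https"),
    Flow(T + timedelta(seconds=30), "10.1.5.20", 51544, "203.0.113.9", 443, "https"),
    Flow(T + timedelta(seconds=2), "10.1.7.88", 40022, "198.51.100.4", 53, "dns"),
]
CONNS = [
    EndpointConn(T - timedelta(seconds=1), "WS-020", "10.1.5.20", 51544, "203.0.113.9", 443, "chrome.exe"),
    EndpointConn(T + timedelta(seconds=29), "WS-020", "10.1.5.20", 51544, "203.0.113.9", 443, "powershell.exe"),
]

if __name__ == "__main__":
    att, unatt = attribute_flows(FLOWS, CONNS)
    for f, c in att:
        print(f"{f.ts:%H:%M:%S} {f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} net={f.net_proto} process={c.process}@{c.host}")
    for f in unatt:
        print(f"{f.ts:%H:%M:%S} {f.src_ip}:{f.src_port} -> {f.dst_ip}:{f.dst_port} UNATTRIBUTED (no endpoint telemetry)")
```

The two same-tuple flows resolve to different processes because the window picks the socket that was open at the time, not the first one seen; the DNS flow stays unattributed and is exactly the kind of record the SOC should chase down.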