Six Questions For Damage Control Prior To A Cyber Attack – Chuck Leaver

Written By Michael Bunyard And Presented By Ziften CEO Chuck Leaver


The reality of modern-day life is that if cyber attackers wish to breach your network, then it is just a matter of time before they will be successful. The endpoint is the most typical vector of attack, and the people are the most significant point of susceptibility in any company. The endpoint device is where they interact with whatever info that a cyber attacker seeks: intellectual property, information, cyber ransom, etc. There are new Next Generation Endpoint Security (NGES) systems, where Ziften is a leader, that supply the needed visibility and insight to assist reduce or avoid the chances or duration of an attack. Methods of avoidance consist of lowering the attack surface area through getting rid of recognized susceptible applications, reducing version proliferation, eliminating malicious procedures, and guaranteeing compliance with security policies.

However avoidance can only go so far. No service is 100% reliable, so it is important to take a proactive, real time approach to your environment, viewing endpoint behavior, detecting when breaches have taken place, and responding right away with the necessary action. Ziften also supplies these abilities, usually called Endpoint Detection and Response, and organizations should alter their frame of mind from “How can we avoid attacks?” to “We are going to be breached, so what do we do then?”

To comprehend the true breadth or depth of an attack, companies need to be able to take a look back and reconstruct the conditions surrounding a breach. Security analysts require answers to the following 6 questions, and they require them fast, considering that Incident Response officers are outnumbered and dealing with limited time windows to reduce damage.

Where was the attack behavior first seen?

This is where the capability to rewind the clock to the point in time of preliminary infection is critical. In order to do this successfully, organizations have to have the ability to go as far back in time as required to identify patient zero. The unfortunate state of affairs in accordance with Gartner is that when a cyber breach happens, the average dwell time prior to a breach is spotted is a stunning 205 days. According to the 2015 Verizon Data Investigations Breach Report (DBIR), in 60% of cases, cyber attackers were able to penetrate organizations within minutes. That’s why NGES solutions that do not constantly monitor and record activity but rather occasionally poll or scan the endpoint can lose out on the preliminary critical penetration. Likewise, DBIR discovered that 95% of malware types appeared for less than four weeks, and 4 out of 5 didn’t last 7 days. You require the ability to continually monitor endpoint activity and look back in time (however long ago the attack occurred) and reconstruct the initial infection.

How did it act?

Exactly what took place piece by piece after the initial infection? Did malware execute for a second every 5 minutes? Was it able to obtain intensified privileges? A constant image of what took place at the endpoint behaviorally is vital to obtain an examination began.

How and where did the cyber attack disperse after initial compromise?

Normally the adversary isn’t really after the info readily available at the point of infection, however rather wish to utilize it as a preliminary beachhead to pivot through the network to find its way to the valuable data. Endpoints consist of the servers that the endpoints are linked to, so it is necessary to be able to see a total picture of any lateral movement that took place after the infiltration to know exactly what assets were compromised and potentially likewise contaminated.

How did the infected endpoint(s) behavior(s) change?

What was going on prior to and after the contamination? What network connections were being attempted? Just how much network traffic was flowing? What procedures were active before and after the attack? Immediate answers to these concerns are vital to quick triage.

What user activity happened, and was there any potential insider participation?

What actions did the user take previously and after the infection occurred? Was the user present on the machine? Was a USB drive inserted? Was the time period outside their typical use pattern? These and much more artifacts must be offered to paint a full picture.

What mitigation is needed to solve the cyber attack and avoid the next?

Reimaging the infected computer(s) is a lengthy and pricey solution but lot of times this is the only way to understand for sure that all harmful artifacts have been removed (although state-sponsored attacks might embed into system or drive firmware to stay immune even to reimaging). However with a clear image of all activity that took place, simpler actions such as getting rid of harmful files from all systems affected might be sufficient. Re-examining security policies will most likely be in order, and NGES systems can help automate future actions should comparable circumstances occur. Automatable actions consist of sandboxing, cutting off network access from infected machines, killing processes, and a lot more.

Don’t wait till after a cyber attack happens and you need to employ an army of specialists and spend valuable time and cash piecing the realities together. Make certain you are prepared to answer these six key questions and have all the responses within your grasp in minutes.

Leave a Reply

Your email address will not be published. Required fields are marked *

You may use these HTML tags and attributes: <a href="" title="" rel=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <s> <strike> <strong>