Successfully navigating a cyber incident and the changing face of Incident Response
The future of IR is in delivering an automated triage-level analysis of relevant artefacts...
In its Cyber Security Breaches Survey for 2022, the UK Government found that only 19% of companies have a formal incident response (IR) plan. This is potentially problematic, as roughly double that amount - 39% of those surveyed - stated that they had suffered a cyber attack in the past year. Of those affected, 31% of businesses and 26% of charities estimate they experienced some form of attack at least once a week.
The steadily increasing number of attacks, coupled with the deeper integration of technology into every aspect of our lives, will lead to more incidents that need to be investigated, writes Larry Gagnon, SVP Global IR at eSentire. IR is about understanding the financial and business risks associated with a cyber attack. It is not about technology. For businesses affected by a cyber attack, IR helps them consider the potential damage to reputation, regulatory obligations for reporting and notifications, and the potential for future litigation.
At a minimum, the IR provider’s investigation should answer three key questions:
- What was the initial attack vector?
- Are there any persistence mechanisms on the network?
- What, if any, files did the threat actor access, modify, or exfiltrate?
These investigations can be carried out by internal security teams, but normally companies will bring in external investigation support. External IR providers have access to more specialist skills and relevant knowledge than the majority of companies’ in-house staff.
While the scope and extent of IR investigations will evolve, the total number of incidents will increase substantially. Given these projections, there is a tremendous amount of pressure on IR providers to find ways to become more effective and efficient in how they carry out these projects.
Growing demands on Incident Response teams...
To meet today’s IR requirements and demand levels, providers must find ways to become more efficient in how they deliver security. For example, the current need for cybersecurity talent still far outweighs the candidate pool - according to the International Information System Security Certification Consortium (ISC2), there are 2.7 million open security roles globally that have to be filled.
This lack of qualified workers goes alongside a trend of reductions in insurance claim coverage, as the cost for cyber insurance rose by 110 percent according to Marsh’s Global Insurance Market Index for Q1 2022. There was also downward pressure on consulting fees for IR companies, which also has a significant impact on the traditional IR consulting model. As the need for IR has become so prevalent, the processes used to provide that service have evolved to become somewhat universal amongst providers. The advantage of this universal approach is that it creates an opportunity to deliver efficiency through automation.
IR and automation
What does this mean in practice? The future of IR lies not only in automating the event detection piece, but also in delivering an automated triage-level analysis of relevant artefacts. The investigation of malware events, such as ransomware, typically relies on the collection and analysis of a standard group of log files, registry artefacts and memory samples taken from the impacted systems.
The analysis of the relevant artefacts seeks to identify common events or behaviour associated with attacks, such as an outbound connection to an unknown server in a country where the company has no business operations at 3:00 AM, or a user account logging into a domain controller and executing a new, unknown process on a Sunday. The ability to convert forensic analysis logic to a set of indicators and scan resident artefacts for those indicators will greatly accelerate the initial analysis of an impacted network.
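The two behaviours described above, expressed as indicator rules and run over constructed sample records; this is an added example, not code from the article or from eSentire. The record fields, host names, country set, off-hours window and process baseline are all assumptions.

```python
from datetime import datetime

# Assumed environment baseline (none of these values come from the article).
BUSINESS_COUNTRIES = {"GB", "US"}      # where the company operates
OFF_HOURS = range(0, 6)                # 00:00-05:59 local time
DOMAIN_CONTROLLERS = {"dc01"}
KNOWN_PROCESSES = {"lsass.exe", "dns.exe", "svchost.exe"}

# Constructed sample artefacts, already normalised from logs into flat records.
EVENTS = [
    {"ts": "2022-06-08T14:10:00", "type": "netconn", "host": "ws12", "dst_country": "US"},
    {"ts": "2022-06-09T03:00:00", "type": "netconn", "host": "ws12", "dst_country": "ZZ"},
    {"ts": "2022-06-12T11:02:00", "type": "logon", "host": "dc01", "user": "svc_backup"},
    {"ts": "2022-06-12T11:05:00", "type": "process", "host": "dc01",
     "user": "svc_backup", "image": "upd.exe"},
    {"ts": "2022-06-13T09:00:00", "type": "process", "host": "dc01",
     "user": "admin1", "image": "dns.exe"},
]

def off_hours_foreign_connection(event, _state):
    """Outbound connection to a non-business country during off hours."""
    ts = datetime.fromisoformat(event["ts"])
    return (event["type"] == "netconn"
            and event["dst_country"] not in BUSINESS_COUNTRIES
            and ts.hour in OFF_HOURS)

def sunday_unknown_process_on_dc(event, state):
    """Unknown process on a domain controller after a logon on the same Sunday."""
    ts = datetime.fromisoformat(event["ts"])
    if event["host"] not in DOMAIN_CONTROLLERS or ts.weekday() != 6:  # 6 = Sunday
        return False
    key = (event["host"], event.get("user"), ts.date())
    if event["type"] == "logon":
        state.add(key)                 # remember the logon for correlation
        return False
    return (event["type"] == "process" and key in state
            and event["image"].lower() not in KNOWN_PROCESSES)

RULES = [off_hours_foreign_connection, sunday_unknown_process_on_dc]

def triage(events):
    """Return (timestamp, rule name) for every indicator hit, in time order."""
    state, hits = set(), []
    for event in sorted(events, key=lambda e: e["ts"]):
        hits += [(event["ts"], rule.__name__) for rule in RULES if rule(event, state)]
    return hits
```

The hits are leads for an analyst to confirm, which is the triage role the article assigns to automation.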
This automation does not replace the experience and knowledge of a veteran Digital Forensics and Incident Response (DFIR) analyst - instead, it cuts the number of hours spent getting to the point where the advanced analysis and decision making happen. This brings down the overall cost of the engagement, as well as making it easier to conduct analysis in a shorter time frame.
The automation of forensic analysis will evolve over the next several years, delivering more meaningful results across a broader range of investigations. There will be a point in the future where the logic supporting this automated analysis will be so robust that we could begin to build networks that self-heal, based on the diagnosis of malicious events. IR will evolve to focus on building the logic that supports the analysis, rather than the current model of paying, by the hour, for access to specialised talent.
Getting Incident Response right: What good IR should look like
For businesses under attack, the rush to do something can be overwhelming. However, there are some elements that should be considered in advance.
Time is the most critical component of a good IR approach. The length of time it takes to provide definitive answers to the key questions may significantly impact a company’s ability to recover from this specific attack, as well as how the company can survive and manage the impact of an attack. This is particularly important when there is so much pressure for information from different groups. Internally, IT leaders will want to know specifically what went wrong, while the Board will want to know the risk and impact. Externally, other groups like customers, partners and compliance bodies will all want to know what happened as well.
Improving the efficiency of any IR means looking at how investigative actions should be prioritised, as well as looking at how to scale the response to meet size and jurisdictional needs, and how to work with the legal team under privilege. Any IR firm should be able to demonstrate its adherence to industry best practices throughout its response process, and be able to defend the whole of the investigation in court. Foundational components to look for in an IR team are relevant training, experience and capacity to take on the work.
How companies can keep their operations going alongside IR events
There are a couple of models of rapid return to operations that have been used with much success. The first is migration to a cloud hosted space, entirely separate from the client network. This cloud space is a highly secure environment in which the affected company can conduct business at a basic level. They would have access to all the usual productivity tools, file storage, sharing and remote access. Clean or known clean artefacts can be migrated to the new environment over time. This may appeal to smaller firms that use common off-the-shelf solutions to run their business.
The second model - often used by larger corporations which have security teams - is often referred to as a greenfield rebuild. The IT personnel in the client company will create a new Virtual Local Area Network (VLAN) and encircle the VLAN with new, proven security controls. Known clean devices are then stood up within the environment, generally using pre-scanned and certified clean backups. Sometimes, a complete ground-up build is required. Relevant data is then scanned and brought over into the new environment as needed.
Although it takes longer to recover than the first option, it can be completely customised to the client environment, and therefore, help them to return to a higher level of operation. It can also include any unique or proprietary solutions they may have in place.
The future for IR
There are two key drivers that will increase the number of cyber security events that require some level of investigation, at least for the foreseeable future. There is the increasing level of technological saturation into every aspect of our lives, and the steadily increasing number of regulatory controls that drive basic security standards and reporting obligations. Stricter rules will lead to more events being recognised for investigation, while more digital processes will lead to more events due to faults in how those processes are deployed in the first place.
This increase in IR requirements will affect companies, and it will be part of the wider increase in spending on IT security that is taking place. IDC predicted that security spending in Europe would be $37.2 billion in 2021, and the analyst firm announced this would continue, surpassing $50 billion in value in 2025. Companies will rely heavily on security to make their businesses run securely, and they will need IR to ensure that they can return to operations quickly when, not if, they have issues discovered. Where IR can make the most difference is to help businesses respond to those challenges, ensuring that they do not occur again, and that the whole industry can apply those lessons learned elsewhere. An attack on one company is an attack on all companies - getting Incident Response right means we can all ensure those lessons get applied faster.