Advanced persistent threats continue to test organizations’ strength by exploiting new vulnerabilities, organizing massive supply chain incidents and targeting specific industries. According to one study, 84% of enterprises globally acknowledge that cyberattacks have become more sophisticated. They worry about vulnerabilities, attack surfaces, threat tactics, malware, mobile device security and the use of consumer cloud services by employees.
Fortunately, there are plenty of tools, sources of information and guidelines (such as NIST, SANS, or MITRE D3FEND Knowledge Graph), which help finetune responses to sophisticated attacks. They give a clear understanding of how to hunt threats and remediate IT systems. In this piece, I want to focus on a particular question regarding incident response: when is it time to move from the investigation to the response stage?
According to Kaspersky Incident Response report, the average rush attack lasts 1.5 days. That’s fast. If an actor is that experienced, the security team needs to react quickly. But a timely response doesn’t necessarily mean malicious actions should be immediately blocked. As Gandalf the Grey said ‘A wizard is never late. Nor is he early. He arrives precisely when he means to’.
It is important to understand the right moment to start the containment, eradication and recovery phases of response. An untimely reaction can signal to attackers that their actions are no longer secret. For example, if the incident response team blocks infected software, malicious IP addresses or URLs as soon as the first signs of a threat are detected, then the attackers can hide in the network or change their tactics. This would then require the investigation cycle to be restarted all over again. Attackers can hide so well and for so long, discovery would then be almost impossible until their next activity is revealed
APTs use lateral movement techniques to stay unnoticed for days, months or even years. They can seek out crucial assets in the victim’s environment. For example, in one Lazarus attack, the actor managed to overcome network segmentation and reach the restricted network thanks to laterally finding a way to compromise the administration machine that connected both the corporate and restricted segments. Analysis of TunnelSnake’s APT operation, published in 2020, revealed a case in South Asia where the threat actor had a foothold within the network from as early as 2018.
Another issue with early reaction is that it can cause a situation where some attack artefacts are left unnoticed during the eradication stage because the IT security team didn’t detect them or relate them to the attack during the investigation stage.
Furthermore, the entry point might remain unclear. This could include a vulnerability, an unprotected endpoint or any other vector. In this case, even if the attack was stopped and all malicious elements were wiped out, a risk of intruders making another attempt through the same gates but with new tactics, techniques and procedures would remain.
There are several steps that can be taken to avoid this outcome:
- Find the attack kill chain
As soon as an IT security team discovers that their organization is compromised and there is a human on the other side, not just malware, they need to follow the attack and find as many traces as possible. The attacker’s actions should be followed across the whole network, not just the immediate perimeter. The further the attack goes, the more traces it leaves, which hunters can attribute to an APT group or at least guess its target and then hunt it down in the most effective way. It is extremely important to find the attack entry point to avoid repetition of this type of incident.
It draws to mind a theory that suggests investigation is the essence of incident response. Described further by Jason T. Luttgens, Matthew Pepe and Kevin Mandia: The end goal of incident response is accomplished through two activities – investigation and remediation. Investigation involves determining the attack vector, tools, affected systems, damage, intrusion time frames and so on. In other words, comprehensive analysis is a must before moving to remediation. Threat Intelligence and attack evaluation approaches, such as MITRE ATT&CK, are key at this stage.
- Know when to stop the attack
Of course, it is important that the team is still able to stop the intruder before they reach critical business services or move to another organization the company connects with. This is where the team’s skills come in – collecting the maximum amount of data about the attack to enable planning the most effective response while still acting before the intruder can affect the business.
This leads us to the next – and probably most important – point.
- Learn and monitor the network
IT security teams should have a clear picture of the whole enterprise network, including edge devices, endpoints, network segments and connected equipment. This is achievable through network monitoring, regular audits, scanning of connections and so on. Big enterprises with many entities, supply chains and subsidiaries need to consider this a must.
Implementing network audits and monitoring along with measures such as policies and network segmentation, helps decrease the number of potential entry points.
Knowing and being familiar with the network is also crucial to understanding when to contain and eradicate an attack before it reaches critical business processes. At the eradication and remediation stages, all malware tools and traces should be removed from all endpoints, and all compromised systems re-installed and credentials reset. Overlooking any piece of malware in the backend of the network can allow another round of attacks in the future.
Fortunately, the more time spent dealing with these attacks, the more we know about cybercriminals. Threat intelligence and specific tools have been designed to help enterprises detect malicious actions. But the most effective way to protect against attacks and avoid repetition is for organizations to develop internal, or attract external, expertise – to enhance incident response plans, know when to react and be able to completely clean out all malware.
By Sandra Lee, Managing Director for Asia Pacific at Kaspersky
26 April 2022