Bit9's Marc Bleicher explains how incident response teams should contain a breach

Jun 18, 2013 19:01 GMT

When responding to a cyber-security breach, many incident response (IR) teams rush to conclude that the attacker is not sophisticated based on the initial evidence they collect. This is a big mistake, experts say.

According to Marc Bleicher of security solutions provider Bit9, IR teams should not assume anything before the situation is properly assessed. That’s because what might seem an indicator of the attacker’s lack of sophistication could actually be part of the perpetrator’s plan.

“During the initial phase of an incident, IR teams usually find a few indicators hiding in plain sight, the low-hanging fruit. These could be job files, batch scripts in the temp directory, a piece of malware in system32, etc.,” the expert noted in a blog post.

“Why is it important to assume nothing at this phase of the investigation? Because chances are the low-hanging fruit were put there for a reason, either the attacker didn’t care that they would be discovered or they knew and/or wanted you to find them to possibly throw you off – a red herring,” he added.

“The low-hanging fruit is also most likely just the first stage of the attack. It’s the subsequent artifacts, like the intellectual property (IP) flowing out of your network over port 443, rootkits and backdoors, etc., that you probably won’t find because the attacker has gone to great lengths to conceal them using the latest tools, tactics and procedures (TTPs) in their repertoire.”

Bleicher believes that the proper way to handle a data breach is by assuming that everything has been compromised.

“If the initial infection vector was through an external-facing Web server and you have discovered some data that has been taken off an internal file server, you should also assume that your domain controllers are probably compromised and that several backdoors or rootkits have been placed on various other systems throughout your environment,” he said.

The expert explains that the right way to contain a breach is by locking down the entire environment and analyzing it for vulnerabilities and “unlocked doors.”