Threat actor containment: Increasingly ‘surgical’ and best with a plan

Even after an intruder has been identified, today’s rapid pace of adversary activity is also straining cybersecurity teams’ ability to contain intruders before they can cause damage.

“If I’m a CISO, if I’m responsible for detecting and remediating that incident before it progresses to becoming a big problem in my environment, I need to be able to move faster than the adversary,” CrowdStrike’s Etheridge says. “And being able to have the confidence in your capabilities in your team to be able to stop an adversary within 48 minutes of being able to break out in your environment is a daunting activity.”

The trick, Etheridge says, is not to overcorrect and jam up your systems. “You need to be very, very surgical about it. There are plenty of examples where containment actions can overcorrect and create business disruption, operational, and potentially financial impact.”

Resiliency in the face of intrusion has become a greater emphasis today, and CISOs must consider this as part of their containment plans. Here, Okta’s Immler advises employing automation to ensure a more targeted approach to triaging issues.

“I am always a big proponent of automation in those security systems as a first line of defense, particularly if it’s not going to be an overly damaging action,” Immler says. “Automations are really helpful as first lines of defense when you see something happen and you need a chance to triage it, where that can get problematic if you go overboard.”

He adds, “I think it’s good to be very nimble and selective and recognize this account just tried to do something that it should never be doing and disable that account for a little while or issue a logout for a universal logout, something like that to remove their access to what they’re doing until somebody’s had a chance to go, ‘Hey, is this what you should have been doing? Or did you mean to do this? Was it an accident?’”

Moreover, having an incident response plan beforehand and then following it is a must when containing a threat actor, Cisco Talos’ Cadieux emphasizes. “It goes back to the IR plan that they should have developed. There should be a basis for how to do containment, the options based on our people and technology, and how to execute those. And then, of course, the plan should be tested.”

The methods for containing and ejecting the intruders depend on the nature of the breach and response plan, “but the things that you can do technically to block them without them noticing immediately are the best,” Immler says. “Otherwise, if you see sensitive data going out, you have to bring down the hammer and cut them off.”
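The “surgical” first-line automation Immler describes, as an added illustration that is not part of the original article and not Okta’s or CrowdStrike’s code: the engine only takes reversible, narrowly scoped actions (revoke sessions, or a self-expiring disable for high-severity alerts), every action lands in a triage queue for a human to confirm intent, and two guardrails keep it from overcorrecting: a protected-account list that is never auto-locked, and a cap on automated lockouts per hour. The account names, severity levels, time limits and the `directory_actions` list standing in for identity-provider API calls are all constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed list: break-glass admins and service identities whose loss would
# halt the business; automation must never lock these out on its own.
PROTECTED_ACCOUNTS = {"breakglass-admin", "svc-payroll-batch"}

MAX_AUTO_CONTAINMENTS_PER_HOUR = 5   # blast-radius cap for automated actions
TEMP_DISABLE_MINUTES = 60            # self-expiring lockout pending human triage


@dataclass
class Alert:
    account: str
    description: str
    observed_at: datetime
    severity: str  # "low", "medium" or "high"


@dataclass
class ContainmentAction:
    account: str
    kind: str                       # "revoke_sessions", "temp_disable" or "triage_only"
    expires_at: Optional[datetime]  # set only for time-limited disables
    reason: str


@dataclass
class ContainmentEngine:
    """Applies reversible, narrowly scoped actions and routes everything else to people."""
    history: list = field(default_factory=list)            # timestamps of automated actions
    triage_queue: list = field(default_factory=list)       # what an analyst must confirm
    directory_actions: list = field(default_factory=list)  # stand-in for IdP API calls (hypothetical)

    def _recent_auto_actions(self, now: datetime) -> int:
        cutoff = now - timedelta(hours=1)
        self.history = [t for t in self.history if t > cutoff]
        return len(self.history)

    def _enqueue(self, alert: Alert, note: str) -> None:
        self.triage_queue.append({"account": alert.account, "alert": alert.description, "note": note})

    def handle(self, alert: Alert) -> ContainmentAction:
        now = alert.observed_at
        # Guardrail 1: protected identities get a ticket, never an automated lockout.
        if alert.account in PROTECTED_ACCOUNTS:
            self._enqueue(alert, "protected account; analyst decision required")
            return ContainmentAction(alert.account, "triage_only", None, "protected account")
        # Guardrail 2: once the hourly cap is hit, stop acting and start asking.
        if self._recent_auto_actions(now) >= MAX_AUTO_CONTAINMENTS_PER_HOUR:
            self._enqueue(alert, "auto-containment rate limit reached")
            return ContainmentAction(alert.account, "triage_only", None, "rate limit")
        self.history.append(now)
        if alert.severity == "high":
            # Disable "for a little while": the lockout expires on its own if nobody acts.
            expires = now + timedelta(minutes=TEMP_DISABLE_MINUTES)
            self.directory_actions.append(("disable_until", alert.account, expires.isoformat()))
            self._enqueue(alert, f"temporarily disabled until {expires.isoformat()}")
            return ContainmentAction(alert.account, "temp_disable", expires, alert.description)
        # Lower severity: a universal logout only; the user can sign back in after triage.
        self.directory_actions.append(("revoke_sessions", alert.account, None))
        self._enqueue(alert, "sessions revoked; confirm intent with user")
        return ContainmentAction(alert.account, "revoke_sessions", None, alert.description)


def demo():
    """Runs three constructed alerts through the engine; returns (engine, actions)."""
    engine = ContainmentEngine()
    t0 = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)
    alerts = [
        Alert("jdoe", "bulk download from file share", t0, "high"),
        Alert("breakglass-admin", "login from new country", t0, "high"),
        Alert("asmith", "mfa fatigue pattern", t0 + timedelta(minutes=5), "medium"),
    ]
    return engine, [engine.handle(a) for a in alerts]


def rate_limit_demo():
    """Six medium alerts in one hour: five get automated logouts, the sixth goes to triage."""
    engine = ContainmentEngine()
    t0 = datetime(2025, 6, 1, 9, 0, tzinfo=timezone.utc)
    kinds = [engine.handle(Alert(f"user{i}", "odd api use", t0, "medium")).kind for i in range(6)]
    return kinds


if __name__ == "__main__":
    engine, actions = demo()
    for action in actions:
        print(action)
    print("triage queue depth:", len(engine.triage_queue))
    print("under load:", rate_limit_demo())
```

The choice of a self-expiring disable rather than a permanent one is deliberate: if the triage queue is not worked in time, the cost of a false positive is an hour of lost access, not a locked-out executive and an emergency ticket at 3 a.m.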
Incident post-mortems: Improving future responses to accelerating threats

The pace of adversarial activity is also placing greater emphasis on the importance of conducting post-mortems on any intrusion to fine-tune incident response plans for better future performance. Here, sound logging systems are essential, Immler says.

“That’s where having a good SIEM [security information and event management] system in place is vital for all of your critical systems because you’re going to go through your logs and say, ‘Okay, we identified and contained the attacker. Let’s look at every single system they touched,’” he says.

“Often when we deal with ransomware, for instance, we are dealing with an accelerated threat that’s happening right then, which the bad thing is actually triggering right now,” Cisco Talos’ Cadieux adds. “If root cause analysis or initial point of entry are critical, you must consider how long you retained those logs.”

After that, CISOs must stay ahead of the curve by following industry trends and staying informed about the latest threat actor characteristics. “You need to look at the newer technologies and ensure that you’re keeping up with them,” Immler advises. “So just because something worked last year or the year before or has served you well for 20 years doesn’t mean that it’s going to keep up with the changing landscape.”
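The post-mortem steps Immler and Cadieux describe, worked through as an added example that is not part of the original article: walk the SIEM export to list every system the contained account touched, pivot on shared source addresses to find other identities the intruder may have used, locate the earliest event (the initial point of entry), and then check whether each source’s retention window will still cover that event by the time the root-cause investigation runs. The log format, host names, accounts, addresses (RFC 5737 documentation range) and per-source retention periods are all constructed for the example.

```python
import re
from datetime import datetime, timedelta, timezone

# Constructed SIEM export: one normalized event per line.
SAMPLE_LOGS = """\
2025-05-20T08:12:00Z host=vpn01 user=jdoe event=login src=203.0.113.5
2025-05-20T08:15:30Z host=web01 user=jdoe event=login src=203.0.113.5
2025-05-20T09:02:00Z host=web01 user=asmith event=login src=203.0.113.5
2025-05-21T02:40:00Z host=fileshare02 user=jdoe event=smb_read src=10.0.5.17
2025-05-21T02:41:10Z host=fileshare02 user=bwong event=smb_read src=10.0.5.22
2025-06-01T09:00:00Z host=fileshare02 user=jdoe event=bulk_download src=10.0.5.17
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) user=(?P<user>\S+) event=(?P<event>\S+) src=(?P<src>\S+)$"
)

# Constructed retention policy: how many days each log source is kept in the SIEM.
RETENTION_DAYS = {"vpn01": 7, "web01": 30, "fileshare02": 90}


def _parse_ts(text: str) -> datetime:
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def parse(text: str) -> list:
    """Turns the export into event dicts; malformed lines are skipped, not guessed at."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        d = m.groupdict()
        d["ts"] = _parse_ts(d["ts"])
        events.append(d)
    return events


def touched_systems(events: list, account: str) -> dict:
    """Every host the account appeared on, mapped to (first seen, last seen)."""
    seen = {}
    for e in sorted(events, key=lambda e: e["ts"]):
        if e["user"] != account:
            continue
        first, last = seen.get(e["host"], (e["ts"], e["ts"]))
        seen[e["host"]] = (min(first, e["ts"]), max(last, e["ts"]))
    return seen


def related_accounts(events: list, account: str) -> list:
    """Other accounts seen from the same source addresses: candidates for the same intruder."""
    srcs = {e["src"] for e in events if e["user"] == account}
    return sorted({e["user"] for e in events if e["src"] in srcs and e["user"] != account})


def initial_entry(events: list, account: str):
    """Earliest event for the account: the best available initial point of entry."""
    mine = [e for e in events if e["user"] == account]
    return min(mine, key=lambda e: e["ts"]) if mine else None


def retention_gaps(events: list, account: str, investigation_date: str) -> list:
    """Sources whose retention no longer reaches the account's first activity on them
    by the investigation date, i.e. where root cause may already be unrecoverable."""
    when = _parse_ts(investigation_date + "T00:00:00Z")
    gaps = []
    for host, (first, _) in touched_systems(events, account).items():
        oldest_kept = when - timedelta(days=RETENTION_DAYS.get(host, 0))
        if first < oldest_kept:
            gaps.append(host)
    return sorted(gaps)


def demo(investigation_date: str = "2025-06-10") -> dict:
    """Scopes the constructed incident for account jdoe; returns the post-mortem summary."""
    events = parse(SAMPLE_LOGS)
    entry = initial_entry(events, "jdoe")
    return {
        "systems": sorted(touched_systems(events, "jdoe")),
        "related_accounts": related_accounts(events, "jdoe"),
        "entry_host": entry["host"],
        "entry_time": entry["ts"].isoformat(),
        "retention_gaps": retention_gaps(events, "jdoe", investigation_date),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

In the constructed data the intruder entered through the VPN on 20 May, but the VPN source is kept for only seven days: an investigation that starts on 10 June would still see the file-share activity and never see the entry. That is Cadieux’s point in concrete form, and it is a check worth running against real retention settings before an incident rather than during one.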
First seen on csoonline.com
Jump to article: www.csoonline.com/article/4009236/cisos-must-rethink-defense-playbooks-as-cybercriminals-move-faster-smarter.html