By Don Smith, director of technology, Dell SecureWorks
Not only are security breaches on the rise, but the hackers are more sophisticated, organised and persistent in their approach. This creates a complex threat landscape for security and IT professionals to battle against. In today’s climate, businesses need to recognise that it’s not a question of if their company is going to be compromised by cyber criminals, but when.
Hackers have many goals when attacking a business: obtaining financial or customer information, stealing intellectual property and achieving notoriety, to name a few. Suffering a breach at the hands of cyber criminals can be expensive from both a cost and a resource perspective, but it can also destabilise customer trust and damage a company’s reputation. Businesses need to have a proactive plan in place to minimise the impact of a security incident when it occurs and to get the company back to normal operations quickly.
When hackers attack
The best way to prepare your response to a security incident is to create, and periodically rehearse, an incident response plan. This describes all of the people, processes and resources needed to detect, contain and recover from cyber attacks. Your incident response plan should cover the handling of an incident from the moment it is noticed to its conclusion. The most important part of the plan is organisational – ensure everyone understands their role when an incident occurs, and reinforce this by testing your IR plan. The plan should be holistic – developed by the security, management and IT teams with input from the entire organisation.
The first step should be defining what a security ‘incident’ is, as opposed to a generic IT incident. Organisations will very likely have well-developed plans for handling general IT incidents. Good IR planning will take account of existing incident response plans, but should clearly define a separate process for the organisation to follow for security incidents. Incidents could include any of the following: a malware outbreak, suspicious activity seen while monitoring logs and networks, lost or stolen computers and equipment, domain hijacking, third-party vendor mistakes, a spike in the level of spam email, targeted phishing attacks against the organisation, theft of intellectual assets, intentional destruction of data and espionage.
Preventing an attack
With the right preventative and detective controls in place, an incident can be contained before it spreads across the organisation. Such controls include automated network and system log monitoring, establishing what “normal” activity looks like and taking advantage of global threat intelligence services to augment your organisation’s awareness of threats that apply to your environment.
An ounce of prevention is worth a pound of cure
Having a response plan and practising it at reasonable intervals is key to its success. There’s no use having a great plan on paper if you’re unable to put it into practice because your circumstances have changed since the plan was written. Have a plan, and test it.
Rehearsing your incident response plan ensures that everyone involved knows their role and responsibilities, and that the wider organisation knows who to turn to should an incident occur. It also prepares you for mundane showstoppers: for example, how will you coordinate your response if the email system is down?
The zombie incident
If an attack does happen, it’s imperative to ensure that the cause is fully eradicated and that no traces of malware (malicious code) are left within your network. Dormant malware can be reactivated months after an attack, hence the importance of due diligence at the time of the initial attack. To help achieve this, a robust plan should log the incident and analyse the success of the incident response activity. This information will not only ensure that all the necessary steps are completed to remove the threat but will also help the business to reflect on the steps that were taken and improve its response to future incidents.
Consider the wider picture: was this a commodity attack or a targeted one? If targeted, you should assume the bad guys have expanded their reach beyond the point of initial compromise, and a much wider net should be cast when looking for further evidence of activity. Eradicating malware is one thing, but the threat is the actor, not the malware, and the actor could still be active.
To summarise, given the current threat landscape all businesses need an incident response plan. The following steps should be taken when developing a plan:
- Decide what constitutes an incident
- Build and enforce a data classification scheme
- Work with the whole business to develop the incident response plan
- Practise! Make sure the plan works in reality as well as on paper
- Ensure everyone involved knows their roles and responsibilities
- Use threat intelligence to monitor what’s happening around your business
If a business has implemented rigorous controls and monitors its network continuously for suspicious activity, whether through a managed services approach or otherwise, it will have a much greater chance of stopping an incident before it spreads throughout the network. When conducting IR engagements we very often find evidence that wasn’t spotted but that could have led to early containment of the incident. Make sure you are getting the best from your deployed security technologies (look at their logs!); if you don’t have time, get help from an MSSP.
A well-prepared and rehearsed incident response plan will allow your organisation to minimise the loss of intellectual assets, money and reputation. It’s a valuable investment that will help reduce the impact and duration of the adverse incidents you will face in the future.
Don Smith is the technical lead for Dell’s EMEA information security practice. His close ties with Dell SecureWorks’ Counter Threat Unit give him unparalleled visibility into the threat landscape as well as effective countermeasures and protective security strategies. This insight is shared at government conferences and security gatherings around the world.
Don is a leading information security expert with 19 years’ experience working in the IT industry. Originally joining dns in 2005, Don was instrumental in the development of its identity management and managed security services portfolio. With SecureWorks’ acquisition of dns in 2009 Don took responsibility for EMEA security strategy and now continues this role as part of Dell.