The Five Ws of Incident Response
Good incident response starts with answering these basic questions.
While the media typically focuses on the number of accounts breached, as an incident responder I take a far more detailed view of an incident, trying to understand as much of the process as I can so that I can learn from it, with the goal of never having a repeat. A security professional would love to stop every breach, every time, but the reality is that some things will get through, whether through a novel attack, an extremely persistent attacker, or a misconfiguration combined with good timing. The effectiveness of your team, tools, and processes will dictate how serious the repercussions are when something does happen. I am often asked how I structure my analysis of a breach (someone got in and was able to get something out) or an attack (someone tried to get in, or did get in, but nothing was taken); it is both an evolving and fluid process, but in broad strokes I call upon the questions a good reporter might ask:
Who: State-sponsored attackers, while the most gossip-worthy, are still a small part of the overall attack pattern, yet they leverage some of the most advanced techniques and malware to take aim at specific organizations and gain a foothold within the targeted network. Cybercriminals are a larger and somewhat more easily identifiable threat, often financed and headed by underground criminal organizations. Their targets range from small businesses and individual consumers to large enterprises. While hacktivists are arguably the least worrisome, they have still succeeded in causing havoc for many organizations and government entities.
What: Defacing web sites has fallen out of fashion; ransomware and straight-up data theft are now the typical attacks. DDoS attacks, whether directly targeting a company’s digital infrastructure or indirectly targeting its service providers, are a growing concern, as are attacks on the underlying critical infrastructure attached to your network (as seen in the Ukrainian power attack). More recently, and growing in popularity, attackers have begun carrying out mass data destruction attacks that leave victims with a corrupted Master Boot Record, which is required to bring up the operating system. These attacks have proven to be detrimental to a company’s bottom line!
When: With a global hacking community there are no holidays, though certain groups do tend to take vacations during key holiday periods, or even purposely engage in cyber-attacks during the target’s holidays, when they know security personnel will be on low alert.
Where: Attackers look for entry points ruthlessly: your network, your remote workers, your partners, your suppliers, and the ever-present candy drop of a USB stick can all lead to a breach. However, the most common method used today is a phishing attack targeting the weakest link in the security chain, the end user.
Why: Financial motive is still the top reason for attacks; even state-sponsored attacks are financially driven in some sense. What costs years and millions to develop can be stolen in mere hours, and the attacker’s toolsets, malware, and bulletproof hosting infrastructure cost a fraction of that price to develop.
How: Tactics, techniques, and procedures are evolving, and some of the old tricks (MS Office macros) are making a comeback. The black market for toolkits and “hackers for hire” means that anyone can buy the technical savvy they need. Not long ago, the ability to purchase an exploit kit (a pre-built toolkit used to exploit security holes in order to spread malware more easily) was confined to individuals who were well connected or had access to various sites on the dark web. Nowadays, exploit kit makers heavily advertise their offerings and services on the open market for a fair price that anyone can snag! Additional causes of a data breach may include disgruntled employees, lost or stolen devices such as laptops and cell phones, and unintentional sharing of sensitive information.
Having a solid plan prior to an event is paramount; in the heat of the moment mistakes can be made, even with breach simulations and the most talented team. By planning ahead of time you can focus on gathering the critical facts and limit emotion-driven actions.