Responding When the Attacker has a Foothold – Part 1

Eventually most people in IT Security will face that dreaded day when they discover the organization has been breached and an attacker has established a foothold. This could be in the form of a hacked web server, a desktop beaconing with “APT” malware, a point-of-sale terminal harvesting credit card data, or countless other scenarios. Until you’ve gone through that a few times – and especially if you don’t have solid, useful, well-documented processes – you may be uncertain of what to do. As every incident is a bit – and sometimes a lot – different, even well-intentioned processes may fail you. What you do to respond will determine how quickly and effectively the incident is contained, as well as potentially limiting the damage.

How broken is security?

Last week Mandiant produced their report entitled ‘Mandiant APT1 report’ that was widely covered by global media and essentially exposed a ring in China allegedly responsible for APT attacks. To many, this in itself is startling news and there have been many stories pointing the finger at hackers in China. However, on reading the report…

Building a Lean Forward Approach to Offense as a Defense

Last weekend information security professionals from around the globe gathered in a conference forum for the 2013 Suits and Spooks Conference in Washington, DC. The focus was on offense as a defensive tactic, often referred to as “active defense”. I was both an attendee and a speaker / panel moderator at the conference. The event was awesome. It featured collaboration and intellectually driven discourse on matters of extreme importance to our industry. Heated discussions seemed to be taking place everywhere – hallways, foyers and of course in the session rooms.

New name, Same Game: Red October and the Question of Attribution

Earlier this month, Kaspersky Labs announced the discovery of a new style of cyber espionage campaign. Research on this threat campaign began in October of 2012 according to Kaspersky’s whitepaper. I’m not convinced that it is entirely new, but let’s press on and see what the boys there have to say. The researchers there began their investigation by examining the aftermath of a series of attacks conducted against networks belonging to the diplomatic services of various governments and their respective agencies.

Keep Calm, Analyze On: The Role of the Analyst in Detecting and Monitoring for Advanced Attacks

I was quoted recently in a piece that was featured in Dark Reading that discussed the idea of monitoring environments to detect persistent adversaries. It was a solid article and I stand behind my contribution, especially my comments on the importance that the analyst (not the tools they have or are using – though those are important in their own right) plays in the full lifecycle of triaging these types of threats.

Premature Counter Offensive Actions Could Yield Painful Results

Recently there has been a flurry of activity and discussion related to the concept of counter offensive measures being launched by private sector organizations in response to some form of targeted attack (criminal, industrial espionage-driven, state sponsored etc.). Counter Offensive (CO) operations are not new; however, in the context that they have been discussed lately, one may ask oneself if there isn’t a blurring of lines occurring within the private sector in particular that is new.

Trust them not to go around killing people!

I recently hosted a dinner debate for a number of C-level attendees in London. The topic of discussion for the evening was the one topic that everyone is talking about – namely Advanced Persistent Threats. The discussion quickly moved on to what organizations should be doing to protect themselves against APTs. On the basis that…

Time to Change the Game Plan on DLP

I was at a customer event recently and was party to a discussion on the ‘disappointment’ or disillusionment in deploying Data Loss Prevention, with comments like ‘well, it just doesn’t do what it’s supposed to do’ or ‘it’s too tricky to deploy’. Well, the truth is DLP technology is not something that comes off the shelf in a one-size-fits-all package. Here are the things DLP is not going to do for you: