Teaching Analysts to Fish: How to Become Better at Detection and Response – RSAC 2015

Every day the media carries another story of a company that has fallen victim to an intrusion or breach. With all this attention, and sometimes hyperbole, are we as practitioners actually getting better at detecting malicious activity inside our networks?

Regardless of the size of your company and its vertical or horizontal markets, your network may become the target of an attack simply because it exists. With everything that security/threat/anti-virus vendors bring to the market, why are so many attacks continually successful? Why are adversaries able to persist in an organization without being noticed? As an organization, are you even sure what you are trying to protect? How is your team hunting and identifying the relevant events that can be easily lost in a sea of device output noise or missed by automated methods?

Organizations rarely plan for a data breach; the problem usually seems too complex to build a defensive strategy around until long after one has occurred. Unfortunately, solutions tend to come from experience, and most organizations have never seen a large-scale breach from beginning to end, so they lack the insight needed to decide how best to secure their own network.

The RSA Incident Response team helps clients gain situational awareness through a practical process of first establishing what normal behavior looks like on their network; that baseline is what makes abnormal activity across the enterprise recognizable. In the majority of our response efforts there were missed indicators that, at the very least, could have significantly shortened the duration of the breach. In most instances the targeted organizations relied almost entirely on third-party feeds and intelligence, which supply IOCs (typically IP addresses, URLs and hash values of malicious files), and on reactively waiting for alerts from various devices. IOCs of this kind are trivially changed by an adversary between victims (a recompiled binary or a new command-and-control address defeats them), whereas the behavior an intrusion must exhibit to succeed (execution, persistence, lateral movement) is far harder to alter. Had these organizations been equipped to proactively hunt for the behavior and tradecraft that is present in some form in every intrusion, regardless of where the attack originates, they would have stopped most attackers before a domain-wide compromise occurred. A pivotal part of detecting and defending against attacks is being able to locate, in a timely manner, the artifacts and remnants of malicious activity both in network traffic and on endpoints.
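To make the contrast between feed-driven IOC matching and baseline-driven behavioral hunting concrete, here is an added example (mine, not the RSA Incident Response team's tooling) that runs both checks over a handful of constructed process-creation events. The hosts, users, image names and hash values are hypothetical. The baseline records which parent/child process lineages are normal and on how many hosts each appears; the hunt then surfaces any lineage that the organization has never or rarely seen, alongside hits from a hypothetical hash feed.

```python
"""Feed-driven IOC matching versus behavioral hunting over a process baseline.

Added illustration; the events, hosts, users and hashes below are constructed.
Each event is (host, user, parent_image, child_image, sha256).
"""
from collections import defaultdict

# Constructed "last 30 days" of known-good process-creation telemetry.
BASELINE_EVENTS = [
    ("ws01", "alice", "explorer.exe", "outlook.exe", "h-outlook"),
    ("ws01", "alice", "outlook.exe",  "winword.exe", "h-winword"),
    ("ws01", "alice", "explorer.exe", "chrome.exe",  "h-chrome"),
    ("ws01", "alice", "services.exe", "svchost.exe", "h-svchost"),
    ("ws02", "bob",   "explorer.exe", "chrome.exe",  "h-chrome"),
    ("ws02", "bob",   "explorer.exe", "outlook.exe", "h-outlook"),
    ("ws02", "bob",   "services.exe", "svchost.exe", "h-svchost"),
    ("ws03", "carol", "explorer.exe", "excel.exe",   "h-excel"),
    ("ws03", "carol", "explorer.exe", "chrome.exe",  "h-chrome"),
    ("ws03", "carol", "explorer.exe", "putty.exe",   "h-putty"),
    ("ws03", "carol", "services.exe", "svchost.exe", "h-svchost"),
]

# Constructed events from today that an analyst would triage.
TODAY_EVENTS = [
    ("ws01", "alice", "winword.exe",  "powershell.exe", "h-posh"),      # document spawning PowerShell
    ("ws02", "bob",   "explorer.exe", "chrome.exe",     "h-chrome"),    # routine
    ("ws03", "carol", "services.exe", "svchost.exe",    "h-evil-0001"), # svchost.exe replaced, normal lineage
    ("ws02", "bob",   "explorer.exe", "putty.exe",      "h-putty"),     # legitimate but rare tool
]

# What a third-party intelligence feed would hand us: atomic file hashes.
FEED_HASHES = {"h-evil-0001"}


def build_baseline(events):
    """Map each (parent, child) lineage to the set of hosts it was observed on."""
    lineage_hosts = defaultdict(set)
    for host, _user, parent, child, _sha in events:
        lineage_hosts[(parent, child)].add(host)
    return dict(lineage_hosts)


def ioc_matches(events, feed_hashes):
    """Reactive check: the event's file hash appears on the feed."""
    return [e for e in events if e[4] in feed_hashes]


def behaviour_matches(events, baseline, min_hosts=2):
    """Hunt for lineages absent from, or rare in, the organization's own baseline.

    Returns (event, prevalence) pairs, where prevalence is the number of
    baseline hosts on which that parent/child lineage was seen.
    """
    hits = []
    for e in events:
        prevalence = len(baseline.get((e[2], e[3]), ()))
        if prevalence < min_hosts:
            hits.append((e, prevalence))
    return hits


def hunt(events, baseline, feed_hashes):
    """Combine both checks; returns {event: [reasons it was surfaced]}."""
    reasons = defaultdict(list)
    for e in ioc_matches(events, feed_hashes):
        reasons[e].append("feed hash match")
    for e, prevalence in behaviour_matches(events, baseline):
        reasons[e].append(f"lineage seen on {prevalence} baseline host(s)")
    return dict(reasons)


if __name__ == "__main__":
    base = build_baseline(BASELINE_EVENTS)
    for event, why in hunt(TODAY_EVENTS, base, FEED_HASHES).items():
        print(event, "->", "; ".join(why))
```

The two checks are complementary rather than competing. The replaced `svchost.exe` has a perfectly normal lineage and is caught only because the feed happens to carry its hash; the Word-to-PowerShell chain has a hash no feed has seen, and is caught only because the organization knows that lineage never occurs on its own hosts. The rare-but-legitimate PuTTY launch is surfaced with a low prevalence count so the analyst can decide, which is the point of hunting: the tooling proposes, the analyst who knows what normal looks like disposes.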

Drawing on years of incident response practice, methodology and results, the presentation I am giving at this year's RSA Conference opens with a brief overview of the evolution of both targeted and advanced attacks. Findings from a large-scale response to a recent targeted attack are presented so that security teams can learn from the experience of others before disaster strikes their own organization. Staying tool agnostic and focusing on methodology, we show how to hunt for and investigate targeted attacks. A walk-through of an actual attack, from the reconnaissance phase through remediation, illustrates how organizations can address the continual challenge of early detection.
