How do you know if you’ve successfully removed an attacker from a former client environment?
 |
Answered by Nick Klein,Executive Director, Digital Forensics and Incident Response |
The challenge of incident response is that it is easy to only deal with the problem that is immediately in front of you and miss the bigger picture. For example, you might have a server containing malware, which you clean up, but have you really contained the situation? Consider three stages before you can confidently say you’ve contained an incident.
The first is obtaining a thorough understanding of what happened across the network, that means a proper forensic investigation. Look at all the hosts that are compromised, identify all the accounts that have been used, all the malware and all the attacker’s activity. Conduct a proper investigation across the network so you confidently know what happened and what the scope of the breach was.
Number two is fixing what’s broken. That could be taking malware out of the network, securing accounts that have been compromised, or fixing security holes that caused the incident. For example, your investigation may find no multi-factor authentication on your ingress points. Once this is complete you know that you’ve properly remediated and contained the attack.
The third is monitoring for “badness”. You can confidently see when bad things are happening by monitoring at the network level, particularly your ingress points into the organisation. Email and VPN, which are common attack vectors, should be monitored at the operating system level. In particular, where you’ve got critical information, monitor the account usage and privileged access, then if suspicious activity occurs, you’re going to see it.
However, you must consider a strategic attacker, one who has a need or an interest to target your organisation. It is likely they’re going to come back. So, treating it as one incident you have cleaned up and contained, then going back to business as usual, is not the right approach. The end of one incident is really the start of monitoring for the next one.
View our 5 easy steps to improve your cyber resilience.
