Companies today need to assume that they will be attacked, so preventive measures alone are no longer enough. Security officers need a strategy for incident detection and response, despite the challenges that implementing one brings.
Text: Andreas Heer, Image: Unsplash
“Assume breach.” When it comes to IT security strategy, this is the paradigm that security officers need to follow today. Growing numbers of increasingly sophisticated attacks are forcing companies to improve their security measures. After all, how long will it take for Drovorub, the Linux malware toolset with a kernel-module rootkit that the US National Security Agency and the FBI recently disclosed and attributed to Russian military intelligence, to turn up on our (cloud) servers?
Drovorub is attributed to the Russian APT28 group, also known as Fancy Bear or STRONTIUM, which US agencies link to the GRU, Russia’s military intelligence service. APT28 and financially motivated groups such as the operators of Emotet have shown that cyberattacks have long since become a professional business. Given the effort and financial resources that go into these operations, it is no longer a question of whether a company will be attacked, but when. Security officers therefore need to assume that an attacker has already breached their network.
With this in mind, relying solely on preventive measures is no longer sufficient. Prevention is still important and still repels most attacks, but current conditions make incident detection and response increasingly important in limiting the damage from the breaches that do succeed. Put another way: the more sophisticated the attacks a company faces, the more mature its IT security has to be.
The NIST Cybersecurity Framework describes methods and best practices for cyber defence. It divides IT security into five core functions: Identify, Protect, Detect, Respond and Recover. As the third and fourth functions, Detect and Respond are concerned with incident handling once an attack is under way.
In addition to automated measures such as identifying and blocking malicious network traffic, detection also relies heavily on manual methods. These are used to uncover attack patterns that are too complex for automated defences, and IT security specialists use a variety of tools for the purpose. With the threat landscape changing so rapidly, gathering threat intelligence is key. Security blogs, knowledge bases such as the MITRE ATT&CK framework and forums on the darknet are just as important as regular exchanges with other specialists. Only in this way can a company be sure that it even knows the indicators of an attack, and is therefore able to recognise them in its own infrastructure.
One strategy for recognising attack indicators is known as “threat hunting”. Rather than waiting for an alert, IT security specialists proactively search logs, endpoint data and network telemetry in the corporate environment for patterns that point to an ongoing attack. This task requires in-depth expertise, but it allows specialists to uncover anomalies that automated security systems do not flag.
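As an added illustration of what a hunt like this looks like in practice (this is example code written for this page, not from the article or any product it mentions), the script below searches constructed sshd log lines for one classic lateral-movement pattern: a single account opening sessions on many distinct hosts within a short window. The log lines, host names, user names, the 10-minute window and the threshold of three hosts are all assumptions for the illustration; in a real hunt the threshold comes from a baseline of what the account normally does.

```python
"""Threat-hunting example: account fan-out across hosts in Linux auth logs.

Added example, not part of the original article. The log lines below are
constructed; hosts, users, addresses and thresholds are hypothetical.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sshd lines in syslog format (syslog omits the year).
# svc-backup touches five hosts in about three minutes; alice behaves normally.
SAMPLE_LOG = """\
Aug 17 09:01:12 web01 sshd[2111]: Accepted publickey for alice from 10.0.5.23 port 51122 ssh2
Aug 17 09:03:40 web02 sshd[1488]: Accepted publickey for alice from 10.0.5.23 port 51130 ssh2
Aug 17 09:05:02 db01 sshd[3201]: Accepted password for svc-backup from 10.0.9.14 port 40211 ssh2
Aug 17 09:05:51 db01 sshd[3210]: Failed password for root from 203.0.113.7 port 44120 ssh2
Aug 17 09:06:09 app01 sshd[777]: Accepted password for svc-backup from 10.0.9.14 port 40218 ssh2
Aug 17 09:06:44 app02 sshd[778]: Accepted password for svc-backup from 10.0.9.14 port 40225 ssh2
Aug 17 09:07:30 web01 sshd[2130]: Accepted password for svc-backup from 10.0.9.14 port 40231 ssh2
Aug 17 09:08:15 web02 sshd[1499]: Accepted password for svc-backup from 10.0.9.14 port 40240 ssh2
Aug 17 17:45:01 web01 sshd[2300]: Accepted publickey for alice from 10.0.5.23 port 51400 ssh2
"""

# Only successful sessions matter for this hunt; failed logins do not match.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"Accepted (?P<method>\w+) for (?P<user>\S+) from (?P<src>\S+) port \d+"
)


def parse_sessions(log_text, year=2020):
    """Map each user to a list of (timestamp, host) for accepted logins.

    `year` is an assumption: syslog timestamps carry no year, so the hunter
    supplies the one the log was collected in.
    """
    sessions = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        sessions[m["user"]].append((ts, m["host"]))
    return sessions


def hunt_lateral_movement(log_text, window=timedelta(minutes=10), max_hosts=3, year=2020):
    """Return {user: sorted hosts} for every account that logged in to more
    than `max_hosts` distinct hosts inside some sliding window of `window`.

    The reported hosts are those of the first window that crossed the
    threshold, which is the moment an analyst would start pivoting from.
    """
    findings = {}
    for user, events in parse_sessions(log_text, year).items():
        events.sort()  # chronological order so each event can open a window
        for i, (start, _) in enumerate(events):
            hosts = {host for ts, host in events[i:] if ts - start <= window}
            if len(hosts) > max_hosts:
                findings[user] = sorted(hosts)
                break
    return findings


if __name__ == "__main__":
    for user, hosts in hunt_lateral_movement(SAMPLE_LOG).items():
        print(f"[hunt] {user} reached {len(hosts)} hosts within 10 min: {', '.join(hosts)}")
```

A per-host alert would never fire here, because each individual login is a valid credential on a host the account is allowed to reach; the anomaly only appears when the analyst correlates across hosts and time, which is exactly the kind of pattern the paragraph above describes. Lowering `window` or `max_hosts` without a baseline produces noise rather than findings.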
Once these detection measures uncover a successful attack, an appropriate response is required. The response needs to be fast and agile, that is, adapted to the situation at hand, but it also needs to follow a defined procedure, ideally one based on best-practice playbooks. As with detection, incident response combines a number of measures at both the technical and the communicative level. One proven approach is to set up a Computer Security Incident Response Team (CSIRT) made up of IT security specialists with in-depth knowledge of the field.
If the prospect of recruiting these specialists is not enough to give a company’s security officer grey hairs, the budget discussion certainly will. IT security measures are, after all, like an insurance policy. If everything goes well, it may be thanks to the skill of the specialists and the right technical measures. Or it may simply be because the company has not yet been attacked. It is precisely this unpredictability of cyberattacks that makes it difficult for the CISO to allocate resources properly and to argue the budget with the CFO.
One elegant and financially transparent option is to outsource detection and response to a managed security service provider (MSSP). This approach also scales more easily, because resources are drawn on as needed, which makes the costs easier to calculate. You do not need to be clairvoyant to predict that, given the complexity of cyberattacks, uncovering and combating them will only grow in importance. Partial outsourcing, also referred to as outtasking, offers security officers an answer to these challenges.