When cyber criminals strike, they go out of their way to hide actions, misdirect investigators, and even evade detection tools. Often, security teams start the incident response process in the dark, with little more than source and destination IPs, a category, and a proposed severity. Verizon1 reports that cybercriminals start to exfiltrate data in seconds or minutes, creating an urgency to respond “now”. Responding without the right information could mean the difference between amputating a limb vs using a band aid -- but how can you respond wisely with so little information?
Responding wisely means taking appropriate action for the threat, but that comes from understanding the threat reports and any included data. Sometimes an appropriate action means blocking every IP, domain, and URL provided in a threat report, but in other cases that could be disastrous. In addition to leveraging cloud storage and popular free email services, cyber criminals have added social media2 to the toolkit for command and control. A response that blocks the corporate cloud storage or key social media sites could lead to internal chaos. Clearly, responding wisely can insure business operations while mitigating a threat.
Responding wisely includes understanding a cyber attack and escalating response activities when a high value target or serious threat is involved. In addition, verifying if malware has infected targeted systems can reduce additional work caused by false positives. Lastly, situational awareness leads to informed quarantine and containment actions that can prevent further internal infection spread and prevent access to attacker sites and command and control servers.
Understanding a cyber attack is the anchor for appropriate incident response, and understanding comes through situational awareness of internal and external context and intelligence.
Join Proofpoint as we highlight key factors and common gaps in situational awareness for incident response in our upcoming webinar: Solving Puzzles: Threat Intelligence informed Incident response, on May 12 at 11am.