Attack detection has come on leaps and bounds over the past few years, and is improving still. However, there is still a large time gap between an attack being detected and the appropriate response actions being taken to contain and remediate it.
According to the Ponemon Institute, it takes an average of 69 days to respond to an attack once it has been detected (detection alone takes on average 100 days from initial compromise). The median cost to resolve a breach is upwards of 18,000 Euros per day, not counting the associated costs of system downtime, recovering lost or compromised data, restoring business-critical functions, paying regulatory fines, and managing both public relations and the increase in customer queries and communications.
The faster a data breach can be contained, the lower the cost and impact to your business.
There are a number of complex reasons for the response gap. Many relate back to an organization’s structural set-up, including how much investment is given to response, and how the associated tasks, roles, and responsibilities are allocated, resourced, and supported. If we separate these reasons out, they look like this:
Reason 1: Attacks are detected but not actioned appropriately
Attack detection encompasses a wide range of functions, whether it is known malware triggering an AV alert or a threat hunter querying whether a legitimate Windows function is masking malicious activity. Regardless of how suspicious activity is detected, many organizations do not have pre-existing processes in place for how suspicious activity is flagged, actioned, and escalated. One of our clients recently suffered a devastating breach that resulted in their entire server being corrupted; their anti-virus had flagged alerts, but resources hadn’t been allocated to monitor them.
Reason 2: Attacks are detected but the organization doesn’t have the right technology to respond
There are a wide range of scenarios that lead to an attack being detected. Sometimes attacks are detected while in progress, but most often the compromise is only revealed as the business is suffering (or has suffered) impact. From a response perspective, all scenarios can be very difficult if the requisite technology isn’t in place. The kinds of technologies that can make or break an investigation include an endpoint detection agent that covers as many assets as possible and can also pull rich forensic data and a variety of logs. Configuring the agent to retain data and logs can also be the defining factor in historic breaches – evidence fades over time. In addition, IT environments are constantly changing and companies are acquired; all of these things make it much more difficult to gain full visibility if response doesn’t begin for months – or sometimes even years – after the attack.
Reason 3: Attacks are detected but the cyber skills shortage impedes an organization’s response
Detecting and responding to attacks requires a high level of constantly updated skill. However, half of all organizations suggest that they are suffering a cybersecurity skills gap that ranges from the teams responsible for patching and system maintenance right up to incident responders, including ‘first responders’ who are the first port of call. Appointed ‘first responders’ are crucial in preparing for response and ensuring you have a range of relevant people from across the organization who can lead and deputize; this should extend to beyond just the IT team.
Reason 4: Attacks are not detected at all
Most organizations – from enterprises to SMEs – aren’t able to allocate resource to dedicated security staff. This means – ultimately – that attacks are not detected until, in some cases, law enforcement knocks on the door. This is usually months and sometimes years after attackers have reached their objective.
Why is the response gap problematic?
There are a number of reasons why the response gap is not sustainable against the current and evolving threat landscape.
Evidence – and the learnings from it – fade over time
The longer it takes to respond, the less an organization can glean crucial information about the attack, including how the attackers got in, what they targeted, and whether they were successful – all of which is crucial to minimize the wide-ranging potential impacts. Forensic and log evidence especially suffer with the passage of time, due in many cases to log retention policies not being in line with an organization’s threat profile. The fluidity of many IT estates means technology gets updated, employees come and go, companies get acquired – all of these contribute to evidence becoming obsolete or deleted.
Impact increases over time
The longer an attacker is on your estate, the more knowledge they gain of your business and its practices, including which assets are of the most value. Many attackers – especially state-sponsored groups – lurk on estates for years, gaining full access to business practices and long-term strategic plans.
What can companies do to narrow the response gap?
For many organizations, narrowing the response gap requires a complete cybersecurity strategy reset. However, there are also a number of common sense approaches that can lead to better response readiness for all organizations.
1) Prioritize response from the top down
A survey by MWR InfoSecurity revealed that only 12% of companies prioritize response spending across the Prediction, Prevention, Detection, and Response (PPDR) framework, instead of the recommended equal spend across each of the four areas.
Decisions to equalize this type of spend must come from the highest corners of the organization, with the board and management of your business prioritizing and effectively communicating your security program to the wider business.
However, experience tells us that the board and senior management don’t necessarily arrive at this type of understanding on their own. The business case for response is strong, but you can and should engage an experienced third party to assist any leadership team that needs support in understanding and identifying where and why more investment is necessary.
2) Take a look at what you already have
Good response is in part down to the ability to interrogate the necessary artefacts when an incident occurs, leveraging the right tools to accelerate the team and their actions. Oftentimes the tooling required for a vast portion of response activity may already be in your organization – for example, if you already have an endpoint agent, understanding it and making sure you have the right elements activated can improve response readiness.
3) Implement basic readiness across people, processes, and technology
If we could recommend three basic response actions across people, processes, and technology, they would be:
People – who is doing what?
We mentioned that your ‘first responders’ should be more than just your technology team and should be in place throughout your organization. It is crucial that – when an incident occurs – there is a designated lead (or leads) and deputies, accounting for the fact that attacks often occur at the most inconvenient of hours and when people are on holiday. It should also factor in that first responders should be fully versed in your cybersecurity policy – for example, if it is suspected a machine or server is compromised, it should be company-wide policy that this machine not be turned off, as evidence might be lost.
Consider how you will communicate during an active incident. Quite often, today’s cyberattacks compromise an organization’s communications infrastructure. The attacker may be live and able to see all communications, so a pre-determined alternative is crucial for successful remediation.
Process – develop your playbook
A playbook for response gets everyone – literally – on the same page. In our whitepaper, Rethinking Response, we include a sample playbook, which could serve as a starting point for you and your teams. The main benefit of a playbook is that it involves thinking through as many scenarios as possible in terms of what to do when an attack is suspected – how and when to escalate it, at what point an incident becomes confirmed, who then needs to be involved, and how you are going to communicate.
If you already have a playbook, revisit and test it, and make sure it is still fit for purpose.
Technology – visibility, control, and flexibility
In our whitepaper, Rethinking Response, we provide a framework for guiding internal discussions around your threat profile. Once your organization agrees on the risks you face, that agreement needs to translate into implementing the appropriate technology for responding to those threats. The core functionalities for effective response are:
- 100% coverage is difficult, but organizations should get as close to that percentage as possible.
- You’ve got to have the right data, and the ability to analyze and act on it as quickly as possible. A lot of tooling will prioritize retrieving artefacts over processing them, which can add additional lead time when you’re trying to figure out what’s going on.
- The vast majority of tooling should enable actions that slow or frustrate the attacker without making them aware of your presence.
Based on your risk appetite and threat profile, identify the appropriate amount of logging on your assets to enable forensic investigators to find the right information. DNS logs, for example, are essential, as many different malware families still rely on DNS to establish their initial communication. Not having the ability to trace back DNS queries from gateway logs to the initial host can delay response activities.
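The trace-back described above depends on joining the gateway DNS log with lease records at the right point in time, because an internal IP address is reused by different hosts over a day. The following added example (not code from the original article or from MWR) does that join over constructed log lines in an assumed format; the domain, hostnames and addresses are placeholders.

```python
import re
from datetime import datetime

# Constructed gateway DNS resolver log lines (assumed format, not a real product's).
DNS_LOG = """\
2019-03-04T09:12:05Z src=10.0.5.23 q=www.intranet.example type=A
2019-03-04T09:13:40Z src=10.0.5.23 q=beacon.constructed.invalid type=A
2019-03-04T15:02:11Z src=10.0.5.23 q=beacon.constructed.invalid type=A
2019-03-04T15:03:30Z src=10.0.5.77 q=beacon.constructed.invalid type=A
""".splitlines()

# Constructed DHCP lease log: the same IP is held by two hosts at different times.
# No lease is recorded for 10.0.5.77, standing in for a retention gap.
DHCP_LOG = """\
2019-03-04T08:00:00Z lease ip=10.0.5.23 host=LAPTOP-FIN-07 until=2019-03-04T12:00:00Z
2019-03-04T14:30:00Z lease ip=10.0.5.23 host=LAPTOP-HR-02 until=2019-03-04T18:30:00Z
""".splitlines()

TS = "%Y-%m-%dT%H:%M:%SZ"
DNS_RE = re.compile(r"^(\S+) src=(\S+) q=(\S+) type=\S+$")
DHCP_RE = re.compile(r"^(\S+) lease ip=(\S+) host=(\S+) until=(\S+)$")

def parse_leases(lines):
    """Return (ip, start, end, host) tuples from lease log lines."""
    leases = []
    for m in filter(None, map(DHCP_RE.match, lines)):
        start, ip, host, until = m.groups()
        leases.append((ip, datetime.strptime(start, TS), datetime.strptime(until, TS), host))
    return leases

def host_for(ip, when, leases):
    """Host holding `ip` at time `when`, or None if no lease covers that moment."""
    for lip, start, end, host in leases:
        if lip == ip and start <= when <= end:
            return host
    return None

def attribute_queries(dns_lines, dhcp_lines, suspect_domain):
    """List (timestamp, source ip, host-or-None) for every query to suspect_domain.
    The join is on IP *and* time; joining on IP alone would blame the current holder."""
    leases = parse_leases(dhcp_lines)
    hits = []
    for m in filter(None, map(DNS_RE.match, dns_lines)):
        ts, src, qname = m.groups()
        if qname == suspect_domain:
            hits.append((ts, src, host_for(src, datetime.strptime(ts, TS), leases)))
    return hits

if __name__ == "__main__":
    for hit in attribute_queries(DNS_LOG, DHCP_LOG, "beacon.constructed.invalid"):
        print(hit)
```

A `None` host is the case the paragraph warns about: the query is visible at the gateway, but without the lease record covering that moment the investigator cannot say which machine made it.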
Where should you start?
There are many examples of companies suffering long-term impacts of a cyberattack. While we don’t want to operate in terms of fear, when we’re discussing cybersecurity and response readiness with our boards it’s important to help them understand how a few targeted investments can help not just in terms of money, but in time, effort and people. Speed of response within a narrow window of opportunity can dramatically change how a business recovers from compromise.
If you don’t have the required information to hand, bring in people who can represent you appropriately and bring your board up to speed, then engage a third party that can help you tease out the correct metrics. Making your organization aware of and actioning these elements could make the difference between you controlling a cyberattack, and a cyberattack controlling you.