Incident response is slowly turning from a post-mortem exercise into live fire-fighting, say the executives of Finnish cyber-security major F-Secure.
"Unprecedented visibility is changing the incident response challenge," said Edward Parsons, managing director of F-Secure's subsidiary MWR InfoSecurity, talking to SC Media UK. "With a lot of companies investing heavily in detection, we often find ourselves in a situation where we are battling a live attacker within the network."
In such a situation you have to understand the implications of each move you make and anticipate any counter-move by the attacker, which is particularly challenging, he said.
Companies are concerned about indiscriminate, disruptive attacks, where vulnerabilities are quickly weaponised or cases like Shadow Brokers where exploits and tools are being made available for others to use. Many companies remain worried about another WannaCry or NotPetya cropping up, he said.
Two trends that worry major enterprises are the evidence of more targeted ransomware attacks, where attackers cast their net over specific points in the network of the chosen target to ensure the maximum ransom, and the pace at which these attacks spread, Parsons noted.
"Rather than indiscriminately encrypting (data on) computers or servers, they are looking to adopt a position of privilege, identifying critical assets within the network and encrypting them, and ensuring that the backups are inaccessible," he said. This ensures that when they strike, the effect will be detrimental, forcing the company to pay the ransom.
A primary countermeasure is maintaining broad visibility throughout the company network, which allows an attack to be detected and the attacker's position within the network to be understood, said Parsons. Only then can you confidently take measures to contain the attacker or take them off the network.
"While probing the attack, our investigators look at where a compromise is detected on one machine within the network. Are there any more compromised devices in the network? Is this the only place where the attacker (program) exists? If we take action here, can we be confident that we've ejected them from the network?" he explained.
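The scoping questions Parsons lists map directly onto a check a responder runs over endpoint telemetry before deciding whether isolating one machine is enough. The script below is an added example written for this article; it is not code from F-Secure, MWR InfoSecurity or SC Media. All host names, user names, process hashes and log records in it are constructed, and the "critical asset" list is an assumed inventory a real team would draw from its own CMDB.

```python
"""
Added example: minimal incident scoping over endpoint telemetry.

Given an indicator (here a process hash) first found on one host, answer the
responder's questions: on which other hosts does it appear, does any of them
hold a critical asset such as backups, and would containing the first host
alone actually remove the attacker from the network?

Every record and name below is constructed for illustration.
"""
from collections import defaultdict

# Constructed telemetry: (timestamp, host, user, process_sha256, parent_process)
TELEMETRY = [
    ("2024-01-10T09:01:00Z", "ws-017",       "alice",      "aaaa1111", "explorer.exe"),
    ("2024-01-10T09:04:12Z", "ws-017",       "alice",      "deadbeef", "winword.exe"),
    ("2024-01-10T09:10:40Z", "srv-file01",   "svc_backup", "deadbeef", "services.exe"),
    ("2024-01-10T09:15:05Z", "ws-042",       "bob",        "cafef00d", "explorer.exe"),
    ("2024-01-10T09:20:31Z", "srv-backup01", "svc_backup", "deadbeef", "cmd.exe"),
]

# Assumed critical-asset inventory (constructed): hosts whose compromise
# would let an attacker make backups inaccessible before encrypting.
CRITICAL_ASSETS = {"srv-backup01", "srv-file01"}


def index_by_hash(records):
    """Map each process hash to the set of hosts on which it was observed."""
    seen = defaultdict(set)
    for _ts, host, _user, sha, _parent in records:
        seen[sha].add(host)
    return seen


def scope_indicator(records, indicator_hash, first_seen_host):
    """Other hosts where the indicator appears, sorted, excluding the first host."""
    hosts = index_by_hash(records).get(indicator_hash, set())
    return sorted(h for h in hosts if h != first_seen_host)


def critical_hosts_hit(records, indicator_hash):
    """Hosts from the critical-asset inventory that show the indicator, sorted."""
    hosts = index_by_hash(records).get(indicator_hash, set())
    return sorted(hosts & CRITICAL_ASSETS)


def containment_is_sufficient(records, indicator_hash, first_seen_host):
    """True only if no other host shows the indicator, i.e. isolating one
    machine would plausibly eject the attacker; False means widen the scope."""
    return not scope_indicator(records, indicator_hash, first_seen_host)


def earliest_sighting(records, indicator_hash):
    """(timestamp, host) of the first sighting, or None.
    ISO-8601 UTC strings sort chronologically as plain strings."""
    hits = sorted((ts, host) for ts, host, _u, sha, _p in records if sha == indicator_hash)
    return hits[0] if hits else None


if __name__ == "__main__":
    ioc, origin = "deadbeef", "ws-017"
    print("first sighting:", earliest_sighting(TELEMETRY, ioc))
    print("also present on:", scope_indicator(TELEMETRY, ioc, origin))
    print("critical assets hit:", critical_hosts_hit(TELEMETRY, ioc))
    print("isolate origin only?", containment_is_sufficient(TELEMETRY, ioc, origin))
```

Run as-is, the script shows the indicator spreading from a workstation to a file server and then to the backup server within twenty minutes, which is exactly the pattern the article describes; the same functions applied to the hash seen only on `ws-042` return an empty spread and report that single-host containment is sufficient. In production the telemetry would come from an EDR or SIEM query rather than an in-memory list, but the decision logic is the same.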
You must invest well in your network and have reliable internal professionals and partners who can identify these points of breach in time. And time is a luxury these attacks rarely allow. "When an attack happens, global companies don't have 24 or 48 hours to respond, waiting for an incident responder to reach the site and assess the situation," he said.
The three most common internal vulnerabilities are legacy networks, weak user behaviour and misconfiguration, said Parsons. A misconfigured system, coupled with weak user behaviour, gives a hacker an easy breach without even touching the legacy systems. However, regulating vendors is not an effective counter-step, he said. A responsible vendor will ensure that their products are well-patched.
Making the vendor liable for the damage they cause would be an effective step in this direction, said Mikko Hyppönen, chief research officer at F-Secure Labs.
"If you buy a washing machine, there is a short circuit and you get an electric shock, the vendor is liable… If you buy an IoT washing machine, it loses your wifi password and every computer in your house is encrypted by ransomware, they are not liable, which is a little bit weird," he said.