Brian Hussey, VP of cyber threat detection and response for SpiderLabs at Trustwave, explains what elements firms need to have in place if they are to detect, contain and survive a cyber attack.
With the global outbreak of the NotPetya ransomware following less than two months from WannaCry, it’s all too easy to get sucked into the narrative that the cyber criminals are winning the race against security defences. However, while it is certain that advanced and effective new attacks will continue to appear and take their toll, what is often overlooked is that defensive security teams have been making significant progress as well.
In fact, the 2017 Trustwave Global Security Report actually found that the time it takes to detect an intrusion has decreased significantly over the past year. The median time from intrusion to detection of a compromise for incidents in 2016 was 49 days, down from 80.5 days in 2015. The range of times we encountered varied wildly, from the same day to over 2000 days – more than five years.
Keeping up with the attackers
It should be taken as an encouraging sign that times are improving so rapidly, particularly as both the volume and sophistication of attacks increases. However, detecting an intrusion is only half the battle, and the amount of time it takes to neutralise the threat can make a huge amount of difference in the financial and reputational damage caused by the incident. Likewise, while the first priority will always be triage activity to limit the impact, it is also vitally important to follow up with a thorough investigation to discover how the attack was carried out.
An organisation needs to find out how they were breached, what was affected, and if they are likely to be hit again through the same vector or an additional infection. Not only is it essential to ensure that the same vulnerability is not exploited again, but they also need to assure affected customers and regulators that the incident being taken seriously.
However, we find that while some organisations, such as financial services, will always engage in thorough investigations, others such as hospitals, will be looking for any excuse not to investigate due to the budgetary requirements.
We have also found that incidents which have been self-detected by an organisation were discovered an average of 60% faster compared to those found through a third party like law enforcement or a regulator. The median detection time for internal discoveries was just 16 days.
At the same time, our investigations also showed that, on average, companies were also managing to contain breaches relatively quickly once they had detected them. The median number of days from detection to containment in 2016 was 2.5.
Quantifying containment can lead to some unusual figures however, as it is possible to contain a breach through activities such as patching without actually having detected the intrusion. In one notable case, we found an incident had been contained for a full year before it was officially detected. Good security hygiene, such as keeping regularly patched and updated, can prevent many common breaches, while a managed security services approach will enable an organisation to quickly access expert help to detect and contain more serious incidents.
Helping the cyber sleuths
In addition to ensuring the organisation has access to detect and contain an attack as soon as possible, it is also important to have a company-wide playbook in place, ensuring all employees are aware of what they can do to limit the impact of an attack and aid in the recovery and investigation.
We frequently encounter cases where a well-meaning IT team has destroyed vital forensic evidence in their efforts to protect the company from attack or clean up the mess. For example, wiping an infected endpoint device may seem like a logical step to take, but this will make the job of an investigator much more difficult. Similarly, network traffic is also often set to delete after a set time, and while this appears to be good data housekeeping, it will also remove potential clues about when and how a network was accessed by an attacker. While a forensic expert can still recover evidence from data that has been deleted, much can be lost and it will generally cause the investigation to take longer and cost more.
By combining the skill and support of third party security experts with a well-planned incident response plan at all levels of the business, organisations can greatly increase their ability to identify unfolding threats and contain them before the damage is done. Even if the worst happens and an attack is successful, the ability to investigate the cause quickly and efficiently will make all the difference in the financial and reputational impact of any incident.