Infrastructure Insights
The Anatomy Of A Hack: Network Security With A Network Of Defenses

Insights_Guest on 08-07-2015 09:00 AM

By: Eric J. Bruno


According to James Comey, director of the FBI, there are only two types of companies: those who've been hacked and those who don't know they've been hacked. This is a sad assessment of cyber crime. Worse yet, according to Verizon, the time it takes to compromise an organization is decreasing, while the time required to detect a breach is increasing. In 60 percent of all network security incidents, attackers are able to compromise an organization within minutes. And according to George Kurtz of CrowdStrike, the average malware infection lives for more than 200 days before detection.


On the corporate side, according to Computerworld, spending on IT security will increase 46 percent in 2015. Clearly, IT solutions alone aren't enough to protect against cyber crime; you need to have a concise plan in place.


Timeline of a hack and corresponding response

What follows is an outline of a hack or data breach with a moment-by-moment response plan, roughly marked out in time, beginning with preparation before an attack occurs. Follow along and see how your plan compares.


T(-1): Preparation

Let's assume you have an IT solution in place, with appropriate firewalls, security detection software, and a monitoring solution to discover attacks when they occur. If you don't, this should be your first step. Leveraging a cloud vendor or security solution with the latest in intrusion detection and mitigation is an excellent choice here.


But even with safeguards in place, chances are you're going to have to deal with an attack and/or an actual breach at some point. The worst-case scenario is not being prepared or not appearing to be. Instead, create an incident response plan that will first establish team members. Second, outline roles and responsibilities for multiple teams and their members. Third, outline clear notification and communication channels and methods.


You should also create a central command center, with geographic command centers in a hierarchy, and identify candidates to be in charge of them. You need multiple people to account for different time zones and locations. These commanders should be employees with the authority to make high-level decisions, and they should have executive member support.


T(-0): Detection

Use threat detection solutions to discover, in real time, that an attack is occurring. Check request sources against lists of known bad addresses, analyze network traffic patterns for man-in-the-middle and similar attacks, and use the latest threat analytics and intelligence to discover patterns that reveal potential attacks from both inside and outside your systems.
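As an added illustration of the first detection step above (not code from the original article), here is a small Python checker that runs over web-server access-log lines, flags request sources that fall inside a known-bad address list, and also flags sources with repeated login failures. The blocklist and the log lines are constructed sample data, not real indicators.

```python
import ipaddress
import re
from collections import Counter

# Constructed blocklist for this example (hypothetical, not real threat intel).
KNOWN_BAD = [ipaddress.ip_network(n) for n in ("203.0.113.0/24", "198.51.100.77/32")]

# Constructed sample web-server access log in Apache combined format.
SAMPLE_LOG = """\
192.0.2.10 - - [07/Aug/2015:09:00:01 +0000] "GET /index.html HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.5 - - [07/Aug/2015:09:00:02 +0000] "GET /admin HTTP/1.1" 403 128 "-" "curl/7.43"
192.0.2.10 - - [07/Aug/2015:09:00:03 +0000] "GET /about.html HTTP/1.1" 200 640 "-" "Mozilla/5.0"
198.51.100.77 - - [07/Aug/2015:09:00:04 +0000] "POST /login HTTP/1.1" 401 64 "-" "python-requests/2.7"
192.0.2.44 - - [07/Aug/2015:09:00:05 +0000] "POST /login HTTP/1.1" 401 64 "-" "python-requests/2.7"
192.0.2.44 - - [07/Aug/2015:09:00:05 +0000] "POST /login HTTP/1.1" 401 64 "-" "python-requests/2.7"
192.0.2.44 - - [07/Aug/2015:09:00:06 +0000] "POST /login HTTP/1.1" 401 64 "-" "python-requests/2.7"
"""

# Captures source address, timestamp, method, path and status code of one line.
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def parse_line(line):
    # Return None for lines that do not match so a malformed entry never crashes the monitor.
    m = LOG_RE.match(line)
    if not m:
        return None
    src, ts, method, path, status = m.groups()
    return {"src": ipaddress.ip_address(src), "ts": ts,
            "method": method, "path": path, "status": int(status)}

def is_known_bad(addr):
    # True if the address falls inside any blocklisted network.
    return any(addr in net for net in KNOWN_BAD)

def analyze(log_text, auth_fail_threshold=3):
    """Return alerts for blocklisted sources and for repeated login failures."""
    alerts = []
    failures = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if is_known_bad(rec["src"]):
            alerts.append(("known_bad_source", str(rec["src"]), rec["path"]))
        if rec["path"] == "/login" and rec["status"] == 401:
            failures[rec["src"]] += 1
    for src, count in failures.items():
        if count >= auth_fail_threshold:
            alerts.append(("repeated_auth_failure", str(src), count))
    return alerts
```

In practice the blocklist would be fed from a threat-intelligence source and the alerts forwarded to your monitoring solution rather than printed.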


T(+1): Identification

It's extremely important to know who's attacking you. Your next step is to understand the type of threat you're dealing with by mobilizing a team to identify three important aspects: who the attackers are, what they're after, and why they want it (their motive). It's not always about money. In the recent Sony attack, for example, one motive may have been revenge.


T(+2): Communication

Once an attack or breach is detected, get the word out within your company, and remember to notify other affected parties. Many attacks are conducted through a third party, such as a compromised web server belonging to another company. Plan to alert that third party so the damage can be limited. Also, if any data is breached, alert the parties involved.


T(+3): Reputation

While being attacked is never good, poor media communication is even worse. Prepare a generic media report in advance, then generate subsequent reports specific to the attack at hand. It's best to be forthcoming with information and details about how you're fighting the attack or limiting the breach. Lack of communication or poor communication will only hurt your reputation.


T(+4): Isolation

One goal of attackers is to infiltrate as many of your systems as possible in order to get deeply embedded. Your immediate goal is to limit the attack by first limiting the specific data breach, and second, by protecting internal systems, such as HR or CRM, against secondary attacks. The longer the attackers are inside and the greater number of systems they infiltrate, the harder it will be to eradicate them.


T(+5): Eradication

Removal of attackers and their malware from your systems is your next goal. This is a tricky process of detection, restoration, and verification that the attackers and malware are gone. Here, you'll need to rely on a combination of software, good backups, and expert help.


T(+6): Fortification

Unfortunate events such as cyber crime are an educational opportunity. Be sure to learn from the attack to build defenses against future attacks, uncover incidents of employee impropriety, or identify partners with weak defenses. In all cases, you'll need to come up with ways to protect yourself.


T(+7): Investigation

Even if the attack is successfully detected and mitigated, you should hire an outside firm to independently conduct a forensic breach investigation. This helps to bolster key learning; ensure internal responses were appropriate, effective, and efficient; ensure malware is eradicated; and work with regulators, where appropriate.


Always remain prepared

Being prepared and staying prepared are two different things. As attackers continue to update their strategies, you need to update your network security, plan, and response. To do so, follow these steps:

  • Review and revise incident response plans
  • Keep your plan up to date with current names and roles
  • Keep up to date with breaches across the industry
  • Research the bad guys to understand their motives, strategies, and tactics
  • Bolster security with the latest software and techniques
  • Always look for outside help



Eric Bruno


Eric Bruno is a computer scientist skilled in the art and science of full life cycle, large-scale software architecture, design, and development. His accomplishments span client/server development, highly distributed development, multi-tiered web development, real-time development, and transactional software development. He writes and speaks often on software architecture and development related topics.

Connect with Eric:

  @ericjbruno
