Ahead of the breach
Cyber experts recommend proactive approach to incident response
Chances are high that your network is already compromised.
That's one reason businesses must shift from a reactive to a proactive security posture to survive in today's digital ecosystem, explained Mark Orlando, chief technology officer of Cyber Protection Solutions at Raytheon.
Digital adversaries are likely lurking on your network right now. Forgotten systems with critical vulnerabilities offer unfettered access to key systems and data.
“It’s time to change the narrative,” Orlando said. “Organizations need to operate under the assumption that they are already compromised.”
There are only two incident response approaches: those that include a proactive threat hunting program and those that don't. Organizations must “shift left of the breach,” working to identify signs of compromise as early as possible, according to Orlando.
“Proactive threat-hunting should be built into your incident response plan,” he said. “Incident response can no longer be a reactive activity.”
If you respond to cyber incidents after breaches are successful, you're already too late, experts said.
“It’s the aftermath of a cyberattack that truly impacts an organization,” said Jon Check, senior director of cyber protection solutions at Raytheon. “Ultimately, it is the hours, days, weeks, months and years that follow a successful cyberattack that cause the most damage.”
Being proactive is the only option, according to Orlando and Check. They shared steps to implement a successful, proactive hunting and incident response strategy:
Step 1: Make a plan
The first step to a proactive security posture is making sure you have a plan in place to respond to incidents should they occur.
“The most successful incident response programs are developed and integrated into business operations well in advance of a security incident,” said Check.
Step 2: Start digging
Thanks to the proliferation of modular, reusable malware, today’s advanced cyber adversaries are able to bypass legacy security controls and extract critical data from even the most closely monitored enterprises, according to Orlando.
Threat hunting is the process of proactively searching through networks or datasets to detect and respond to advanced cyber threats that evade traditional rule- or signature-based security controls.
“If I am proactively hunting and have the right visibility and understanding of attacker tools and methodology, compromises can be identified in days instead of weeks and months,” Orlando said.
“Identifying compromises before the adversary can disrupt operations or steal data can save an organization time, money and a PR headache,” said Check. “Proactive threat hunting is no longer a nice to have, it is a must have.”
Step 3: Respond and automate
The best threat hunters work smarter, not harder, according to Orlando. Once a hunter has identified a hidden threat, the incident response process kicks in.
But the hunter’s work doesn’t stop there, explained Orlando. “While the threat is being contained, that sequence of queries and pivots must be captured for future use,” he said. “This custom content development is critical in saving analyst cycles and tracking how a given threat evolves over time.”
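The hunt described in Steps 2 and 3 (a hypothesis-driven query, a pivot on what it finds, and then capturing that sequence so it can be re-run) looks like the following in practice. This is an added illustration, not Raytheon's code or tooling; the event records, field names (host, user, event, parent, image, dest, ts) and the office-app-spawns-shell hypothesis are all constructed for the example and are not a real log schema.

```python
"""
Added example (not from the article or Raytheon): a hunt run first as a
sequence of queries and pivots, then captured as named, reusable hunt
content that can be re-run against new telemetry.

All events and field names below are constructed for the example.
"""
from dataclasses import dataclass
from typing import Callable

Event = dict  # one log record, e.g. {"host": "ws-12", "event": "process", ...}

# Constructed sample telemetry (assumption: one record per process-creation
# or network event, with an integer timestamp for ordering).
SAMPLE_EVENTS: list[Event] = [
    {"ts": 1, "host": "ws-12", "user": "alice", "event": "process",
     "parent": "WINWORD.EXE", "image": "powershell.exe"},
    {"ts": 2, "host": "ws-12", "user": "alice", "event": "network",
     "image": "powershell.exe", "dest": "203.0.113.7:443"},
    {"ts": 3, "host": "ws-30", "user": "bob", "event": "process",
     "parent": "explorer.exe", "image": "powershell.exe"},
    {"ts": 4, "host": "ws-30", "user": "bob", "event": "network",
     "image": "powershell.exe", "dest": "10.0.0.5:445"},
    {"ts": 5, "host": "ws-41", "user": "carol", "event": "process",
     "parent": "EXCEL.EXE", "image": "cmd.exe"},
]

OFFICE_APPS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SHELLS = {"powershell.exe", "cmd.exe"}


@dataclass
class HuntStep:
    """One captured query. It sees the full dataset plus the previous
    step's findings, so it can pivot on hosts, users, images found earlier."""
    name: str
    query: Callable[[list[Event], list[Event]], list[Event]]


def office_spawned_shell(events: list[Event], _prev: list[Event]) -> list[Event]:
    """Query 1 (the hypothesis): a document-handling app spawning a shell.
    The explorer.exe -> powershell.exe case on ws-30 is deliberately not matched."""
    return [e for e in events if e["event"] == "process"
            and e["parent"] in OFFICE_APPS and e["image"] in SHELLS]


def outbound_from_same_host(events: list[Event], prev: list[Event]) -> list[Event]:
    """Pivot: on the hosts found by query 1, look for network activity by the
    spawned shell at or after the time it was spawned."""
    first_seen: dict[tuple, int] = {}
    for e in prev:
        key = (e["host"], e["image"])
        first_seen[key] = min(first_seen.get(key, e["ts"]), e["ts"])
    return [e for e in events if e["event"] == "network"
            and (e["host"], e["image"]) in first_seen
            and e["ts"] >= first_seen[(e["host"], e["image"])]]


# The interactive sequence, captured as named content for future hunts.
OFFICE_TO_SHELL_HUNT = [
    HuntStep("office_spawned_shell", office_spawned_shell),
    HuntStep("outbound_from_same_host", outbound_from_same_host),
]


def run_hunt(steps: list[HuntStep], events: list[Event]) -> dict[str, list[Event]]:
    """Re-run a captured hunt against any dataset; returns findings per step."""
    findings: dict[str, list[Event]] = {}
    prev: list[Event] = []
    for step in steps:
        prev = step.query(events, prev)
        findings[step.name] = prev
    return findings


if __name__ == "__main__":
    for name, hits in run_hunt(OFFICE_TO_SHELL_HUNT, SAMPLE_EVENTS).items():
        print(f"{name}: {len(hits)} hit(s)")
        for e in hits:
            print("   ", e)
```

On the constructed data the first step flags ws-12 and ws-41, and the pivot narrows to the single outbound connection from ws-12; ws-41 spawned a shell but produced no follow-on network event, which is exactly the kind of context a hunter wants before escalating. Because each step is a named function, the same sequence can be run against next week's telemetry or adjusted when the adversary's tooling changes, which is the "custom content development" the text refers to.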
Step 4: Communicate
The first step to developing and implementing an effective communications strategy is to engage your communications department. They will work with your team to develop a plan that engages the entire organization, from legal and HR to your supply chain. When an incident is identified, having an effective communications plan in place is critical to a successful response.
“There are many different components to the communication that needs to happen during an incident,” explained Check. “You have internal communications, external communications – likely involving the press or law enforcement – and communications to stakeholders or investors.”
Step 5: Practice
Practice makes perfect. Your organization should actively practice identifying and responding to incidents.
“Practice helps an organization identify areas of improvement,” explained Check. “Just because you wrote a plan down to start does not mean the work is done.”
Organizations that do not have the bandwidth or resources to support a 24/7 proactive incident response protocol should engage an outside service provider.