Which Incident Response Investments Are You Prioritizing in 2020?

January 22, 2020

The new year is upon us with predictions and forecasts for the future of cybersecurity. There’s no crystal ball here, but based on the campaigns and trends we’ve seen in previous years, there are some key areas of incident response that would benefit from cybersecurity investment. Ideally, you will have a sufficiently large budget to invest in people and tooling so your team can mature and improve in a variety of services. Unfortunately, this is often not the case, and you’ll likely have to make choices about where you will invest time and resources.

According to the FireEye Cyber Trendscape Report, 51 percent of organizations do not believe they are ready to respond well to a cyberattack or breach event. The same report shows that 8 percent do not have incident response plans and 29 percent have plans but have not tested or updated them in the last 12 months. Needless to say, developing, testing and improving incident response plans should be the number one priority for future investment by these organizations, but there are other pressing areas to consider as well.

Invest in the Future of Digital Forensics

Digital forensics has always played a crucial role in incident response. The ability to analyze systems and networks and trace back the footsteps of an intruder is essential to understanding and mitigating a security incident. Conventional forensic activities focus on workstations, servers and network devices built on traditional hardware and software. Although some environments require a specific approach (industrial sites, for example), most seasoned investigators will have no difficulties entering a new site and completing a successful investigation.

In recent years, organizations have moved critical data to the cloud. One of the consequences was that the incident response capabilities had to be extended with cloud forensics. If your organization has yet to make a cybersecurity investment in cloud forensics, then now is the time. As with any type of forensics, to perform cloud forensics you need to have access to relevant data. The first step is to ensure that you understand exactly where the cloud data is, how you can access it and what type of cloud environment you have to deal with. Working on an incident response plan for cloud services, having communication channels with your cloud providers and knowing what security data is provided by the cloud platform are also important.

But the challenge of digital forensics doesn’t stop with cloud services. Bring-your-own-device (BYOD) is getting more popular, which raises new concerns. Are you allowed to do incident response on a non-corporate device? What about the privacy of your employees? These matters can be included in a BYOD policy, but there are other sharks in the water. Are you technically capable of investigating the devices? Even if your investigators are skilled with Microsoft Windows, will they be able to dive deep into a Linux or OS X system? How about mobile devices?

Furthermore, do you have the technical equipment to access personal devices? The variety of hard drive and memory types and differences in computer architecture can make it difficult to obtain data from a suspected infected device. It’s impossible to be ready for every possible architecture or software, but you can get ahead of the game by knowing what personal gear your employees typically use so you can have hardware and software ready to do investigations. One tool that can help you is the freely available SIFT Workstation, which can support a variety of environments.

BYOD devices may not be the only devices introducing exotic hardware and software to your environment. Embedded and internet of things (IoT) devices are appearing on the work floor more and more to provide organizations with small but essential services. These items can range from devices for physical security, video recording and HVAC to automation and payment systems. Printers and scanners are also included in this category. Because these devices have become some of the preferred targets for attackers, it’s an area where a cybersecurity investment would certainly be beneficial for your environment.

You can start by regularly (and perhaps automatically) inventorying these assets and exposed services and then isolating them in dedicated network segments. Acquiring forensic data can sometimes be difficult because everything can be stored in volatile memory. If this is the case, spend at least a few bucks on monitoring and capturing communications from these devices as well as centralizing their log events.

Get Ready for Changes in Network Monitoring

Network monitoring is one of the cornerstones of incident response. For a long time, network monitoring professionals have had to adapt their working methods to the increased use of encryption. One of the communication channels that remained fairly easy to monitor, however, was the Domain Name System (DNS), partly because it was mostly available in an unencrypted form. Now, with DNS over TLS (DoT) and DNS over HTTPS (DoH), this will likely change, as both use an encrypted transport.

Whether or not you are in favor of DoT or DoH, it is important to invest time and resources in adapting your DNS monitoring and to be prepared for when they become more mainstream. First, as an organization you need to decide on preferred resolvers and then configure these on the systems under your control. Take into consideration that not all applications will use the system-configured resolvers; web browsers and apps on mobile devices are two examples. You will have to accept the fact that you will have less visibility into DNS queries, although work is being done to distinguish DoH from “normal” HTTPS traffic. Train your incident response team to be mindful of this change and to use other means to spot anomalies. In the case of DNS, newer versions of Sysmon can now also track client DNS queries.
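As an added example (not code from the original article), the following Python snippet shows the two ideas from this section side by side: reading client DNS queries from Sysmon Event ID 22 (DnsQuery) records on the endpoint, and flagging encrypted-resolver traffic (DoT on tcp/853, DoH by TLS SNI) in connection logs that bypasses the resolvers the organization decided on. The log records, the approved-resolver set and the known-DoH-host list are constructed placeholders to replace with your own.

```python
import xml.etree.ElementTree as ET

# Constructed Sysmon Event ID 22 (DnsQuery) records, one <Event> per query.
SYSMON_EVENTS = """<Events>
<Event><System><EventID>22</EventID></System><EventData>
<Data Name="Image">C:\\Program Files\\Mozilla Firefox\\firefox.exe</Data>
<Data Name="QueryName">www.example.com</Data></EventData></Event>
<Event><System><EventID>22</EventID></System><EventData>
<Data Name="Image">C:\\Users\\alice\\AppData\\Local\\Temp\\svc.exe</Data>
<Data Name="QueryName">telemetry-x7q2kd9.example.net</Data></EventData></Event>
<Event><System><EventID>1</EventID></System><EventData>
<Data Name="Image">C:\\Windows\\notepad.exe</Data></EventData></Event>
</Events>"""

# Constructed firewall connection records: "src dst:port tls_sni" ('-' = no SNI).
CONN_LOG = """\
10.0.0.5 198.51.100.10:443 www.example.com
10.0.0.5 198.51.100.20:853 -
10.0.0.5 192.0.2.53:853 -
10.0.0.7 198.51.100.30:443 dns.public-doh-example.com"""

# Assumptions: your chosen resolvers (IP or SNI) and a DoH endpoint list you maintain.
APPROVED_RESOLVERS = {"192.0.2.53", "dns.corp-resolver-example.org"}
KNOWN_DOH_HOSTS = {"dns.public-doh-example.com"}
TRUSTED_IMAGE_PREFIXES = ("C:\\Program Files", "C:\\Windows")

def sysmon_dns_queries(xml_text):
    """Return (image, query_name) pairs from Sysmon Event ID 22 records only."""
    out = []
    for ev in ET.fromstring(xml_text).iter("Event"):
        if ev.findtext("System/EventID") != "22":
            continue
        data = {d.get("Name"): d.text for d in ev.iter("Data")}
        out.append((data.get("Image", ""), data.get("QueryName", "")))
    return out

def queries_from_untrusted_images(queries):
    """Heuristic: queries made by binaries outside the usual install locations."""
    return [q for q in queries if not q[0].startswith(TRUSTED_IMAGE_PREFIXES)]

def flag_encrypted_dns(conn_log):
    """Flag DoT (tcp/853) and DoH (TLS to a known DoH host) that skip approved resolvers."""
    flagged = []
    for line in conn_log.splitlines():
        src, dst, sni = line.split()
        host, port = dst.rsplit(":", 1)
        if port == "853" and host not in APPROVED_RESOLVERS:
            flagged.append((src, dst, "DoT"))
        elif sni in KNOWN_DOH_HOSTS and sni not in APPROVED_RESOLVERS:
            flagged.append((src, dst, "DoH"))
    return flagged
```

The SNI check only works where your proxy or firewall logs the TLS server name; without it, a maintained list of DoH resolver IPs is the fallback.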

Prepare for Supply Chain Attacks

One form of security incident which will likely occur more often in the future is the supply chain attack. The benefit for attackers lies in the fact that, instead of targeting an organization directly and possibly setting off alarms, they can aim for the smaller, less secure components. The complexity and variety of platforms used and the lack of visibility into supply chain processes can make this strategy very lucrative for attackers. Adding to the problem, many smaller organizations do not consider themselves targets for such attacks and lack proper computer security as a result. The importance of improving security in these cases is stressed by the Verizon 2019 Data Breach Investigations Report, which stated that 43 percent of breaches involved small business victims in 2019.

Attackers can target popular applications in the style of NotPetya/M.E.Doc, but they can also target commonly used software libraries. The traditional supply chain attack operates through hardware, which, although it may be very rewarding from an attacker’s point of view, can be fairly expensive to achieve. A key concern that will certainly get more attention in the near future is supply chain attacks conducted via service providers, as was the case with APT10.

There’s no silver bullet for protection, but from an incident response perspective, you can already prepare by bringing the procurement team on board and ensuring their involvement with running risk assessments for your suppliers. Furthermore, it’s worth investing in monitoring the activity of your suppliers and expanding your threat model to include any threats that could target your service providers. These additional variables can then be taken into consideration when you conduct cyber simulations.

Align on Standardized Frameworks

As attacks get more complex and attackers become bolder, it’s important to refer to standardized frameworks. Using a standardized framework allows you to speak the same language as everyone else in the organization, which can make it easier to report cases, exchange threat intelligence on observed attack campaigns and assess your defensive capabilities in light of these campaigns.

One framework worth looking into is MITRE ATT&CK, a globally accessible knowledge base of adversary tactics and techniques based on real-world observations. Depending on your threat model, pick the techniques described in ATT&CK which might affect your organization, make the most out of the data sources that you already have, identify the missing data sources and invest in onboarding these sources to expand your coverage.
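The gap analysis described above, as an added example that is not part of the original article: given the ATT&CK techniques selected from your threat model and the data components your SIEM already receives, it lists what each technique still lacks and builds a greedy onboarding order that unlocks the most techniques per data source. The technique-to-data-component mapping is an illustrative excerpt constructed for this example; in practice it is loaded from the ATT&CK STIX data, and the onboarded set is an assumption.

```python
# Illustrative technique -> data-component mapping (constructed for this example;
# in practice, load the real mapping from the ATT&CK STIX data for the techniques
# your threat model selected).
TECHNIQUE_DATA_SOURCES = {
    "T1059 Command and Scripting Interpreter": {"Process Creation", "Command Execution"},
    "T1071.004 Application Layer Protocol: DNS": {"Network Traffic Content", "Network Traffic Flow"},
    "T1003 OS Credential Dumping": {"Process Creation", "OS API Execution", "File Access"},
    "T1566 Phishing": {"Application Log Content", "Network Traffic Content"},
    "T1195 Supply Chain Compromise": {"File Metadata", "File Creation"},
}

# Assumption: data components your SIEM already receives today.
ONBOARDED = {"Process Creation", "Network Traffic Flow"}

def coverage_gaps(mapping, onboarded):
    """Map each technique to the data components still missing (empty set = covered)."""
    return {tech: needed - set(onboarded) for tech, needed in mapping.items()}

def fully_covered(mapping, onboarded):
    """Techniques for which every required data component is already onboarded."""
    return {tech for tech, missing in coverage_gaps(mapping, onboarded).items() if not missing}

def prioritize_onboarding(mapping, onboarded, budget):
    """Greedy plan: each round, onboard the missing component that advances the most
    techniques, with extra weight when it is a technique's last missing component.
    Ties break alphabetically so the plan is reproducible."""
    have = set(onboarded)
    plan = []
    for _ in range(budget):
        gain = {}
        for missing in coverage_gaps(mapping, have).values():
            for comp in missing:
                gain[comp] = gain.get(comp, 0) + (2 if len(missing) == 1 else 1)
        if not gain:
            break  # every selected technique is already covered
        best = min(gain, key=lambda c: (-gain[c], c))
        plan.append(best)
        have.add(best)
    return plan

if __name__ == "__main__":
    print("covered now:", sorted(fully_covered(TECHNIQUE_DATA_SOURCES, ONBOARDED)))
    plan = prioritize_onboarding(TECHNIQUE_DATA_SOURCES, ONBOARDED, budget=2)
    print("onboard next:", plan)
    print("covered after:", sorted(fully_covered(TECHNIQUE_DATA_SOURCES, ONBOARDED | set(plan))))
```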

Your Investments Will Depend on Your Business

As is stated above, unless you have a limitless budget, you will naturally have to choose which areas require investment first. Since most organizations have some data stored in the cloud, getting insight into which forensic data is available from cloud providers can be a good first step. Next, understand how your organization communicates with suppliers and how they connect to your network, which may be via VPN. These communication channels, including those for the cloud, are most likely encrypted, so evaluate other available log sources that can be used to monitor for abnormal behavior. Lastly, the data sources covered in the ATT&CK framework can be used as inspiration to identify the gaps in your defensive capabilities, which can then enable you to connect the dots between events.

Koen Van Impe
Security Analyst

Koen Van Impe is a security analyst who worked at the Belgian national CSIRT and is now an independent security researcher. He has a twitter feed (@cudes...
