Kittens and Yetis and Bears, Oh My! - Incident Response in a Bad Bad World

By: (GCIH, GPEN, GWAPT)

Publication: The Colorado Banker , September/October 2017

It seems that every week a news story appears detailing new hacking activity originating from organized groups with interesting names such as Energetic Bear, Rocket Kitten, Crouching Yeti, Night Dragon and Sad Panda. While the names are colorful, the groups behind them are deadly serious. One might think that these groups are interested only in government or military secrets. However, businesses from all sectors are subject to attack. Successful compromises have been detected in power and water utilities, communications, and businesses holding personally identifiable information. The motivations behind these attack groups are political, commercial, and security-related. When considering this, it becomes obvious that all businesses and many individuals have information that would be valuable to these groups. Making the problem more complex, many organizations do not realize they are compromised until they are notified by an external source, usually law enforcement.

Cyber threat hunting and cyber threat intelligence are popular trends. Many companies offering these services advertise them as if finding advanced attackers were as simple as playing the old video game "Duck Hunt". There is a real need for threat intelligence and hunting; however, a more foundational practice, incident response, needs to be developed in businesses first.

What is Incident Response?

Banks have been familiar with the concept of incident response for many years. Formally, incident response is the process used to manage security incidents. Regulatory guidance requires incident response policies. However, many institutions never progress past the policy stage. Given the current risk environment, this is no longer an acceptable practice. Institutions must be capable of detecting intrusions and responding appropriately.

The Incident Response Process

The National Institute of Standards and Technology (NIST) has published a document titled "Computer Security Incident Handling Guide" (Special Publication 800-61). This guide describes a four-step process for incident response. The four steps are:

  • Preparation
  • Detection & Analysis
  • Containment, Eradication and Recovery
  • Post-Incident Activity

Many financial institutions may not be able to develop full incident response capabilities that cover all four steps. However, preparation, detection and basic analysis are tasks and skills that institutions must be capable of performing.

The first step, Preparation, is critical, as it will determine the success of any intrusion response. Preparation includes development of policies and procedures. Additionally, it is important to invest in appropriate training for on-site IT staff so that they will be able to detect intrusions and perform basic analysis. On-site IT staff are best qualified for this because they operate in the environment on a daily basis and can recognize abnormal activity. Third-party IT providers can also be very valuable, provided they have dedicated staff trained in intrusion response. Another key element of the preparation step is to test response capabilities. Testing should be conducted frequently and can include scenario and tabletop exercises. It is also important to test the actual technical response processes, including use of any tools relied on for detection and basic analysis. Any additional work in the Preparation phase makes subsequent tasks, such as detection and analysis, much easier.

Network Visibility

The second step, Detection & Analysis, can quickly become complex. An institution must have the capabilities and resources to determine whether there has been an intrusion. This requires full-content packet captures and NetFlow data from all ingress and egress points in the network, as well as system logs from devices such as firewalls, routers, switches, virtualization hypervisors, servers, antivirus products and workstations. The goal is to aggregate and retain this data so that on-site IT staff have complete visibility into what is happening across all areas of the network at all times. Retention matters as much as collection: since many intrusions are discovered only when an outside party reports them, the data must still be available weeks or months after the activity occurred.
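To show what "basic analysis" over retained NetFlow data looks like in practice, the following Python script is an added example (not part of the original article) that runs two simple checks over constructed flow records: outbound connections to an external host that recur on a near-constant interval (beaconing, a common sign of command-and-control traffic), and unusually large outbound transfers from an internal host. The internal address ranges, the thresholds and the sample records are all assumptions made for the example.

```python
"""Basic flow analysis: beaconing and large-egress checks over NetFlow-style records.

Added example for illustration; the records below are constructed, not real traffic.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network
from statistics import mean, pstdev

# Assumption: the institution's internal address space is the RFC 1918 ranges.
INTERNAL_NETS = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]

# Constructed sample records in a NetFlow-like CSV layout:
# start_time, src_ip, dst_ip, dst_port, bytes_sent
SAMPLE_FLOWS = """\
2017-09-01T08:00:00,10.1.5.23,203.0.113.7,443,1204
2017-09-01T08:10:03,10.1.5.23,203.0.113.7,443,1198
2017-09-01T08:19:58,10.1.5.23,203.0.113.7,443,1210
2017-09-01T08:30:01,10.1.5.23,203.0.113.7,443,1190
2017-09-01T08:40:00,10.1.5.23,203.0.113.7,443,1201
2017-09-01T08:05:12,10.1.5.40,198.51.100.9,443,54000
2017-09-01T08:17:45,10.1.5.40,198.51.100.9,443,61000
2017-09-01T09:02:03,10.1.5.41,10.1.1.10,445,52000000
2017-09-01T09:12:31,10.1.5.41,192.0.2.15,22,48000000
"""


def is_internal(ip):
    """True if the address falls in one of the assumed internal ranges."""
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def parse_flows(text):
    """Parse CSV flow records into dicts; blank and '#' lines are skipped."""
    flows = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, src, dst, dport, nbytes = line.split(",")
        flows.append({"time": datetime.fromisoformat(ts), "src": src,
                      "dst": dst, "dport": int(dport), "bytes": int(nbytes)})
    return flows


def find_beacons(flows, min_flows=4, max_jitter=0.2):
    """Flag (src, dst, port) triples that reach an external host on a regular
    schedule: the spread of the gaps between flows (pstdev / mean) is small."""
    by_tuple = defaultdict(list)
    for f in flows:
        if not is_internal(f["dst"]):
            by_tuple[(f["src"], f["dst"], f["dport"])].append(f["time"])
    beacons = []
    for (src, dst, dport), times in by_tuple.items():
        if len(times) < min_flows:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons.append({"src": src, "dst": dst, "dport": dport,
                            "flows": len(times), "interval_s": round(avg)})
    return beacons


def find_large_egress(flows, threshold_bytes=10_000_000):
    """Sum bytes sent from internal to external hosts; flag pairs over threshold."""
    totals = defaultdict(int)
    for f in flows:
        if is_internal(f["src"]) and not is_internal(f["dst"]):
            totals[(f["src"], f["dst"])] += f["bytes"]
    return [{"src": s, "dst": d, "bytes": b}
            for (s, d), b in totals.items() if b >= threshold_bytes]


if __name__ == "__main__":
    flows = parse_flows(SAMPLE_FLOWS)
    for b in find_beacons(flows):
        print("possible beacon:", b)
    for e in find_large_egress(flows):
        print("large egress:", e)
```

On the constructed records, the script flags 10.1.5.23 for contacting 203.0.113.7 every ten minutes and 10.1.5.41 for sending 48 MB to an external SSH server, while ignoring the equally large internal file-share transfer. Both checks are deliberately simple; their value comes from the underlying flow data having been collected from every egress point and retained long enough to look back at.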

Not If - But When

The saying "It's not if, but when" applies to intrusions today. Every business needs an intrusion response capability now. Some will not know they have been compromised until law enforcement informs them. Smart businesses will have prepared their incident response ahead of time and will detect when Sad Panda intrudes.