The Need for Incident Response

On an average day in the UK, more than 100 .co.uk domain websites are hacked, according to the statistics in the Zone-h.org online database.

Website hacks are adding to the volume of targeted attacks today. If we look at industry statistics, more than 80 percent of websites have vulnerabilities that would cause them to fail OWASP Top 10 tests (source: Veracode). In addition, U.S. CERT believes that 75 percent of new attacks specifically target the application layer of systems in order to exploit these weaknesses.

Why does Web security matter? Website watering hole attacks are becoming increasingly popular with attackers: if they can plant an invisible iframe on a legitimate website, they can redirect its visitors to a compromised website hosting a cocktail of exploits that attack the client computer connecting to it. We have seen some prominent examples in the media over recent months, including high profile sites such as the Council on Foreign Relations and the U.S. Department of Labor.

Among the targets this year was the UK Mole Valley website, in August. Why was the Mole Valley website hack interesting?

The Mole Valley website was hacked as a revenge attack against the UK authorities for detaining David Miranda, Glenn Greenwald's partner. Glenn Greenwald is the journalist responsible for publishing the information that Edward Snowden obtained from the NSA, and Anonymous hackers responded to the arrest by hacking a UK government website. The Mole Valley site was offline for more than two days as a result of the incident, an inconvenience to the council and its constituents, one would imagine.

Why do we care?

One assumes that the UK government, with rigorous incident response (IR) capabilities, spent some time fully understanding what happened via that capability, something many businesses could learn much from.

Without clear and accurate information about infections, businesses continue to do little or nothing until an infection is detected. Once a computer is recognized as infected, which may take months or even years (source: Verizon 2013 Data Breach Report), businesses typically re-image the computer in question without spending any time gathering important information. It is important to be able to answer the who, what, how, when and why questions, and critical if the infected computer is a high-value one.

If it is a Web server, as in the Mole Valley case, the motive of Anonymous made it apparent that defacement was the reason for the hack: to publicize their anger with the UK authorities. However, it could just as easily have been an invisible iframe that redirects users from a trusted website to a Web server hosting a Zbot or Poison Ivy Trojan, which could have been delivered to hundreds or thousands of users to steal data and login credentials before any clean-up took place.
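A defender's check for the invisible-iframe pattern described here and in the watering hole discussion above: this added Python example (not from the original post) parses a page and flags iframes that are sized to zero, hidden by style or attribute, or loaded from another origin. The sample HTML, host names and thresholds are constructed assumptions.

```python
# Added example, not from the original post: audit a page's iframes for the
# "invisible iframe" pattern described above. Sample HTML and hosts are constructed.
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Inline styles commonly used to keep an iframe out of the viewer's sight.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|(?:left|top)\s*:\s*-\d{3,}px",
    re.IGNORECASE)

class IframeAuditor(HTMLParser):
    def __init__(self, site_host):
        super().__init__()
        self.site_host = site_host.lower()
        self.findings = []  # list of (src, reasons) for suspicious iframes

    def handle_starttag(self, tag, attrs):
        if tag != "iframe":
            return
        a = {k.lower(): (v or "") for k, v in attrs}  # bare attrs map to ""
        reasons = []
        def tiny(attr):  # width="0" / height="1px" are not meant to be seen
            return a.get(attr, "").strip().rstrip("px").strip() in ("0", "1")
        if tiny("width") or tiny("height"):
            reasons.append("zero-size")
        if "hidden" in a or HIDDEN_STYLE.search(a.get("style", "")):
            reasons.append("hidden-style")
        host = (urlparse(a.get("src", "")).hostname or "").lower()
        if host and host != self.site_host and not host.endswith("." + self.site_host):
            reasons.append("off-site:" + host)  # loads content from another origin
        if reasons:
            self.findings.append((a.get("src", ""), reasons))

def audit_html(html, site_host):
    """Return [(src, reasons)] for suspicious iframes on a page served from site_host."""
    parser = IframeAuditor(site_host)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: one legitimate embed and two injected, hidden iframes.
SAMPLE_HTML = """<html><body><h1>Council news</h1>
<iframe src="https://maps.example.gov.uk/embed" width="600" height="400"></iframe>
<iframe src="http://cdn-stats.example.net/x.php" width="0" height="0" style="visibility:hidden"></iframe>
<iframe src="http://kit.example.invalid/go" style="position:absolute;top:-9999px"></iframe>
</body></html>"""

for src, reasons in audit_html(SAMPLE_HTML, "example.gov.uk"):
    print(src, "->", ", ".join(reasons))
```

Run it against a saved copy of a page (for example, the nightly snapshot of your own homepage) and alert on any finding; a legitimate embed that trips the off-site rule can be whitelisted by host.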

Anyway, the point of this post is to link the initial hack to the clean-up at the end: what could you do if you had the people, skills and time to do IR, ensure that you learn from past attacks, and ultimately improve your security posture?

  1. Identification: This is the number one issue in the industry today. What should you do quickly when a PC or server has been hit? The quicker you move, the smaller the risk, typically.
  2. Containment: Contain the computer and move it away from production systems ASAP. Most malware infections today spread quickly, for example by using keyloggers to capture login credentials and then logging in to other systems such as databases, AD controllers and other critical systems.
  3. Forensic investigation: Take the time and use a number of open source and commercial tools to understand what happened to the computer system, where the infection came from, what it has accessed, what it did to make itself persistent and survive a reboot, and so on, assuming it merits a forensic investigation.
  4. Remediate/Recover: Get the computer system back online and in production once forensics are complete.
  5. Report: A full review of who, what, when, where and how, and of how to avoid this happening again.

Most businesses move from step 1 to step 4 without dwelling on 2, 3 and 5, which leaves them open to repeating the same mistakes over and over again.

The containment and remediation process has until now been a primarily manual human process, but many of the vendors FireEye partners with today are seeking to redress the balance by automating the containment and forensics parts with software products. The pain point is recognized: skilled humans do not scale, and sadly not every organization has the budget to spend on them.

Whether your business faces a website defacement attack or a true zero-day targeted attack, an incident response plan is something every business, small or large, should be considering now. Over 95 percent of businesses are already compromised with malware (source: FireEye) but don't know it. The mindset needs to change from "when we are compromised" to "we are already compromised, so how do we better protect our assets, intellectual property and so on, and mitigate future risks?"

Even the World Economic Forum recognizes this; its 2012 Cyber-Resilience Guidelines state that:

‘Recognizing that 100% risk mitigation is not possible in any complex system, the overarching goal of a risk-based approach to cyber security is system resilience to survive and quickly recover from attacks and accidents’

In summary, we cannot eradicate or remove all of today's threats, but every business can now mitigate the threat from cyber attacks better and get back to running its business quickly. Building out an incident response capability is something that should be on your list of actions for 2014!