Information security practitioners operate in a multi-dimensional field requiring speed and agility in order to adapt to constant change. We must be swift at detection and response in order to prevent compromises and data breaches.
Just recently I worked with my FireEye Mandiant Managed Defense colleagues to remove a threat actor from a customer’s environment after detecting the usage of BLOODHOUND, an Active Directory recon tool. Our rapid detection and response prevented data loss for the customer, and we went on to improve their security posture with preventative security configuration changes to their network environment.
Find and outmaneuver. Those have been the constants of the security field throughout my career, from the U.S. Air Force through to Managed Defense. With each new customer, operation and engagement, I have noticed striking similarities in how to fortify security operations to better battle the adversary, regardless of the job.
1. Take Action Now
There is rarely a good time to pause. From APTs to FIN groups (financially motivated attackers), attackers are innovative, resourceful and highly motivated to breach a network. As I write this, we’ve seen a resurgence of opportunistic attacks, and actors are organized to deliver malware as a service. Take MAZE ransomware for example. Operating through an affiliate network of bad actors, this particularly nasty form of cyber ransom doubles as a data breach, exposing the victim’s data publicly. Though we continue to see organizations prioritizing and resourcing security, they are not nimble enough. We recently reported that 68 percent of ransomware attacks went unnoticed when validating the effectiveness of security controls. If organizations don’t become more proactive, they will inevitably be compromised.
This means developing capabilities that allow security teams to detect the latest multi-stage attacks and rapidly respond. Often this requires bringing a combination of process, threat intelligence and expertise into the SOC.
2. It's Not Either-Or
Very few of the organizations I’ve encountered can do information security entirely themselves, or through only one vendor/service provider relationship. Running an incident response requires multiple tools, teams and input from several security, forensic and incident response specialists, not to mention IT teams. In many cases organizations look to their managed services providers to collect and correlate technology-led detections. This leaves incident triage, analysis and forensic investigation up to tier 3 SOC teams. Rapidly detecting and limiting the impact of an incident requires a proactive, expert-driven approach. Once an incident is detected and analyzed, and remediation recommendations are identified, the containment and reconstitution of the network is executed by the IT operational teams. Partnership among these groups is essential. The most effective way to build up security operations capabilities and execute a proper response engagement is to pair a managed detection and response team with the SOC or an MSSP and leverage internal IT Operations.
3. Upskill: Address the Biggest Problem
An organization’s defense is only as good as the people who operate its capabilities. It is ultimately reliant on its analysts’ skills to keep the environment safe. Their trained eyes and investigative process determine how quickly the organization can respond and how thoroughly it can remediate. Expert hunters think differently: we systematically combine knowledge, tactics and procedures to proactively search for covert signs of an active or attempted compromise. An organization may experience two or three big incidents per year, but an MDR team like Mandiant Managed Defense routinely handles two to three incidents per week. This type of practical experience is difficult to grow and maintain organically, and it is rarely honed within organizations whose focus is on something other than finding and eradicating evil.
It’s been my experience that technology alone cannot defend against a determined, persistent adversary. Expertise, fueled by threat intelligence, will complement technology and help to refine processes and train teams.
At FireEye Mandiant, we work to create capabilities in security operations that establish proactive threat monitoring and response procedures, including collaboration among pertinent vendor, IT and security teams. Please join me at the upcoming FireEye Virtual Summit, where I’ll elaborate on these fortifications: up-leveling the expertise of in-house teams, combining "buy" and "build" for more effective defense, and innovating on the ways of managing risk. The webinar is scheduled for June 11, 2020.
Register today and I look forward to seeing you there.