Last week at Black Hat, I presented a briefing entitled, "Targeted Intrusion Remediation: Lessons from the Front Lines." During my presentation I made three key points:
- Traditional remediation approaches often fail when applied to intrusions by targeted, persistent adversaries.
- At the outset of the incident response, begin planning a "remediation event" during which the attacker will be removed from the environment while simultaneously denying the attacker visibility into your actions. Simultaneously, conduct a thorough investigation to determine the scope and impact of the intrusion.
- Rather than addressing perceived risks, inhibit the activities the attacker is actually executing and improve your ability to detect and respond to them. Understand the lifecycle typical to these types of attacks. This is especially important during an incident response scenario; however, organizations should apply this principle proactively to maximize the benefit of the resources they allocate to information security.
For a more in-depth look into the topic, please read my whitepaper.