Page 18 - Cyber Defense eMagazine - June 2018

INTRUSION DETECTION & RESPONSE
With many companies still trying to figure out how to respond to new vulnerabilities when disclosed, to what degree have companies successfully organized tactical intrusion detection and response operations? Even if they have such teams and programs, do they have any concrete appreciation for their actual execution while under live attack?


I'd speculate that the majority of organizations probably have, at best, a network monitoring tool and perhaps a SIEM for intrusion detection, and some kind of policy and designated personnel in the event that incident response is required. These are necessary parts of the equation, but devoid of live simulations and rehearsals, nothing can ultimately be concluded about the ability to deal with a real attack.

Going back to the original three examples: how well could an athletic team be expected to perform in a game if they never practiced or scrimmaged? How well would a doctor perform in the operating room if never involved in a prior surgery? What could be reasonably expected from a platoon of soldiers who had never rehearsed coordinated troop movements and war games? Yet in security, there seems to be a perception that operations can be played by ear when an attack occurs, and a favorable outcome will result.

During a live attack, the answers to the following questions hang in the balance:

• Will the attack go unnoticed, or will it be detected?
• Will the app or system be successfully exploited, or will the attack be thwarted?
• If the app or system is exploited, will the attacker gain a foothold, or will they be identified and locked out?
• How long will an intruder foothold persist before it is detected?
• What undesirable impact will intrusion have against apps, systems, and data?
• How quickly and to what degree can the organization recover from destructive impact?

The answers to the above questions are highly dependent upon the speed of execution of both intrusion detection and intrusion response. The attacker most likely has performed the attack before, and has scripted their intended actions to some degree. They know they are working against time and detection. Unless your organization can efficiently execute quicker than the attacker, you will lose.

GOAL: CONSTRUCT A COORDINATED PLAN FOR INTRUSION DETECTION AND RESPONSE. PUT THE PLAN TO THE TEST UNDER LIVE ATTACK CONDITIONS, TIMING THE SPEED OF DEFENSIVE OPERATIONS AND ULTIMATE SUCCESS MILESTONES. ANALYZE THE OUTCOME, AND REVISE STRATEGY TO COUNTER WEAKNESSES. RUN SIMULATIONS AGAIN, TRYING TO LOWER THE AMOUNT OF TIME IT TAKES TO NULLIFY THE ATTACK.
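One way to put numbers on the milestones above so that repeated rehearsals can be compared, as an added example that is not part of the original article: an exercise controller records when the attack started, when it succeeded, when it was detected, when the foothold was locked out, and when recovery finished, and the script turns those timestamps into the durations the six questions ask about. The milestone names, the two sample runs and their timestamps are constructed for illustration.

```python
from datetime import datetime

# Milestone timestamps (ISO 8601) recorded by the exercise controller during one
# rehearsal. A missing/None milestone means it was never reached before the run ended.
def _t(ts):
    return datetime.fromisoformat(ts) if ts else None

def _minutes(later, earlier):
    """Elapsed minutes between two milestones, or None if either was never reached."""
    if later is None or earlier is None:
        return None
    return (later - earlier).total_seconds() / 60

def score_run(run):
    """Map one run's milestones onto the questions: detected at all? exploited?
    how long to detect, how long the foothold persisted, how long to recover."""
    start, exploited = _t(run["attack_start"]), _t(run.get("exploited"))
    detected, contained = _t(run.get("detected")), _t(run.get("contained"))
    recovered = _t(run.get("recovered"))
    return {
        "detected": detected is not None,
        "exploited": exploited is not None,
        "time_to_detect_min": _minutes(detected, start),
        "foothold_dwell_min": _minutes(contained, exploited),   # foothold persistence
        "time_to_recover_min": _minutes(recovered, start),
    }

def compare_runs(before, after):
    """Per-metric change between two rehearsals; negative means the defence got faster."""
    b, a = score_run(before), score_run(after)
    metrics = ("time_to_detect_min", "foothold_dwell_min", "time_to_recover_min")
    return {k: (None if b[k] is None or a[k] is None else a[k] - b[k]) for k in metrics}

# Constructed sample data: the same scenario rehearsed before and after revising the plan.
RUN_1 = {"attack_start": "2018-06-01T09:00:00", "exploited": "2018-06-01T09:04:00",
         "detected": "2018-06-01T09:50:00", "contained": "2018-06-01T10:30:00",
         "recovered": "2018-06-01T13:00:00"}
RUN_2 = {"attack_start": "2018-06-08T09:00:00", "exploited": "2018-06-08T09:03:00",
         "detected": "2018-06-08T09:12:00", "contained": "2018-06-08T09:25:00",
         "recovered": "2018-06-08T11:00:00"}

if __name__ == "__main__":
    for name, run in (("run 1", RUN_1), ("run 2", RUN_2)):
        print(name, score_run(run))
    print("change after revision", compare_runs(RUN_1, RUN_2))
```

A run whose attack was never noticed simply omits the "detected" milestone, and the scorer reports that outcome instead of a duration.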


Copyright © 2018, Cyber Defense Magazine, All rights reserved worldwide.