Page 18 - Cyber Defense eMagazine - June 2018
INTRUSION DETECTION & RESPONSE
With many companies still trying to figure out how to respond to new vulnerabilities
when they are disclosed, to what degree have companies successfully organized tactical
intrusion detection and response operations? Even where such teams and programs
exist, does the organization have any concrete appreciation of how they actually
execute while under live attack?
I’d speculate that the majority of organizations probably have, at best, a network
monitoring tool and perhaps a SIEM for intrusion detection, plus some kind of policy and
designated personnel in the event that incident response is required. These are
necessary parts of the equation, but without live simulations and rehearsals, nothing
can be concluded about the ability to deal with a real attack.
Going back to the original three examples: how well could an athletic team be expected
to perform in a game if they never practiced or scrimmaged? How well would a doctor
perform in the operating room if never involved in a prior surgery? What could be
reasonably expected from a platoon of soldiers who had never rehearsed coordinated
troop movements and war games? Yet in security, there seems to be a perception that
operations can be played by ear when an attack occurs, and a favorable outcome will
result.
During a live attack, the answers to the following questions hang in the balance:
• Will the attack go unnoticed, or will it be detected?
• Will the app or system be successfully exploited, or will the attack be thwarted?
• If the app or system is exploited, will the attacker gain a foothold, or will they be
identified and locked out?
• How long will an intruder foothold persist before it is detected?
• What undesirable impact will intrusion have against apps, systems, and data?
• How quickly and to what degree can the organization recover from destructive
impact?
The answers to the above questions depend heavily on the speed of execution of both
intrusion detection and intrusion response. The attacker has most likely performed the
attack before and has scripted their intended actions to some degree. They know they are
working against time and detection. Unless your organization can execute detection and
response faster than the attacker executes the attack, you will lose.
GOAL: CONSTRUCT A COORDINATED PLAN FOR INTRUSION DETECTION AND
RESPONSE. PUT THE PLAN TO THE TEST UNDER LIVE ATTACK CONDITIONS,
TIMING THE SPEED OF DEFENSIVE OPERATIONS AND ULTIMATE SUCCESS
MILESTONES. ANALYZE THE OUTCOME, AND REVISE STRATEGY TO
COUNTER WEAKNESSES. RUN SIMULATIONS AGAIN, TRYING TO LOWER THE
AMOUNT OF TIME IT TAKES TO NULLIFY THE ATTACK.
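The questions above and the goal just stated both reduce to timed milestones: when the attacker got in, when the defenders noticed, when the foothold was cut off, when service was restored. The following scoring harness is an added example, not code from the article or from Cyber Defense Magazine. It assumes a hypothetical exercise log in which the red team and the defenders each record timestamped milestones (the line format, the milestone names and the three sample logs are all constructed for this example); it scores each run against the questions above and compares two runs so that a repeat exercise can be checked for improvement or regression on each timing.

```python
"""Score intrusion-response rehearsals and compare runs.

Added example; not from the original article. The log format
("<ISO timestamp> <actor> <milestone>"), milestone names and sample logs
are assumptions constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, Optional

# Constructed exercise logs. Red-team events mark attacker progress,
# blue-team events mark defensive milestones.
RUN_1 = """\
2018-06-01T09:00:00 red  initial_access
2018-06-01T09:04:00 red  exploit_success
2018-06-01T09:15:00 red  foothold
2018-06-01T10:40:00 blue detected
2018-06-01T11:10:00 blue contained
2018-06-01T13:00:00 blue recovered
"""

RUN_2 = """\
2018-06-15T09:00:00 red  initial_access
2018-06-15T09:04:00 red  exploit_success
2018-06-15T09:11:00 blue detected
2018-06-15T09:12:00 red  foothold
2018-06-15T09:20:00 blue contained
2018-06-15T09:55:00 blue recovered
"""

# Failure mode: the attack is never noticed, so no blue-team milestones exist.
RUN_UNDETECTED = """\
2018-06-01T09:00:00 red  initial_access
2018-06-01T09:04:00 red  exploit_success
2018-06-01T09:15:00 red  foothold
"""


@dataclass
class Scorecard:
    detected: bool                        # was the attack noticed at all?
    exploited: bool                       # did the exploit succeed?
    foothold: bool                        # did the attacker establish persistence?
    contained: bool                       # was the intruder locked out?
    time_to_detect: Optional[timedelta]   # initial_access -> detected
    foothold_dwell: Optional[timedelta]   # foothold -> contained
    time_to_contain: Optional[timedelta]  # initial_access -> contained
    time_to_recover: Optional[timedelta]  # initial_access -> recovered


def parse_log(text: str) -> Dict[str, datetime]:
    """Return the first timestamp at which each milestone was recorded."""
    events: Dict[str, datetime] = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _actor, milestone = line.split()
        events.setdefault(milestone, datetime.fromisoformat(ts))
    return events


def score(events: Dict[str, datetime]) -> Scorecard:
    """Answer the article's questions for one run; None means 'never happened'."""
    start = events["initial_access"]
    detected = events.get("detected")
    foothold = events.get("foothold")
    contained = events.get("contained")
    recovered = events.get("recovered")

    def since_start(t: Optional[datetime]) -> Optional[timedelta]:
        return None if t is None else t - start

    dwell = None
    if foothold is not None and contained is not None:
        # Containment before the foothold (detection beat the attacker) counts as zero.
        dwell = max(contained - foothold, timedelta(0))

    return Scorecard(
        detected=detected is not None,
        exploited="exploit_success" in events,
        foothold=foothold is not None,
        contained=contained is not None,
        time_to_detect=since_start(detected),
        foothold_dwell=dwell,
        time_to_contain=since_start(contained),
        time_to_recover=since_start(recovered),
    )


TIMED = ("time_to_detect", "foothold_dwell", "time_to_contain", "time_to_recover")


def compare(before: Scorecard, after: Scorecard) -> Dict[str, str]:
    """Classify each timed metric between two runs.

    A milestone that was never reached is worse than any finite time, so
    going from 'reached' to 'never reached' is a regression, not a tie.
    """
    verdict: Dict[str, str] = {}
    for name in TIMED:
        a, b = getattr(before, name), getattr(after, name)
        if a is None and b is None:
            verdict[name] = "never reached"
        elif b is None:
            verdict[name] = "regressed"
        elif a is None or b < a:
            verdict[name] = "improved"
        elif b > a:
            verdict[name] = "regressed"
        else:
            verdict[name] = "unchanged"
    return verdict


def minutes(td: Optional[timedelta]) -> Optional[int]:
    """Whole minutes, for reporting; None stays None."""
    return None if td is None else int(td.total_seconds() // 60)


if __name__ == "__main__":
    runs = {"run_1": RUN_1, "run_2": RUN_2, "undetected": RUN_UNDETECTED}
    cards = {label: score(parse_log(log)) for label, log in runs.items()}
    for label, card in cards.items():
        print(label, {n: minutes(getattr(card, n)) for n in TIMED},
              "detected" if card.detected else "UNDETECTED")
    print("run_1 -> run_2:", compare(cards["run_1"], cards["run_2"]))
```

Each timed field maps to one of the questions above (detection, foothold persistence, containment, recovery), so a run that leaves a field at None is a run where that question was answered in the attacker's favour. Re-running the exercise and feeding both scorecards to `compare` gives the "revise and run again" loop a concrete pass/fail per metric rather than an impression.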
Copyright © 2018, Cyber Defense Magazine, All rights reserved worldwide.