Page 31 - CDM Cyber Warnings November 2013
soon as possible; to reach that goal, best practices must be defined and deployed to mitigate the risk of exposure to these threats.
Another essential factor is information sharing on cyber threats: organizations such as CERTs must also fulfill this function, and businesses must receive accurate information about infections in order to adopt a proper mitigation strategy.
Businesses, and in particular every single employee, must have a clear idea of the tasks to perform in case of an incident; roles and responsibilities must be clearly defined, and every action must be carried out so as to restore normal operations while preserving the information useful for the investigation.
Incident response is a critical component of a cyber strategy; it must be accurate and detailed, as it provides valuable guidance in the immediate aftermath of an incident, the moments when it is necessary to preserve as much as possible of an organization's critical assets.
"It’s important to be able to answer the who, what, how, when, and why questions that
should be addressed, and critical if it’s a high value computer that has been infected."
states the post.
What are the critical actions for an effective incident response procedure?
1. Identification: This is the number one issue in the industry today. What should you do quickly when a PC or server has been hit? The quicker you move, the smaller the risk typically.
2. Containment: Contain the computer and move it away from production systems ASAP. Most infections, with malware today, spread quickly using key loggers to capture login credentials, as an example, to log in to other systems such as databases, AD controllers, and other critical systems.
3. Forensic investigation: Take the time and use a number of open source and commercial tools to understand what happened to the computer system, where it came from, what it has accessed, what it did to make itself persistent and survive reboot, etc., assuming it merits forensic investigation.
4. Remediate/Recover: Get the computer system back online and in production once forensics are complete.
5. Report: A full review of who, what, when, where, how, and how to avoid this from happening again.
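The five steps above are a sequence, and the order matters: evidence is collected while the host is contained, recovery is not started until forensics is closed, and the report answers the who/what/when/where/how questions. The following is an added example, not code from the article or from the post it quotes, showing how a small incident tracker can enforce that order and preserve hashed evidence with a custody log; the class, method and field names, the host names and the artifact contents are all constructed for the example.

```python
"""Incident tracker that enforces the five-step sequence
(identification -> containment -> forensics -> recovery -> report) and
refuses to close forensics or recover until evidence has been preserved.
Added example; all names are this example's own choices."""
from __future__ import annotations

import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Phase(Enum):
    IDENTIFIED = 1      # step 1: the hit host has been identified
    CONTAINED = 2       # step 2: host isolated from production
    FORENSICS_DONE = 3  # step 3: investigation closed, evidence preserved
    RECOVERED = 4       # step 4: host rebuilt and back in production
    REPORTED = 5        # step 5: who/what/when/where/how report issued


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class Evidence:
    name: str
    sha256: str        # fixed at collection time so later tampering is detectable
    collected_by: str
    collected_at: str


@dataclass
class Incident:
    host: str
    reported_by: str
    phase: Phase = Phase.IDENTIFIED
    opened_at: str = field(default_factory=_now)
    evidence: list[Evidence] = field(default_factory=list)
    custody_log: list[str] = field(default_factory=list)

    def _advance(self, expected: Phase, new: Phase, note: str) -> None:
        # Every transition checks the current phase, so steps cannot be skipped.
        if self.phase is not expected:
            raise RuntimeError(f"cannot move to {new.name} from {self.phase.name}")
        self.phase = new
        self.custody_log.append(f"{_now()} {new.name}: {note}")

    def contain(self, actor: str) -> None:
        self._advance(Phase.IDENTIFIED, Phase.CONTAINED, f"{self.host} isolated by {actor}")

    def collect(self, name: str, data: bytes, actor: str) -> Evidence:
        # Evidence is only accepted while the host is contained, i.e. before
        # any rebuild can overwrite it; the hash is recorded with the collector.
        if self.phase is not Phase.CONTAINED:
            raise RuntimeError("evidence must be collected after containment and before recovery")
        ev = Evidence(name, hashlib.sha256(data).hexdigest(), actor, _now())
        self.evidence.append(ev)
        self.custody_log.append(f"{ev.collected_at} EVIDENCE {name} sha256={ev.sha256} by {actor}")
        return ev

    def finish_forensics(self, actor: str) -> None:
        # Closing forensics with nothing preserved is exactly the gap the
        # article describes, so it is refused here.
        if not self.evidence:
            raise RuntimeError("no evidence preserved; forensics cannot be closed")
        self._advance(Phase.CONTAINED, Phase.FORENSICS_DONE, f"forensics closed by {actor}")

    def recover(self, actor: str) -> None:
        self._advance(Phase.FORENSICS_DONE, Phase.RECOVERED, f"{self.host} back in production by {actor}")

    def report(self, what: str, how: str, prevention: str) -> dict:
        self._advance(Phase.RECOVERED, Phase.REPORTED, "report issued")
        return {
            "who": self.reported_by,
            "what": what,
            "when": self.opened_at,
            "where": self.host,
            "how": how,
            "prevention": prevention,
            "evidence": [(e.name, e.sha256) for e in self.evidence],
            "custody_log": list(self.custody_log),
        }


def run_example() -> dict:
    """Walk one constructed incident through all five steps and return the report."""
    inc = Incident(host="ws-042", reported_by="helpdesk")
    inc.contain(actor="soc-analyst")
    # Constructed byte strings standing in for a memory image and an auth log.
    inc.collect("memory.img", b"constructed memory image bytes", "soc-analyst")
    inc.collect("auth.log", b"constructed login records", "soc-analyst")
    inc.finish_forensics(actor="forensic-lead")
    inc.recover(actor="it-ops")
    return inc.report(what="key logger capturing login credentials",
                      how="initial vector under review",
                      prevention="rotate exposed credentials; isolate hit hosts faster")


def skipping_forensics_is_rejected() -> bool:
    """Show the guard: recovering straight after containment is refused."""
    inc = Incident(host="srv-db-01", reported_by="monitoring")
    inc.contain(actor="soc-analyst")
    try:
        inc.recover(actor="it-ops")
    except RuntimeError:
        return True
    return False


if __name__ == "__main__":
    for line in run_example()["custody_log"]:
        print(line)
```

The custody log and the per-artifact hashes are what make the results shareable afterwards: a CERT or a peer organization receiving the report can verify that the artifacts it is given match what was collected, and the phase guard makes "we rebuilt the box before anyone took an image" impossible to do by accident.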
Based on my personal experience, the trend is to secure the victim organization, but in the majority of cases all the actions necessary to collect evidence of the attacks and to produce shareable results are ignored; the side effect is a lack of information about ongoing attacks, which is the basis for cyber threat identification and mitigation.
31 Cyber Warnings E-Magazine – November 2013 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide