Incident Response Evolution and Current Challenges

Incident Response Evolution and Current Challenges

Incident Response?(IR) is the approach used to manage security incidents to reduce the damage to an organization and improve the recovery of affected services or functionalities. IR activities follow a plan, which is the set of directions that outline the response procedures and the roles of different team members. IR has become a necessity for organizations facing rising threat levels, and this chapter discusses its importance.

With the focus of this article being the evolution and then the challenges of IR, we’ll begin by looking at how IR has evolved with threats and advancements in technology. We’ll then look at the challenges that IR teams face today, especially with the tasks of assessing current levels of security in the organization, anticipating and protecting systems from future threats, being involved in legal processes relating to cyber-attacks, uniting the organization during crises, and integrating all security initiatives. We’ll cover the following main topics:

  • The evolution of incident response
  • Challenges facing incident response
  • Why do we need incident response?

We’ll begin by exploring some recent history, and how IR has evolved over time.

The cybersecurity threat landscape

With the?prevalence of 24-hour connectivity and modern advancements in technology, threats are evolving rapidly to exploit different aspects of these technologies. Any device is vulnerable to attack, and with the?Internet of Things?(IoT) this?became a reality. The IoT has seen increased usage of digital communication and the increased transfer of data via digital platforms increases the risk of data interception by malicious individuals. Pervasive surveillance through digital devices is also a recent threat with the increased use of smartphones. Governments can now engage in digital surveillance of their citizenry with the excuse of providing security against potential terrorist threats. Criminals can also do similar tasks to the detriment of the targeted victims. In 2014, ESET, an internet security company, reported 73,000 unprotected security cameras with default passwords.

Understanding the attack surface

In very simple terms, the?attack surface is the collection of all potential vulnerabilities that, if exploited, can allow unauthorized access to the system, data, or network. These vulnerabilities are often also?called?attack vectors, and they can span from software to hardware, to a network, and to users (which is the human factor). The risk of being attacked or compromised is directly proportional to the extent of attack surface exposure. The higher the number of attack vectors, the larger the attack surface, and the higher the risk of compromise.

Just to give you the extent of an?attack surface and its exposure, let’s look into MITRE’s?Common Vulnerabilities and Exposures?(CVE) database, here:?https://cve.mitre.org/cve/ . The database provides a list of cybersecurity vulnerabilities that?have been targeted in the past, to make organizations aware of them should they?use the same software or hardware systems. It has 108,915 CVE entries at the time of writing, which have been identified over the past few decades. Certainly, many of these have been fixed, but some may still exist. This huge number indicates?how big the risk of exposure is.

Any software that is running on a system can potentially be exploited using vulnerabilities in the software, either remotely or locally. This applies particularly to software that is web-facing, as it is more exposed, and the attack surface is much larger. Often, these vulnerable applications and software can lead to the compromise of the entire network, posing a risk to the data it is managing. Furthermore, there is another risk that these applications or software are often exposed to: insider threat, where any authenticated user can gain access to data that is unprotected due to badly implemented access controls.

An attack surface may be?exposed to network attacks that can be categorized as either passive or active, depending on the nature of the attack. These can force network services to collapse, making services temporarily unavailable, allow unauthorized access to the data flowing through the network, and other negative business impacts.

In the event of a passive attack, the network might be monitored by the adversary to capture passwords, or to capture sensitive information. During a passive attack, an attacker can leverage the network traffic to intercept communications between sensitive systems and steal information. This can be done without the user even knowing about it. Alternatively, during an active attack, the adversary will try to?bypass the protection systems using malware or other forms of network-based vulnerabilities to break into the network assets; active attacks can lead to the exposure of data and sensitive files. Active attacks can also?lead to?Denial-of-Service?(DoS) type attacks. Some common types of attack vectors are:

  • Social engineering scams
  • Drive-by downloads
  • Malicious URLs and scripts
  • Browser-based attacks
  • Attacks on the supply chain (which are becoming increasingly common)
  • Network-based attack vectors

Verizon data breach report

To find out more about this topic, I would highly recommend that you download and read?Verizon data breach reports:?https://enterprise.verizon.com/resources/reports/dbir/ .

According to the Verizon breach report, hackers’ tactics and motives have not changed much over the last 5 years, with 63% of breaches launched for financial gain, and 52% of breaches featuring hacking. Ransomware attacks account for nearly 24% of attacks involving malware, and breaches continue to take a long time to be detected, with 56% taking several months or longer to be discovered. And typically, by the time the breach has been discovered, the damage has already been done.

The Verizon data breach report should catch your attention in three areas. Knowledge of these areas will help you to build a better IR plan, which we will cover?later in this book:

1, Misconfigurations are the fastest-growing risk that you need to address 2. Vulnerabilities are more often than not patched too slowly, leading to breaches 3. Attacks against web applications are now the fastest-growing category

To combat the many threats facing an organization’s attack surface, modern IT security defense should be a layered system: a single-layer approach to security is simply not enough anymore. In the event of a network breach, the victim individual or organization can sustain huge damage, including financial and operational implications, and loss of trust. In the recent past, the number of breaches has increased for various reasons. The attack vectors for these breaches could be many, such as viruses, Trojans, custom malware for targeted attacks, zero-day-based attacks, or even insider threats.

With every passing day, the network of connected devices is increasing, and, while this growth of connectivity continues to grow bigger, the risk of exposure is also increasing. Furthermore, it is no longer dependent on how big or small businesses are. In today’s cyberspace, it is hard to establish whether any network or application is prone to attacks, but it has become extremely important to have a sustainable, dependable, and efficient network system, as well as applications. Properly configured systems and applications will help reduce the risk of attack, but we might not ever be able to eliminate the risk of attack completely. However, this book will attempt to relay insight into the world of cybersecurity, highlight the dangers that digital networks and technology pose to individuals and companies, and provide guidelines on how to better prepare for such threats.

Now, having established the cybersecurity landscape and the relevance of the attack surface, let’s move on to a key element of this book: what is incident response?

What follows is a relevant excerpt, which indicates the various factors that shape an organization’s attack surface:

The evolution of incident response

The general notion regarding the?origin of hacking is that it started in the 1960s, around the time of the invention of modern computers and operating systems. To disprove this notion, let’s next briefly explore the history of data breaches, to develop?an idea of the context behind the modern attack environment.

The history of data breaches

Data interception?associated with hacking activities goes as far back as 1836, when two persons were caught intercepting data transmissions in a criminal manner.

During the last decade of the 1700s, France implemented a national data network, which was one of a kind at the time, to transfer data between Paris and Bordeaux. It was built on top of a mechanical telegraph system, which was a network of physical towers. Each tower was equipped with a unique system of movable arms. The tower operators would use different combinations of these arms to form numbers and characters that could be read from a similar distant tower using a telescope. This combination of numbers and characters was relayed from tower to tower until it reached the other city. As a result, the government achieved a much more efficient, speedier mechanism of transferring data.

Interestingly, all this happened in the open. Even though the combinations were encrypted and would’ve required an experienced telegraph operator to decode the message at the far end to bring up the original message, the risks were just around the corner. This operation was observed by two bankers, Francois and Joseph Blanc. They used to trade government bonds at the exchange in Bordeaux, and it was they who figured out a method to poison the data transfer and obtain an indicator of current market status, by bribing the telegraph operators. Usually, it took several days before the information related to bond performance reached Bordeaux by mail. Now, they had an advantage to get that same information well before the exchange in Bordeaux received it.

In a normal transmission, the operator included a backspace symbol to indicate to the other operator that they needed to avoid the previous character and consider it a mistake. The bankers paid one of the operators to include a deliberate mistake with a predefined character, to indicate the previous day’s exchange performance, so that they could assume the market movement and plan to buy or sell bonds. This additional character did not affect the original message sent by the government, because it was indicated to be ignored by the receiving telegraph operator. But this extra character would be observed by another former telegraph operator who was paid by the bankers to decode it by observing through a telescope.

Using this unique information related to market movement, the Blanc brothers had an advantage over the market for two years, until they were caught in 1836. The modern equivalent of this attack would perhaps be data poisoning, a man-in-the middle attack, misuse of a network, or social engineering. However, the striking similarity is that these attacks often go unnoticed for days or years before they get caught. Unfortunately, the Blanc brothers could not be convicted as there were no laws under which they could be prosecuted at that time. Maybe the Blanc brothers’ hack was not so innovative compared to today’s cyber-attacks, but it does indicate that data has always been at risk. And, with the digitization of data in all shapes and forms, operations, and transport mechanisms (networks), the attack surface is huge now. It is now the responsibility of the organization and individuals to keep the data, network, and computer infrastructure safe.

Let’s fast-forward another 150 years, to 1988. This is when the world witnessed the first-ever computer virus—the?Morris worm. Even though the creator of the worm, Robert Tappan Morris, denied the allegation that it was intended to cause harm to computers, it did, indeed, affect?millions of them. With the intention of measuring the vastness of the cyber world, Morris wrote an experimental program that was self-replicating and hopped from one computer to another on its own.

It was injected into the internet by Morris, but, to his surprise, this so-called worm spread at a much faster rate than he would have imagined. Within the next 24 hours, at least 10% of internet-connected machines were affected. This was?then targeted to the?Advanced Research Projects Agency Network?(ARPANET), and some reports suggested that the number of connected computers at the time was around 60,000. The worm exploited a flaw in the Unix email program Sendmail, and a bug in the?finger?daemon (fingerd). Morris’ worm infected many sites, including universities, military organizations, and other research facilities. It took a team of programmers from various US universities working non-stop for hours to reach a solution. It took a few more days to get back to a normal state. A few years later, in 1990, Morris was convicted by the court for violating the?Computer Fraud and Abuse Act; unlike at the time of the Blanc brothers, when there was no law to prosecute, Morris was criminally liable.

Moving forward another two decades to 2010, when the world saw what it never imagined could happen in?Stuxnet: an extremely coordinated effort to create a specifically crafted piece of software, which was purpose-built to target the Iranian nuclear?facility. It targeted?Industrial Control Systems?(ICSes). This was designed only to target a specific brand and made of Siemens ICS, which manages the speed of?centrifuges in a nuclear facility. It is presumed that it was designed to deliver onsite because the Iranian facility that it was targeting was air gapped.

This was one-of-a-kind industrial cyber sabotage. The malware was purpose-built so that it would never leave the facility of the nuclear plant. However, somehow (there is still speculation as to how), it still made its way out to the internet. It took researchers many months after its discovery to figure out the working principle of the malware. It’s speculated that it took at least a few years to develop it to a fully functional working model. Since Stuxnet, we have witnessed many similar?attack patterns in the?form of?Duqu?and?Flame, and it’s believed by some experts in this field that malware similar to these are still active.

Currently, we are seeing new variants of attack with new modus operandi. Their intent is to earn money by using ransomware or to steal data in order to sell or destroy it. Ransomware attackers use computer viruses to infect a computer, encrypting and locking information in the?computer. They then ask for a ransom from the owners to regain access to their computers. Alternatively, attackers might use victims’ infrastructure to run crypto miner malware to mine cryptocurrencies.

Today, security has taken center stage, not only because the attack surface has increased for each entity, or the number of successful high-profile and mass attacks is?more normalized, but because of the fact that each one of us knows that the need to secure data is paramount, irrespective of whether you are a target or not.

There will be a part to of this article shared here soon :

Article 2 will cover

  • Modern cybersecurity evolution
  • Challenges facing incident response
  • Protecting the company brand
  • Preventing future breaches
  • Preparing for attacks
  • Developing cyber resilience

K.P. Finke-H?rk?nen

Excellence in Technology Diplomacy

1 年

...looking forward to Article 2 which will cover 'cyber resilience"

要查看或添加评论,请登录

社区洞察

其他会员也浏览了