For tackling advanced threats, would you choose Clint or Mel? A hard choice, but the wizened journalist who can follow a scent is likely a better choice than the axe-wielding warrior. Sometimes you will need both.
The security industry talks a lot about advanced threats, about a new model for Incident Response, and about better approaches to detecting and responding to the ceaseless and vast sea of security events.
A growing number of incident response teams use “Red” and “Blue” teams to simulate attack scenarios where Red tries to get in and Blue defends. Some organizations are moving towards “purple”, and these teams, once the province of only the elite security corps of defense and the top five financials, are moving across verticals and deeper into the populace of security teams of “early to mid adopter” organizations. SANS even has a course, the “CyberGuardians”, to train up their best troops.
But is the “siege” mentality and focus on training teams to attack and defend forts and battle posts the most effective direction?
Recent conversations in the industry and various research studies indicate close to 70% of all severe or critical indicators of compromise or alerts cannot be investigated in less than 24 hours. The average IR/forensics statement of work is greater than 30 hours per incident.
Advanced threats — the series of planned attacks to get in and infiltrate the network to steal or destroy valuable assets — require a different state of mind and set of activities to quickly understand what happened. It's about fast surfacing and prioritizing of relevant indicators and pulling together a convincing view of what happened next, and where and by whom.
Piecing together what happened next is less about the Red Team blazing the attack path, and more about a team focused on “Gray” — piecing together fragments and footprints to build an accurate and whole picture of what happened before and when the indicator surfaced.
A “Gray” team requires smarts, strong visual and detective skills to determine if the indicator is a good clue to a crime:
Can your team, when they see an indicator…
- Know where to look next to see what happened before the indicator was identified?
- Go back to see where concerted efforts of focus on a network service or asset first started?
- Know where to go next? Where would your team start tracking conversations between hosts and attackers from first signs of activity?
From there, how would your team build up a picture of the host or entity that was tracked in conversations of interest? Can you see what happened and build up an accurate picture to hand to your legal or IR incident team?
And, the big question: Can you do this in less than 24 hours?
Clint has 12 hours in the movie and just made it.
Would your team make it?
The post If Security Operations were a movie appeared first on Arbor Insights - Our People, Products and Perspective.