Presented by Chuck Leaver, Chief Executive Officer, Ziften Technologies. Written by Dr Al Hartmann.
1. Security Operations Center (SOC).
You have a Security Operations Center established with 24/7 coverage, either in-house, outsourced, or a combination of the two. You do not want any gaps in coverage that could leave you open to infiltration. Handovers between watch supervisors need to be formalized, with proper handover reports. The supervisor provides a daily summary covering any attack detections and the defensive countermeasures taken. Where possible, attackers should be identified and differentiated by C2 infrastructure, attack method and so on, and given codenames. You are not attempting to attribute attacks to specific actors here, as that would be too difficult, but simply tracking attack activity patterns that correlate with different adversaries. It is important that your SOC familiarizes itself with these patterns so that it can tell known attackers apart and spot new ones.
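As an added example (not from the article), the Python below does that bookkeeping: detections that share C2 infrastructure are linked into one cluster, each cluster is given a codename in order of first sighting, and the result is rendered as the per-shift summary a watch supervisor would hand over. The detections, indicators and codenames are constructed.

```python
"""Group attack detections into codenamed activity clusters for a SOC handover report."""
from collections import defaultdict

# Constructed sample detections with placeholder indicators (not real IoCs).
DETECTIONS = [
    {"ts": "2015-01-10T02:14", "c2": "update-cdn.example", "ip": "203.0.113.7", "method": "spearphish-macro"},
    {"ts": "2015-01-10T03:40", "c2": "update-cdn.example", "ip": "203.0.113.9", "method": "spearphish-macro"},
    {"ts": "2015-01-10T05:02", "c2": "static-img.example", "ip": "203.0.113.9", "method": "webshell-upload"},
    {"ts": "2015-01-10T06:55", "c2": "login-portal.example", "ip": "198.51.100.4", "method": "credential-stuffing"},
]
CODENAMES = ["AMBER", "COBALT", "SIENNA", "VIOLET"]  # handed out in order of first sighting

class DisjointSet:
    """Union-find over detection ids and indicator values."""
    def __init__(self):
        self.parent = {}
    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x
    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)

def codename(n):
    return CODENAMES[n] if n < len(CODENAMES) else f"UNNAMED-{n}"

def cluster_detections(detections):
    """Link detections that share any C2 indicator (domain or IP) into one cluster."""
    ds = DisjointSet()
    for i, d in enumerate(detections):
        for key in ("c2", "ip"):
            ds.union(("det", i), ("ioc", d[key]))
    clusters = defaultdict(list)
    for i, d in enumerate(detections):
        clusters[ds.find(("det", i))].append(d)
    ordered = sorted(clusters.values(), key=lambda c: min(d["ts"] for d in c))
    return {codename(n): c for n, c in enumerate(ordered)}

def handover_report(detections):
    """Per codename: counts, methods seen, shared infrastructure, first and last sighting."""
    report = {}
    for name, dets in cluster_detections(detections).items():
        report[name] = {
            "detections": len(dets),
            "methods": sorted({d["method"] for d in dets}),
            "c2": sorted({d["c2"] for d in dets} | {d["ip"] for d in dets}),
            "first_seen": min(d["ts"] for d in dets),
            "last_seen": max(d["ts"] for d in dets),
        }
    return report
```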
2. Security Vendor Support Readiness.
It is not possible for your security staff to know every aspect of cyber security, nor to have visibility of attacks on other organizations in your market. You need external security support groups on standby, which could include the following:
(i) Emergency response support: a list of vendors that will respond to the most severe, headline-making cyber attacks. Make sure one of these vendors is retained and ready for a major incident, and that they receive your cyber security reports regularly. They should have legal forensic capabilities and working relationships with law enforcement.
(ii) Cyber threat intelligence support: a vendor gathering threat intelligence in your vertical, so that you stay ahead of threats emerging in your sector. This team should be watching the dark net for any sign of your organization's IP being mentioned, or of chatter between attackers discussing your company.
(iii) IoC and blacklist support: because this spans several areas you will need several vendors. It covers domain blacklists, SHA1 or MD5 hash blacklists, IP blacklists, and indicators of compromise (suspect configuration settings, registry keys, file paths, etc.). Some of your installed network or endpoint security products may provide these, or you can engage a third-party specialist.
(iv) Reverse engineering support: a vendor specializing in the analysis of binary samples, providing detailed reports on their content, the threat they pose and the malware family they belong to. Your current security vendors may offer this service as a reverse engineering specialty.
(v) Public relations and legal support: if you suffer a significant breach, make sure public relations and legal assistance are in place, so that your CEO, CIO and CISO do not become a Harvard Business School case study in how not to handle a major cyber attack.
3. Inventory of your assets, classification and preparedness for security.
Make sure that all of your cyber assets have been inventoried, their relative value classified, and value-appropriate cyber defences put in place for each asset category. Do not rely solely on the assets known to the IT group; use a business-unit sponsor for asset identification, particularly for assets hidden in the public cloud. Also ensure the crucial management procedures are in place.
4. Attack detection and diversion readiness.
For each of the major asset classifications you can produce replicas using honeypot servers to lure attackers into attacking them and revealing their methods. When Sony was breached, the attackers found a domain server holding a file named ‘passwords.xlsx’ that contained cleartext passwords for the company's servers. That was a good ruse, and you should use such tactics: plant lures in enticing locations and alarm them, so that any access triggers an alert instantly, giving you an immediate attack intelligence system. Modify these lures frequently so that they appear active rather than an obvious trap. Because so many servers are virtual, attackers will not be as prepared with sandbox evasion methods as they are on client endpoints, so you may be lucky enough to see the attack in progress.
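As an added example (not from the article), here is the alarm logic for such lures in Python: any access to a decoy path by anyone other than the job that refreshes the lures is a critical alert, and decoys that have not been refreshed recently are listed so they do not start to look like a trap. The event format, paths and accounts are constructed, modelled loosely on Windows object-access events.

```python
"""Alert on any access to decoy files, ignoring only the job that refreshes the lures."""
import re
from datetime import datetime, timedelta

# Decoy files planted on the file server, mapped to the asset class they imitate (constructed).
DECOYS = {
    r"c:\shares\it\passwords.xlsx": "domain-server-credentials",
    r"c:\shares\finance\wire_instructions.docx": "finance-records",
}
REFRESH_ACCOUNT = r"corp\svc_lurerefresh"  # the only principal allowed to touch decoys

# Constructed object-access events in key=value form (4656 = handle requested, 4663 = object accessed).
EVENTS = """
ts=2015-01-10T02:14:07 EventID=4663 Subject=corp\\svc_lurerefresh ObjectName=C:\\Shares\\IT\\passwords.xlsx AccessMask=0x2 ProcessName=C:\\Tools\\refresh.exe
ts=2015-01-10T02:51:33 EventID=4663 Subject=corp\\jdoe ObjectName=C:\\Shares\\IT\\readme.txt AccessMask=0x1 ProcessName=C:\\Windows\\explorer.exe
ts=2015-01-10T03:02:11 EventID=4663 Subject=corp\\svc_backup ObjectName=C:\\Shares\\IT\\passwords.xlsx AccessMask=0x1 ProcessName=C:\\Windows\\System32\\cmd.exe
ts=2015-01-10T03:02:15 EventID=4656 Subject=corp\\svc_backup ObjectName=C:\\Shares\\Finance\\wire_instructions.docx AccessMask=0x1 ProcessName=C:\\Windows\\System32\\cmd.exe
"""

FIELD = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Split one key=value event line into a dict (values contain no spaces)."""
    return dict(FIELD.findall(line))

def decoy_alerts(raw_events):
    """Return one alert per decoy touch by anyone other than the refresh job."""
    alerts = []
    for line in raw_events.strip().splitlines():
        ev = parse_event(line)
        if ev.get("EventID") not in ("4656", "4663"):
            continue
        asset_class = DECOYS.get(ev["ObjectName"].lower())
        if asset_class is None or ev["Subject"].lower() == REFRESH_ACCOUNT:
            continue  # not a decoy, or the allow-listed refresh job
        alerts.append({
            "ts": ev["ts"], "decoy": ev["ObjectName"], "asset_class": asset_class,
            "subject": ev["Subject"], "process": ev["ProcessName"],
            "severity": "critical",  # a decoy has no legitimate readers
        })
    return alerts

def stale_decoys(last_refresh, now, max_age_days=14):
    """Decoys (path -> ISO date of last refresh) not touched within max_age_days as of 'now'."""
    cutoff = datetime.fromisoformat(now) - timedelta(days=max_age_days)
    return sorted(p for p, d in last_refresh.items() if datetime.fromisoformat(d) < cutoff)
```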
5. Monitoring preparedness and continuous visibility.
Network and endpoint activity must be monitored continuously and made visible to the SOC team. Because many client endpoints are mobile and therefore outside the organization's firewall, activity at those endpoints must be monitored as well. Endpoint monitoring is the only reliable way to perform process attribution for monitored network traffic, because protocol fingerprinting at the network level cannot always be trusted (attackers can spoof it). Monitored data should be preserved and archived for future reference, as many attacks cannot be identified in real time. You will need to rely on metadata more often than on full packet capture, because the latter imposes a significant collection overhead. However, dynamic risk-based monitoring controls can keep the collection overhead low while responding to major risks with more granular observations.
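As an added example (not from the article), the Python below performs the process attribution described above from metadata alone: flow records from a network sensor are joined to socket-table snapshots reported by an endpoint agent, and a flow is flagged when no process owned its port or when the process does not fit the protocol the sensor fingerprinted. The snapshots, flows, host names and the set of expected TLS clients are constructed assumptions.

```python
"""Attribute network flow metadata to endpoint processes using agent socket snapshots."""
import bisect
from collections import defaultdict

# Constructed endpoint socket snapshots: (time, host, local_port, pid, process).
SOCKETS = [
    (100, "wks-17", 49152, 4120, "chrome.exe"),
    (130, "wks-17", 49160, 5566, "powershell.exe"),
    (140, "wks-17", 49152, 4120, "chrome.exe"),
]
# Constructed flow metadata from the network sensor (no payload kept, only the fingerprint).
FLOWS = [
    {"t": 105, "host": "wks-17", "sport": 49152, "dst": "198.51.100.20:443", "fingerprint": "tls"},
    {"t": 135, "host": "wks-17", "sport": 49160, "dst": "203.0.113.7:443", "fingerprint": "tls"},
    {"t": 150, "host": "wks-17", "sport": 49170, "dst": "203.0.113.8:53", "fingerprint": "dns"},
]
# Processes for which outbound TLS is routine on this fleet (assumed policy, not a universal list).
EXPECTED_TLS_CLIENTS = {"chrome.exe", "firefox.exe", "outlook.exe"}

def build_index(sockets):
    """Per (host, port): a time-sorted list of (time, pid, process) observations."""
    index = defaultdict(list)
    for t, host, port, pid, proc in sorted(sockets):
        index[(host, port)].append((t, pid, proc))
    return index

def attribute(flow, index, max_age=60):
    """Latest socket observation at or before the flow start; None if absent or older than max_age."""
    obs = index.get((flow["host"], flow["sport"]), [])
    times = [o[0] for o in obs]
    i = bisect.bisect_right(times, flow["t"]) - 1
    if i < 0 or flow["t"] - obs[i][0] > max_age:
        return None
    return obs[i][1], obs[i][2]

def triage(flows, index):
    """Label each flow as attributed, unattributed, or a process that should not be speaking TLS."""
    out = []
    for f in flows:
        owner = attribute(f, index)
        if owner is None:
            verdict = "unattributed"  # endpoint saw no owner: blind spot or spoofed traffic
        elif f["fingerprint"] == "tls" and owner[1] not in EXPECTED_TLS_CLIENTS:
            verdict = "suspicious-tls-client"  # network-level fingerprint alone would pass this
        else:
            verdict = "attributed"
        out.append({**f, "owner": owner, "verdict": verdict})
    return out
```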