Incidents, incidents everywhere: Here's how to respond

What do incident responders do?

Let's say an employee gets a phishing email and they click on a malicious Excel file, word document, or link. Then malware is downloaded onto the system, infecting the machine, and eventually the whole organization. When this happens, it's the incident response (IR) team that gets called in. They will do a thorough investigation of all the systems, try to identify the first machine that got infected, and pinpoint the root cause of the infection. They will also find out when the infection actually occurred, how serious it is, and whether it is ongoing. Once this is done, they will analyze the best ways to contain the infection.

After finding the root cause, the responders try to eradicate the malware or the malicious files from the system. There are multiple tools and solutions available on the market that enable incident responders to do this effectively.

IR teams also work on forensics, wherein we collect digital evidence of everything that occurred.

What are the challenges you face in your role?

There are two hurdles we commonly face.

1. Log retention and archival: Let's suppose that an attacker breaches an organization's network and remains dormant for three months. After three months, they decide to carry out an actual attack. Only then, the IR team is called in. Now suppose that the organization doesn't retain activity logs for more than 15 days. In this scenario, an incident responder can't trace it back to the phase when initial access occurred. They do not have the right logs. Log retention is expensive, but it is needed to conduct a thorough investigation.
2. Client organizations' hesitancy in sharing relevant information: The second hurdle is when client organizations are hesitant to share sensitive data. If an attacker has infiltrated an organization using Windows machines, 99% of the time, they will attack the Active Directory (AD). AD is managed by a network administrator. If the administrator is not completely well-versed in the sensitive aspects of AD and not following industry best practices, they will eventually face a cyberattack. Once they do, the incident response team is called in. Since the network admins know the attack is their fault, because they didn't follow the proper procedures or measures, they may be hesitant to give access to the important forensic data that we need.

How much of your work is AI-dependent right now?

There are two approaches to cybersecurity: proactive and reactive. Most cybersecurity techniques are reactive. Only after an incident happens, you react—conduct an investigation, forensics, identify what is wrong, what is missing, and so on. With the proactive approach, you try to stop an attack before it happens.

ML and AI are based on identifying behavioral patterns in the network, and help with proactive security. The ML algorithms depend on a large set of test or training data. Attackers will try to circumvent the ML measures you have put in place. So you have to do continuous testing to evaluate the performance of your anomaly detection engine.

Do you create rules to detect attacks?

Yes, we create rules. We research different methodologies criminals use to carry out attacks. MITRE ATT&CK, for example, is a framework that helps us understand the behavior of attackers. It has a comprehensive list of the techniques and sub-techniques used by cybercriminals. We also have our in-house lab which we use to identify patterns, in case we do not find the code on the internet. We create rules for several types of attacks this way. We also write rules for east-west traffic, internal traffic of an organization as well as internet traffic. We also write rules for our IDS systems.

Let's say a ransomware attack occurs. Can you take us through one such attack and the role you would play as an incident responder?

You're an employee who has come home from the holidays and opens your system to see that all files are encrypted, and you are unable to access any of them. Then you see a text file on the desktop. It is a ransom note. You will contact your supervisor who will reach out to your in-house security team. If your in-house security team says it does not have the capability to deal with this, you will call seasoned incident responders. Small companies usually don't have specialized incident response teams. Bigger companies that can afford them have in-house SOC teams.

There are six stages in which an incident response plan is phased out:

1. Preparation: Isolate the infected machines.
2. Identification: Identify the problem and its scope for incident response.
3. Containment: Contain the infection.
4. Eradication: Remove malcode from infected machines.
5. Recovery: Monitor the machines to ensure the infection does not occur again.
6. Lessons learned: Write a report to the cybersecurity manager and the CISO, explaining what went wrong, what was fixed, and what they should do to ensure it doesn't happen again.

In the 6 stages incident response, where does a SIEM fit in?

A SIEM solution can be used from the identification to recovery stages.

• Identification and containment: In order to contain or eradicate an infection, we need to know which machines are infected and what is happening in the network. A SIEM solution gives us this information through data, graphs, or logs. It tells us which machines were infected and what logs/activities seem suspicious and need to be investigated.
• Recovery: After we eradicate the infection, we use it to monitor the machines to ensure they are not talking to a suspicious IP.

False positives. How big of a problem are they for you?

For any organization, false positives are always a concern. An analyst's job is to identify anomalies in network traffic. Even if they do have an automated alert system in the background, based on some pattern, they will need to identify whether the alert is worth investigating or is a false positive. Ninety percent of the time, it is a false positive. False positives never go away. But organizations can aim to reduce them by 30-40% using a SIEM solution so that a person who normally spends six hours can now spend only three hours on them.

There is a gap in demand and supply for IR. What are the solutions you would recommend?

There is a need for proper training. We interview a lot of people here, and I've seen people who say they have three to four years of experience and have completed certified courses. But when you ask them to perform tasks as part of the recruitment process, they are unable to execute them. For one cybersecurity position, you get 700-1000 applications. But skilled people are limited in number. The practical knowledge most professionals possess is insufficient. To pick up practical knowledge, I would recommend they do online challenges. There are multiple websites where they can advance their skills and learn multiple tools.