Top Five 2015 Cyber Readiness Checklist Items
Presneted by Charles Leaver, Chief Executive Officer Ziften Technologies - Written By Dr Al Hartmann
1. SOC Readiness
Your enterprise Security Operations Center is appropriately staffed for round-the-clock coverage, either in-house or by an MSSP or some mix. There are no coverage gaps that invite unnoticed intrusions. SOC shift handoffs are formalized between watch commanders, with appropriate situational status relayed at each handoff. SOC leadership prepares daily security summaries, noting observed attacker adaptations and defender countermeasures. Where possible, attackers are identified and differentiated by C2 infrastructure, attack artifacts, toolmarks, tradecraft, etc. and codenames assigned. Note this is not attack attribution, which is very challenging, but simply noting patterns in the attack activity that seem to relate to different groups of attackers. Your SOC should get sufficiently familiarized with spotting these signs that differentiating attackers or spotting new attack groups becomes almost routine.
2. Supporting Security Vendor Readiness
Your security staff cannot be expert in all aspects of cyber-security, nor see attacks unfolding at other enterprises in your same industry or vertical segment. You will need to ensure readiness of your outside vendor support teams. This may include some of the following assistance types.
• Emergency response team support: There is a short list of vendors that respond to the most severe breacches and compromises that make headlines. One of these should be primed and ready before a major emergency, and be receiving your regular cybersecurity summary reports.
They should have established law enforcement working relations and legal forensics capabilities.
• Cyber threat intelligence support: This support vendor is locating cyber threat intelligence specific to your vertical, to get out in front of emerging threats in your sector. Ideally this support team member is also listening on the dark nets for any sign of your organizational IP or any hacker chatter mentioning your enterprise.
• Blacklist and IoC support: This usually constitutes multiple vendors, since it involves different coverage areas, including domain blacklists, IP blacklists, MD5 or SHA1 blacklists, indicators of compromise (suspect registry keys, filepaths,config settings, etc.). Some of your enterprise security products for network or endpoint security may be able to provide these, or you may choose another third party that specializes in an area.
• Reverse engineering support: This is a vendor specializing in analysis of binary samples to provide a detailed report of its content and threat potential, as well as likely malware family membership. Again, this may be one of your present security vendors or a third party that specializes in just reverse engineering.
• Legal and public relations support: In the event of a major breach, you should have legal and public relations assitance on call so your CISO, CIO, and CEO don’t become a Harvard Business School case study in bungled breach handling.
3. Asset inventory, classification, and protection readiness
Your enterprise has inventoried your cyber assets, classified their relative values, and configured value-appropriate cyber defenses for each asset category. You have not relied soley upon assets known to IT, but have enlisted business unit sponsors to identify assets that may be hidden away somewhere in the public cloud as an end-run arount IT. You have reviewed your asset categories and protection of data at-rest and in-transit, with appropriate crypto safeguards, key management, etc.
4. Attack diversion and detection readiness
For each of your inventoried major asset categories you have created replica versions and honeypot servers to lure attackers into divulging ther attack methods by touching these tripwire fakes. The attackers who recently struck Sony discovered a domain server with a file named ‘passwords.xlsx’ that contained cleartext passwords for the company servers. Sprinkle some bait like that around in tempting locations, armed with instant alerting when accessed, and you have your own instant attack intelligence system. Refresh it periodically so that it looks recent and active, so your bait doesn’t get stale or too obvious. Note that since most servers are virtual, that attackers will not be as ready with sandbox evasion techniques, as they would be with client endpoints, so you may get lucky and be able to observe the attack in action.
5. Continuous visibilities and monitoring readiness
Endpoint and network activity should be continuously monitored and visible to SOC staff. Since many client endpoints are mobile and operated outside the enterprise firewall, network activity must also be observed at the endpoints. Endpoint monitoring is also the only sure way to perform process attribution for observed network traffic, since protocol fingerprinting at the network level is not always accurate (especially when spoofed by evasive attackers). Monitoring data should be retained and archived for future reference, since many attacks are not identified in real time. This implies a need to rely on metadata more often than on full packet capture, since that imposes substantial collection overhead. Still, some dynamic risk-based monitoring controls can allow both low collection overhead, while also responding to high risk situations with more granular observations.
1. SOC Readiness
Your enterprise Security Operations Center is appropriately staffed for round-the-clock coverage, either in-house or by an MSSP or some mix. There are no coverage gaps that invite unnoticed intrusions. SOC shift handoffs are formalized between watch commanders, with appropriate situational status relayed at each handoff. SOC leadership prepares daily security summaries, noting observed attacker adaptations and defender countermeasures. Where possible, attackers are identified and differentiated by C2 infrastructure, attack artifacts, toolmarks, tradecraft, etc. and codenames assigned. Note this is not attack attribution, which is very challenging, but simply noting patterns in the attack activity that seem to relate to different groups of attackers. Your SOC should get sufficiently familiarized with spotting these signs that differentiating attackers or spotting new attack groups becomes almost routine.
2. Supporting Security Vendor Readiness
Your security staff cannot be expert in all aspects of cyber-security, nor see attacks unfolding at other enterprises in your same industry or vertical segment. You will need to ensure readiness of your outside vendor support teams. This may include some of the following assistance types.
• Emergency response team support: There is a short list of vendors that respond to the most severe breacches and compromises that make headlines. One of these should be primed and ready before a major emergency, and be receiving your regular cybersecurity summary reports.
They should have established law enforcement working relations and legal forensics capabilities.
• Cyber threat intelligence support: This support vendor is locating cyber threat intelligence specific to your vertical, to get out in front of emerging threats in your sector. Ideally this support team member is also listening on the dark nets for any sign of your organizational IP or any hacker chatter mentioning your enterprise.
• Blacklist and IoC support: This usually constitutes multiple vendors, since it involves different coverage areas, including domain blacklists, IP blacklists, MD5 or SHA1 blacklists, indicators of compromise (suspect registry keys, filepaths,config settings, etc.). Some of your enterprise security products for network or endpoint security may be able to provide these, or you may choose another third party that specializes in an area.
• Reverse engineering support: This is a vendor specializing in analysis of binary samples to provide a detailed report of its content and threat potential, as well as likely malware family membership. Again, this may be one of your present security vendors or a third party that specializes in just reverse engineering.
• Legal and public relations support: In the event of a major breach, you should have legal and public relations assitance on call so your CISO, CIO, and CEO don’t become a Harvard Business School case study in bungled breach handling.
3. Asset inventory, classification, and protection readiness
Your enterprise has inventoried your cyber assets, classified their relative values, and configured value-appropriate cyber defenses for each asset category. You have not relied soley upon assets known to IT, but have enlisted business unit sponsors to identify assets that may be hidden away somewhere in the public cloud as an end-run arount IT. You have reviewed your asset categories and protection of data at-rest and in-transit, with appropriate crypto safeguards, key management, etc.
4. Attack diversion and detection readiness
For each of your inventoried major asset categories you have created replica versions and honeypot servers to lure attackers into divulging ther attack methods by touching these tripwire fakes. The attackers who recently struck Sony discovered a domain server with a file named ‘passwords.xlsx’ that contained cleartext passwords for the company servers. Sprinkle some bait like that around in tempting locations, armed with instant alerting when accessed, and you have your own instant attack intelligence system. Refresh it periodically so that it looks recent and active, so your bait doesn’t get stale or too obvious. Note that since most servers are virtual, that attackers will not be as ready with sandbox evasion techniques, as they would be with client endpoints, so you may get lucky and be able to observe the attack in action.
5. Continuous visibilities and monitoring readiness
Endpoint and network activity should be continuously monitored and visible to SOC staff. Since many client endpoints are mobile and operated outside the enterprise firewall, network activity must also be observed at the endpoints. Endpoint monitoring is also the only sure way to perform process attribution for observed network traffic, since protocol fingerprinting at the network level is not always accurate (especially when spoofed by evasive attackers). Monitoring data should be retained and archived for future reference, since many attacks are not identified in real time. This implies a need to rely on metadata more often than on full packet capture, since that imposes substantial collection overhead. Still, some dynamic risk-based monitoring controls can allow both low collection overhead, while also responding to high risk situations with more granular observations.