Responding When the Attacker has a Foothold – Part 1

By Tom Chmielarski, RSA Practice Lead, Advanced Cyber Defense Services (Americas)

Eventually most people in IT Security will face that dreaded day when they discover the organization has been breached and an attacker has established a foothold. This could be in the form of a hacked web server, a desktop beaconing with “APT” malware, a point-of-sale terminal harvesting credit card data, or countless other scenarios. Until you’ve gone through that a few times – and especially if you don’t have solid, useful, well-documented processes – you may be uncertain of what to do. As every incident is a bit – and sometimes a lot – different even well intentioned processes may fail you. What you do to respond will determine how quickly and effectively the incident is contained, as well as potentially limiting the damages.

For the purposes of this multi-part blog I’m going to use an incident scenario of the discovery of a single internal system actively communicating to a Command and Control (C2) server on the internet. I’ll refer to the external entity responsible for the intrusion as the Adversary.

First: don’t panic and don’t have a knee-jerk reaction. Spend a little time to assess the situation: what do you know and what don’t you know? A few questions to consider are:

• How accurate is your information and analysis, and what assumptions have you made?
• What is the function and role of the affected system, and thus the operational business impact and data value of that system?
• What is the scope of the compromise? Is a singular system the full extent of the compromise or is this just one of many?
• What is happening right now? A system that is “only” beaconing to an Adversary is less of an immediate threat than one that is currently under interactive control of an adversary.

From the moment you know about the intrusion until the Adversary realizes you’ve detected (and possibly eradicated) the intrusion you have the opportunity to gain useful threat intelligence. You may even be able to gain intelligence after that point as the Adversary attempts to re-gain access. This intelligence is not merely academic! Without it you may remove only part of the compromise, thinking it completely removed, while the Adversary continues to operate freely.  However, knowing the Adversary is there you can study his movements, learn his tools, understand the scope of the intrusion, and learn the external infrastructure used to facilitate the attack.

You will not gain that threat intelligence, however, unless you expend some effort to do so. In my next blog post I shall discuss response options and considerations.

Tom Chmielarski is Practice Lead within the RSA Advanced Cyber Defense Practice serving the Americas. Tom has over 15 years of IT experience, primarily in security, spanning operations, incident response, malware, forensics, data analysis, and strategy. He has experience in the Defense, Industrial Controls, Electronics manufacturing sectors. He is a subject matter expert in incident response, security monitoring, forensics, malware, and data analysis.