Analysis Techniques: Responding When the Attacker has a Foothold – Part II

By Tom Chmielarski, RSA Practice Lead, Advanced Cyber Defense Services (Americas)

This is the second part in a series: refer to part one for the introduction.

This blog series examines response options to an enterprise intrusion of some sort, be it by “APT” or Hacktivists” or some other category involving a purpose-driven actor. I’ll refer to these as targeted attacks even though they are often not targeted too specifically, but that’s a different topic. These threats pose a risk to the organization that is, generally speaking, more severe than typical malware on a single system. A hactivist attempting to discredit your company will probably have more of a business impact than a single computer infected by the Zeus crimeware trojan. Of course, that “common” Zeus infection could happen to be on a system used by someone in finance who has access to company records, as seen in actual attacks, and may indicate a major threat to your organization.

This brings us to the concept of threat intelligence before we delve into the actual response.

Determining what type of risk is posed by a given incident is difficult. We can’t afford to over-respond and examine every antivirus detection for indicators of a targeted attack, for example, but if we don’t find these intrusions and respond appropriately we may not contain them. Yet failing to respond appropriately can result in an adversary freely accessing a network for months or longer, doing whatever they wish. As an example we can look to the reported 10-year long breach of Nortel. However, this is a balancing act and mistakes will always be made.

“A well-run threat intelligence team can substantially improve the organization’s ability to prevent, detect, and respond to targeted attacks by allowing that organization to separate commodity attacks from high-threat attacks…”

A great way to improve an organization’s ability to assess the risk of a given threat, and to improve detections of higher-risk threats, is through the development of a threat intelligence function. This is typically a sub-team within the Incident Response function tasked with:

• Thoroughly examining targeted attacks, both those that resulted in intrusion and those that did not
• Examining malware to identify technical indicators and actor-specific markings
• Researching and correlating domains, IP addresses, and email addresses used by the adversaries
• Processing external intelligence, open and closed source, to improve detections
• Coordinating with partners who also have threat intelligence functions

A well-run threat intelligence team can substantially improve the organization’s ability to prevent, detect, and respond to targeted attacks by allowing that organization to separate commodity attacks from high-threat attacks, and blocking technical resources (email addresses, for example) associated with targeted attacks. To use a rough analogy, a threat Intelligence team can provide information about the attack landscape just as a weather forecaster can predict and understand the weather. When reducing the dwell time of an attack can mean the difference between a single-system compromise and an enterprise-wide breach, that additional insight can be a tremendous advantage.

Tom Chmielarski is Practice Lead within the RSA Advanced Cyber Defense Practice serving the Americas. Tom has over 15 years of IT experience, primarily in security, spanning operations, incident response, malware, forensics, data analysis, and strategy. He has experience in the Defense, Industrial Controls, Electronics manufacturing sectors. He is a subject matter expert in incident response, security monitoring, forensics, malware, and data analysis.