The recent breach at the Office of Personnel Management (OPM) has garnered significant attention over the past three months – and justifiably so, given the extent and value of the stolen data. However, in many respects, the scope of data loss is the only unique characteristic of this incident. The storyline of the OPM compromise, or at least what has been disclosed thus far, unfortunately remains consistent with nearly every targeted attack I’ve investigated during the last decade.
The challenges begin with incident detection. Organizations often fail to detect successful targeted attacks until months or years have elapsed, and may ultimately rely on third-party notifications to do so. I’ve investigated many cases where existing security solutions successfully detected and alerted upon early stages of a compromise, yet were overlooked because analysts were unable to scope or prioritize these events amidst the background noise of daily operations. Likewise, many organizations eagerly pursue sources of threat intelligence, but lack the tools or visibility necessary to effectively use them.
Once an incident is detected, leadership naturally wants answers to the fundamental questions: “What happened?” “Where did it happen?” “How did it happen?” and, “Is it still happening?”
SOC and CIRT analysts must perform challenging forensics work to collect and analyze the evidence needed to produce these answers. Investigators must fully scope the extent of compromise in order to truly succeed at this phase of the incident response process. This means identifying all affected systems, devices and accounts across an environment and determining the extent of attacker activity on each.
This isn’t just a hunt for malware, and cannot be solved by point-solutions that solely focus on finding remnants of exploits, backdoors or other unwanted software. In many cases, the most important systems in an incident may have been simply accessed by an attacker using previously stolen credentials.
Speed is also critical. The longer an investigation drags on, the more dwell time an attacker may retain in a compromised environment. An investigation team’s pace is directly impacted by two factors: the time required to conduct deep-dive analysis of each system of interest, and the time required to iteratively search all available systems and evidence for indicators of compromise and new findings.
Even the best-staffed teams may take many months to complete investigations for an enterprise-scale targeted attack, especially if encumbered by tools that are slow or fail to provide sufficient visibility across all potentially impacted assets. In circumstances where the incident has “gone public,” victims must also contend with external and internal forces demanding immediate disclosure and accountability.
The importance of scoping an incident goes beyond building a tally of malware samples, infected systems or stolen credentials. The findings from an investigation are essential inputs to short and long-term remediation plans, which ideally should be developed in concurrence with the investigation from day one. Missing a single infected system, backdoor command-and-control address or compromised set of user credentials could potentially allow an attacker to maintain a foothold in a compromised environment, or easily regain access – thereby nullifying the entire remediation effort.
Likewise, failing to identify and address more fundamental vulnerabilities exploited during an incident leaves a victim with no net improvement to their security posture.
Particularly in the government, security and operations teams are often driven to play “whack-a-mole” by rebuilding compromised systems as soon as they are identified, without ever fully ascertaining the extent of compromise or implementing a comprehensive remediation effort. This approach is often intended to minimize the period of compromise, but instead only extends it: it burns threat intelligence, alerts the attacker without successfully driving them out of the network, and leaves the victim at risk of ongoing or future attack. This approach is unsustainable given the current threat landscape.
How can organizations, especially those in the government, break free of this vicious cycle of failed incident detection and response? Agencies can begin by taking the following steps:
- Vulnerability scans and compliance checks will not identify evidence of an attacker that has already compromised an environment. Agencies should proactively examine their networks for evidence of existing intrusions. The most mature organizations combine searches for known indicators of compromise, which can detect the “low hanging fruit” of attackers that re-use the same tools, tactics, and procedures, with outlier analysis and anomaly detection to identify unknown threats across account usage, network traffic flows, and endpoint activity.
- Ensure SOC and CIRT teams are equipped with tools that provide sufficient visibility across an environment and agility to keep up with active compromises and effectively use threat intelligence. Security professionals with deep forensics and incident response skills will remain in short supply for the foreseeable future. Technology must serve as a force multiplier, particularly when addressing the challenge of monitoring or investigating tens of thousands of systems in an efficient and scalable manner.
- Eliminate technical and procedural barriers that may prevent security and IT operations teams from working effectively with one another during an incident. In particular, agreeing upon and executing remediation plans for complex targeted attacks requires close coordination between both parties.
- And, do not underestimate the value of good security hygiene, particularly when evaluating the lessons learned from an investigation and remediation effort. There will always be another zero-day exploit that helps an attacker gain initial access, but effective controls can dramatically increase the likelihood of containment and detection beyond that point. Enforcing secure baseline configurations across all systems and devices, maintaining operating system and application patch levels, and utilizing network controls to isolate key hosts and data can all significantly reduce the attack surface of an environment.
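To make the first step concrete, here is an added example (not from the article, and not Tanium's code) that runs a known-indicator search alongside a simple account-usage outlier check over a handful of constructed endpoint events, so that a host reached only with a stolen credential, and no malware at all, still ends up in the investigation scope. Every hash, domain, hostname and account name below is a constructed placeholder, and the median-plus-MAD cutoff is one simple outlier rule chosen for illustration.

```python
"""Combine known-IOC matching with account-usage outlier analysis.

Added example, not from the original article. All indicators, hosts and
accounts are constructed placeholders, not real IoCs.
"""
from collections import defaultdict
from statistics import median

# Constructed indicators of compromise (placeholder values).
IOC_HASHES = {"deadbeef0001"}
IOC_DOMAINS = {"c2.example-bad.test"}

# Constructed endpoint events: (host, account, process_hash, dest_domain).
EVENTS = [
    ("ws01", "alice", "aaaa0001", "intranet.example"),
    ("ws02", "bob", "aaaa0002", "intranet.example"),
    ("ws03", "carol", "aaaa0001", "intranet.example"),
    ("srv01", "svc_backup", "aaaa0003", "backup.example"),
    ("ws05", "bob", "deadbeef0001", "c2.example-bad.test"),  # known-bad tool
    # A stolen service credential reused across many hosts; no malware involved.
    ("ws01", "svc_backup", "aaaa0003", "intranet.example"),
    ("ws02", "svc_backup", "aaaa0003", "intranet.example"),
    ("ws03", "svc_backup", "aaaa0003", "intranet.example"),
    ("dc01", "svc_backup", "aaaa0003", "intranet.example"),
    ("fs01", "svc_backup", "aaaa0003", "intranet.example"),
]


def ioc_hits(events):
    """Known-indicator search: catches attackers re-using the same tooling."""
    return [e for e in events if e[2] in IOC_HASHES or e[3] in IOC_DOMAINS]


def account_outliers(events, k=3.0):
    """Flag accounts whose distinct-host count is far above the population.
    Median + k * MAD is used so one noisy account does not hide itself."""
    hosts = defaultdict(set)
    for host, account, _, _ in events:
        hosts[account].add(host)
    counts = {a: len(h) for a, h in hosts.items()}
    med = median(counts.values())
    mad = median(abs(c - med) for c in counts.values())
    cutoff = med + k * max(mad, 1)  # floor MAD at 1 so the cutoff stays meaningful
    return {a: c for a, c in counts.items() if c > cutoff}


def scope_incident(events):
    """Hosts an investigator must examine, from both signals combined."""
    flagged = {e[0] for e in ioc_hits(events)}
    for account in account_outliers(events):
        flagged |= {e[0] for e in events if e[1] == account}
    return flagged
```

Here the indicator search alone would scope a single host, while the account-usage check adds six more that a malware-only sweep would never surface.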
Ryan Kazanciyan is the chief security architect at Tanium.