Incident detection and response, also known as attack/threat detection and response, is the process of finding intruders in your infrastructure, retracing their activity, containing the threat, and removing their foothold. By learning how attackers compromise systems and move around your network, you can be better equipped to detect and stop attacks before valuable data is stolen. This blog covers the different components of the attack lifecycle to help identify and remediate a threat before perpetrators steal your data.
What is a breach?
A security breach, also known as a data breach, is when sensitive, protected, or confidential data is copied, transmitted, viewed, or used by an individual unauthorized to do so. This data can be stolen, held for ransom, or even destroyed, most often for financial gain. Let's imagine the scenario of a hospital getting breached. This means that an outside attacker or insider threat has unauthorized access to private information such as patient social security numbers, medical records, or payment plan data. This private data can then be used by attackers to perform identity theft or sold on secondary markets, making it a lucrative mission target.
Today's concern is the amount of time attackers lurk undetected on the network ecosystem. After an initial breach, attackers aren't in and out after a few minutes – it takes most teams 100 to 200 days to recognize an attack, and another 20 to 30 days to contain it [1]. The challenge is threefold: properly detecting the attack, scoping the exact users and assets affected, and taking the proper steps to fully remove the intruder from the system. In many cases, the initial compromised machine gets properly remediated, but the other attacker-created backdoors are not, resulting inevitably in a second breach.
What is a security incident?
A security incident is an action that goes against organization security policy. So what makes a security incident different than a data breach? A security incident is a violation of policy that, if perpetrated with malicious intent, is a breach.
A security incident can be any of a range of activities. Some of the more purposeful, malicious examples include a compromised user account or falling victim to a phishing attack. Others can be more accidental, such as losing a flash drive that contains private information, or unintentionally disclosing sensitive information that should not be made public. Whether intentional or not, it is important to let your cyber security incident response team know so they can be aware of possible attacks and make sure information is kept secure.
What is an incident responder?
A responder is someone who investigates and contains attacks quickly and accurately. They may not be the first to detect the attack, but are charged with assessing the severity of the cyber security incident, scoping the affected users and assets involved, and remediation – cleaning up the attack so that the intruders can no longer access the internal network. A responder doesn't necessarily have to be an employee of your company, however, as there are companies that provide external responders for other businesses. External responders can offer a wide array of services, from being an extension of your security team to helping you accelerate your investigation and containment, as well as helping you develop your own security team.
How do intruders breach a company?
The way intruders breach a company can vary, but in any breach an intruder must take at least one of the steps on the attack chain, which is a graphical representation of the steps required to breach a company. The attack chain is broken down into five different steps: infiltration and persistence, reconnaissance, lateral movement, mission target, and maintain presence. It's important to note that attackers do not have to complete all of these steps for a successful breach, nor do they have to do them in this exact order, although step one is always executed by attackers in order to perform a successful breach.
- Infiltration and Persistence: This step is when attackers work to initially breach your network, to get a foothold within it. Ways to do this include phishing, stolen credentials, and malware, among others.
- Reconnaissance: In this part of the attack chain the attackers assess the situation and plan their next target.
- Lateral Movement: When an attacker moves from one endpoint to another, it is referred to as lateral movement. During this section of the attack chain an attacker will use compromised credentials to access other machines. If a compromised credential succeeds on another machine the attacker will log in, scrape the password hashes or clear text credentials from the machine, and continue lateral movement until they get the information they desire. The objective of the attacker is to obtain credentials with elevated permissions so they can have access to any machine on the network.
- Mission Target: Mission targets are critical assets or systems with significant value, such as protected health information or credit card information. When the attacker reaches this information, they will then try to exfiltrate the data. This is commonly done through the attacker's malware, or through a cloud service or FTP set up for the attack.
- Maintain Presence: The final step of the attack chain is maintaining presence. An attacker will set up backdoors across the network so that even if the first machine infiltrated, patient zero, is properly remediated, the attacker can still access the network at a later date.
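The lateral movement step above, one credential reused against machine after machine, shows up in authentication logs as a single account logging on to many distinct hosts from one source in a short span. The following is an added example, not part of the original post, that flags this pattern; the log format, host names, account names, window and threshold are all constructed assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample authentication events (not real logs):
# timestamp, account, source host, destination host, outcome
SAMPLE_LOG = """\
2015-06-01T09:00:05 alice ws-017 fs-01 success
2015-06-01T09:02:11 bob ws-022 mail-01 success
2015-06-01T13:40:00 alice ws-017 fs-01 success
2015-06-01T02:14:03 svc-backup ws-031 ws-044 failure
2015-06-01T02:14:09 svc-backup ws-031 ws-045 success
2015-06-01T02:15:30 svc-backup ws-031 db-02 success
2015-06-01T02:17:02 svc-backup ws-031 fs-01 success
2015-06-01T02:19:45 svc-backup ws-031 dc-01 success
"""

def parse(log_text):
    """Yield (time, account, source, destination, outcome) tuples."""
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 5:
            continue  # skip malformed lines instead of failing
        ts, account, src, dst, outcome = fields
        yield datetime.fromisoformat(ts), account, src, dst, outcome

def find_fanout(log_text, window=timedelta(minutes=10), threshold=3):
    """Flag (account, source) pairs that log on successfully to at least
    `threshold` distinct hosts within `window`."""
    by_pair = defaultdict(list)
    for ts, account, src, dst, outcome in parse(log_text):
        if outcome == "success":
            by_pair[(account, src)].append((ts, dst))
    alerts = {}
    for pair, events in by_pair.items():
        events.sort()
        start = 0
        for end in range(len(events)):
            # slide the left edge forward until the span fits in `window`
            while events[end][0] - events[start][0] > window:
                start += 1
            hosts = {dst for _, dst in events[start:end + 1]}
            if len(hosts) >= threshold and len(hosts) > len(alerts.get(pair, ())):
                alerts[pair] = sorted(hosts)
    return alerts

if __name__ == "__main__":
    for (account, src), hosts in find_fanout(SAMPLE_LOG).items():
        print(f"{account} from {src} reached {len(hosts)} hosts: {hosts}")
```

Repeated logons to the same host (alice to fs-01) do not count toward the threshold, so ordinary daily use stays quiet while a fan-out across new machines is flagged.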
Why is it difficult to detect cyber attacks?
There are many ways attacks can get into your network, but the top three attack vectors behind breaches are compromised credentials, malware, and phishing. While organizations are good at catching known malware, they are less proficient when it comes to catching credential-based attacks, as preventative systems can't detect an attacker once they are on the network. Today's preventative technologies, like firewalls and anti-virus, don't alert on attackers successfully stealing employee credentials and masquerading as company employees.
A way to visualize this is to imagine the exposed attack surface as though it were a balloon. The more users, assets, and technologies that are introduced, the more the surface expands. The larger this surface, the more ways an attacker could potentially become a network threat. This is also true for mobile devices and cloud services. As more things move to the cloud, the bigger the attack surface will grow because you have less control over what your users log into and where your data is stored, making it harder to monitor activity outside your network. And much like how a balloon can get so big it pops, the bigger the attack surface, the higher the risk of an organization experiencing an attack should they not perform proper attack surface management.
Another reason it is so hard to detect cyber attacks is the size of security teams. In general, security teams are on the smaller side, which results in them becoming strained under the onslaught of attacks. Once overwhelmed, teams can begin to miss real threats while they are investigating false alarms: organizations receive a ton of alerts from many different parts of their security stack, and validating that the alerts are real, along with the investigation that follows, is time consuming. Smaller teams also have more difficulty taking on more comprehensive projects like SIEMs, as they have neither the time nor the manpower to commit to the project.
[1] 2015 Verizon Data Breach Investigations Report