Quick and agile response to incidents is a basic aspect of a good cybersecurity strategy. Little by little, more and more companies are becoming aware of this, and this is shown by the favourable evolution of the remediation time.
This statement is corroborated by the latest study published by SANS on incident response, which shows that, for the second consecutive year, there has been an improvement in the way in-house teams respond to incidents. 67% of those surveyed indicated that they had gone from detection to containment in less than 24 hours, a 6% increase over the previous year. In addition, 89% of remediation efforts occur within the first month, a period which, depending on the nature of the incident, can be considered reasonable. However, as these same figures show, there is still room for improvement.
In order to secure and maintain a Threat Intelligence (TI) infrastructure, the cyberdefence strategy must be able to detect all abnormal activity, identify it and react to the incident as quickly as possible. Furthermore, it is also essential to carry out advanced analysis of all security events to gather patterns and potentially malicious information into what is called an Indicator of Compromise (IOC), which helps give context to the description of the incident. Thus, companies can understand the nature of the damage they have suffered and react to it.
Searching for IOCs: A Necessity
Given the speed at which cybercrime advances, the speed at which an incident is detected and mitigated is crucial to the survival of any business. In order to speed up the identification of affected devices and the response to threats, having a service provider that supports retrospective and real-time searches for IOCs, as well as advanced hunting rules (YARA) on the endpoint, is not an option, but a necessity.
But why is this so important? In the event of an incident in an organisation, the ability to search for Indicators of Compromise in real time across the company's entire set of endpoints makes it possible to speed up the identification of the devices being attacked, and thereby to take the relevant remedial measures to contain the breach as quickly as possible and reduce the exposure time.
In short, with the search for IOCs, the TI team and the CISO have greater visibility of the environment and of what is happening, and are therefore able to anticipate the problem and put a stop to it before the consequences get worse.
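The retrospective sweep described above, as an added illustration that is not part of the original post nor of any vendor product: a set of IOCs (hashes, domains, IPs) is matched against endpoint telemetry, and the result names each affected host, its earliest hit and how long it has been exposed, which is what drives containment order. All indicators, hostnames and events are constructed sample values; real IOC feeds, the `host`/`ts`/`type`/`value` record layout and the YARA pattern matching mentioned in the text are not modelled here, only exact-value matching.

```python
from collections import defaultdict
from datetime import datetime

# Constructed IOC set: indicator value -> analyst label. Not real indicators.
IOCS = {
    "sha256": {"deadbeef" * 8: "loader.bin"},
    "domain": {"c2.example.invalid": "C2 beacon"},
    "ip": {"203.0.113.7": "C2 address"},
}

# Constructed endpoint telemetry, one record per observed event (assumed layout).
EVENTS = [
    {"host": "ws-101", "ts": "2024-03-01T08:02:00", "type": "file", "value": "DEADBEEF" * 8},
    {"host": "ws-101", "ts": "2024-03-01T08:05:00", "type": "dns", "value": "C2.example.invalid"},
    {"host": "ws-205", "ts": "2024-03-03T14:20:00", "type": "conn", "value": "203.0.113.7"},
    {"host": "srv-db1", "ts": "2024-03-02T10:00:00", "type": "file", "value": "cafebabe" * 8},
]

# Which IOC family applies to each telemetry event type.
EVENT_TO_IOC = {"file": "sha256", "dns": "domain", "conn": "ip"}


def sweep(events, iocs):
    """Match every event against the IOC set.

    Returns {host: {"hits": [(kind, value, label, ts), ...], "first_seen": datetime}}
    for hosts with at least one hit. Values are lower-cased before lookup so that
    hash case and DNS case differences do not hide a match.
    """
    hits = defaultdict(lambda: {"hits": [], "first_seen": None})
    for ev in events:
        kind = EVENT_TO_IOC.get(ev["type"])
        if kind is None:
            continue  # event type not covered by any IOC family
        value = ev["value"].lower()
        label = iocs.get(kind, {}).get(value)
        if label is None:
            continue
        ts = datetime.fromisoformat(ev["ts"])
        entry = hits[ev["host"]]
        entry["hits"].append((kind, value, label, ts))
        if entry["first_seen"] is None or ts < entry["first_seen"]:
            entry["first_seen"] = ts
    return dict(hits)


def exposure_hours(result, now_iso):
    """Hours each affected host has been exposed since its earliest IOC hit,
    longest exposure first, so responders can contain in that order."""
    now = datetime.fromisoformat(now_iso)
    hours = {h: (now - r["first_seen"]).total_seconds() / 3600 for h, r in result.items()}
    return dict(sorted(hours.items(), key=lambda kv: kv[1], reverse=True))
```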
Reinforcing the Strategy with an Incident Response Plan
Cybersecurity personnel should not only use these Indicators of Compromise to their advantage, but also reinforce their strategy with an Incident Response plan and leading-edge solutions that enable them to maintain a proactive approach and face threats in a more effective way.
To reach – and exceed – standards of effectiveness when responding to cybersecurity incidents, there are five steps to consider: prepare a solid response plan in advance to help avoid gaps; once the threat is detected, determine the cause of the incident in order to contain it; assess all efforts made and still needed to provide the best response (triage and analysis); contain the damage, eradicate it and recover; and implement appropriate changes to the cybersecurity strategy to prevent the incident from happening again.
Visibility and Intelligence at the Service of Incident Response
In this context, where the advantages of searching for IOCs and of having a firm and up-to-date response and remediation plan to mitigate the damage have been clearly seen, it is very important to have the most advanced technology available. For instance, there are solutions on the market that can accelerate the response to incidents and the search for malwareless threats based on behavioural analysis from the cloud.
In this regard, technologies such as Threat Hunting libraries or Jupyter Notebooks are resources that must be present to give visibility and intelligence to the effective search for threats, accelerated investigation and immediate action on the endpoint. Pre-built investigations delivered as Jupyter Notebooks also favour a short learning curve for analysts and hunters, as they are self-explanatory, extendable and repeatable.
Early detection is undoubtedly the first step in containing and eradicating an attacker from the network, but it is useless without immediate action at the endpoints as a response mechanism. That is where advanced tools that amplify the capabilities of the SOC come into play, by distinguishing between expected activity and abnormal actions that may indicate the presence of a threat.