Six key principles for efficient cyber investigations

Many organizations today are not equipped to defend against traditional cyberattacks, as demonstrated by the ever-increasing numbers of successful breaches reported daily – the Privacy Rights Clearinghouse’s latest number is 900,875,242 records breached in 5,165 attacks over the past decade – and that’s U.S. only.

Even the largest companies appear to be less equipped to deal with more sophisticated cyberattacks, like the latest IoT-based Mirai DDoS attack or the attacks detected months or years after the initial breach, such as the Yahoo and Dropbox attacks.

Inundated by alerts, analysts lack the automated and intelligence-driven processes to home in on attacks across the kill chain, and breaches persist far too long. To address this fundamental mismatch, organizations need a new perspective on the way they detect and respond to attacks.

Like police investigations in the real world, every cyber investigation starts with a lead upon which a hypothesis is built. As more evidence is gathered in the field, the case continues to build until investigators can confirm or refute the direction of the investigation. This process is iterative until a conclusion is reached, and it must be thoroughly documented for future reference. This same process needs to be followed when investigating a cyberattack.

Organizations can improve their detection, investigation and response processes and enable analysts to home in on and stop cyberattacks more efficiently with these simple steps.

Automate where it hurts the most

To really make a difference, saving time and resources, you need to automate the time-consuming analysis and investigation stages and not just the response. By automating the collection and analysis of leads across your security infrastructure, you can reduce the number of alerts and confirm real incidents worthy of investigation. Not only does this alleviate alert overload, it also sharpens the skill set of less experienced analysts and frees senior analysts to focus on the complex, sophisticated attacks where human judgment is required.

Document everything to show the evidence and the rationale

Documentation is essential to presenting the chronology and context of an event, including situational and environmental information, such as initial findings, areas affected and evidence to support the incident storyline. Particularly in automated investigations using machine-based analysis, it is critical to document what decisions were made during the investigation process and why. Visualization tools create representative pictures that “connect the dots,” ensuring that analysts get a complete picture without missing critical details.

This information is important when a complex incident is handed off for manual investigation, as well as in scenarios where an investigation is passed from one analyst to another. With all evidence fully documented, security teams are better equipped to make decisions, conduct shift handover, and create managerial reports.

Combine the strengths of humans and machines

Machine-based analysis is essential for productivity and for allowing professionals to focus their skills on the more complex tasks where human experience and intuition are needed. Machines can be built to simulate the way humans investigate – automatically take a lead and confirm or refute it by gathering intelligence from multiple sensors. Once the machine has collected all the relevant pieces of evidence and automatically pieced them together into an incident, humans can use their judgment to add new leads and evidence to the incident. In a continuous, self-learning process, this new evidence can be fed back into the machine, which applies it to past and future analyses to improve threat detection.

Collect the right information

Savvy attackers use multiple methods and vectors – such as malware, phishing and social engineering – to reach their targets. They study your network topology and find the weak points in your defenses. To address this challenge, your security coverage needs to consider multiple elements, including network topology, attack chain and IT assets. Whether your organization has one central site or multiple campuses, you need visibility into traffic coming into each site and moving between sites, whatever attack vector it carries.

In terms of the attack chain, it’s becoming increasingly difficult to detect attacks at the perimeter due to the many ways in. Therefore, you need to be able to identify and verify indicators of compromise across the attack chain through detection of lateral movement and command and control communications. Your IT assets, such as endpoints, servers and files, should also be protected using endpoint analytics and forensics.

Create unified workflows and a seamless investigation workspace

Once all the evidence has been gathered from multiple sensors across your network, it needs to be brought together and presented to the investigator in a coherent and logical manner designed for attack representation. Unified workflows and a single workspace enable analysts to access information from every sensor and perform network and endpoint forensics as needed to build the attack story.

Use machines to model how attackers operate and simulate the way analysts investigate

The key to boosting the efficiency of cyber analysts is to provide them with better insight into raw data to simplify the decision-making process. Start by modeling an attack – the attack surface, the attack components, steps, methods, technology – and how all those might be linked into an attack operation. Then focus on the human investigation workflow so you can mimic it properly and scale it up with accuracy. For example, work out how to dissect leads into individual pieces of forensic information that can be fused, correlated, triaged and connected into an incident view, and how to decide which forensic query option is the best next step at each point in the investigation flow. Then you need to figure out how to interpret and apply the results.
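As an added illustration (not code from the article), here is a small lead-driven investigation loop in Python that follows the process the last three sections describe: a lead is tested against endpoint, network and threat-intelligence sensor data, each check is documented with its finding and rationale, the kill-chain stages that support the hypothesis decide whether the lead is confirmed, refuted or handed to an analyst, and an analyst can feed new evidence into the same record. All sensor data, hostnames and indicators are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed sample sensor output (not from any real environment).
ENDPOINT_EVENTS = [
    {"host": "ws-17", "event": "process_start", "image": "powershell.exe", "parent": "winword.exe"},
    {"host": "ws-17", "event": "logon", "target": "srv-db-02", "logon_type": "network"},
    {"host": "ws-22", "event": "process_start", "image": "chrome.exe", "parent": "explorer.exe"},
]
NETWORK_FLOWS = [
    {"src": "ws-17", "dst": "203.0.113.55", "port": 443, "connections": 288},
    {"src": "ws-22", "dst": "198.51.100.9", "port": 443, "connections": 3},
]
THREAT_INTEL = {"203.0.113.55": "constructed C2 indicator"}  # constructed, not a real IoC
SCRIPT_HOSTS = {"powershell.exe", "wscript.exe", "cmd.exe"}
OFFICE_APPS = {"winword.exe", "excel.exe"}

@dataclass
class Incident:
    lead: dict
    evidence: list = field(default_factory=list)
    decisions: list = field(default_factory=list)   # (stage, supported, rationale)
    verdict: str = "open"

    def record(self, stage, items, rationale):
        """Document each step: what was checked, whether it supported the lead, and why."""
        self.decisions.append((stage, bool(items), rationale))
        self.evidence.extend(items)

def investigate(lead):
    """Take a lead, test the hypothesis against each sensor, and reach a verdict."""
    inc, host = Incident(lead=lead), lead["host"]
    # Stage 1 (endpoint): an Office app spawning a script host supports initial access.
    inc.record("endpoint", [e for e in ENDPOINT_EVENTS if e["host"] == host
                            and e["event"] == "process_start"
                            and e["parent"] in OFFICE_APPS and e["image"] in SCRIPT_HOSTS],
               "Office parent spawning a script host is consistent with a malicious document")
    # Stage 2 (network): outbound flows to an intel-listed destination indicate C2.
    inc.record("c2", [f for f in NETWORK_FLOWS if f["src"] == host and f["dst"] in THREAT_INTEL],
               "Sustained outbound connections to a listed C2 address")
    # Stage 3 (lateral movement): network logons from the lead host to other assets.
    inc.record("lateral", [e for e in ENDPOINT_EVENTS if e["host"] == host
                           and e["event"] == "logon" and e["logon_type"] == "network"],
               "Network logon from the lead host to another asset suggests lateral movement")
    supporting = sum(1 for _, hit, _ in inc.decisions if hit)
    # Two independent kill-chain stages confirm; one goes to a human; none refutes the lead.
    inc.verdict = {0: "refuted", 1: "needs analyst review"}.get(supporting, "confirmed")
    return inc

def add_analyst_evidence(inc, item, rationale):
    """A human adds a new lead or finding; it is logged with the same rationale trail."""
    inc.record("analyst", [item], rationale)
    return inc
```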

Holistically applying these principles to design, implementation, data modeling, APIs, user interfaces and other components will result in a purpose-built, mission-centric defense system that makes your analysts more effective and productive.

The time has come for a new approach to cyber defense – let the automated system do the heavy lifting, and then empower your analysts to use their intuition and experience to stop the attacks in their tracks.