There are three main periods in the incident response lifecycle. The first is dwell time, which is the time from compromise to detection. Second is containment, which stops the attacker's ongoing activity and prevents their re-entry to the system. Finally, the remediation phase addresses updates to the network to remove vulnerabilities and strengthen security against future similar attacks.
From an attacker’s perspective, a typical attack starts with the initial compromise, followed by the attacker establishing a foothold by downloading malware, escalating privileges and then exploring the network. Up to this point, the attacker is probably limited to a single machine and has not been able to exfiltrate data.
Their next steps, however, will be to move laterally and establish persistence by installing different malware on a small number of other machines. This keeps their risk of detection low, while providing means of re-entering the network should the initial compromise be detected. The attacker is now established in the system and will start to execute their mission.
Two things are clear from this. First, it is much easier to contain and remove the attacker before they start moving laterally. Once an attacker has infected several other machines with disparate malware, they are far more difficult to remove.
If you do detect one of the infected machines and remove the malware, they will recognise this and simply place more malware on other machines to maintain persistence. When you are at this stage, your incident response team will need to identify all the infected machines without the attacker knowing and then simultaneously clean them all – or else end up playing “whack-a-mole” each time they pop up.
Second, data exfiltration, or other damaging activity, is only likely to start after persistence is established. It is therefore much simpler to contain the attack before the lateral movement phase.
So how can this be tackled? Assuming the initial attack has got through your defences, there is little evidence of the attack at this stage, and it will be confined to the initial endpoint and the command and control channel back to the attacker.
Command and control can be detected using network monitoring, based on analytics use cases, anomaly detection, or another specialised appliance. Endpoint activity, such as privilege escalation, network scanning and attempted lateral movement, may be detected using indicators of compromise (IOCs), antivirus heuristics and analytic use cases of endpoint events.
However, in most cases, this indicates – rather than confirms – a compromise, so it will be down to your operational team to respond to these alerts and interpret the results. This is particularly important because their time to react will be critical, yet these skills are in short supply and cannot be fully replaced by technology.
Skilled staff are essential to identify attacks quickly and not put them down as false positives. It is also critical to mobilise your incident response plan once the clock is ticking, so you need to have a tested plan in place.
Finally, while I have assumed the attacker has successfully avoided any static defences, there are things you can do to make the attacker’s life more difficult and buy more time. Firstly, privilege escalation normally results in the attacker acquiring the admin password for the endpoint.
In many organisations, this is the same for every endpoint, facilitating lateral movement. Making passwords unique for each endpoint and allowing remote login only from designated management servers – possibly aided by password managers – will slow the attackers down. Also, in most systems there is no need for one endpoint to connect directly to another.
This can easily be blocked using host firewalls to hamper lateral movement. These measures are largely a configuration of tools you will already have, and will have little or no impact on the operation of most networks, but will slow an attacker down and can generate alerts, buying more time and providing more evidence.
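To illustrate how host-firewall restrictions can both hamper lateral movement and produce alerts, here is an added Python example (not from the article): it parses constructed host-firewall log lines in an assumed format, treats an assumed allowlist of management servers as the only legitimate source of remote-admin connections, and flags any other endpoint that reaches for several peers on admin ports.

```python
import re
from collections import defaultdict

# Hosts allowed to initiate remote-administration sessions (assumed allowlist,
# standing in for the "designated management servers" in the text).
MANAGEMENT_SERVERS = {"10.0.0.5", "10.0.0.6"}

# Ports typically used for remote login and endpoint-to-endpoint administration.
ADMIN_PORTS = {22, 135, 445, 3389, 5985, 5986}

# Constructed sample host-firewall log lines (not real telemetry). The format
# "<ts> <ACTION> src=<ip> dst=<ip> dport=<port>" is an assumption.
SAMPLE_LOG = """\
2024-05-01T09:00:01 DROP src=10.0.1.23 dst=10.0.1.24 dport=445
2024-05-01T09:00:02 DROP src=10.0.1.23 dst=10.0.1.25 dport=445
2024-05-01T09:00:03 DROP src=10.0.1.23 dst=10.0.1.26 dport=3389
2024-05-01T09:00:04 ALLOW src=10.0.0.5 dst=10.0.1.24 dport=3389
2024-05-01T09:00:05 ALLOW src=10.0.1.24 dst=10.0.2.10 dport=443
2024-05-01T09:00:06 DROP src=10.0.1.40 dst=10.0.1.41 dport=22
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>ALLOW|DROP)\s+src=(?P<src>\S+)"
    r"\s+dst=(?P<dst>\S+)\s+dport=(?P<dport>\d+)$"
)

def parse_log(text):
    """Parse log lines into dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ev = m.groupdict()
            ev["dport"] = int(ev["dport"])
            events.append(ev)
    return events

def peer_admin_attempts(events):
    """Admin-port connection attempts whose source is not a management
    server, grouped as source -> set of destination endpoints."""
    by_src = defaultdict(set)
    for ev in events:
        if ev["dport"] in ADMIN_PORTS and ev["src"] not in MANAGEMENT_SERVERS:
            by_src[ev["src"]].add(ev["dst"])
    return by_src

def alerts(events, threshold=2):
    """Sources that tried to reach `threshold` or more distinct peers on
    admin ports: the pattern the host-firewall rules block and expose."""
    return sorted(src for src, dsts in peer_admin_attempts(events).items()
                  if len(dsts) >= threshold)
```

Because the rules drop the traffic, the attempts appear as DROP entries, so the same configuration that slows the attacker also supplies the evidence for the alert.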