According to the Verizon Data Breach Investigation Report 2021, privilege misuse and system intrusion were the longest to discover breaches. In contrast, the breaches that are the fastest to discover appear to be those where it becomes readily apparent something is wrong. The graph shows, in certain cases, we seem to have gotten much better at detecting evidence of compromise.
However, in the other cases, the adversary is inside your systems for months before you even realize it. And, that brings a very pertinent concern – are we too fast when we perform incident response?
Mick Douglas, Managing Partner, InfoSec Innovations, Certified SANS Instructor delivered an eye-opening session on Rapid–er Incident Response and explains how shallow our initial incident response is and how fast you should go to make the most of your precious time.
Are we too FAST?
What makes us become too fast? Is it your SLAs?
Industry as a whole, we are so fast at responding to threats that we miss out on crucial analysis & storytelling and end up only optimizing for alerts without any real context.
“Our SLAs are garbage, completely arbitrary: we’ve bound ourselves to these numbers that don’t have any bearing in reality,” says Mick Douglas. And, he went on saying “if you are in the position, review these SLAs, challenge them”. And, remember the more you collapse the time frame, the shallower the story is.
Why so RUSH?
How we handle ransomware is important: usually, ransomware does not detonet immediately; rather they perform reconnaissance: a significant process such as understanding your network, looking for systems and other components to spread the attack over.
Research indicates that adversaries stay in your network for a significantly longer period of time before they get detected. In the meantime, there is ample time for defenders to pause, think and do things differently to make the most of your precious time.
He further touched upon notification timelines and why our processes and procedures are far too slow when the adversary is moving at a logarithmic pace, and what we can do about it to make it better.
Watch this 35 minute video for more insights.
(This article is an extract basis the expert session by Mick Douglas, Managing Partner, InfoSec Innovations | Certified SANS Instructor at the recently concluded dynamicCISO summit on 10 and 11 March ‘22)