Every Solution You Can Imagine – and More
What cybersecurity solution do you need? From Zero Trust to ADR, IAM, risk/privacy, data protection, AppSec and threat, securing digital transformation, to resiliency and remediation, we can build the right program to help solve your challenges.
A Single Partner for Everything You Need
Optiv works with more than 400 world-class security technology partners. By putting you at the center of our unmatched ecosystem of people, products, partners and programs, we accelerate business progress like no other company can.
We Are Optiv
Greatness is every team working toward a common goal. Winning in spite of cyber threats and overcoming challenges in spite of them. It’s building for a future that only you can create or simply coming home in time for dinner.
However you define greatness, Optiv is in your corner. We manage cyber risk so you can secure your full potential.
Top 20 CIS Critical Security Controls (CSC) Through the Eyes of a Hacker – CSC 19
In this blog series, members of Optiv’s attack and penetration team are covering the top 20 Center for Internet Security (CIS) Critical Security Controls (CSC), showing an attack example and explaining how the control could have prevented the attack from being successful. Please read previous posts covering:
CSC 19: Incident Response and Management
Protect the organization’s information, as well as its reputation, by developing and implementing an incident response infrastructure (e.g. plans, defined roles, training, communications, management oversight) for quickly discovering an attack and then effectively containing the damage, eradicating the attacker’s presence and restoring the integrity of the network and systems.
Unlike the previous posts that depicted fairly specific attack types, let’s instead approach this by inspecting the kill chain affiliated with typical attack patterns. The following image, taken from National Institute of Standards and Technology (NIST), manages to reduce the complexity of the kill chain to a consumable visual aid.
Note a few important details about this graphic:
For this blog post we’re primarily concerning ourselves with the reactive response. Specifically, handling the stages of kill chain related to exploitation, installation, command and control (C2), and action objectives. After all, incident response is purely aimed at restoring system, data and network integrity by eradicating attacker access.
Within the steps of the kill chain there are further defined actions that you can break up into categories such as lateral network movement, privilege escalation, etc. Each of these stages often have specific indicators of compromise (IOCs) that can be useful for tracing an attacker’s methods and path throughout your network. For example, a common kill chain may follow this pattern:
Consider that 80 percent of organizations breached in 2016, according the Verizon Data Breach Report, took weeks or longer to discover the breach. In 7 percent of those cases, the breach went unnoticed for more than a year. This is staggering. The longer an attacker persists in the network the greater the potential damage, cost and difficulty to eradicate. Detection is the lynchpin event that begins the execution of an incident response plan.
Although technical controls can be effective at identifying the initial breach and the attack kill chain, this information is only valuable to an organization if properly collected, analyzed and acted upon. For this reason, technical controls operating in tandem to support clearly defined incident response procedures are paramount to minimizing the impact of a compromise. It’s the difference between an effective incident response program and ineffective one. Certainly, incident response depends on tools and active response techniques, but much of its effectiveness is rooted in procedure and policy.
So let’s look at the components necessary to create an effective incident response program.
As a member of Optiv’s attack and penetration practice performing offensive engagements, I can’t stress enough the importance of that final bullet point. Organizations rarely perform live-fire tests to evaluate their incident response capabilities, getting the opportunity to assess their program only after an actual breach occurs. That’s putting a lot of hope on an untested, unrefined and often complicated process that’s being executed under pressure. We’ve performed assessments that have tested organization’s processes for the first time, only to have the organization learn that they are grossly understaffed or incapable of eradicating the breach prior to the exfiltration of millions of sensitive database records. You don’t know whether it works until there’s a breach – you’re better off letting it be a controlled exercise.
This discussion segues nicely into our 20th and final CSC series post: CSC 20 – Penetration Tests and Red Team Exercises.
Let us know what you need, and we will have an Optiv professional contact you shortly.