Published on October 23rd, 2014 | by admin
10 Steps to Take After You Detect a Breach in Your Company
Threat detection monitoring and post-breach procedures are necessities in any enterprise looking to adequately secure its network. And chances are you’ve already created one or more processes for when your front-end defenses fail. But when a breach actually occurs, what steps are you really taking to make it stop?
A powerful and effective defense strategy is a multi-layered one that detects threats, links them to the actors behind them, and protects your company from similar attacks in the future through systematic actions that quickly stop the bleeding.
Having tools, systems, and processes is great when it comes to preventing attacks. What’s better, however, is having a solid list of steps to take after you detect a breach in your company to answer the whos, whats, and whys of the event. This data is tremendously important for any enterprise in protecting sensitive data and decreasing probable mitigation costs.
- Identify the IP address of the actor(s) and associate it with infected devices. Many companies have instituted a BYOD policy, which has its benefits. The drawback is that with so many devices not being issued by the company, you have far less control. So when a breach happens, it’ll be up to you to immediately determine if the infected device is company-issued or BYOD. You’ll have to figure out whose device it is by the application behaviors and identifiers. At the same time, it’ll be necessary to look at the IP addresses that this device had over the period of concern and determine any lateral movements and unexpected connections. Once you take this step, you can quickly figure out what networks this device had access to.
- If you can get access to the device… Immediately secure it and take it off the network! Sometimes, getting your hands on the actual device is just that easy. And now that you have it off the network, you can use desktop forensics tools to pull the hard drive image and fully analyze the device to understand what was communicated. But on the other hand…
- If you can’t get access to the device… Look at the traffic flow to the internet – and not just on the surface, but at the application level. You can immediately classify red flags for malware by finding things such as abnormally long URL or User-Agent strings, or repeated requests to DNS entries with a low TTL.
- Look for all traffic flows that were sending data to locations that are synonymous with malware and attacks. Resolve any IP addresses outside of your network to geographies and reconcile them with blacklists to correlate any red flags, elevate the most serious concerns, and eliminate false positives.
- Use statistical visualizations. Statistical visualizations will allow you to notice system misuses and abnormal traffic flows in an intuitive and easily identifiable way. They will also allow you to identify systems that are consistently communicating over a new port, ascertain any scans or attempts to take advantage of vulnerabilities, and identify persistent flows spanning non-working hours. This should give you an invaluable snapshot of what’s happening on your network.
- Look for files transferred. It’ll be important to know what’s going in and out of your network. Search across emails, chats, file transfers and Internet file store services. Check what’s been downloaded and uploaded. Is it an executable or a DLL? Does it have an unusually large number of spaces in the filename? It could be a malware executable disguised as a harmless file type that is taking advantage of character display limitations in certain apps. It could be exfiltration.
- Identify protocols. Now that you’ve checked transfers of files, the next step is to look for non-compliant commands issued on a common protocol, such as an HTTP client issuing RUN. Or look for a protocol carried over a non-standard port, such as SMTP over port 80. These may be innocent, but most likely they’re red flags for command and control.
- Isolate the flows that look suspicious. Identify all flows that are sending and receiving encrypted transmissions. Based on a session’s origin, destination, and port usage, you can decide whether or not to deem it suspicious. For example, if an encrypted session over port 80 has a destination IP of a server residing in China, this should clearly indicate that something is wrong.
- Pinpoint the suspicious IP addresses. Plot the locations of the suspicious IP addresses on a map to identify anomalous flows. Go beyond statistics per flow, and look at each flow’s packet count, byte count, and duration. This additional step will go a long way in identifying the who and where of devious activities or events.
- Cover your bases. Once you know the behaviors of the infected systems, use those patterns to determine other systems that may have been compromised. If and when similar attacks do occur, you’ll be prepped and ready to act swiftly in securing your company’s network.
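Several of the red flags in the steps above (abnormal URL and User-Agent lengths, repeated low-TTL DNS lookups, a protocol on a port where it does not belong, encrypted sessions over port 80, and persistent flows outside working hours) can be expressed as simple triage rules over flow records. The example below is added here and is not SS8’s code; the record fields, the thresholds, and the sample sessions are all assumptions constructed for illustration.

```python
# Added example, not SS8's code: red-flag heuristics from the checklist applied
# to constructed flow records. Field names, thresholds and data are assumptions.
from collections import Counter

# Constructed sample sessions in the shape a flow collector plus web proxy might
# export. Addresses come from documentation ranges; every value is made up.
FLOWS = [
    {"src": "10.0.0.12", "dst": "198.51.100.7", "dport": 443, "proto": "tls",
     "pkts": 40, "bytes": 18000, "secs": 3, "hour": 10},
    {"src": "10.0.0.12", "dst": "203.0.113.9", "dport": 80, "proto": "tls",
     "pkts": 900, "bytes": 60000, "secs": 7200, "hour": 2},
    {"src": "10.0.0.33", "dst": "203.0.113.5", "dport": 80, "proto": "smtp",
     "pkts": 25, "bytes": 4000, "secs": 2, "hour": 14},
    {"src": "10.0.0.33", "dst": "203.0.113.8", "dport": 80, "proto": "http",
     "pkts": 6, "bytes": 1500, "secs": 1, "hour": 14, "ua": "Mozilla/5.0",
     "url": "/a?" + "x" * 600},
    {"src": "10.0.0.12", "dst": "10.0.0.53", "dport": 53, "proto": "dns",
     "pkts": 2, "bytes": 200, "secs": 0, "hour": 3, "qname": "cdn-upd.example", "ttl": 30},
    {"src": "10.0.0.12", "dst": "10.0.0.53", "dport": 53, "proto": "dns",
     "pkts": 2, "bytes": 200, "secs": 0, "hour": 3, "qname": "cdn-upd.example", "ttl": 30},
]

# Assumed thresholds; tune them to your own network's baseline.
LONG_URL, LONG_UA, LOW_TTL, DNS_REPEATS = 512, 256, 60, 2
EXPECTED = {80: {"http"}, 443: {"tls"}, 25: {"smtp"}, 53: {"dns"}}
WORK_HOURS = range(8, 19)

def flag_flow(f):
    """Return the red flags one flow raises (empty list when it looks clean)."""
    flags = []
    if len(f.get("url", "")) > LONG_URL:          # abnormally long URL
        flags.append("long-url")
    if len(f.get("ua", "")) > LONG_UA:            # abnormally long User-Agent
        flags.append("long-user-agent")
    want = EXPECTED.get(f["dport"])
    if want and f["proto"] not in want:           # e.g. smtp or tls over port 80
        flags.append(f"{f['proto']}-on-{f['dport']}")
    if f["secs"] >= 3600 and f["hour"] not in WORK_HOURS:  # persistent flow
        flags.append("persistent-off-hours")               # outside work hours
    return flags

def triage(flows):
    """Map each flagged session to its flags; add repeated low-TTL DNS lookups."""
    report = {(f["src"], f["dst"], f["dport"]): flag_flow(f) for f in flows}
    report = {k: v for k, v in report.items() if v}
    lookups = Counter(f["qname"] for f in flows if f.get("ttl", LOW_TTL) < LOW_TTL)
    for name, n in lookups.items():
        if n >= DNS_REPEATS:
            report[("dns", name)] = [f"low-ttl-repeated-x{n}"]
    return report
```

Running `triage(FLOWS)` flags the TLS-over-80 session that also persists overnight, the SMTP-over-80 session, the oversized URL, and the repeated low-TTL lookup, while the ordinary HTTPS session passes clean.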
Download the Top 10 Steps to Take after You Detect a Breach in Your Company infographic here. For more information, visit go.ss8.com/top10
What is Communications Insight? SS8 offers software products that provide organizations with comprehensive communications visibility and awareness, enabling network security teams to more quickly, easily, and cost-effectively derive insights. Learn more about SS8 Enterprise at www.ss8.com.