Why a rapid response is essential and how to achieve it
Advanced persistent threats continue to test organizations' strength by exploiting new vulnerabilities, orchestrating massive supply chain incidents and targeting specific industries. Some 84% of companies worldwide acknowledge that cyber attacks have become more sophisticated, pointing to vulnerabilities, expanding attack surfaces, new threat tactics, malware, mobile device security and employees' use of mainstream cloud services.
Fortunately, there are many tools, sources of information and guidelines to help refine the response to sophisticated attacks, giving a clear understanding of how to hunt threats and remediate information systems. Since the average cyber attack lasts about a day and a half, security teams need to react quickly. However, a timely response does not necessarily mean that malicious actions should be blocked immediately. It is important to understand the right time to start the containment, eradication and recovery phases of the response, because an ill-timed reaction can signal to the attackers that their actions no longer go unnoticed.
For example, if the incident response team blocks infected software, malicious IP addresses or URLs as soon as the first signs of a threat are detected, the attackers can simply hide in the network or change their tactics. This could force the investigation cycle to start over. Moreover, attackers can sometimes hide so well and for so long that discovery becomes next to impossible until their next malicious activity is revealed.
Advanced persistent threats (APTs) use lateral movement techniques to go unnoticed for days, months or even years while they seek out the crucial assets in the victim's environment. For instance, in the Lazarus attack the actor managed to overcome network segmentation and reach the restricted network through the lateral compromise of an administration machine that connected both the corporate and restricted segments. The TunnelSnake APT operation revealed a case in South Asia where the threat actor had had a foothold in the network since 2018.
Another problem with an early reaction is that it can create a situation in which some attack artifacts go unnoticed during the eradication phase, because the IT security team either did not detect them or did not relate them to the attack at the investigation stage.
The entry point may also remain unclear. It could be a vulnerability, an unprotected endpoint or any other vector. In that case, even if the attack were stopped and all malicious items wiped out, the risk of the intruders making another attempt through the same door, but with new tactics, techniques and procedures, would remain.
Despite the increasing volume and sophistication of APTs, there are response measures that can be taken to avoid these detrimental outcomes.
Find the attack chain
As soon as a security team discovers that their organization is compromised and that there is a human on the other side (not just malware), they have to follow the attack and find as many traces as possible. The attacker's actions should be tracked across the entire network, not just the immediate perimeter. The further the attack goes, the more traces it leaves; threat hunters can attribute them to an APT group, or at least infer its target, and then hunt it down in the most efficient way. It is extremely important to find the entry point of the attack to avoid a repeat of the same type of incident.
The end objective of incident response is achieved through two activities: investigation and remediation. The investigation phase determines the attack vector, the tools used, the affected systems, the damage, the intrusion time frames and so on. In other words, a complete analysis is needed before moving on to remediation.
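As an added illustration of the "follow the attack and find the entry point" step described above (example code written for this page, not part of the original article or of any Kaspersky tooling), the Python below reconstructs a lateral-movement chain from a small constructed set of remote-logon records and then scopes the hosts reached from the first compromised machine. All host names, accounts and timestamps are invented; the records stand in for whatever authentication telemetry (Windows logon events, VPN logs, jump-host audit logs) an organization actually has.

```python
"""Reconstruct an attacker's lateral-movement chain from remote-logon records.

Added example for this page. The sample data and host names are constructed;
in practice the Logon records would be populated from real authentication logs.
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Logon:
    ts: str    # ISO-8601 timestamp (string comparison works for this format)
    src: str   # host the logon originated from
    dst: str   # host that was logged on to
    user: str  # account used


# Constructed sample: "ws-17" is patient zero, reached through the VPN gateway;
# "admin-jump" straddles the corporate and restricted segments, as in the
# lateral-movement scenario described in the text.
SAMPLE_LOGONS: List[Logon] = [
    Logon("2023-03-01T08:00:00", "ws-03", "fs-02", "m.smith"),         # unrelated user activity
    Logon("2023-03-01T09:02:11", "vpn-gw", "ws-17", "j.doe"),           # initial access
    Logon("2023-03-01T10:14:32", "ws-17", "fs-02", "j.doe"),            # first hop
    Logon("2023-03-02T01:45:09", "ws-17", "admin-jump", "svc_backup"),  # admin box compromised
    Logon("2023-03-02T02:03:51", "admin-jump", "scada-hmi-01", "svc_backup"),
    Logon("2023-03-02T02:05:20", "admin-jump", "db-restricted", "svc_backup"),  # alert fired here
]


def inbound_by_host(logons: List[Logon]) -> Dict[str, List[Logon]]:
    """Index logons by destination host."""
    inbound: Dict[str, List[Logon]] = defaultdict(list)
    for logon in logons:
        inbound[logon.dst].append(logon)
    return inbound


def trace_back(alert_host: str, logons: List[Logon]) -> List[str]:
    """Walk backwards from the host that raised the alert to the entry point.

    Heuristic: at each host, take the most recent inbound logon that happened
    before the hop we already know about, and continue from its source. The
    walk stops at a host with no earlier inbound logon (the entry point) or
    when it would revisit a host. Returns the chain in chronological order.
    """
    inbound = inbound_by_host(logons)
    chain = [alert_host]
    current, cutoff = alert_host, None
    while True:
        candidates = [l for l in inbound.get(current, [])
                      if cutoff is None or l.ts < cutoff]
        if not candidates:
            break
        hop = max(candidates, key=lambda l: l.ts)
        if hop.src in chain:          # guard against logon loops
            break
        chain.append(hop.src)
        current, cutoff = hop.src, hop.ts
    chain.reverse()
    return chain


def affected_hosts(entry_host: str, since: str, logons: List[Logon]) -> List[str]:
    """Forward walk: every host reachable by a chain of logons from entry_host
    at or after `since`. These are candidates for the investigation phase,
    not confirmed compromises; each still needs host-level evidence."""
    outbound: Dict[str, List[Logon]] = defaultdict(list)
    for logon in logons:
        outbound[logon.src].append(logon)
    seen = {entry_host}
    frontier = [(entry_host, since)]
    while frontier:
        host, not_before = frontier.pop()
        for logon in outbound.get(host, []):
            if logon.ts >= not_before and logon.dst not in seen:
                seen.add(logon.dst)
                frontier.append((logon.dst, logon.ts))
    return sorted(seen - {entry_host})


if __name__ == "__main__":
    chain = trace_back("db-restricted", SAMPLE_LOGONS)
    print("attack chain:", " -> ".join(chain))
    # The entry point is the first element; the first internal host is the one after it.
    scope = affected_hosts(chain[1], SAMPLE_LOGONS[1].ts, SAMPLE_LOGONS)
    print("hosts to investigate before remediation:", scope)
```

The backward walk yields the chain vpn-gw, ws-17, admin-jump, db-restricted, so the door the intruders came through (here the VPN gateway) is identified before anything is blocked. The forward walk then lists every host the compromised accounts reached, including the administration machine that bridged the two segments. Both walks are deliberately simple heuristics: the most-recent-prior-logon rule can pick up a legitimate user's session, so each hop should be corroborated with process, credential or file artifacts from the host before it is added to the remediation list.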