Containing an incident often means disconnecting whole environments, but technology is giving IR teams more optimal choices.
A recent survey found 63% of Australians had been caught up in a cyber attack or data breach in the past year, with half finding themselves in more than one.
With ransomware and other types of attacks playing out so often in Australia and around the world, the cyber incident response playbook of victim organisations is becoming well known.
When an incident occurs, the first step by the victim organisation is often to call upon an incident responder who is trained in the art of shutting down an attack.
Step one in the incident response playbook for many organisations is to hit the โkillswitchโ in effect to take the service off the internet, or to completely shut down the website, application or environment being impacted. Although drastic, everyone knows the most secure system is the one thatโs unplugged
The reasons to do it when a cyber incident is suspected vary but include to prevent further contagion or spread of malware, to stop the threat actors from getting back in and covering their tracks, or to prevent something more destructive from being triggered by the attackers directly or via their command and control (C2) infrastructure.
Users of breached services would no doubt be familiar with this pattern. Particularly, if a ransomware infection is either suspected or confirmed, they understand the service will be pulled offline and may take weeks to fully recover and return. However, this choice is one CISOs and security teams would prefer not to make as it can be costly to have services shut down, in addition to handling the cyber incident at play.
A key effort in recent times has been to remove this false dichotomy, and not to force security leaders or their organisations to shut down or cut off services as the first stage of incident response.
This is no mean feat. When organisations find themselves in a bind with respect to a potential cyber incident, the standard reaction is to stick to the existing certified incident response processes and protocols, accepting that a shutdown is likely to be part of that. Certainly, when an incident happens is not the time to experiment or deviate from the playbook. However, over time, we anticipate that incident responders will adjust their playbooks as technology that can aid in the prevention of shutdowns becomes standardised in more organisations that they get called in to assist.
Such technology leverages stream processing and machine learning technology to allow organisations to mine insights about their security and operations from all the data in motion within the IT environment. It observes north-south (external-internal) and east-west (internal only) network traffic, and performs passive analysis on it, avoiding any packet disruption.
This passive, out-of-band deployment model serves to make the technologyโs operation undetectable, such that any threat actor that has managed to get inside of the network performing activities such as reconnaissance or escalation is unaware of the technologyโs presence. Ideally, that means the technology can determine whether or not an incident has occurred, and then characterise the blast radius – including where it is today and where it is moving to.
By surreptitiously identifying where the breach boundaries are, the affected systems can be quarantined while all other systems can stay running. With containment of only the systems that are directly impacted by attackers, the security team is able to narrow its recovery focus and prevent the rest of the environment becoming collateral damage in an organisation-wide shutdown of IT systems.
The emergence and widespread adoption of this technology is likely to become particularly prevalent in critical infrastructure sectors such as hospitals and healthcare. The health sector is a consistent target of ransomware groups and other threat actors, and incidents can and have been debilitating to service provision and serving patients.
In these environments, a full system shutdown and reversion to manual methods tends to be well-practised, yet itโs a trigger that operators would likely prefer not to have to pull. Their ability to change this situation, and to more effectively observe and isolate security incidents, depends on their ability to embrace emerging technology. Doing so promises to allow security teams to get in front of security threats, to detect incidents faster, and to contain them to ever-smaller subsets of their infrastructure.
