In the following guest post, Paul A. Ferrillo and Christophe Veltsos take a look at the next-level concepts companies should adopt to improve their data breach detection and response time, perhaps allowing them to kick attackers off their networks before bad things happen. Paul Ferrillo is a member of the Cybersecurity, Data Privacy & Information Management practice at Weil, Gotshal & Manges LLP, and a featured speaker at the upcoming Incident Response Forum on March 31, 2016, in Washington, D.C. Christophe Veltsos, PhD, CISSP, CISA, CIPP, GCFA, regularly teaches Information Security and Information Warfare classes at Minnesota State University. I would like to thank Paul and Christophe for their willingness to publish their article on this site. I welcome guest post submissions from responsible authors on topics of interest to this site’s readers. Please contact me directly if you would like to submit a guest post. Here is Paul and Christophe’s guest post.

From a cybersecurity perspective, 2016 is off to a rather turbulent start. High-profile Distributed Denial of Service (DDoS) attacks have disrupted large financial institutions. Significant ransomware attacks have paralyzed healthcare organizations. Major malvertising campaigns have been orchestrated against ostensibly “trusted” websites, spreading malware to unsuspecting visitors’ computers. One saving grace, perhaps, is that critical infrastructure, such as electrical grids or water supplies, has not yet been hit in 2016, though obviously it is imperative to proactively monitor and protect those systems.

Encouragingly, however, U.S. companies have taken some actions to improve their cybersecurity posture. As noted in the most recent FireEye M-Trends 2016[i] report (covering calendar year 2015), there has been an overall improvement in the time it takes for an organization to determine it has been breached. In 2015, this period was 146 days – a drop of 59 days from calendar year 2014, and a drop of 83 days from calendar year 2013. Just as importantly, companies are detecting a larger volume of breaches through internal monitoring efforts, which accounted for 50% of breaches in calendar year 2015. By contrast, in calendar year 2014, in almost 66% of breaches, companies were first notified externally (e.g., by law enforcement agencies such as the FBI or U.S. Secret Service) that they were breached.

Despite this marked improvement in detection time, 146 days still leaves more than enough time for a skilled attacker, who might need only three days after penetrating a network to gain administrative credentials. Such credentials would allow the attacker to move laterally around the network and cause significant financial, structural, and reputational damage. Taken to the extreme, as we saw from the Hollywood Presbyterian Medical Center case, a sophisticated ransomware attack can actually have life or death consequences.

This bleak picture in no way implies that companies should give up the ghost. As we noted in our book, “Navigating the Cybersecurity Storm: A Guide for Directors and Officers,” [ii] companies should adopt some next-level concepts to improve breach detection/response time to the point that companies might be able to kick attackers off their network before bad things happen.

The Importance of Process – the NIST Cybersecurity Framework

The National Institute of Standards and Technology’s Cybersecurity Framework (the “Framework”)[iii] helps address an issue many companies face: a lack of communication, or at the very least a disconnect in the flow of communication, between the company’s IT professionals and the company’s directors and officers. The Framework distills complex cybersecurity terms into a common, understandable language that enables and encourages executives to participate in cybersecurity discussions. For the organization just beginning to grapple with cybersecurity concepts, the Framework is a starting point. For a more advanced organization, use of the Framework serves to demonstrate that the organization adheres to best practices and “has its act together,” and continuously reviews and seeks to improve its response to new cyber-threats.

The Framework centers upon five core principles, “Identify, Protect, Detect, Respond, and Recover.” In this piece, we will focus on the “Protect” and “Detect” elements, easily summed up in two questions:

  • What are organizations doing to protect their most critical IP or customer data?
  • What mechanisms are in place to detect a network incursion seeking to steal such data?

It is important to note that there are no “silver bullets” when it comes to protection, other than perhaps encryption, which is not widely used today. Protection via network segmentation and micro-segmentation is more widely used, for example, through next generation firewalls. However, this is not enough.

Most recently, many corporations have turned to non-signature-based intrusion detection and prevention hardware. This hardware attempts to detect malware based on network anomalies (e.g., spikes in network activity or abnormal access attempts), which might signal that something other than “standard operations” is occurring. An alert would then pop up for the company’s incident response team (IRT) to investigate. Whether the IRT can intervene in time, disrupt the attack, and prevent the attacker from gaining a foothold in the network is then the million-dollar question.

While the Framework itself isn’t an advanced technological solution, when used regularly and continuously (e.g., quarterly, as we advise clients to do) to stimulate thorough and engaging discussions on cyber-threats, it is “next level” in the truest sense of the term. Without involvement and guidance from all levels of a company, incident response feels more like “seat of the pants” cybersecurity: a high-wire act performed without a safety net. We think the Framework is a great safety net for both large and small companies.

The Importance of Cybersecurity Assessments

Cybersecurity assessments are very much like your annual healthcare checkup. You might not like it. You might not like the 12-hour fast the night before you report for bloodwork. But ultimately you are glad you did it.

There are two general types of cybersecurity assessments: vulnerability assessments and penetration testing. Vulnerability assessments are general assessments of a network designed to find flaws in the network, network applications, or the environment in which the network rests. Vulnerability assessments are useful, but they are not the be-all and end-all because they are most often aimed at “known” problems, such as missing software patches. If a problem is not yet known, it will never be detected by such an assessment. Yet this as-yet-unknown vulnerability could be the major hole by which an attacker gains a foothold to disrupt, if not wipe out, a network.

In a penetration test, the tester tries to take advantage of known vulnerabilities in a particular network system or application that can later be leveraged to accomplish something else. A penetration test might be aimed at employees (e.g., using social engineering) or at a particular system or device. It can be difficult to distinguish between the two types of assessment. Think of the penetration test as a pre-planned test of a known problem to see if your network could potentially be hacked. It is like knowing the train is coming down the tracks, and waiting at the crossing gates for it to arrive.

Taking it to the Next Level – Red Teaming Your Incident Response Teams

Today, more sophisticated organizations are “red-teaming” their IRTs and their security operation centers. What is the difference between a penetration test and red-teaming? Unlike the penetration test, with red-teaming, you do not know whether the train is coming down the tracks. The red-team – a team of highly skilled cyber forensic consultants – attacks your network, using every trick in the book, for several days and possibly weeks.

The red-team drill is as realistic as possible, and is designed to test every skill of your IRT by mimicking the abilities of the most highly skilled attacker. The red team is likely to win the first few rounds, but over time, the goal is for a company’s IRT to learn from its mistakes (or omissions) and ultimately detect and repel the attackers. While there is an expense involved in red-team drills, great value can be gained from them: red-team drills allow a company to see how all aspects of its incident response plan (the hardware, the technology employed, and the people employed) work together; and, most importantly, a well-trained IRT can hunt down potentially lethal incursions before they do damage.

Very “Next Level” Stuff – Security Automation and Orchestration

Today, a major issue faced by even well-trained incident responders is the vast amount of information and alerts they have to sift through, the result of technological solutions from different vendors that are often not properly integrated with each other. While large multinational companies or investment banks may have the financial and HR means to hire enough responders, for other companies that is not the case. For the average company, resources are finite, both in terms of hardware and people. And as the trickle-down theory of the cyber-crime economy continues to bring more cyber-attackers to the table, the result is likely even more chatter, more alerts, more incursions, and potentially more breaches generated by intruders.

Fortunately, here comes the cavalry: Security Automation and Orchestration (SAO). SAO is a tool that brings all your other information streams together (like your firewall, your intrusion detection systems, and threat intelligence feeds) and processes them at network speed, sifting through thousands of alerts to find the more actionable, threatening ones. SAO then responds to the more threatening ones in two different ways: (1) by taking corrective action itself (e.g., sealing off a port or diverting traffic), and (2) by directing incident response personnel to respond to the actionable alert. SAO does not replace the human responder. It helps the human responder deal with a large volume of alerts and hopefully provides more time to focus on the “higher impact” alerts. It gives the responder time to process what is going on, and hopefully react quickly enough that the IRT can kick the attacker off the network before harm is done. SAO is now state-of-the-art, and there are several well-known companies offering this service.
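To make the two-way SAO response concrete, here is an added illustration (not code from the authors or from any SAO product) of the core loop: alerts from a firewall, an IDS, and a threat intelligence feed are correlated per source address, scored, and then either contained automatically, escalated to the IRT, or merely logged. The alert records, the indicator feed, the scoring weights, and the rule that automated blocking requires a threat-intel match are all constructed assumptions for the example.

```python
from collections import defaultdict

# Constructed sample alert streams (not real data); IPs are from RFC 5737 documentation ranges.
FIREWALL_ALERTS = [
    {"src": "203.0.113.9", "action": "deny", "dst_port": 445},
    {"src": "203.0.113.9", "action": "deny", "dst_port": 3389},
    {"src": "198.51.100.4", "action": "deny", "dst_port": 22},
    {"src": "192.0.2.77", "action": "allow", "dst_port": 443},
]
IDS_ALERTS = [
    {"src": "203.0.113.9", "signature": "anomalous SMB enumeration", "severity": 4},
    {"src": "198.51.100.4", "signature": "SSH brute-force pattern", "severity": 3},
    {"src": "192.0.2.77", "signature": "unusual outbound volume", "severity": 2},
]
THREAT_INTEL = {"203.0.113.9": "listed as active C2 infrastructure"}  # constructed feed entry

TI_WEIGHT, DENY_WEIGHT = 5, 1            # scoring weights: assumed, tune to your environment
AUTO_BLOCK_SCORE, ESCALATE_SCORE = 8, 4  # thresholds: assumed for this example

def correlate(firewall_alerts, ids_alerts, threat_intel):
    """Merge the three streams per source IP into one record with a single risk score."""
    records = defaultdict(lambda: {"score": 0, "reasons": []})
    for a in firewall_alerts:
        if a["action"] == "deny":           # allowed flows are not evidence by themselves
            rec = records[a["src"]]
            rec["score"] += DENY_WEIGHT
            rec["reasons"].append(f"firewall deny to port {a['dst_port']}")
    for a in ids_alerts:
        rec = records[a["src"]]
        rec["score"] += a["severity"]       # IDS severity feeds the score directly
        rec["reasons"].append(f"IDS: {a['signature']}")
    for ip, rec in records.items():
        if ip in threat_intel:              # external indicator corroborates internal signals
            rec["score"] += TI_WEIGHT
            rec["reasons"].append(f"threat intel: {threat_intel[ip]}")
    return dict(records)

def triage(records):
    """Decide, per IP, between automated containment, escalation to the IRT, or logging only."""
    actions = {}
    for ip, rec in records.items():
        corroborated = any(r.startswith("threat intel") for r in rec["reasons"])
        if rec["score"] >= AUTO_BLOCK_SCORE and corroborated:
            actions[ip] = "block"       # corrective action: seal off the source at the firewall
        elif rec["score"] >= ESCALATE_SCORE:
            actions[ip] = "escalate"    # hand the correlated context to a human responder
        else:
            actions[ip] = "log"         # low-value noise: record it, do not page anyone
    return actions

if __name__ == "__main__":
    recs = correlate(FIREWALL_ALERTS, IDS_ALERTS, THREAT_INTEL)
    for ip, action in triage(recs).items():
        print(f"{ip:15} {action:9} score={recs[ip]['score']}  " + "; ".join(recs[ip]["reasons"]))
```

Requiring an external corroborating indicator before the tool acts on its own keeps a single noisy sensor from triggering automated containment, which is the kind of guard rail a responder would want before letting SAO seal off traffic unattended.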

In today’s cyber-ecosystem, it is important to be a student of history, and in cybersecurity, history is not measured in years but in months. In the many months since the Target breach, history has taught us that every second counts in incident response. Take advantage of the next-level trends we discussed above in order to gain back the seconds you need to successfully defend your network.

[i] See here.

[ii] See here.

[iii] See here.