Incident response (IR), by definition, happens after an incident occurs. By simple extension it is also fair to say the IR Team shows up on site (or convenes if it is an internal response) behind the power curve. The event that precipitates the incident response is the catalyst, and in the first few hours (or longer) that may be all that is known until boots hit the ground and more investigative activity happens. In a typical IR situation, the team immediately works to profile the incident – its breadth and extent – to answer the “how bad is it” question. This investigative activity fans out as the search continues, usually broadening as elements of the compromise are uncovered, and could include deploying new sensors to gather data, isolating areas of the network, reverse engineering, guided forensic sleuthing and plenty more processes. It can be a time-consuming process – looking at the SANS 2016 Incident Response Survey, 29% of respondents noted remediation happened within 2 – 7 days. Another 38% indicated a significantly longer time period. The time to detection, the length of time the intruder was present (dwell time) and the breadth of the incident were all key factors that lengthened the response times. The same survey repeated a critical point: the use of intelligence, specifically threat intelligence (TI), could drive down response and remediation times.
In fact, respondents in the SANS Survey were keen to note how they tackled their use of threat intelligence. Commercial and open feeds played the major note, with a minor note about internal information complementing them. The response, sadly, still shows the continued primitive state of affairs. This woeful outlook is in part why we crafted an Intelligence-Driven Incident Response course. Intelligence gained from TI, physical security, the travel program and dozens of other sources should provide the ability to wield incident response like a scalpel, just as the tools that make a surgeon successful give equivalent insight and direction. To play that role, intelligence must be integrated with IR and not called on as an afterthought.
As a case example, a large body of intelligence exists that can be collected before landing on location to begin the response. Table 1 provides some examples. With this amount of refined information in hand, response takes a more insightful turn.
Table 1: Examples of Intelligence to collect prior to landing
- Business line relationships
- Recent media interactions or announcements
- Positive or negative social sentiment
- Public exposure of information
- Physical security events
- Travel activity and events
- Loss or acquisition of assets
- Threat intelligence on adversaries, black marketers, and services/software
- Publicly exposed infrastructure
It’s worth noting that if an internal TI team exists it should be collecting most, if not all, of this information and piping it to the security operations center (SOC) or maintaining it in a threat repository.
Let’s take one of these examples to go spelunking. Given a situation where an incident occurs, a sample of the two weeks or even 30 days of media interactions prior to it could carry investigative weight. Unpopular public statements might be key elements to understanding why a DDoS incident or intrusion occurred. A business partner that was recently victimized by malware, or who has published information about an incident in their POS machines, could offer insight as to why the same event occurred. The same might apply for a company publicizing a merger – simple recon by the adversary might have led them to exploit a particular avenue of entry, e.g. acquisition of domains decommissioned by the newly merged company, used to gain a foothold for malware. The advantage of this intelligence should be obvious – it can fast-track the IR Team to the right path to identify, isolate and then mitigate the incident.
Even when the team is on site and the incident response begins, intelligence continues to demonstrate its value. Beyond the broad, high-level tiers lie the focused ones, especially those tied to adversaries. TI can provide details on observed ongoing or historical activity by tracked adversaries. Matching or related patterns might reveal links or signal a change in behavior by a threat actor. A dive into phishing activity might open up the pathway of infection and shrink the time necessary to discover how and what the adversary used to gain entrance. Table 2 shows more examples of additional information threat intelligence can bring to bear on the incident.
Table 2: Examples of intelligence TI can provide to speed IR
- Phishing campaigns, failed and successful
- Adversary-employed malware (vs or against market vector)
- Observed recon or impersonation activity
- Public or private reporting of related activity
- Adversary TTPs
- Public exposure of people, processes or intellectual property
- Malicious or suspicious travel-related activity
- Extortion or threats by activists
The staples of threat intelligence are still available to focus the IR investigation. TI has a range of analytics and a storehouse of correlated information that can be focused on data discovered by the IR team. A revealed command and control (C2) IP is a pivot that could expose linked DNS infrastructure and ultimately determine the extent of the attack. An understanding of commands executed on client systems can fingerprint known adversaries or link previously unidentified ones. It can also speak to the sophistication of the adversary team or what they were targeting. The data exfiltrated can be a hint to the adversary’s goals and provide TI avenues to investigate for trafficking in or sale of that information. Equally, the threat of black marketers should never be underestimated. These middlemen are a special type of adversary, who routinely solicit, sell and set up backdoors into networks; services to gain entry or shut down networks (DDoS); records of data; and more. Leveraged properly, TI can play a powerful function in determining the nature of the incident and its mitigation.
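The C2 pivot described above, as an added example that is not part of the original post: starting from one IP the IR team has already confirmed, walk a passive-DNS store to find linked domains and the other IPs they resolved to, then match that expanded set against the victim's proxy log to scope which hosts were affected. All records, log lines, hostnames and addresses below are constructed for illustration (documentation ranges), not real indicators.

```python
from collections import deque

# Constructed passive-DNS records: (domain, resolved IP, first seen).
PASSIVE_DNS = [
    ("update-cdn.example", "198.51.100.23", "2016-03-01"),
    ("update-cdn.example", "203.0.113.77", "2016-04-10"),
    ("sync-portal.example", "203.0.113.77", "2016-04-12"),
    ("legit-news.example", "192.0.2.5", "2016-01-01"),  # unrelated traffic
]

# Constructed proxy log lines from the victim environment.
PROXY_LOG = [
    "2016-05-02T10:01:00 host=ws-017 dst=198.51.100.23 sni=update-cdn.example",
    "2016-05-02T11:30:00 host=ws-042 dst=203.0.113.77 sni=sync-portal.example",
    "2016-05-02T12:00:00 host=ws-099 dst=192.0.2.5 sni=legit-news.example",
]


def pivot(seed_ip, records, max_hops=3):
    """Breadth-first pivot IP -> domain -> IP -> ... through passive DNS.

    max_hops caps the walk: shared hosting or CDN addresses fan out to
    unrelated domains quickly, so every hop beyond the seed should be vetted
    by an analyst before it is treated as adversary infrastructure.
    """
    ips, domains = {seed_ip}, set()
    frontier = deque([("ip", seed_ip, 0)])
    while frontier:
        kind, value, hop = frontier.popleft()
        if hop >= max_hops:
            continue  # keep the node but do not expand it further
        for domain, ip, _first_seen in records:
            if kind == "ip" and ip == value and domain not in domains:
                domains.add(domain)
                frontier.append(("domain", domain, hop + 1))
            elif kind == "domain" and domain == value and ip not in ips:
                ips.add(ip)
                frontier.append(("ip", ip, hop + 1))
    return ips, domains


def affected_hosts(log_lines, ips, domains):
    """Return internal hosts whose proxy traffic touched any pivoted indicator."""
    hosts = set()
    for line in log_lines:
        fields = dict(f.split("=", 1) for f in line.split()[1:])  # skip timestamp
        if fields.get("dst") in ips or fields.get("sni") in domains:
            hosts.add(fields["host"])
    return hosts


def scope_incident(seed_ip, records=PASSIVE_DNS, log_lines=PROXY_LOG, max_hops=3):
    ips, domains = pivot(seed_ip, records, max_hops)
    return {"ips": ips, "domains": domains,
            "hosts": affected_hosts(log_lines, ips, domains)}
```

With the seed 198.51.100.23, the walk reaches the second address and the second domain, and the log match shows two workstations rather than the one the seed alone would have revealed.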
Incident response can (and does) happen without intelligence playing a part. The differentiator with intelligence, especially TI, is the ability to enhance the IR process, shortening response and mitigation times while answering questions more fully and accurately. When the incident ends and the mitigation occurs, the answers to the questions of “why me”, “what’s the fallout” and “who did this” are still required. TI can usually provide some answers to these questions, even if only in part, as TI analysts have a handle on the pulse of events beyond the single incident. That insight can unquestionably play a powerful part in intelligence-driven IR activity.