Incident response (IR), by definition, happens after an incident occurs. By simple extension it is also fair to say the IR Team shows up on site (or convenes if it’s an internal response) behind the power curve. The event that precipitates the incident response is the catalyst and in the first few hours (or longer) that may be all that is known, until boots hit the ground and more investigative activity happens. In a typical IR situation, the team immediately works to profile the incident – its breadth and extent – to answer the “how bad is it” question. This investigative activity fans out as the search continues, usually broadening as elements of the compromise are uncovered and could include deploying new sensors to gather data, isolating areas of the network, reverse engineering, guided forensic sleuthing and many more processes. It can be a timely process; looking at the SANS 2016 Incident Response Survey, 29% of respondents noted remediation happened within 2 – 7 days. Another 38% indicated a significantly longer time period. The time to detection, the length the intruder was present (dwell time) and breadth of the incident were all key factors that lengthened the response times. From the same 2016 survey was a critical point: use of intelligence, specifically threat intelligence (TI) could drive down response and remediation times. That means building an intelligence-driven response strategy works.
Respondents in the SANS Survey1 were keen to note how they tackled their use of threat intelligence. Commercial and open feeds played the major note with a minor, complimenting note about internal information. The response shows the continued primitive state of affairs. This woeful outlook is in part why we crafted an Intelligence-Driven Incident Response course. Intelligence should provide the ability to wield incident response like a scalpel and, like the tools that make a surgeon successful, give equivalent insight and direction. To play that role, it has to be integrated with IR and not called on as an afterthought. A large body of intelligence exists that can be collected before landing on site to begin the response. Table 1 provides some examples of that intelligence. With this amount of information in hand, response takes a more insightful turn.
Table 1: Examples of Intelligence to collect prior to landing
- Business line relationships
- Recent media interactions or announcements
- Positive or negative social sentiment
- Public exposure of information
- Physical security events
- Travel activity and events
- Loss or acquisition of assets
- Threat intelligence on adversaries, black marketers, and services/software
- Publicly exposed infrastructure
It’s worth a note that if an internal TI team exists it should be collecting most, if not all of this information and piping it to the security operations center (SOC) or maintaining intelligence in a threat repository.
Take a two-week or even 30-day evaluation of media interactions. Unpopular public statements might be key elements to understanding why a DDoS incident or intrusion occurred. A business partner that was recently victimized by malware or who has published information about an incident in their POS machines could be insightful to why the same event occurred. The same might apply for a company publicizing a merger – simple recon by the adversary might have led them to exploiting a particular avenue of entry, e.g. acquisition of domains decommissioned by the newly merged company used to gain a foothold for malware. The advantage of this intelligence should be obvious – it can fast track the IR Team to the right path to identify, isolate and then mitigate the incident.
Even when on site and the incident response begins, intelligence continues to demonstrate its value. Beyond the broad, high level tiers lay the focused ones, especially those tied to adversaries. TI can provide details on observed ongoing or historical activity by tracked adversaries. Matching or related patterns might reveal links or signal a change in behavior by a threat actor. A dive on phishing activity might open up the pathway of infection and shrink the time necessary to discover how and what the adversary used to gain entrance. Table 2 shows more examples of additional information threat intelligence can bring to bear.
Table 2: Examples of intelligence TI can provide to speed IR
- Phishing campaigns, failed and successful
- Adversary employed malware (vs or against market vector)
- Observed recon or impersonation activity
- Public or private reporting of related activity
- Adversary TTPs
- Public exposure of people, processes or intellectual property
- Malicious or suspicious travel-related activity
- Extortion or threats by activists
The staples of threat intelligence are still available to focus the IR investigation. TI has a broad range of analytics and correlated information that can be focused on discovered data. A revealed command and control (C2) IP is a pivot that could reveal linked DNS infrastructure and ultimately determine the extent of the attack. An understanding of commands executed on client systems can fingerprint known adversaries or link previously unidentified ones. It can also speak to the sophistication of the adversary team or what they were targeting. The data ex-filtrated can be a hint to the adversary’s goals and also provide TI avenues to investigate for trafficking in or sale of that information. The threat of black marketers should never be underestimated. These adversaries routinely solicit, sell and setup backdoors into networks, services to gain entry or shut down networks (DDoS), records of data, and more. Leveraged properly, TI can play a powerful function in determining the incident and its mitigation.
Incident response can (and does) happen without intelligence playing a part. The differentiator with intelligence, especially TI, is the ability to enhance the IR process, shortening response and mitigation times, while answering questions more fully and accurately. When the incident ends and the mitigation occurs, the answers to the questions of “why me”, “what’s the fall out” and “who did this” are still required. TI can usually provide some answers to these questions, even if only in part, as they have a handle on the pulse of events beyond the single incident. That insight can unquestionably play a powerful part in intelligence-driven IR activity.