October is Cyber Security Awareness Month, which is a great opportunity for companies and individuals to review and improve their cyber security processes and knowledge. At Nettitude, we will be releasing a new blog post every week of Cyber Security Awareness Month on our latest cyber security research, as well as our insights on the latest industry news and trends. We hope you’ll find them helpful, and as always please contact us with any questions.
+++
The words ‘cyber security incident’ bring up visceral memories such as the CapitalOne breach of 2019 and the Equifax breach of 2017. The Equifax breach in 2017 went unnoticed for well over a month and potentially longer. CapitalOne’s breach occurred in March 2019 and was not announced until July 2019.
According to the Ponemon Institute’s 2018 Cost of a Data Breach Study, the average detection time for a breach is 197 days. Breaches like these left many people asking, “How could this happen?” and “How did they not notice for so long?” How can such giants of their industries not notice the compromise of their systems for months at a time? What can the rest of us do that they couldn’t?
The answer: a lot more than you believe.
The anatomy of a cyber security incident
Incidents happen all the time, whether intentional or incidental (or whether you believe them to be happening or not). Recognizing them as cyber security incidents, as opposed to another sort of incident, is just as key as responding to and recovering from them.
Cyber security incidents don’t just encompass breaches by external threat actors. They can also be accidental or malicious actions by insiders, leading to the weakening or undermining of existing security controls. According to the FBI, a cyber [security] incident is defined as “an event that could jeopardize the confidentiality, integrity, or availability of digital information or information systems.”
With such a broad definition, the scope of what is classified as a cyber security incident is wide. Today, we’ll be focusing on four specific activities that, regardless of infrastructure or industry, can happen and should be looked out for as a starting point for identifying cyber security incidents:
- Attempts to gain unauthorized access to a system and/or to data.
- The unauthorized use of systems for the processing or storing of data.
- Changes to a system's firmware, software or hardware without the system owner's consent.
- Malicious disruption and/or denial of service.
For each of these activities, here are 5 different ways to detect an incident that’s underway.
1) Network Logging and Monitoring
Using a SIEM to monitor your network and aggregate all of your logs and information into a single pane of glass will give you insight into your environment. Establishing a baseline of events in your environment and investigating abnormalities in those events can help you identify potential incidents and act on them quickly.
- By knowing what’s normal in your environment, you can begin to run specific queries for abnormal events, like new services being started up or a single login attempt from every account in your environment in a single minute.
- If logs suddenly stop for an endpoint or device, it may indicate that someone has interfered with the logging or the device itself; it’s time to investigate.
- Conversely, excessive activity from any endpoint can indicate attempts at compromise.
- If you don’t have a SIEM, log readers and aggregators exist which will allow administrators to read computer logs and know if there’s some mishap.
2) Cyber Security Alerts
Easy to automate and configure, but difficult to perfect, alerts are the preferred way for many security professionals to be notified of abnormalities on the network, especially when threat hunting is not always an option.
- Create alerts for new administrator account creations and various types of privilege escalation.
- Establish appropriate thresholds for your environment and create alerts for issues such as excessive failed login attempts, excessive data exfiltration, or attempts to log into a secure data source by an unauthorized user.
- Further refinement of existing alerts can cut out white noise and let your team focus on the actual threats, reducing alert fatigue and sharpening focus.
3) Network Audits
This word often sends a chill up the spine of a system administrator, but audits have their place in securing your environment. The intention behind audits is to ensure controls and processes are functioning as expected. This means ensuring that your organization is adhering to concepts like least privilege, change control, and proper asset management.
- Conduct an annual user access rights review: check for users with unneeded elevated privileges, and delete (or disable) obsolete accounts so they can’t be compromised or leveraged.
- Review firewall rules and remove unneeded rules.
- Check activities of all administrators for unauthorized changes to systems, programs, or other accounts, especially if your security stack has been modified in any way.
- Review configuration logs or change management reports, and ensure that changes were completed properly and match the expected outputs.
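The access rights review and the administrator change checks in the list above can be scripted against a directory export and a change log. This is an added example, not code from the original post; the record layouts, account names, group name, ticket identifiers and the 90-day idle limit are assumptions, and all sample data is constructed.

```python
from datetime import date

# Constructed directory export: account -> (enabled, last_login, groups)
ACCOUNTS = {
    "alice":    (True,  date(2019, 9, 28), {"Domain Admins"}),
    "bob":      (True,  date(2019, 9, 30), {"Users"}),
    "carol":    (True,  date(2019, 9, 12), {"Users", "Domain Admins"}),
    "old_temp": (True,  date(2018, 11, 2), {"Users"}),
    "svc_old":  (False, date(2018, 6, 1),  {"Users"}),
}
APPROVED_ADMINS = {"alice"}            # assumed result of the last access review
PRIVILEGED_GROUPS = {"Domain Admins"}  # assumed privileged group

# Constructed administrator change log and approved tickets (ticket -> target).
CHANGES = [
    {"admin": "alice", "target": "fw01", "action": "rule_removed", "ticket": "CHG-101"},
    {"admin": "carol", "target": "av-console", "action": "policy_disabled", "ticket": None},
    {"admin": "alice", "target": "db01", "action": "patch", "ticket": "CHG-999"},
]
TICKETS = {"CHG-101": "fw01", "CHG-102": "db01"}

def stale_enabled(accounts, today, max_idle_days=90):
    """Enabled accounts with no login inside the idle limit: candidates to disable."""
    return sorted(name for name, (enabled, last, _) in accounts.items()
                  if enabled and (today - last).days > max_idle_days)

def unapproved_privilege(accounts, approved, privileged):
    """Enabled accounts in a privileged group that the review did not approve."""
    return sorted(name for name, (enabled, _, groups) in accounts.items()
                  if enabled and groups & privileged and name not in approved)

def unauthorized_changes(changes, tickets):
    """Changes with no ticket, an unknown ticket, or a ticket for another target."""
    return [c for c in changes if tickets.get(c["ticket"]) != c["target"]]

if __name__ == "__main__":
    today = date(2019, 10, 1)
    print("stale:     ", stale_enabled(ACCOUNTS, today))
    print("privileged:", unapproved_privilege(ACCOUNTS, APPROVED_ADMINS, PRIVILEGED_GROUPS))
    for c in unauthorized_changes(CHANGES, TICKETS):
        print("unmatched: ", c["admin"], c["action"], c["target"], c["ticket"])
```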
4) Publicly available information
Not all incidents are visible or have glaring red flags. Cyber criminals generally aim to stay unnoticed so they can stay in your environment longer to conduct reconnaissance or steal information. Sometimes it is not enough to just know your environment or set up alerts; experienced cyber criminals will try to study your techniques and work to hide themselves from you. As they say: you don’t know what you don’t know. So the next step is to find information from external resources.
Professional threat hunters and analysts will publish articles and findings of new vulnerabilities that will give you insight into your own environment, especially if you didn’t realize these vulnerabilities were being exploited. Keeping up to date with the newest exploits and vulnerabilities will allow you to plug holes you didn’t know existed, cutting off criminals from their resources and allowing your team to notice abnormalities as a result.
- Regularly check for system updates and apply them after testing.
- Subscribe to a trusted source for vulnerability notifications.
- Participate in information-sharing forums like ISACA.
5) Users
The final, and probably most important but volatile resource, is your users.
Users are often known as the weakest link in cyber security, but they can be your strongest assets in identifying and addressing cyber security incidents immediately. Algorithms and alerts can be fooled or misconfigured, malware can adapt to signature-based anti-malware, attackers can disable tools; the list goes on. Training users to report events out of the norm, and to recognize and report incidents as they happen, is a long and arduous process, but one which yields great rewards.
Often, the fear of getting into trouble with management, of being accused of being the perpetrator, or simply not knowing who to report these events to prevents users from alerting you to things they have noticed as out of the ordinary. Proper education turns this weak link into a powerful fence against attacks. You should:
- Educate users on their part in mitigating cyber security incidents and reporting suspicious or unexpected activity.
- Follow up on user concerns and take them seriously; minor inconveniences that seem benign (e.g. slower access to a well-used system; an unexpected lockout, etc.) may actually be the symptom of a more complicated attack.
- Encourage the reporting of events by users either through gamification, rewards, or acknowledgement.
These are just some of the basic methods for identifying cyber security incidents. Of course, resources are required to build out these practices, and even more are required to refine them. However, leaving an environment unsecured and unchecked is not an option for many organizations, especially for those that house sensitive data, have compliance requirements, etc. Leveraging an existing service such as Nettitude’s SOC and IR will provide the protections required to ensure that, in the case of a cyber security incident, you’ll be notified and can take action in far less than the average 197 days.
Contact us to learn more about how Nettitude’s SOC and IR services can protect you from and prepare you for any cyber security incidents.