Four major obstacles preventing effective incident response

The threat posed by modern cyber attacks is well documented. These days, all but the most naïve organisations understand the importance of robust cyber defences. However, despite a sharp rise in the number of solutions available to aid the discovery of imminent or ongoing attacks, there’s still a surprising lack of options when it comes to helping security professionals respond effectively to the attacks they find.

At present, even after discovery it still takes an average of 50 to 60 days for a security incident to be fully contained. This leaves ample time for attackers to move around the network at will, stealing data and even creating new backdoors to use at a future date. So why does it take so long to contain a threat? The answer almost always lies in an organisation’s data analytics capabilities. The first stage of any Incident Response (IR) is to gather all pertinent data together, which can usually be done quite quickly. The real challenge, however, comes in putting that data together in a meaningful way. Until you can make sense of all the available information, you can’t shut down the attack. This remains the Achilles’ heel for many organisations today.

When examined more closely, there tend to be four established areas that the majority of organisations’ IR teams struggle in, preventing them from responding more efficiently to threats:

1. Skills shortage

The global shortage of skilled security experts isn’t new, but it continues to affect organisations on a daily basis. Many simply cannot recruit the brains and bodies required to investigate and analyse security incidents properly. Worryingly, recent estimates by industry association (ISC)² suggest that the problem is going to get dramatically worse, with the global shortfall of cyber security experts expected to increase 20 per cent to 1.8 million by 2022. Many organisations attempt to get around this by employing consultants as and when necessary, but consultancies aren’t immune to the global personnel shortage either. As a result, they are not only extremely expensive to hire, but they may not be able to properly staff projects on short notice, causing further problems.

The answer to this ongoing issue lies in automation, which can be used to amplify and guide existing security analysts within an organisation. Automating tasks such as data gathering, timeline creation, and reputation and context lookups can significantly cut workloads and reduce response times dramatically. It can also make employees more efficient by eliminating some of the most tedious, repetitive parts of an incident investigation.

2. Poor log keeping

It’s impossible to properly analyse forensic information if it doesn’t exist. Despite this, it’s amazing how many organisations fail to accurately log the critical information needed to carry out an effective incident response. For example, if only failed logon attempts are recorded, there would be no way of tracking attackers who enter the network using compromised, but legitimate, credentials.

At the bare minimum, organisations should log both successful and unsuccessful logons at every endpoint, changes or additions to user or group accounts, process creation and termination, and PowerShell logs. From a network perspective, proxy logs, DNS queries and NetFlow information should also be recorded, as these all represent important historical data sources in any IR process.

3. Ineffective teamwork

Most IR teams traditionally track notes and data in a shared document, then use instant messenger tools to discuss their findings. But the problem with using this approach for many of today’s incidents is that the sheer scale of the IR means there are often many experts working across different locations and time zones, making effective, real-time collaboration very difficult. When the daytime IR analysts go home and the night shift arrives, they need to be able to quickly see what their colleagues have been working on. When this information resides solely in a spreadsheet, it makes it harder to hand over to the next team. A laborious handover process can significantly slow down the whole IR process and increase the likelihood of something critical being missed.

Fortunately, dedicated tools are now available to help IR teams collaborate, share information and respond much more effectively. These tools provide a notebook function to share and update information in real time, as well as the ability to timestamp important data to create a forensic timeline and ensure smooth, efficient handovers.
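The timeline creation mentioned under point 1, the logging minimums under point 2 and the cross-time-zone handover problem above all come together in one task: normalising records from several sources to a single clock and pivoting on the account or host under investigation. The following is an added example, not code from the article or from Exabeam; the log records, hostnames, addresses and the proxy appliance's UTC-5 clock are all constructed assumptions.

```python
"""Merge heterogeneous IR log sources into one UTC-ordered forensic timeline."""
from datetime import datetime, timedelta, timezone

UTC = timezone.utc
PROXY_TZ = timezone(timedelta(hours=-5))  # assumption: proxy writes naive local time (UTC-5)

# Constructed sample records (not from the article): three sources, three timestamp styles.
AUTH_LOG = [  # endpoint logons, ISO-8601 with offset, both outcomes recorded
    {"ts": "2023-03-01T02:15:07+01:00", "host": "ws-042", "user": "j.doe",
     "outcome": "failure", "src": "10.8.1.23"},
    {"ts": "2023-03-01T02:15:31+01:00", "host": "ws-042", "user": "j.doe",
     "outcome": "success", "src": "10.8.1.23"},
]
DNS_LOG = [  # resolver log, epoch seconds, no user field
    {"epoch": 1677633346, "client": "10.8.1.23", "query": "cdn-update.example"},
]
PROXY_LOG = [  # proxy log, naive local time in PROXY_TZ
    {"local": "2023-02-28 20:15:52", "client": "10.8.1.23", "user": "j.doe",
     "url": "http://cdn-update.example/p"},
]


def build_timeline(auth=AUTH_LOG, dns=DNS_LOG, proxy=PROXY_LOG):
    """Normalise every record to (utc_time, source, src_ip, description), sorted by time."""
    events = []
    for r in auth:
        ts = datetime.fromisoformat(r["ts"]).astimezone(UTC)
        events.append((ts, "auth", r["src"], f"{r['outcome']} logon {r['user']}@{r['host']}"))
    for r in dns:
        ts = datetime.fromtimestamp(r["epoch"], tz=UTC)
        events.append((ts, "dns", r["client"], f"query {r['query']}"))
    for r in proxy:
        local = datetime.strptime(r["local"], "%Y-%m-%d %H:%M:%S").replace(tzinfo=PROXY_TZ)
        events.append((local.astimezone(UTC), "proxy", r["client"], f"{r['user']} GET {r['url']}"))
    return sorted(events, key=lambda e: e[0])


def activity_after_logon(timeline, user):
    """Everything seen from the source IP of the user's first successful logon, from then on.

    If only failed logons were logged there is no anchor event, so nothing can be
    attributed to the session and the result is empty: the point made under "Poor log keeping".
    """
    anchor = next((e for e in timeline if e[1] == "auth"
                   and e[3].startswith(f"success logon {user}@")), None)
    if anchor is None:
        return []
    return [e for e in timeline if e[2] == anchor[2] and e[0] >= anchor[0]]
```

Running `build_timeline()` on the constructed records orders the events as auth failure, auth success, DNS query, proxy request even though no two sources agree on a timestamp format; dropping the success record (as a failures-only logging policy would) makes `activity_after_logon` return nothing for the account.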

4. Inability to access important information at scale

Some information that’s useful in an IR scenario can be difficult to access at scale. For example, in smaller investigations, access to a full disk image of a single user's workstation can be very helpful when looking for indicators of compromise or identifying malware. However, in larger investigations involving hundreds, or even thousands of endpoints, getting a disk image from every single one is close to impossible. Even if it could be done, the amount of information collected could take weeks, months or even years to analyse effectively, making it extremely inefficient.

This challenge can often be overcome using centralised logging, making the whole process much easier to scale. Additional endpoint technologies such as Carbon Black and Mozilla InvestiGator can also be used to help gather the information needed for IR across a large number of endpoints.

Despite the growing market for security solutions that help organisations to identify ongoing or potential cyber attacks, there is still a significant lack of assistance out there when it comes to actually dealing with them. The four challenges above are some of the biggest current hurdles that need to be overcome and, unfortunately, they are likely to remain that way for some time. This is because it’s hard to find good people and even harder to coordinate them effectively. Changing security processes and strategically implementing new technologies can go a long way to mitigating them, but the bottom line is that the security industry needs to get better at making the most of the resources it has available. Cutting down on time spent doing laborious tasks and giving security personnel the tools they require to do IR as efficiently as possible are big steps in the right direction.

Ryan Benson, Senior Threat Researcher, Exabeam