One Article Review

Source: AlienVault Lab Blog
Identifier: 8318005
Publication date: 2023-03-13 10:00:00 (seen: 2023-03-13 10:06:24)
Title: Insights from an external incident response team: Strategies to reduce the impact of cybersecurity attacks
Text:

The content of this post is solely the responsibility of the author. AT&T does not adopt or endorse any of the views, positions, or information provided by the author in this article.

"Why are you here if you cannot decrypt our data?" This is how people sometimes react to the arrival of an external incident response team. In this article, I will try to answer that question and, at the same time, describe the stages of incident response, list the main mistakes that play into the hands of attackers, and give basic advice on how to respond.

Let's start by defining what a security incident is. Although the concept is straightforward, companies interpret it differently. Some count events such as a power supply failure or a hard drive malfunction as incidents, while others classify only malicious actions as incidents. In theory, an incident is the moment when some undesirable event occurs. In practice, what counts as an "undesirable event" is determined by each company's own perspective. For one organization, the discovery of a phishing email is something that requires investigation. Another may not see the point in worrying about it: a phishing email opened on an employee device in a remote location that is not connected to the main infrastructure poses no immediate threat. There are also less obvious cases. Online traders, for example, treat a 1% drop in the speed of interaction with the exchange as a serious incident. In many industries, the importance of proper incident response steps, and of cybersecurity in general, cannot be overstated. But when we talk about serious incidents, these are most often events related to an attacker penetrating the corporate network, and that is what alarms the vast majority of business leaders.
Incident response stages

While whether a given event counts as a security incident varies with factors such as context and threat model, the response steps are largely the same. They are based on the long-established SANS incident handling process, which is widely used by security professionals and identifies six stages:

1. Preparation
2. Identification
3. Containment
4. Eradication
5. Recovery
6. Lessons learned

Note that the external response team is not involved from the start of this process.

Preparation

Preparation means properly aligning organizational and technical processes. These are universal measures that should be implemented effectively across all areas:

- Inventory networks
- Build subnets correctly
- Use the right security controls and tools
- Hire the right people

None of this is the external response team's own job, yet it strongly affects the team's work, because the response builds on these preparatory steps. It relies heavily, for example, on the log retention policy. Each attack has its own dwell time, the interval between the attacker entering the network and their activity being detected. If the attack has an extended dwell time (three to four months) and logs are kept for only seven days, it will be much more difficult for the investigation team to fin
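Added example, not code from the article or from AT&T/AlienVault: a small Python check that makes the retention-versus-dwell-time point above concrete. It takes the date an intrusion was detected, an estimated dwell time and the retention window of each log source, and reports which sources still hold evidence from the estimated start of the intrusion and how many days of attacker activity have already rolled off the others, plus the minimum retention that would have covered this dwell time. The log source names, retention windows, detection date, 120-day dwell time and 30-day safety margin are constructed assumptions for illustration, not figures from the article.

```python
"""Retention-vs-dwell-time check (added example, not from the original article).

Given the date an intrusion was detected, an estimated dwell time, and the
retention window of each log source, report which sources still hold evidence
from the estimated start of the intrusion and how many days of attacker
activity have already rolled off each one. All source names, retention values,
the detection date and the dwell-time estimate below are constructed for
illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class LogSource:
    name: str
    retention_days: int


def intrusion_start(detected_on: date, dwell_days: int) -> date:
    """Earliest date on which the attacker is assumed to have been inside."""
    return detected_on - timedelta(days=dwell_days)


def coverage_report(sources, detected_on: date, dwell_days: int) -> dict:
    """Per source: does the retained window reach back to the intrusion start,
    and if not, how many days of the intrusion have already been lost."""
    start = intrusion_start(detected_on, dwell_days)
    report = {}
    for src in sources:
        # Oldest day still present in this source, counted back from detection.
        oldest_retained = detected_on - timedelta(days=src.retention_days)
        # Days between the intrusion start and the oldest retained day are gone.
        days_lost = max(0, (oldest_retained - start).days)
        report[src.name] = {
            "oldest_retained": oldest_retained,
            "covers_intrusion_start": days_lost == 0,
            "days_lost": days_lost,
        }
    return report


def minimum_retention_days(dwell_days: int, margin_days: int = 30) -> int:
    """Retention needed so an intrusion of `dwell_days` is still fully logged
    when detected, with a margin for the time the investigation itself takes.
    The 30-day default margin is an assumption, not an industry figure."""
    return dwell_days + margin_days


# Constructed sample in the spirit of the article's scenario: a dwell time of
# roughly four months while endpoint logs are kept for only seven days.
SAMPLE_SOURCES = [
    LogSource("workstation-eventlog", 7),
    LogSource("domain-controller-security", 30),
    LogSource("proxy-siem", 365),
]
DETECTED_ON = date(2023, 3, 13)
ESTIMATED_DWELL_DAYS = 120

if __name__ == "__main__":
    rows = coverage_report(SAMPLE_SOURCES, DETECTED_ON, ESTIMATED_DWELL_DAYS)
    for name, row in rows.items():
        if row["covers_intrusion_start"]:
            status = "covers the intrusion start"
        else:
            status = f"{row['days_lost']} days of the intrusion already lost"
        print(f"{name:28s} retained since {row['oldest_retained']}: {status}")
    print("minimum retention for this dwell time:",
          minimum_retention_days(ESTIMATED_DWELL_DAYS), "days")
```

With the sample values, only the long-retention SIEM feed still reaches back to the estimated intrusion start; the seven-day workstation logs have already lost 113 of the 120 days, which is the situation the article warns about. The check is deliberately per source, because a single "we keep logs for N days" policy rarely holds uniformly across endpoints, domain controllers and network devices.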
Tags: Spam, Malware, Vulnerability, Threat, Guideline
Rating: ★★★


The article does not appear to have been picked up again after its publication.


The article does not appear to be a repeat of an earlier one.