
Four Steps To An Effective Targeted Attack Response

  • Posted on: November 19, 2014 at 9:11 pm
  • Posted in: Targeted Attacks
  • Author: Trend Micro

For many organizations today, the question is no longer if they will fall victim to a targeted attack, but when. In such an event, how an organization responds will determine whether it becomes a serious event or if it stays a mere annoyance.

This requires something of a change of mindset for information security professionals. Many previous techniques and best practices operate under the premise that an attacker can be kept out.

However, that’s no longer the case today. The malware used in targeted attacks frequently goes undetected because it has been custom-made for a specific organization. A well-crafted social engineering attack can look like a normal business email or engaging click bait.

In short, an attacker with sufficient resources will be able to find their way inside their target, regardless of what the defender does. The defender can raise the price of getting in, but not prevent it entirely.

The SANS Institute provides some guidelines to organizations on how they should react to incidents. Broadly speaking, however, the response can be divided into four steps:

Prepare.

This means responding to a targeted attack before the attack actually takes place: security professionals need to plan their response to a targeted attack on their network in advance. System administrators routinely have such plans for other events, for example downtime-related events such as a data center going offline.

Similarly, it’s important to be aware of the normal, day-to-day threats an organization faces. Information security professionals must not only deal with these attacks as they happen, but should also understand what their “normal” problems are, so that abnormal threats like targeted attacks can be spotted quickly. Threat intelligence and analysis are valuable in this step, as they guide security professionals toward an understanding of the current situation.

Security professionals must also plan to acquire the right skills to deal effectively with targeted attacks. One of the most important skills to learn is digital forensics, which allows for the proper acquisition and analysis of information from compromised devices.

Many of these techniques are quite foreign to normal IT day-to-day work, but learning these techniques will help organizations gain information and be better prepared to deal with any attack in progress.

Respond.

Upon identifying a targeted attack in progress, the next step is to respond decisively. Responding to a targeted attack has several components: containing the threat, removing it, and determining the scope of the damage. The first step is to immediately isolate or contain the threat. Steps that can be taken here include isolating infected machines or taking compromised services offline. The goal is to prevent the attack from gaining further ground.

To locate the threats present in an organization, working hand in hand with a security vendor that knows the tools and grayware commonly used in targeted attacks is useful. Similarly, continuous monitoring of existing network activity can help determine the scale and scope of any ongoing attack.
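The "Prepare" step above says defenders should know what their "normal" activity looks like so that abnormal behaviour stands out, and the "Respond" step says network monitoring helps establish the scale and scope of an attack. The following Python script is an added illustration of both ideas and is not code from the original post or from Trend Micro. It builds a per-host baseline (destinations seen, mean and standard deviation of daily outbound bytes) from a few constructed "known-good" days of proxy-style log lines, then checks a constructed "incident day" for hosts that reach never-before-seen destinations or exceed their usual daily volume, and finally groups the deviating hosts by the new destination they share so the scope of the event is visible at a glance. The log format (`date host destination bytes`), the host and domain names, and the three-sigma threshold are all assumptions made for the example.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline: three ordinary days per workstation (not real data).
BASELINE_LOG = """\
2014-11-10 ws-01 intranet.example 1000
2014-11-10 ws-01 updates.example 5000
2014-11-11 ws-01 intranet.example 1500
2014-11-11 ws-01 updates.example 5500
2014-11-12 ws-01 intranet.example 2000
2014-11-12 ws-01 updates.example 6000
2014-11-10 ws-02 intranet.example 500
2014-11-10 ws-02 updates.example 3500
2014-11-11 ws-02 intranet.example 1000
2014-11-11 ws-02 updates.example 4000
2014-11-12 ws-02 intranet.example 1500
2014-11-12 ws-02 updates.example 4500
2014-11-10 ws-03 intranet.example 3000
2014-11-10 ws-03 updates.example 6000
2014-11-11 ws-03 intranet.example 3500
2014-11-11 ws-03 updates.example 6500
2014-11-12 ws-03 intranet.example 4000
2014-11-12 ws-03 updates.example 7000
"""

# Constructed "incident day" log to compare against the baseline.
INCIDENT_LOG = """\
2014-11-13 ws-01 intranet.example 1200
2014-11-13 ws-01 updates.example 5400
2014-11-13 ws-01 cdn-files.example 150000
2014-11-13 ws-02 intranet.example 800
2014-11-13 ws-02 updates.example 4000
2014-11-13 ws-02 cdn-files.example 900
2014-11-13 ws-03 intranet.example 3200
2014-11-13 ws-03 updates.example 6500
"""

SIGMA = 3  # assumed threshold: flag a day above mean + SIGMA * stdev


def parse(log_text):
    """Turn 'date host destination bytes' lines into tuples; skip blank lines."""
    records = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        date, host, dest, nbytes = line.split()
        records.append((date, host, dest, int(nbytes)))
    return records


def build_baseline(records):
    """Per host: destinations seen, plus mean and stdev of daily outbound bytes."""
    dests = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for date, host, dest, nbytes in records:
        dests[host].add(dest)
        daily[host][date] += nbytes
    baseline = {}
    for host in dests:
        totals = list(daily[host].values())
        baseline[host] = {
            "dests": dests[host],
            "mean": mean(totals),
            "stdev": pstdev(totals) if len(totals) > 1 else 0.0,
        }
    return baseline


def find_deviations(baseline, records):
    """Hosts that contacted new destinations or had an abnormally heavy day."""
    seen = defaultdict(set)
    daily = defaultdict(lambda: defaultdict(int))
    for date, host, dest, nbytes in records:
        seen[host].add(dest)
        daily[host][date] += nbytes
    deviations = {}
    for host in seen:
        peak = max(daily[host].values())
        profile = baseline.get(host)
        if profile is None:
            # Unknown host: nothing to compare against, so everything is new.
            deviations[host] = {"new_dests": seen[host], "peak_bytes": peak, "volume_anomaly": True}
            continue
        new_dests = seen[host] - profile["dests"]
        anomaly = peak > profile["mean"] + SIGMA * profile["stdev"]
        if new_dests or anomaly:
            deviations[host] = {"new_dests": new_dests, "peak_bytes": peak, "volume_anomaly": anomaly}
    return deviations


def scope_by_destination(deviations):
    """Group deviating hosts by the new destination they share (incident scope)."""
    scope = defaultdict(list)
    for host, info in deviations.items():
        for dest in info["new_dests"]:
            scope[dest].append(host)
    return {dest: sorted(hosts) for dest, hosts in scope.items()}


if __name__ == "__main__":
    baseline = build_baseline(parse(BASELINE_LOG))
    deviations = find_deviations(baseline, parse(INCIDENT_LOG))
    for host, info in sorted(deviations.items()):
        print(host, info)
    print(scope_by_destination(deviations))
```

Two points the output makes that the prose only implies: ws-02 never exceeds its volume threshold, so a pure volume alarm would miss it, yet it shares the same new destination as ws-01 and therefore belongs in the scope of the event; and ws-03, whose day looks like every other day in the baseline, is not flagged at all, which is what keeps the "normal" noise out of the way of the abnormal signal.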

Restore.

Just as important as responding to an attack is restoring the organization to normal operations. While some disruption is a necessary part of responding to a targeted attack, in the long run the organization has to “return to normal” and resume normal operations.

“Restoring” an organization to normal is not only about technical considerations. If necessary, an organization needs to reach out to partners, stakeholders, and customers to clearly communicate the scope of a targeted attack’s damage, and any steps being taken to reduce the damage. In many cases, goodwill and trust are big casualties of a targeted attack, and these must be addressed as well.

Learn.

Once an attack is over, organizations need to figure out what can be learned from it. Every attack offers lessons for defenders – what worked? What could we have done better? It may turn out that some of the assumptions and information that went into planning for security incidents were incorrect or incomplete.

However, it is also important not to overreact to any single incident. Overreacting can be just as bad as under-reacting: it can impose burdens on the organization that bring marginal gains in security, if any. Decisions must be based on sound reasoning if the organization is to get past the immediate aftermath of an incident.

Summary

In today’s world of frequent targeted attacks – when breaches are a matter of when and not if – a carefully crafted strategy to respond to targeted attacks must be part and parcel of the larger defense strategy. This can be the difference between a minor nuisance and a major breach that could spell the demise of an organization.

Tags: APT, incident response, Targeted Attack Techniques, targeted attacks