Responding in the 'golden hour' of a cyber attack

Aug. 13, 2015
Improving time to detection can help minimize damage inflicted by hackers

In medical emergencies, responding as quickly as possible to a stroke or heart attack can mean the difference between a swift and speedy recovery and permanent damage or death. In cybersecurity emergencies – for example, identifying a data breach – the same can be said.

The fact that attackers with a valid set of credentials can remain undetected inside an organization for long periods of time isn’t in dispute. Most reports from Mandiant, Verizon, and other consulting organizations put this period of time at around two hundred days. But what happens after the organization is notified of the breach? A security “tiger-team” will be formed to investigate the breach to see if they can determine its initial scope. If the team is unable to determine the scope, then security consultants are brought in.

There is not a lot of information about the amount of time the analysis phase can take. It varies with a number of factors, including how long the attacker has been in the environment, whether the data needed to complete the investigation can be accessed, the size of the organization, etc. The data breach at the U.S. Office of Personnel Management is still ongoing. However, there are several numbers I’ve seen that we could plug in to use as an average. A recent study of federal agencies by Meritalk tells us on average it takes more than 30 hours to complete the analysis. Additionally, Mandiant’s incident response initial minimum retainer for analysis work is a 40-hour period. These numbers suggest that six to 10 days, while likely on the low side, is a practical number used to estimate the length of time of the analysis phase.

When looking at the current security process of Detection-Analysis-Containment-Remediation, we know that if we cannot detect the attacker, the processes cannot begin.

If we are informed (usually by a third party) of a data breach, the manual analysis that ensues must be perfect and complete. If it isn’t, containment won’t happen. Manually building the analysis that allows the security team to see the timeline and intersection of compromised accounts, infected systems, and security alerts leaves much room for error and the possibility that infected servers are missed. A single mistake means the remediation phase isn’t complete. Attackers often leave behind backdoors in case they are discovered. The 2013 Verizon data breach report told us that organizations had a complete and accurate count of compromised records in only 15 percent of breach incidents. This means they could not determine the full scope of a breach in 85 percent of breach incidents.

User behavior analytics (UBA or UEBA) can help with detection. By using custom algorithms, the divergence in behaviors between a normal user using her credentials and an attacker using the same credentials can be determined. Through a combination of historical behavior analysis and peer group behavior comparison, it is almost impossible for the attacker to hide. Many organizations have started to add user behavior analytics to augment their security incident and event management (SIEM) system.

While faster detection is a big step forward, many organizations see this as only one part of a bigger problem. As a recent article in SC Magazine tells us, “the cookie crumbs left behind” point to three factors — “security solutions that generate large volumes of data that overwhelm security teams; solutions that operate independently with no stitching of information between systems; and any stitching that does go on between haystacks of data is typically a manual process.”

A 2014 survey by Damballa noted, “large, globally-dispersed enterprises average 97 active infected devices each day.” Additionally, a 2014 Ponemon survey of 630 IT security practitioners in the United States notes the average number of hours spent per week investigating, capturing intelligence and evaluating the intelligence gathered for malware involved in targeted attacks was more than 325 hours. Attackers embedded in a victim organization know when they are detected. The long manual creation of analysis gives attackers time to shift tactics, create backdoors and stay ahead of the security team.

An important part of a user behavior analytics solution must be to piece together the use of compromised accounts by attackers, traditional security alerts, and asset access characteristics and behaviors, and place all of these on a timeline. This makes the security process much more efficient by collapsing the detection and analysis phases of an attack into a single real-time automated solution.
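The stitching described above can be sketched in a few lines. This is an added example, not code from the article or from any UBA product: the users, hosts, assets, alerts and score weights are all constructed, and the scoring is a deliberately simple stand-in for historical and peer-group comparison.

```python
from datetime import datetime

# Constructed sample data: baseline history, peer groups, one day of access
# events, and alerts raised independently by another security tool.
HISTORY = {"alice": {"mail01", "crm01"},
           "bob": {"mail01", "crm01", "fin-db01"},
           "carol": {"mail01", "build01"}}
PEERS = {"alice": "sales", "bob": "sales", "carol": "eng"}
ACCESS = [("2015-08-13T09:02", "alice", "wks-17", "crm01"),
          ("2015-08-13T09:40", "alice", "wks-17", "fin-db01"),
          ("2015-08-13T09:55", "alice", "wks-17", "build01"),
          ("2015-08-13T10:05", "carol", "wks-30", "build01")]
ALERTS = [("2015-08-13T09:50", "wks-17", "malware beacon"),
          ("2015-08-13T11:00", "wks-99", "port scan")]
ALERT_SCORE = 2  # assumed weight for an alert on a host the user logged in from

def score_access(user, asset):
    """0: seen in the user's own history; 1: new for the user but normal
    for the peer group; 3: new for both the user and the peer group."""
    if asset in HISTORY.get(user, set()):
        return 0
    peer_assets = set()
    for other, assets in HISTORY.items():
        if other != user and PEERS.get(other) == PEERS.get(user):
            peer_assets |= assets
    return 1 if asset in peer_assets else 3

def build_timeline(user):
    """Merge the user's scored access events with alerts on the hosts the
    user logged in from; return (rows sorted by time, total risk score)."""
    rows, hosts = [], set()
    for ts, who, host, asset in ACCESS:
        if who == user:
            hosts.add(host)
            rows.append((datetime.fromisoformat(ts), "access",
                         f"{host} -> {asset}", score_access(user, asset)))
    for ts, host, name in ALERTS:
        if host in hosts:
            rows.append((datetime.fromisoformat(ts), "alert",
                         f"{host}: {name}", ALERT_SCORE))
    rows.sort()
    return rows, sum(r[3] for r in rows)

if __name__ == "__main__":
    timeline, risk = build_timeline("alice")
    for when, kind, detail, score in timeline:
        print(when.strftime("%H:%M"), kind.ljust(6), detail, f"(+{score})")
    print("total risk:", risk)
```

The unrelated port-scan alert on `wks-99` never enters alice's timeline, which is the point of joining on identity and host rather than reviewing each alert source separately.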

There have been numerous articles suggesting that detection and analysis for response need to be moved into what some call the “golden hour” of the attack. Some of the new user behavior analytics systems only tell us that an employee is exhibiting risky behavior. Security teams are glad to have this additional visibility. However, if the security team still has to manually create the relationships between identities, access, assets and security alerts and manually put all this on a timeline, analysis often can’t be completed and containment and remediation will continue to be slow and error prone.

About the Author: Nir Polak is the CEO and co-founder of Exabeam, a provider of user behavior analytics software.