How To Find A Security Threat, Kill It And Move On

All organisations suffer from business interruptions relating to IT from time to time. This can range from equipment breakdown affecting one user through to power outages affecting entire corporate sites. Sometimes it’s something more pernicious, like malware or hacktivists targeting entire companies.

In recent years, there has been an increase in zero-day vulnerabilities being exploited. Meanwhile, more and more ‘hacking collectives’ have started up, targeting specific systems and data either for “the lulz” or financial gain. How does an organisation respond to this changing landscape?

The controls are in place to handle ‘normal’ events and are embedded in business as everyday activities, but how would you cope with an incident which was ‘abnormal’?

Business as unusual

Maybe it’s time to review current processes. Maybe it’s time to buy that shiny new appliance you heard so much about at the latest event. Maybe it’s time to revisit those business continuity plans. Or maybe it’s time to have a complete rethink.

Rather than a series of “if this happens, do this” processes, it may be better to expand to a frame of mind where you say “we need to ensure ‘System X’ runs continuously, let’s look for anything trying to stop it”.

Imagine the following scenario: an anomaly exists on your organisation’s network. Anti-virus software is deployed yet there are no reports on the console of infections. A robust patch management regime is in place and users are well educated and no excessive access is allowed.

Some would see this as a network administrator’s nirvana. So why is there this strange activity on the network? We can’t see anything unusual, so is it just a case of users worrying or complaining, or is there something we have missed? Let’s see what we can find out using a staged methodology…

Step 1 – Identification

Let’s use those logs from all those devices we have bought to try to point to the source of this anomaly. After all, we bought these systems and configured them to log events for a reason, right?

Step 2 – Isolation

OK, so we have discovered where the activity is, it’s time to isolate this area or areas from the rest of the network. If we can stop this activity spreading we have a better chance of resolving the issue.

Step 3 – Investigation

Now we need some technical expertise to establish just what is going on. If this is new to you, you’re  going to need help from specialists and the likelihood is they have seen similar symptoms before.

Step 4 – Confirmation

Seek advice if needed from reputable sources to verify your findings and conclusions. There is nothing more embarrassing than spending time and resource resolving an issue which is not the root cause of your problem.

Step 5 – Resolution

Once confirmed, the necessary remedial actions can be carried out. These will most likely involve some network changes to ensure whatever route this anomaly took to get into your organisation is closed. Try to think bigger than repairing individual machines and returning service. You’ll only be red-faced if an apparently resolved issue re-occurs just minutes later.

Step 6 – Continuous improvement

Can we gain any lessons from this incident? Well, fine tuning of existing monitoring can help in various ways. Having processes to identify unusual patterns of behaviour within your internal network means you can be alerted to a problem early, allowing you to activate those processes you took so long to create and test. If you are relying on spotting a pre-defined pattern, it might be too late when it finally appears.

Try replaying the above scenario without any network monitoring or logging. At what point would you get to Step 1? Perhaps when everyone and everything has finally ground to a complete halt? Perhaps when the CEO rings with a problem? Or worse, perhaps when the data you try so desperately to protect is released to the internet for all to see.

Sometimes it’s best to think about business as unusual, rather than concentrating on business as usual.

Are you a security guru? Try our quiz!