How To Find A Security Threat, Kill It And Move On

All organisations suffer from business interruptions relating to IT from time to time. This can range from equipment breakdown affecting one user through to power outages affecting entire corporate sites. Sometimes it’s something more pernicious, like malware or hacktivists targeting entire companies.

In recent years, there has been an increase in zero-day vulnerabilities being exploited. Meanwhile, more and more ‘hacking collectives’ have started up, targeting specific systems and data either for “the lulz” or financial gain. How does an organisation respond to this changing landscape?

The controls are in place to handle ‘normal’ events and are embedded in business as everyday activities, but how would you cope with an incident which was ‘abnormal’?

Business as unusual

Maybe it’s time to review current processes. Maybe it’s time to buy that shiny new appliance you heard so much about at the latest event. Maybe it’s time to revisit those business continuity plans. Or maybe it’s time to have a complete rethink.

Rather than a series of “if this happens, do this” processes, it may be better to expand to a frame of mind where you say “we need to ensure ‘System X’ runs continuously, let’s look for anything trying to stop it”.

Imagine the following scenario: an anomaly exists on your organisation’s network. Anti-virus software is deployed yet there are no reports on the console of infections. A robust patch management regime is in place and users are well educated and no excessive access is allowed.

Some would see this as a network administrator’s nirvana. So why is there this strange activity on the network? We can’t see anything unusual, so is it just a case of users worrying or complaining, or is there something we have missed? Let’s see what we can find out using a staged methodology…

Step 1 – Identification

Let’s use those logs from all those devices we have bought to try to point to the source of this anomaly. After all, we bought these systems and configured them to log events for a reason, right?

Step 2 – Isolation

OK, so we have discovered where the activity is; now it’s time to isolate that area, or areas, from the rest of the network. If we can stop this activity spreading, we have a better chance of resolving the issue.

Step 3 – Investigation

Now we need some technical expertise to establish just what is going on. If this is new to you, you’re going to need help from specialists, and the likelihood is they have seen similar symptoms before.

Step 4 – Confirmation

Seek advice if needed from reputable sources to verify your findings and conclusions. There is nothing more embarrassing than spending time and resources resolving an issue which is not the root cause of your problem.

Step 5 – Resolution

Once confirmed, the necessary remedial actions can be carried out. These will most likely involve some network changes to ensure whatever route this anomaly took to get into your organisation is closed. Try to think bigger than repairing individual machines and returning service. You’ll only be red-faced if an apparently resolved issue recurs just minutes later.

Step 6 – Continuous improvement

Can we gain any lessons from this incident? Well, fine-tuning of existing monitoring can help in various ways. Having processes to identify unusual patterns of behaviour within your internal network means you can be alerted to a problem early, allowing you to activate those processes you took so long to create and test. If you are relying on spotting a pre-defined pattern, it might be too late when it finally appears.
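As an added illustration of Step 6 (example code, not part of the original article), the Python sketch below contrasts the two approaches on constructed connection logs: a pre-defined signature list that matches nothing, and a behaviour check that flags a workstation whose sudden fan-out to never-seen internal hosts stands out against its own baseline. The host names, addresses, log format and thresholds are all assumptions made for the example.

```python
# Behaviour-based spotting of unusual internal activity (added example, constructed data).
from collections import Counter, defaultdict

# Constructed logs, one outbound connection per line: "epoch src_host dst_ip dst_port".
BASELINE_LOG = """\
1000 ws-01 10.0.0.5 445
1001 ws-02 10.0.0.5 445
1002 ws-03 10.0.0.7 80
1003 ws-03 10.0.0.5 445
"""
CURRENT_LOG = """\
2000 ws-01 10.0.0.5 445
2001 ws-02 10.0.0.7 80
2002 ws-03 10.0.0.5 445
2003 ws-03 10.0.0.21 445
2004 ws-03 10.0.0.22 445
2005 ws-03 10.0.0.23 445
2006 ws-03 10.0.0.24 445
"""
KNOWN_BAD = {"203.0.113.9"}  # constructed signature list; nothing in the logs matches it

def parse(text):
    """Turn log text into (timestamp, src, dst, port) tuples."""
    rows = (line.split() for line in text.splitlines())
    return [(int(t), s, d, int(p)) for t, s, d, p in rows]

def signature_hits(records):
    """Pre-defined pattern: hosts that talked to a known-bad address."""
    return sorted({src for _, src, dst, _ in records if dst in KNOWN_BAD})

def profile(records):
    """Per host: set of destinations contacted and number of connections."""
    dests, counts = defaultdict(set), Counter()
    for _, src, dst, _ in records:
        dests[src].add(dst)
        counts[src] += 1
    return dests, counts

def behaviour_anomalies(records, baseline, new_dest_limit=2, rate_factor=2.0):
    """Flag hosts contacting several never-seen destinations, or whose
    connection count jumps well above their own baseline."""
    base_dests, base_counts = baseline
    cur_dests, cur_counts = profile(records)
    flagged = {}
    for host, seen in cur_dests.items():
        new = seen - base_dests.get(host, set())
        spike = cur_counts[host] > rate_factor * max(base_counts.get(host, 0), 1)
        if len(new) >= new_dest_limit or spike:
            flagged[host] = sorted(new)
    return flagged
```

On this data the signature check returns nothing, while the behaviour check flags only ws-03; ws-02 talking to one new destination stays below the threshold, which is the kind of tuning Step 6 is about.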

Try replaying the above scenario without any network monitoring or logging. At what point would you get to Step 1? Perhaps when everyone and everything has finally ground to a complete halt? Perhaps when the CEO rings with a problem? Or worse, perhaps when the data you try so desperately to protect is released to the internet for all to see.

Sometimes it’s best to think about business as unusual, rather than concentrating on business as usual.


Thomas Brewster

Tom Brewster is TechWeek Europe's Security Correspondent. He has also been named BT Information Security Journalist of the Year in 2012 and 2013.
