This is already the third and final article of our Endpoint Detection & Response (EDR) blog series. This time we will tell you how organizations can quickly and effectively remediate security incidents to return their businesses to normal operations.
The resolution of security incidents is a key piece in cyber defence. This requires the right tools to quickly and effectively contain a threat and remove it from your infrastructure.
The primary goal of any incident remediation plan is to restore operations as quickly as possible so the business can get back to revenue-creating activities. Sure, your team would prefer to investigate the incident immediately and accurately - but that's secondary. Because the core business always has priority. But of course, a precise analysis is indispensable. In the long term, it is an important component in strengthening cyber security in the long term. That's why it's essential to use a suitable tool on the one hand to meet the requirements of your core business and on the other hand to cover the needs of threat analysis.
Only those who know the details of a cyber attack can react correctly
When resolving an incident, you need to guarantee fast access to event information, user activity details, or a set of unique system artefacts. This is the only way to determine which systems, endpoints are affected by a cyber attack, or to which the attacker had access.
If an organization fails to fully scope an incident, the remediation effort may fail to eradicate an attacker’s foothold in the environment - or allow them to easily regain access if underlying vulnerabilities have not been resolved. This makes a comprehensive, detailed investigation even more important.
Do you remember our first articles on Endpoint Detection & Response? Parts one and two describe the phases of incident detection and analysis. We also showed you why a fast, adaptable toolset is needed to fully capture an incident. But what information is relevant to recovery? Below are the key points:
- Systems infected with malware or tools
- Systems accessed during the incident
- Location and other metadata related to malware or tools
- Compromised accounts (used to move laterally, responsible for malware execution, potentially stolen credentials)
- Application vulnerabilities that led to the incident
- Other system artefacts that need to be cleaned or removed
After you have completed the initial scoping phase of the incident, the details collected in your investigation will help you determine what needs to be remediated or removed from your environment so you can develop your remediation plan. Once this is clear and you have the necessary tools, you are ready to go. Important: The plan should consider both the short- and long-term aspects of eliminating a threat.
In the short term, it is critical to stop the threat and prevent it from spreading. The long-term challenge is to ensure that the same threat does not recur in the future or if it cannot be completely ruled out, cannot have any negative impact. Only in this way can cyber security be sustainably optimized!
Short-term: Eliminate the vulnerabilities!
There are many steps you need to take immediately after a threat occurs. These include quarantining a component (e.g. a computer) from the system, collecting key system artefacts for analysis, or temporarily suspending a user account until longer-term controls can be implemented.
Of course, these tasks are not part of normal day-to-day business. Your security team should nevertheless be able to practice the following activities on a regular basis, for example in a simulated emergency:
- Execute a system quarantine
- Kill a running malicious process
- Eliminate malware persistence mechanisms (such as in the registry)
- Distribute out-of-band patches in critical scenarios
Of course, you could continue the list as you like. The examples are only intended to encourage you to think about which activities you need to carry out in a critical situation and which therefore need to be practised periodically.
Long-term: Increase your defence!
In parallel with executing these short-term remediation tasks, it is also essential to develop and initiate long-term changes to mitigate the risk of the same incident recurring in the future. These can range from shorter patching cycles of risky systems to the development of a comprehensive approach to detection, investigation and response.
For all long-term measures, it is central that they are monitored and verified not only at the beginning but also in the future. For example, if you apply a new patch, you should be able to check later whether the patch is actually applied. You should also be able to continuously monitor accounts that have been deactivated, for example. This will allow you to ensure that they are no longer being used, for example by an attacker.
Be proactive and measure progress
The reaction process is critical when security measures have not worked in an attack, but there is much more to do before a cyber attack even occurs. For example, you should check your patch policies regularly. Consider the following metrics:
- Time required from the start of an investigation to its resolution
- Time required to implement a remediation strategy across all endpoints
- Measures that are the most time-consuming and cause the greatest difficulties
- Rate of new exposure due to incomplete or failed remedial actions
- Number of endpoints or technology stacks required to resolve the issue
You see - there is a lot of work even without a security incident. The simple question is: Does your current EDR solution provide you with a fast enough response to detected threats? Or even better, does it go beyond that and give you the investigative visibility you need to assess threats? Is it flexible enough to respond differently when needed?
EDR - detect security incidents early and respond quickly and effectively
You notice: In order to be able to protect yourself against today's cyber attacks, you need specialized tools in addition to processes and know-how. Because if your cyber security analysts are overloaded with alerts and cannot identify which alarms have priority, effective cyber defence is hardly possible. Tanium has created a solution to this problem that closes the gap between detection and response. In this way, a continuous security process can be ensured as well as reacting efficiently and effectively.
The best? InfoGuard offer you this technology exclusively as a service! Our EDR-as-a-Service is provided from the ISO 27001 certified Cyber Defence Center by experienced experts. Interested? Find out more here!
*in cooperation with Tanium