fokisecret.blogg.se

Once more unto the breach









In the middle of the night, the phone rings. There’s an emergency at work: a network breach.

“I’ve received calls at the most inopportune times,” says Marshall Heilman, vice president and executive director, incident response and red-team operations at the cybersecurity firm Mandiant, a FireEye company. “In 2014, I got a call just before Thanksgiving. I had to go in to help a company that had been hit by an advanced attacker, and it was serious,” Heilman recalls, adding that his team battled another breach on Christmas Eve in 2015.

Team members also have plenty of stories about, for instance, being so busy on holidays that employees were working “while trying to baste a turkey at the same time,” Heilman says: “Hackers are strategic about the holidays. They compromise organizations at those times because that’s when they expect the defenses to be down.”

But as Heilman knows all too well, hackers don’t need to wait until the holidays to catch their targets off guard. Organizations of all sizes are vulnerable to breaches year-round.

Next comes “privilege escalation,” Heilman explains: “They take the rights they’ve gained from the systems that they’ve compromised and escalate them to a local administrator or a main administrator, to root access, or to whatever they may need for greater access to systems and data.” That’s often accomplished by stealing credentials, cracking passwords, or exploiting vulnerable software. Once the attackers have obtained administrative rights, they’ve reached APT status. They undertake reconnaissance, moving laterally throughout the company’s computer systems, taking stock of what they’re seeing, noting the roles and responsibilities of key individuals and the location of information they want. Perpetrators often maintain presence, or “persistence,” by installing multiple back doors throughout the environment.

“Then they’re going to try to accomplish whatever they came to do, which is often stealing information: intellectual property, financial data, merger and acquisition details or personally identifiable information, for example,” Heilman says. When they’ve completed their mission, attackers retain access where possible, in case they want to return.

Tips for Targets: Think Like the Bad Guys

In Heilman’s view, the best approach to defeating attackers is adopting their mindsets: not responding to their next moves, but anticipating them. You must also recognize and detect anomalous behavior in your organization.

Kawalec encourages enterprise executives to become acquainted with their company’s threat landscapes. Knowing which assets are most critical, and thus must be vigilantly protected, is a significant offensive advantage against cyberthreats. “Understand what is valuable in your organization. Who is going to try and get those major assets? That gives you a view of risk,” he says. “Then understand whether you’ve been compromised and where you’re vulnerable.” Finally, the biggest issue: “Do you know exactly what you’re going to do when the phone rings in the event of a breach?” Kawalec asks. “Those are the big questions that any cybersecurity leader or chief information security officer should be able to answer on behalf of their organization, because if they can’t, they’re in trouble.”

As with many other crimes, the first 48 hours following a breach are the most critical. But how quickly and how well an organization responds and recovers is determined by what has been done before the incident.









