As the fallout from the fire at the Notre Dame Cathedral continues, it’s important to remember that this is a teachable moment—even for IT professionals. Or maybe especially for IT professionals.
Just recently, for example, The New York Times headlined a story about how the blaze released tons of toxic lead into the air in Paris, scattering dangerous dust into the streets and parks of one of the world’s most beautiful cities.
In the wake of events like this—whether a toppled church or an incapacitated information technology network—questions naturally arise. Fingers may be pointed. But assessing blame is only useful if it brings answers, stops the damage and helps prevent similar incidents. To begin, there’s the obvious: Old, brittle infrastructure can be vulnerable. But what else? Let’s look at a few things.
In the case of the cathedral fire, the revelation about the toxic lead release can inform our thinking about cybersecurity: Even when the attack itself has been contained, when the fire appears to be out, work may still remain. Paris must remediate the lead, and security professionals must root out and remedy all the damage caused by the attack, which may extend into IoT devices and into the systems of customers and partners.
How and when cybersecurity first responders save the day
Like first responders everywhere, when incident response (IR) teams are called to an incident, they must follow a process that has been vetted and practiced. A process that exists merely on paper won’t do much good.
Let’s explore some of the steps.
Discovery: Establish situational awareness
The IR team must familiarize itself with the environment and its stakeholders, then determine the extent of the damage. At the same time it works to preserve evidence, seeks to contain the intrusion and cut off the adversary’s access, and ensures that any regulatory obligations to notify clients of a breach are met.
While a company may want to shut down systems to prevent the spread of a compromise, it’s important at this early point to think twice before hitting that "off" button. A machine that is powered off rather than isolated or quarantined loses volatile evidence (running processes, open network connections, memory-resident malware) that is needed to determine root cause and data exposure. Similarly, if a command and control server is the only indicator of compromise the team has to go on, blocking that IP immediately may be a mistake: the attacker may notice, go dark and switch to infrastructure the team cannot yet see.
Investigation: Uncover and understand the adversary’s tactics, techniques and procedures
The team now works to try to identify lateral movement and any tools an adversary may have used. It looks for evidence of data exfiltration and answers to questions like: What other account credentials were compromised? Was it a full domain compromise? Did the adversary get into any sensitive databases on a separate part of the network?
While an investigation may begin only as a way to determine the root cause of an incident and keep it from happening again, it often also exposes poor user hygiene, a lack of regular system patching, no separation of duties, and incomplete or inaccurate log data.
In cases where a company lacks adequate network or host visibility, the IR team can also help by deploying endpoint detection and response (EDR) and network monitoring tools and feeding the indicators from the attack into them. This can uncover affected areas of the environment that were missed and strengthen future alerting. Or, if the team discovers a vulnerable, Internet-facing server still using default credentials, the company should change those credentials and add multi-factor authentication.
Eradication: A tactical recovery
The IR team also develops a comprehensive tactical recovery or eradication plan, which could include eliminating the adversary’s command and control capability, expelling the adversary, regaining control of critical accounts, improving visibility into credential usage and tightening account controls along best practices such as least privilege. Thereafter, the team continues to monitor the environment for re-intrusion attempts. The team can also use the investigation findings to recommend rebuilding strategies that prevent future incidents and help drive the overall transformation of the security program.
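The three steps above, carried through as an added example that is not code from the original article: a small Python triage script reads constructed logon and flow records, flags an account that logs on remotely to several hosts within a short window (lateral movement), flags large outbound transfers to a known command and control address (exfiltration), and assembles the list of accounts to reset and hosts to isolate, not power off, that the eradication plan needs. All host names, user names, IP addresses, log lines and thresholds are constructed for illustration; 203.0.113.7 is taken from the documentation address range and stands in for the C2 server.

```python
"""Added example: triage constructed logon and flow records to spot lateral
movement and exfiltration, then emit the artefacts an IR team hands to
containment and monitoring. Not from the original article; every host name,
user, IP address and log line below is constructed for illustration."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: Windows-style logon events (logon_type 3 = network,
# 10 = RDP, 2 = interactive) and outbound flow records, one record per line.
SAMPLE_LOG = """\
2019-04-15T19:01:02Z host=WS-014 event=logon logon_type=2 user=jdoe src=-
2019-04-15T19:04:41Z host=WS-014 event=logon logon_type=3 user=svc-backup src=10.0.4.21
2019-04-15T19:06:15Z host=FS-01 event=logon logon_type=3 user=svc-backup src=10.0.4.21
2019-04-15T19:07:40Z host=WS-014 event=flow dst=203.0.113.7 dport=443 bytes_out=1048576
2019-04-15T19:09:03Z host=DC-01 event=logon logon_type=10 user=svc-backup src=10.0.4.21
2019-04-15T19:12:30Z host=SQL-02 event=logon logon_type=3 user=svc-backup src=10.0.4.21
2019-04-15T19:40:11Z host=SQL-02 event=flow dst=203.0.113.7 dport=443 bytes_out=734003200
2019-04-15T20:15:00Z host=WS-022 event=logon logon_type=3 user=mrivera src=10.0.4.30
2019-04-15T20:16:00Z host=WS-023 event=logon logon_type=3 user=mrivera src=10.0.4.30
"""

REMOTE_LOGON_TYPES = {"3", "10"}  # network and RDP; interactive (2) is local


def parse_log(text):
    """Turn key=value lines into dicts with a parsed timestamp."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, _, rest = line.partition(" ")
        ev = dict(kv.split("=", 1) for kv in rest.split())
        ev["ts"] = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return events


def find_lateral_movement(events, window=timedelta(minutes=30), min_hosts=3):
    """Accounts that log on remotely to at least min_hosts distinct hosts
    within any sliding window of `window`. Returns {user: sorted hosts}."""
    by_user = defaultdict(list)
    for ev in events:
        if ev["event"] == "logon" and ev["logon_type"] in REMOTE_LOGON_TYPES:
            by_user[ev["user"]].append((ev["ts"], ev["host"]))
    flagged = {}
    for user, logons in by_user.items():
        logons.sort()
        for i, (start, _) in enumerate(logons):
            hosts = {h for t, h in logons[i:] if t - start <= window}
            if len(hosts) >= min_hosts:
                flagged[user] = sorted(hosts)
                break
    return flagged


def find_exfiltration(events, c2_ips, min_bytes=100 * 1024 * 1024):
    """Flows to a known C2 address that moved at least min_bytes outbound."""
    return [ev for ev in events
            if ev["event"] == "flow" and ev["dst"] in c2_ips
            and int(ev["bytes_out"]) >= min_bytes]


def build_containment_plan(events, c2_ips):
    """Assemble what the eradication step needs: accounts to reset, hosts to
    isolate (not power off, so volatile evidence survives) and the C2
    addresses to watch. Blocking the C2 is left as a decision, not done."""
    lateral = find_lateral_movement(events)
    exfil = find_exfiltration(events, c2_ips)
    hosts_to_isolate = set()
    for hosts in lateral.values():
        hosts_to_isolate.update(hosts)
    hosts_to_isolate.update(ev["host"] for ev in exfil)
    # The address a compromised account pivoted from is itself a victim.
    pivot_sources = {ev["src"] for ev in events
                     if ev.get("user") in lateral and ev.get("src", "-") != "-"}
    return {
        "accounts_to_reset": sorted(lateral),
        "hosts_to_isolate": sorted(hosts_to_isolate),
        "pivot_sources": sorted(pivot_sources),
        "c2_watchlist": sorted(c2_ips),
        "exfil_bytes": sum(int(ev["bytes_out"]) for ev in exfil),
    }


if __name__ == "__main__":
    plan = build_containment_plan(parse_log(SAMPLE_LOG), {"203.0.113.7"})
    for key, value in plan.items():
        print(f"{key}: {value}")
```

Running the script prints the plan: svc-backup is the only account flagged (four hosts in eight minutes; mrivera's two hosts stay under the threshold), the 700 MiB transfer from SQL-02 is the only flow large enough to count as exfiltration, and the C2 address goes onto a watchlist rather than a block list, leaving the "go dark" decision from the discovery step with the team.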
Investigating the attic
French authorities knew how fragile Notre Dame was, but the building’s fire-safety controls didn’t include much beyond fire alarms and an attic walk-through every half-hour. They feared that implementing fire compartments, sprinklers or anything electrical would do more harm than good. This is how some companies feel about legacy environments, especially ones cobbled together over the years. They know they may be vulnerable but aren’t sure where to begin with updating security controls and don’t want to do any harm to systems that are working well enough.
If a company doesn’t have the means to audit its technology investments on its own, it can engage an IR team to determine if the right visibility and detection mechanisms are in place, if they are configured to see and alert on the right things, if there are vulnerabilities or nesting varmints and if the company is paying for and trying to administer too many tools, which is fairly common. But the overriding idea is simple: Don’t set up your systems so you’re waiting for the smell of smoke. Become more proactive.
Not everyone knows or remembers what’s in their attic. That’s why it’s important to regularly pull down the ladder and head up to look. Make sure the wiring is still safe and no intruders like birds or mice have set up house in Great Grandma’s hope chest.