Anatomy of an Intrusion Highlights Importance of Incident Response Planning

By Mary Beth Hamilton | Tuesday, January 8th, 2019

Cybersecurity experts are universally quoted as saying “not if but when” with respect to cyber security attacks and breaches. A 2018 Data Threat Report¹ found that 73% of US global enterprises have been breached and the rate continues to increase. Additionally, another study found that hacker attacks of computers with Internet access occur every 39 seconds on average².

These statistics reinforce the reality that every firm is a target and ever target has a potential weakness. That is why preparedness and response on top of security layers are so important.

Let’s walk through a potential cyber incident to demonstrate how a well-crafted security strategy works in the face of an attack.

The Situation:

A user’s password credentials are compromised allowing an attacker to access a legacy remote access application without multi-factor authentication enabled. The compromised account is a basic user who does not have advanced, executive or privileged credentials.

The Incident Response:

The organization is alerted to the credential compromise based on suspicious activity, which is immediately reported to the IT department, who disables the user’s account and all computing sessions associated with the user account. It is also escalated to the organization’s Computer Security Response Team.

The Computer Security Response Team immediately jumps into action, taking the following remediation steps.

A full anti-malware sweep of the organization’s corporate infrastructure is completed.
All logs associated with the compromised account are retrieved using a Security Information and Event Management (SIEM) tool. SIEM provides real-time analysis of security alerts generated by applications and network hardware.
By analyzing the SIEM logs, the Response Team gains detailed records on every command and/or program launched by the intruder. This allows for immediate lock-down of any potentially vulnerable areas. Also by retracing the intruder’s steps and analyzing the logs further the Response Team is able to confirm there was no exfiltration of files or data.

The Outcome:

The organization required complex passwords and had multi-factor authentication rolled out across 90% of its applications, however, the attacker found the weakest link -- a legacy remote access application without MFA. Because of the rapid response of the Computer Security Response Team, this organization was able to stop the intruder, retrace his/her steps via the SEIM and ensure no data was compromised.

Key Takeaways:

Following are important key takeaways for all firms.
Practice cyber response. Being prepared is absolutely critical to damage mitigation.
Use Multifactor Authentication (MFA) everywhere.
Your cybersecurity is only as strong as your weakest link.
A SIEM is invaluable to cyber response. Having all your system logs correlated and in one place enables rapid response. Eze Castle Integration's Eze Managed SIEM is a fully managed SIEM as a Service solution that efficiently analyzes data by filtering all data through a Security Operations Center (SOC) to eliminate the noise, leaving behind succinct reports and recommendations to help clients stay cybersecure. By combining real-time security analysis with machine learning technology, Eze Managed SIEM is able to proactively identify potential security risks.
Defense in depth. There are many cost-effective layers of defense that can be deployed. During an attack, some may get bypassed, but others will block or slow down would-be attackers.

Checkout these Cybersecurity Articles

Here at Eze Castle Integration we love sharing educational content almost as much as we love technology. Cybersecurity is an important topic so be sure to read these additional articles for guidance to help keep your firm protected.

[1] 2018 Thales Data Threat Report - Global Edition
[2] Statistic from study by Clark School at the University of Maryland