As a seasoned incident response practitioner, I am always looking for better ways to manage serious security breaches. Over the last decade, the cyber-security community has refined many strategies and best-practices to help organizations identify, investigate, contain, and remediate advanced threat attacks. This has been enormously helpful.
I have also found it useful to look beyond our own realm in cyber-space and observe how other industries manage large security incidents. A few years ago, I spent some time researching and interviewing public safety, fire, and military professionals. My goal was to determine if there are patterns of behavior in their response tactics that might apply to our IR space.
Establish a Perimeter
It did not take long to realize that the foundation of most public safety incident handling practices is to, “Establish and secure a perimeter.” This may seem obvious to you, but it is important to realize the safety of human lives is often at stake if this is not done right. When you think about it, almost all public safety, search-and-rescue, and military operations begin with this strategy.
The most obvious example is the fighting of a wildfire. A large percentage of the effort is spent on surrounding the fire and creating a “Dozer line” free of debris to starve the fire. Granted, the firefighters are usually at the mercy of temperature, wind, and humidity. Regardless of the weather, the containment strategy is to surround the fire and work inward to contain it.
You see the same behavior when law enforcement agencies are faced with an act of terrorism. From the Boston Marathon attack to the bombing of the Brussels airport, the response was identical. Establish and secure a perimeter and work inward to determine the scope of the incident and look for suspects.
Sometimes this is really difficult. Consider the disappearance of Malaysia Air Flight MH370 on March 8, 2014. Lacking any reliable telemetry to determine where to search for the aircraft, a primary search area (perimeter) of 23,000 square miles was established. Folks, that is a big perimeter. Regardless, the same rule applied: establish a perimeter and search inward.
I immediately realized the value of this strategy in cyber-attack incident response investigations. In a cyber-attack response, the “perimeter” is almost always network boundaries. Why? If the source of the attack is not an insider, and the attacker(s) do not have physical access to your computing resources, the source of their attack will be an external network. This dynamic is obvious and compelling.
This makes it easy for incident responders to determine where to ‘establish’ a perimeter. It will always be where any external network has a route to your internal network. The first place to look is where your Internet points-of-presence (POP) are located.
Once you know the “scope” of your perimeter, you have to make some quick decisions on whether or not you “secure” it.
In the case of PCI, HIPAA, or other regulated data loss, you really have no choice but to secure the perimeter by shutting down the network segment. In other cases you need to make a hard decision. Do you lock out the intruders by securing the perimeter, or do you monitor it to learn more about the attacker TTP’s?
If you secure the perimeter you tip off the attackers you know of their presence, and you lose the ability to collect additional, often critical, evidence. If you monitor the perimeter you run the risk of watching your precious data head to the Far East.
Here at PacketSled, we are all believers in the “Establish/Secure the perimeter and work inward” strategy when dealing with advanced threat actors. In fact, many of our customers rely on PacketSled network sensors to monitor their network perimeters during high-profile incidents.
Network Visibility is the Key to Establishing a Perimeter
Deploying a PacketSled sensor to establish a perimeter is painless. We have an IR deployment package that can have you up and running in minutes. Provide a SPAN/TAP feed to our sensor(s) and you have perimeter network visibility when you need it most.
Let us show you the value of PacketSled network visibility tools. To arrange a product demonstration or talk IR strategies give us a call.