Don’t throw the first punch against an adversary unless you have a plan to win.
Security is often top of the agenda when it comes to IT. Keep adversaries out; keep data safe; keep information private; these are key goals for businesses. It is the commonly known and widely accepted best practice. However what happens once a breach is discovered? What should a business do immediately following this discovery? Of course there are many options, but the immediate action to engage an adversary may not yield the output you hope. The best course of action is often to take no action immediately after a breach is discovered because you’re not in a position to fight and win.
You’re breached, so what’s next?
If an adversary is spotted, or unusual behaviour is detected, businesses need to understand the extent of the breach. Taking action prematurely to engage the hacker and try to kick them out will often make things worse. This leads to the question – what do you do? Imagine the physical equivalent: a thief has walked into an office lobby. The office is vast – 20+ floors and thousands of desks. What can the thief access? Nothing – he’s merely looking at the security guards, examining the type of secure entry system and considering how to get further into the building.
If this was the cyber world – it’s possible to see why panicking, acting rashly and throwing the thief out wouldn’t provide any information on who they were and why they were there. The better course of action would be to watch them and learn exactly how are they getting in? What level of access do they have? What are they looking for? How are they moving around? Is there only one of them? Do they have a backup entry plan? It’s by monitoring these behaviours that a business can gain a fuller understanding of who the adversary is and why they’re attacking you in order to gain intelligence not only for this battle but for the imminent one to follow.
What was the access vector?
The physical equivalent here would be the front door, fire escapes and loading bay, but what about the cyber world? Once an adversary has been spotted, it’s important to know how they got to where they are. Was is a spear phishing email with a malicious attachment? Scan and exploit? Strategic web compromise? Credential abuse? If a security events triggers on your domain controller, the intrusion didn’t start there. It’s vital during an incident response engagement to conduct a root cause analysis and understand how the adversary breached the network. Otherwise, what’s stopping them from coming in again using the same mechanism and doubling the cost of the response effort? Don’t forget that the way an adversary is caught entering a network is often not the way they first broke in. All security holes need to be shut simultaneously to prevent re-entry.
The waiting game is counter intuitive and isn’t well known outside of seasoned security professionals. It’s important to recognise where an adversary is caught you’re only looking at the tip of the iceberg. You don’t want to make the same mistake as the Titanic and underestimate the size and power of the threat you’re taking on. This means waiting and watching to learn about the hackers so you can build and execute a custom containment and eradication plan. Learning not just what and how the adversary operates, but who they are and why they are coming after the business better prepares you for the next attack. Yes, there will be a next attack and if it’s not seen, it’s been missed.
When to stop an adversary
This answer depends the businesses willingness to apply a long-term strategy against an adversary who is already applying one. The breached organisation is playing a chess match and need to be thinking multiple moves ahead just like the opponent. Adversaries are willing to sacrifice malware, command and control servers, and stolen credential as long as they’re able to seek their objective in the end. Defenders must be willing to do the same. As long as the adversary is far enough away from the organization’s crown jewels security professionals should continue to watch and learn. It is only when they get too close and there is no choice but to engage that this should be done. Be prepared for the hand to hand combat that may pursue if the company is not prepared to ensure a successful eviction.
Is the advice really do nothing?
Quite the contrary. Feverish work will be taking place in the background to scope the intrusion and identify how many threats are in scope, how they got in, and how they are operating. Take advantage of the case where the intruder is in the lobby to learn as much as possible about who they are and what task they seek to complete. Keep in mind that the adversary will want to know what is known about them so don’t communicate where they can hear or see exploratory defensive activity. The better prepared an organisation is ahead of time the faster and cheaper it will be to contain and eradicate the intruders. So again, it’s not that nothing is being done. The activity is waiting and watching sin order to answer key questions that will allow a successful eviction, prevent re-entry, and be prepared for the next breach.