Ever fallen into the trap of the ‘streetlight effect’? Looking for the most obvious things, the factors based on known knowns, without looking past them into the darkness for the hidden or less obvious factors that someone is desperately hoping you won’t see.
Many organisations do exactly that when they analyse the indicators of compromise from a cyber security breach and take action based solely on them, rather than implementing and maintaining good security practices that prepare the organisation for anything, and could prevent or mitigate the impact of an attack in the first place.
That said, analysis of indicators of compromise does serve a purpose. Carrying out forensic analysis of any cyber security incident enables organisations to learn from the incident, and reduce the risk of it happening again.
What are indicators of compromise?
Simply put, indicators of compromise are evidence that a cyber attack took place. Indicators of compromise sit within an organisation’s network for example in system or network logs, and they may even provide information about the tactics, techniques, and procedures (TTPs) used in the attack, or who the perpetrators are.
Some of the most common forms of indicators of compromise include unusual inbound or outbound traffic, unknown files, applications, and processes in the system, anomalies in user account activity, frequent log-ins or log-outs from multiple accounts, increases in database read volumes, unusual DNS requests, unexpected changes to files or systems.
The benefits of analysing indicators of compromise
Monitoring networks for indicators of compromise gives the IT security team eyes on what is happening across the network, either in real time, or forensically. It adds another layer of security beyond firewalls and alerting systems, that could pay off for the organisation. If the network is being monitored in near real time, focussing on indicators of compromise may enable the IT security team to identify an attack close to as it is happening, and prevent it from getting worse.
Ongoing monitoring of indicators of compromise can also help organisations understand where there are weaknesses in their cyber security, especially if the same indicators of compromise are identified again and again. Using this information smartly will enable the organisation to strengthen their defences before an attack occurs.
Indicators of compromise can also contribute to the forensic analysis of a cyber incident. Analysis of the indicators of compromise can add to the overall picture of what happened, provide understanding of weak spots, and identify whether their current monitoring is focussing on the right areas of the network.
Indicators of compromise analysis can also provide actionable threat intelligence both about a particular malware’s behaviours and techniques, and in general, to improve the organisation’s incident response and remediation strategies.
The alternative: A comprehensive cyber security prevention strategy
To borrow yet another old saying, prevention is better than cure, and that is most definitely true when it comes to cyber security.
While analysing indicators of compromise after an attack is a good way to avoid being attacked again, a cyber security prevention strategy that implements and maintains good ongoing security practices will protect an organisation from cyber attack before it happens, saving them the time, money, and reputation points that any cyber attack costs.
Cyber attacks are expensive. The direct costs of a cyber incident include payments to external consultants to discover the extent of the damage, and to work on remediation efforts, costs of buying new, or upgrading software and systems, legal fees, insurance excesses, fines, compensation, and even PR costs.
In addition, there are indirect costs such as loss of revenue while systems are non-operational, or loss of customers who choose to take their business elsewhere due to a breach.
Forensic activity can cost an organisation thousands if not millions of pounds, days, weeks, or even months to get back to normal, and serious reputation points among customers and the market. Some businesses simply never recover from a cyber attack. Isn’t it worth spending the time and money to create a plan that will cost a fraction of that if it will save money in the long run, and possibly even save the business?
Elements of a cyber security prevention strategy
There isn’t a one-size-fits-all solution to an effective cyber security prevention strategy. Every organisation has their own unique circumstances which in turn leads to a unique set of threats and risks. The best cyber security prevention strategies take a layered approach to security, offering defense in depth to the organisation.
However every strategy should consider the following elements:
Risk identification and analysis
The starting point of any cyber security prevention strategy is an understanding of the threats that the organisation faces, and the implications for the organisation if these threats turned into an event. The resulting risk assessment will inform that activity undertaken by the organisation to manage those risks.
Infrastructure protection strategy
Protecting the organisation’s network and infrastructure is integral to a cyber security prevention strategy. Technical solutions such as firewalls, anti-virus programs, additional filters, threat management systems, and more will prevent many attacks from getting a foothold inside the network to launch an attack. Perimeter alerting systems will also give IT security teams early warning in case of a breach.
Internal IT security policies such as segregated networks by area of operation, installing patches in a timely manner, using up to date versions of software, and supported versions of hardware will also reduce the vulnerability of the organisation to attack.
Implement a security culture
Employees are still often the weakest link for any organisation, and social engineering tactics are still a successful entry point for many forms of cyber attack. Educating and supporting employees in the best cyber secure practices, and turning them into security champions will reduce the chance of a breach originating from an employee.
In addition, make sure that cyber security policies are relevant, up-to-date, and understood by all employees to help them safeguard the organisation. A Bring Your Own Device Policy for example sets out how employees should use their phones in the office, or a Password Policy helps them understand how to protect their data.
Backup and disaster recovery strategy
While not entirely about prevention, backup and disaster recovery strategies are also crucial for an effective, ongoing cyber security prevention strategy. Regular backups that are easily accessible in a cyber event, and a functionable, tested disaster recovery plan will enable the organisation to get back on their feet as soon as possible, and will save time, money, and reputation in the event that an attack penetrates other defences.