Recently I was having a discussion about the importance of ensuring that proper context, relevance and intelligence are provided when performing analysis of cyber-related activities. Fortunately for me, a few days later this article was published. While the article makes for a very interesting read, the quote I like the most is “Network defenders who rely solely on lists of assets to protect are running a fool’s errand.”
As cyber security professionals, our responsibilities start with first identifying the business’s critical assets, not with identifying the next new shiny technology or tool. Once we identify and understand our critical assets, then we identify the technologies which may help the business protect and secure those assets. Once we have cleared those two hurdles, making the best use of the technology and securing the business and its assets goes beyond just the technology.
Most of the tools you will use will generate some type of event which may result in an alert. The question is: when you get that alert, what do you do next? Do you simply accept that alert and decide whether to act or not? What is the context of the alert? What about relevance? Is the message which is generated relevant to your environment? Is the alert seen across one or more of your tools? Do you have full packet capture to look into the payload to ensure clarity? What additional intelligence do you have to support your conclusion? The point here is to ensure that you have as much data and intelligence as possible, from as many sources as possible. It is very important that we understand that the sources of intelligence can be one or more blacklists of bad IPs, domains or URLs. It can be end users who detected something of concern. It could be a business partner. It can be vulnerability data. It can be … well, you get the message. It can come from anywhere. However, no matter where it comes from, make sure it is relevant to your environment and identify the context within which it relates to your environment.
Ultimately, as a result of the alerts received from your tools, you should have only one of two end results. You should either be tuning out the alert if it is a false positive, or acting on it (take the host off the network, take a memory dump for later analysis, wipe, run antivirus, perform live analysis, etc.) if it is a true positive. There should be no instance in which you simply ignore the message; it will do neither you nor the business any good.
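To make the triage questions above concrete, here is an added example (not from the original post) that enriches each alert with the context the post asks for: does it touch a critical asset, does external intelligence agree, is the target actually vulnerable to what the alert describes, and do several tools corroborate it. The asset list, blocklist, vulnerability data and alerts are all constructed, and the third outcome, `investigate`, is my addition for the case where the context is too thin to choose between tuning out and acting without pulling more data such as full packet capture.

```python
from dataclasses import dataclass
from typing import Dict, List, Set

# Constructed sample environment (not real infrastructure):
CRITICAL_ASSETS: Set[str] = {"10.0.5.20"}                 # e.g. the payments database host
INTEL_BAD_IPS: Set[str] = {"203.0.113.7"}                 # one entry from a hypothetical blocklist
VULN_DATA: Dict[str, Set[str]] = {"10.0.5.20": {"smb"}}   # host -> services known to be vulnerable

@dataclass(frozen=True)
class Alert:
    tool: str       # sensor that raised it (IDS, EDR, proxy, ...)
    src_ip: str
    dst_ip: str
    service: str
    signature: str

def enrich(alert: Alert, all_alerts: List[Alert]) -> Dict[str, object]:
    """Answer the post's context questions for one alert."""
    same_flow = {a.tool for a in all_alerts
                 if (a.src_ip, a.dst_ip) == (alert.src_ip, alert.dst_ip)}
    return {
        "critical_asset": alert.dst_ip in CRITICAL_ASSETS,      # touches what we must protect?
        "intel_match": alert.src_ip in INTEL_BAD_IPS,           # external intelligence agrees?
        "vuln_relevant": alert.service in VULN_DATA.get(alert.dst_ip, set()),  # target exposed?
        "tools_seen": sorted(same_flow),                         # corroborated by more than one tool?
    }

def triage(context: Dict[str, object]) -> str:
    """'act' or 'tune' as the post demands; 'investigate' means pull more data (e.g. PCAP) first."""
    score = sum([
        bool(context["critical_asset"]),
        bool(context["intel_match"]),
        bool(context["vuln_relevant"]),
        len(context["tools_seen"]) > 1,
    ])
    if score >= 2:
        return "act"
    if score == 0:
        return "tune"
    return "investigate"

# Constructed alerts: two tools flag the same flow against the critical host, plus one unrelated hit.
SAMPLE_ALERTS = [
    Alert("ids", "203.0.113.7", "10.0.5.20", "smb", "SMB exploit attempt (constructed)"),
    Alert("edr", "203.0.113.7", "10.0.5.20", "smb", "suspicious process on host (constructed)"),
    Alert("ids", "198.51.100.9", "10.0.9.42", "http", "scanner user-agent (constructed)"),
]

def triage_all(alerts: List[Alert]) -> Dict[str, str]:
    return {f"{a.tool}:{a.src_ip}->{a.dst_ip}": triage(enrich(a, alerts)) for a in alerts}
```

Running `triage_all(SAMPLE_ALERTS)` marks both corroborated alerts against the critical host as `act` and the lone scanner hit against a non-critical host as `tune`; an alert on the critical host with no other supporting context comes back as `investigate`.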