With the constantly evolving nature of most threats, it can be difficult to address every incident and alert that occurs in your environment. Effective incident response requires effective methods of prioritization, that is, one must decide which alerts to focus on and in which order. In general, we’ve relied on a few standard methods of prioritization. However, each of these methods has their flaws. The primary methods (and their drawbacks) include the following:
– Time – In time-based prioritization, we address the most recent incidents first, letting older ones fall to the bottom of the stack – similar to how emails pile up in your inbox. But the reality is that things happening now aren’t always more important than things that happened a week ago. Missing last week’s incident because you were focusing on today’s alert could result in a compromised system.
– Target – At first glance, this one seems to make the most sense – focus on the assets that are most valuable to the organization. In reality, the assets that are most important to you are not necessarily the ones that are most important to an attacker. In general, attackers value your assets in the context of an attack – not in the context of your business. An asset that you may deem “low value” can be the stepping-stone in the path of an attack. So while you’re busy guarding the vault, the attacker could be walking in through the side gate, preparing for a breach. In one well-publicized attack, the intruder used a vulnerability in the organization’s vacation scheduler to gain access to sensitive client financial data – the seemingly “low value” program providing the gate to the attacker’s goal.
– Data source – We are routinely making one of two opposing errors when we prioritize based on the credibility of the data source. The first error is to treat all alerts equal regardless of the source. But this generally leads to never-ending context switching and wild goose chases – trying to track down every event reported by every source. The second, a more common, but equally problematic approach is to assign static levels of priority to your data sources, regardless of context. This approach fails because in most implementations, each data source lacks the context another might provide – and all of them lack business context.
Why effective prioritization is your best friend
If prioritization based on time, target, or data source contains potentially fatal flaws, then how do you build an effective prioritization approach? As any chess expert knows, the best defense is always based on understanding your attacker’s strategy. When we start mapping our efforts to the attacker’s infiltration steps (known as the cyber kill chain), we can determine where to focus our time. In this case, keeping our attention on the activities towards the end of the cyber kill chain can be a better use of time.
Overview of the cyber kill chain
The “cyber kill chain” is a sequence of stages required for an attacker to successfully infiltrate a network and exfiltrate data from it. Each stage demonstrates a specific goal along the attacker’s path. Designing your monitoring and response plan around the cyber kill chain model is an effective method because it focuses on how actual attacks happen. Considered in the context of network intrusions, the kill chain process is as follows:
The cyber kill chain defense method allows you to create a prioritization strategy that avoids the pitfalls of a time-, asset-, or data source-based approach. By thinking like an attacker, you can target assets that are truly at risk (whether or not they are considered “valuable” from a business perspective). Vulnerability-based models fall apart in comparison because they focus on the perceived weakness in the infrastructure without any proof that those weaknesses are of value to an attacker.
Mapping security controls and procedures to each stage of the kill chain will allow you to develop very detailed, result-oriented security procedures. By explicitly breaking down attacks based on their intended goals, the cyber kill chain method moves away from the “one signature/one attack” mentality that plagues other security monitoring models. More importantly, this moves us away from the redundant perimeter model (that has collapsed in the modern threat landscape) and into a more organic threat lifecycle that operates throughout the infrastructure.
Which category of alarms should you look at first?
AlienVault has 1700+ event correlation rules in our threat intelligence subscription – each alarm is triggered by an event correlation rule. In terms of security exposure, the most critical events will be in the System Compromise category. Once a system has been compromised, an attacker may have gained a foothold into your network. This may be a contained incident and only apply to one system. However, in most cases, this is just the tip of the iceberg.
So when viewing all of your alarms, you may want to begin with those that are the most critical; typically, this would be signaled by the System Compromised intent.
In general, keep these tips in mind:
– For each incident, ask yourself these questions: “How close to a successful breach is this?” and “How close are the attackers to their goal?”
– Move away from “a first-in-first-out” pipe model. Look at each event in the context of other events as well as the context of what an attacker’s goal or intent might be.
– Use the context of your environment and business model to surmise what the intent of the attacker is, and use the reporting source of the event to further refine prioritization efforts.
– Establish the reliability of the data source based on the full context of what it is reporting.
Aligning Security and Business Processes
Attacks are typically based on the structure and process of your business, thus your response should be based on that same structure and process. Knowing that someone from accounting has been logging into a source code server every weekend can be more useful than a single alert for an individual exploit. The intuitive alarm taxonomy in AlienVault provides you with the necessary context for each alarm and helps you effectively prioritize for incident response.
By Lauren Barraco, Product Manager, AlienVault
AlienVault is the champion of mid-size organisations that lack sufficient staff, security expertise, technology or budget to defend against modern threats. Its Unified Security Management (USM) platform provides all of the essential security controls required for complete security visibility and is designed to enable any IT or security practitioner to benefit from results on day one. Powered by the latest AlienVault Labs Threat Intelligence and the Open Threat Exchange—the world’s largest crowd-sourced threat intelligence exchange—AlienVault USM delivers a unified, simple and affordable solution for threat detection and compliance management. AlienVault is a privately held company headquartered in Silicon Valley and backed by Trident Capital, Kleiner Perkins Caufield & Byers, GGV Capital, Intel Capital, Sigma West, Adara Venture Partners, Top Tier Capital and Correlation Ventures.