After a serious IT security incident is discovered, the priority is to shut it down and recover quickly in a cost-effective manner. However, management will want to find the root of the problem so that they have a place to point the finger, but this is often easier said than done.
Security incidents require a time and labor-intensive investigation to uncover cybercrime techniques and sift through massive amounts of data. Incidents that involve a privileged account prove to be even more challenging as authorized insiders or external hackers who have hijacked credentials can modify or delete logs to cover their tracks.
Sophisticated and well-funded cyber criminals often target privileged accounts because they hold the keys to the kingdom, allowing criminals to steal data on a massive scale, disrupt critical infrastructure and install malware. Under the guise of privileged users, attackers can lurk within systems for months, gaining more and more information and escalating their privileges before they are even discovered.
In addition to deliberate attacks, human error is also a factor to consider during an investigation. For example, an inexperienced administrator may have accidentally misconfigured a core firewall, turning a quick resolution into an overwhelming investigation. IT staff members often use shared accounts such as “administrator” or “root”, making it extremely difficult to determine exactly who did what. With this degree of uncertainty, it is easy to start the blame game between parties.
One way to simultaneously combat the threat of external hackers and human error is to collect relevant and reliable data on privileged user sessions. This allows investigators to easily reconstruct user sessions and can reduce both the time and cost of investigations.
In addition to user session monitoring and management, having an incident management process in place will be critical to ensure quick and effective identification of a threat source.
The Incident Management Process
To identify an incident and respond quickly, organizations need to develop a multi-step management process that they can consistently rely on. For starters, the NIST and the CERT/CC has outlined a step by step process for incident management by ISO 27002. These encourage a consistent approach, especially for those organizations under strict compliance regulations. Businesses are expected to regularly define, and in the case of a security event, execute an incident response procedure. They must establish that they are capable of taking action when critical assets are endangered.
The CERT/CC concept has four components. First, an incident is reported or otherwise detected (detection component). Second, the incident is assessed, categorized, prioritized and is queued for action (triage component). Thirdly, they must conduct research on the incident to determine what has occurred and who is affected (analysis component). Finally, specific actions are taken to resolve the incident (incident response component). Essentially, organizations need to find a process like this that they can implement and reference in the case of a security breach.
Identifying and Acquiring Data Sources
Deep investigations require organizations to first identify and then collect the data in question. This is the first step in any forensic process. Data sources may include security logs, operations logs and remote access logs that have been created on servers. They can also span client machines, operating systems, databases, and network and security devices. Investigations that involve privileged accounts could also include session recordings, or playable audit trails that can be critical in uncovering what has happened.
Once the data is in sight, the analyst must then acquire it. Some log management tools will centrally collect, filter, normalize and store log data from a wide range of sources to simplify the process. For cases involving privilege misuse, data must also be collected from privileged session recordings.
With all the data in hand, it must then be verified to ensure its integrity. This might include protecting against tampering through the use of encrypted, time-stamped and digitally signed data.
Examination and Analysis
During an investigation, each piece of data must be closely examined in order to extract relevant information. By combining log data with session recording metadata, the examination of privileged account incidents can be expedited dramatically.
Once the most critical information has been extracted, the analysis process begins. Through machine learning, organizations can analyze privileged user behavior and detect when behavior falls outside their normal operating parameters. When combined with replayable audit trails showing logins, commands, windows or text entered from any session, this can provide a full picture of the suspicious activity. With all of these elements, analysts can create a full timeline of events for the reporting phase.
Reporting and Resolution
Once all of the data is analyzed, the laborious reporting process can begin. Rapid investigations and the ability to make quick, informed decisions can be challenging and require real-time data about the context of a suspicious event. In these scenarios, access to risk-based scoring of alerts, quick search and easily interpreted evidence can expedite the process.
In today’s fast-moving threat landscape, organizations must have capabilities in place to secure critical assets by managing and monitoring privileged accounts and access. Alongside a robust incident management process, businesses can be prepared for when an incident occurs, and with access to the right data, along with the ability to easily sort through it, they will be empowered to quickly uncover the source of the incident and future-proof systems.