If you are a security practitioner and haven’t heard about the 80 million personal records lifted from Anthem’s database yesterday you missed some exciting news, both good and bad. Clearly the loss of so many records is bad news and very troubling. However, the good new was that Anthem identified the breach themselves. Even though they caught the breach at the end of the kill chain (see below), they still did catch the breach before the records were exploited or showed up on a cyber underground sale site.

 

Targeted breaches such as Anthem are notoriously difficult to identify and contain, in part because the trade craft for such attacks is specifically designed to avoid traditional detection solutions such as anti-virus and intrusion detection. So as the FBI tries to determine who hijacked these records, the rest of us are trying to figure out why. Although motive, like attribution, is difficult to nail down, motive is a useful data point if you are trying to predict whether your organization is at risk.

 

In the absence of your own security analyst or FBI task force to determine motive or attribution, what can ordinary practitioner do to lower organizational risk?

 

First – Determine if your organization is a possible target

 

Don’t think because you are a smaller or less well know that you are not a target.  Cyber thieves not only desire data they can sell, they need compute power to launch their attacks from, and then need identities they can use to trick their ultimate target into allowing a malicious link or payload into their environment.

 

Who has not recently noticed a strange email from a colleague or friend that upon further inspection is not their legitimate email address? 

 

Second – Learn the kill chain and use it to validate your security strategy

 

Do you collect information from available sources across the kill chain into your SIEM?  The earlier in the kill chain you identify a potential attack, the lower the risk, and the simpler the mitigation. For example:

 

Collecting and reporting on unusual email activity may allow you to catch a recon attempt. An identification of such behavior might lead you to increase logging on high value targets such as privileged accounts, domain controllers, or database servers.

 

Another useful indicator is spikes in network traffic on sensitive segments, or increases in authorized traffic exiting the organization.

 

In the worst case, by evaluating all log sources and ensuring you are collecting across the kill chain – you will empower your IT or security team to conduct forensics or a post incident analysis effectively.

 

Finally – Have an incident response plan

 

It does not need to be elaborate, but executives, marketing, and IT should all know who is going to be the team coordinator, who is going to be the communicator, and who is going to be the decision maker.

 

By following these guidelines you are doing your part to leverage the value in your security investment, and reduce organizational risk.

 

About the kill chain.

The kill chain was originally conceptualized and codified by Lockheed Martin. Today it is used by cyber security professionals in many roles to communicate, plan and strategize how to effectively protect their organization.

 

kill-chain.jpg