The traditional response to IT incidents does not work anywhere in the world because each incident is approached as a fire to be extinguished, rather than as a criminal investigation.

The result of this approach, Jason Jordaan, principal forensic analyst at DFIR Labs, told delegates at the ITWeb Security Summit 2019, was that dealing with security breaches had turned into a game of ‘Whack-a-Mole’ – a game the player never won.

“We need to start looking at security incidents differently and take cognisance of the fact that there are three competing stakeholders involved in each event: management, the IT team, and the one most often overlooked – the attackers. Each has a different agenda,” he said.

Management, whose main concern is to keep the company operating and profitable, usually just wants the pain to go away and the incident to be dealt with as quickly as possible; the IT team wants to secure the organisation; and the attackers want to get their hands on the organisation’s data (and sometimes to destroy it), and they are not going to go anywhere until they have achieved their goal.

According to Jordaan, while there is a great deal of technology available to enable the detection of security breaches and incidents, this is seldom used to get to the root of the problem.

Research has shown that the average length of time attackers stay on breached networks before being detected is 93 days. There is little point, therefore, in treating the incident as a fire that has to be put out as quickly as possible.

“After 93 days, they are also likely to have invaded far more parts of the network than the one or two locations that have been identified. Simply pulling the plug on one infected server will do nothing more than alert the attacker to the fact that we know they are there – and they will be able to find another way to get what they want,” he said.

What to do when under attack

“Increase surveillance through enhanced logging,” Jordaan advised.

“Log everything on that machine, monitor everything on that machine. You want to know who that machine is talking to. You want to know what other machines on your network that machine is communicating with, because you need to identify the whole infection.

“Once you start this enhanced logging, you start to see the extent of the rot you are left with. You can see where they are, what they are after and what they are doing. And once you have all this data, you can start getting ready to take them down.

“Don’t pull the plug until you are sure that every infected device has been identified. And then pull the plug on everything, at the same time. Use the intelligence gained through logging to lock them out of your system.

“If you don’t do it right the first time, you will simply be prolonging your pain. The attack might seem to have been stamped out, but like a smouldering fire, it will simply flare up again elsewhere. You have to persuade management to be patient while you do your job – and your job is not to fight fires, but to secure the entire organisation,” Jordaan concluded.
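The scoping step Jordaan describes, using enhanced logging to find every machine the known-infected host has been talking to before pulling the plug on all of them at once, can be worked as a small graph problem over connection logs. The following is an added example and is not code from the article, from Jordaan or from DFIR Labs. It assumes a constructed, simplified log format of "timestamp source destination port" per line, treats any address starting with "10." as an internal host, and includes invented sample log lines; real deployments would read from the SIEM or flow collector instead.

```python
"""Scope an intrusion from connection logs before containment (added example).

Starting from the hosts already known to be compromised, walk the internal
communication graph to find every host that exchanged traffic with them,
and collect the external addresses those hosts reached, so that the whole
set can be isolated in one coordinated action rather than one box at a time.
"""
from collections import defaultdict, deque

# Constructed sample log lines (not real data): "timestamp src dst dport".
SAMPLE_LOGS = """\
2019-05-28T10:00:01 10.0.1.5 10.0.1.20 445
2019-05-28T10:00:07 10.0.1.5 203.0.113.9 443
2019-05-28T10:01:12 10.0.1.20 10.0.2.31 3389
2019-05-28T10:02:45 10.0.2.31 203.0.113.9 443
2019-05-28T10:03:00 10.0.3.8 10.0.3.9 80
2019-05-28T10:04:10 10.0.1.20 10.0.1.5 445
"""

# Assumption for this example: internal hosts live in 10.0.0.0/8.
INTERNAL_PREFIXES = ("10.",)


def parse_logs(text):
    """Parse the assumed log format into (timestamp, src, dst, port) tuples."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split()
        records.append((ts, src, dst, int(port)))
    return records


def build_graph(records):
    """Return an undirected internal adjacency map and a map of external peers."""
    internal = defaultdict(set)   # internal host -> internal hosts it talked to
    external = defaultdict(set)   # internal host -> external addresses it reached
    for _ts, src, dst, _port in records:
        if dst.startswith(INTERNAL_PREFIXES):
            internal[src].add(dst)
            internal[dst].add(src)
        else:
            external[src].add(dst)
    return internal, external


def scope_infection(records, seeds):
    """Breadth-first walk from the known-compromised seeds over internal links.

    Every host reachable through observed traffic is treated as in scope for
    investigation; hosts that never touched the infected set are left out.
    """
    internal, _external = build_graph(records)
    seen = set(seeds)
    queue = deque(seeds)
    while queue:
        host = queue.popleft()
        for peer in internal[host]:
            if peer not in seen:
                seen.add(peer)
                queue.append(peer)
    return seen


def containment_plan(records, seeds):
    """Produce the sets to act on simultaneously: hosts to isolate and
    external addresses to block at the perimeter, with which hosts used them."""
    _internal, external = build_graph(records)
    hosts = scope_infection(records, seeds)
    perimeter = defaultdict(set)
    for host in hosts:
        for addr in external.get(host, ()):
            perimeter[addr].add(host)
    return {
        "isolate_hosts": sorted(hosts),
        "block_external": {addr: sorted(h) for addr, h in perimeter.items()},
    }


if __name__ == "__main__":
    plan = containment_plan(parse_logs(SAMPLE_LOGS), seeds={"10.0.1.5"})
    print("Hosts to isolate together:", plan["isolate_hosts"])
    print("External addresses to block:", plan["block_external"])
```

The walk is deliberately undirected: a host that was contacted by the infected machine and a host that contacted it are both in scope, because either direction can carry lateral movement. Hosts 10.0.3.8 and 10.0.3.9 in the sample never touch the infected set and are left out, while 203.0.113.9 surfaces as an address shared by two in-scope hosts, which is the kind of correlation the logging is meant to reveal before anything is unplugged.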