In combating a targeted attack on your network, early detection and rapid response are both critical. Cybersecurity experts accept the strong possibility that criminals will be able to enter their network at some point or other, and in this context the issue becomes less about keeping them out and more about detecting them and taking remedial action as soon as their presence is discovered.
This is according to a recent report from global cybersecurity company RSA.
Anton Jacobsz, managing director at value-added distributor, Networks Unlimited, which distributes RSA products and solutions in Africa, comments, “The report from RSA Incident Response Services notes that, once detected, rapid response is needed to mitigate the potential damage and prevent them from achieving their objectives. RSA’s Advanced Cyber Defense (ACD) services for Incident Response enable organisations to prepare for security incidents without having to accept the inevitability of loss.”
The report outlines the comprehensive forensic analysis framework in the RSA approach to threat response and mitigation, noting that the response process ‘…takes into consideration data from multiple sources including in-house systems, open source research, “RSA Live” threat intelligence and the customer’s threat intelligence sources.’
The approach taken combines network analysis, host forensics, threat intelligence harvesting and malware analysis, as follows:
- Network analysis: Data from packets and logs collected by RSA NetWitness is used to identify suspicious or risky communications.
- Host forensics: Executables, files and libraries are examined to identify unauthorised services and processes deployed by the attacker and running on endpoints.
- Threat intelligence: Research is conducted to gain insights about the attack infrastructure, tools and techniques, which is particularly helpful in gaining insight about threat actors that are persistently targeting the organisation.
- Malware analysis: Malware tends to be relatively small in terms of file size, which helps the attackers to avoid detection. Malware analysis allows an incident response team to develop blocking techniques and make the organisation more resilient.
Jacobsz concludes, “Attackers do leave clues to their presence, and analytic intelligence, as offered by RSA, is key in being able to offer early detection and rapid response. Ongoing analysis and threat intelligence further allow an organisation to bolster its defences into the future.”