Based on the 8 Rules of Fight Club, here are eight rules to make sure you are ready for any cyber ring match:
1) You DO NOT talk about the fight ...
Your executive wants updates on the status of the advanced threat in your network.
What NOT to do: Send an email summary to management over the corporate mail system as soon as possible.
What to do: Use out-of-band communication instead of relying on your compromised infrastructure. Threat actors are IN your environment. If they hold mailbox, chat or ticketing access, they can read what you say about them, screenshot your incident discussions and adjust their intrusion tactics accordingly. Assume email, chat and ticketing are readable by the adversary until proven otherwise, and coordinate the response over channels they cannot reach: personal phones, a separate environment stood up for the incident, or in person.
Get help in the ongoing fight against the adversary
2) You DO NOT talk about the fight...until it is over
You found the threat group. Your security team is proud and wants to spread the word.
What NOT to do: Share your findings publicly to enhance public perception through marketing buzz.
What to do: Don't share anything publicly until the fight is completely over. Threat groups monitor the Internet, including vendor blogs and press releases, for any information that will help them hone, tweak and enhance their tactics to avoid detection. Telling them which of their tools and techniques you have spotted tells them what to change.
No matter your weight class, you don't have to brawl alone
3) Someone yells stop, goes limp, taps out, the fight is over
You evict the threat actors, and things seem quiet and calm.
What NOT to do: Go back to business as usual on the assumption that the fight was won and the threat no longer poses a risk to your business.
What to do: Keep monitoring for re-entry attempts. Threat groups are persistent. Often they are willing to stay quiet, play dead and hope that you won't expect a return visit. But they will come back, with a vengeance. Watch in particular for reuse of what you learned during the eviction: the accounts and credentials they used, the hosts and network addresses they operated from, the tools they deployed, and fresh attempts against the initial access vector you closed.
Keep re-entry attempts on the ropes
4) Only 2 to a fight...
Your organization may be collateral damage rather than the intended target. You are the victim of a security breach.
What NOT to do: Assume that the threat group's intent was to steal your company's sensitive data.
What to do: Understand the intent of the threat group so you can choose the right steps to defend against them. Your company could be collateral damage from a threat group targeting someone or something else that is linked or adjacent to your organization, such as a supplier, a customer or a shared service provider. Intent determines what they will come back for and which of your assets actually need protecting first.
The right intel will prepare you for the next punch
5) One fight at a time...
You investigate and learn that there are multiple threat groups inside your network.
What NOT to do: Apply the same remediation tactics to every observed threat group.
What to do: Tailor your response to each group with separate operating procedures; that leads to a more effective eviction. A "one size fits all" approach to eradication and eviction doesn't address the uniqueness of each threat group: they use different access methods, persistence mechanisms and infrastructure, and removing one group's foothold does nothing about another's.
Don't throw a haymaker and hope it lands. Hone your battle strategy
6) No shirt, No shoes, No RATs
You assume that an adversary will need to bring a remote access trojan into your environment.
What NOT to do: Rely solely on your existing malware detection technology.
What to do: Monitor for anomalous user activity. Threat actors frequently leverage legitimate remote access and remote management software, which antivirus treats as benign, to get into and move around the environment. This makes malicious activity much harder to detect because the adversary is masquerading as a legitimate user. Baseline which remote access tools are sanctioned, who may run them, from where and when, and alert on anything that deviates from that baseline.
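Concretely, here is what "monitor for anomalous user activity" and rule 3's "monitor for re-entry attempts" look like as detection logic, as an added example that is not Secureworks code and was not part of the original post. It runs over a constructed set of logon and process events; the tool names, account names, hosts, IP addresses and the business-hours window are assumptions chosen for the illustration.

```python
"""Added example (not Secureworks code): two detections over a constructed event stream.

1. Re-entry: any event that reuses an account or source IP recorded during the eviction.
2. Remote access tool misuse: a sanctioned remote access tool launched by a user who is
   not approved to run it, or launched outside the business-hours window.
All names, addresses and the hours window below are assumed for the illustration.
"""
from dataclasses import dataclass
from datetime import datetime, time
from typing import Iterable


@dataclass(frozen=True)
class Event:
    ts: datetime
    user: str
    host: str
    src_ip: str
    process: str  # image name launched, or "" for a pure logon event


# Constructed sample telemetry (not real logs).
EVENTS = [
    Event(datetime(2024, 5, 6, 9, 15), "alice", "WS-01", "10.0.1.20", "outlook.exe"),
    Event(datetime(2024, 5, 6, 2, 40), "svc-backup", "DC-01", "203.0.113.9", "anydesk.exe"),
    Event(datetime(2024, 5, 6, 10, 5), "bob", "WS-02", "10.0.1.33", "teamviewer.exe"),
    Event(datetime(2024, 5, 6, 14, 22), "it-admin", "WS-02", "10.0.1.5", "teamviewer.exe"),
    Event(datetime(2024, 5, 7, 1, 12), "carol", "WS-03", "198.51.100.7", ""),
]

# Indicators captured during the eviction (assumed). Any reuse is treated as a re-entry
# attempt even if the activity otherwise looks benign.
EVICTED_ACCOUNTS = {"svc-backup"}
EVICTED_SRC_IPS = {"203.0.113.9", "198.51.100.7"}

# Remote access tools that are legitimate here, but only for approved users during business
# hours (assumed policy). Antivirus will not flag these binaries, so the policy is the detection.
REMOTE_ACCESS_TOOLS = {"anydesk.exe", "teamviewer.exe", "screenconnect.clientservice.exe"}
APPROVED_REMOTE_ACCESS_USERS = {"it-admin"}
BUSINESS_HOURS = (time(7, 0), time(19, 0))


def is_business_hours(ts: datetime) -> bool:
    """True when the timestamp's time of day falls inside the business-hours window."""
    start, end = BUSINESS_HOURS
    return start <= ts.time() < end


def reentry_findings(events: Iterable[Event]) -> list[tuple[Event, str]]:
    """Rule 3: flag any event touching an account or source IP tied to the evicted intrusion."""
    findings = []
    for ev in events:
        reasons = []
        if ev.user in EVICTED_ACCOUNTS:
            reasons.append(f"evicted account {ev.user} active again")
        if ev.src_ip in EVICTED_SRC_IPS:
            reasons.append(f"evicted source IP {ev.src_ip} seen again")
        if reasons:
            findings.append((ev, "; ".join(reasons)))
    return findings


def remote_access_findings(events: Iterable[Event]) -> list[tuple[Event, str]]:
    """Rule 6: flag sanctioned remote access tools run by unapproved users or out of hours."""
    findings = []
    for ev in events:
        if ev.process.lower() not in REMOTE_ACCESS_TOOLS:
            continue
        reasons = []
        if ev.user not in APPROVED_REMOTE_ACCESS_USERS:
            reasons.append(f"{ev.user} is not approved to run {ev.process}")
        if not is_business_hours(ev.ts):
            reasons.append(f"{ev.process} launched outside business hours at {ev.ts:%H:%M}")
        if reasons:
            findings.append((ev, "; ".join(reasons)))
    return findings


if __name__ == "__main__":
    for label, found in (("re-entry", reentry_findings(EVENTS)),
                         ("remote access", remote_access_findings(EVENTS))):
        for ev, why in found:
            print(f"[{label}] {ev.ts:%Y-%m-%d %H:%M} {ev.user}@{ev.host} from {ev.src_ip}: {why}")
```

Running it reports four findings: the svc-backup activity is both a re-entry (evicted account and evicted address) and an out-of-hours remote access launch by an unapproved user, carol's logon reuses an evicted address, and bob's TeamViewer launch is by an unapproved user. The it-admin launch at 14:22 passes. In production the watchlists would come from the incident's indicator record and the approved-user set from the identity and asset inventory, and the re-entry watchlist should stay active long after the eviction, not just for the first quiet week.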
Knowing what punches to watch for is half the battle
7) The fight will go as long as it has to...
The threat actor was in and out without you even knowing it. The damage was done by the time you tried to respond. That fight is already over.
What NOT to do: Panic and assume the adversary is still operating in your environment.
What to do: Scope the activity to understand at what point in the fight you are getting involved. Your response changes depending on whether the fight just started, is ongoing or has ended: an active intrusion calls for containment and eviction, while a completed one calls for reconstructing the timeline, assessing what was taken or changed, and closing the door that was used so the next visit does not look the same.
Avoid a sucker punch. Parry evolving strikes in real-time
8) If this is your first night in this type of fight, you have to fight
You are under attack by an advanced threat actor.
What NOT to do: Assume that your normal mitigation plan will be effective.
What to do: Act with urgency and fight rather than assume traditional security controls will keep you safe. What you have found so far may only be the tip of the iceberg: an advanced actor that tripped one control has usually bypassed others quietly.
Knock out the adversary with these insights