Your 5 Item Cyber Readiness Checklist – Chuck Leaver

Presented by Chuck Leaver, Chief Executive Officer Ziften Technologies, Written By Dr Al Hartmann

1. Security Operations Center (SOC).

You have a Security Operations Center established with 24/7 coverage, either in-house, outsourced, or both. You do not want any gaps in coverage that could leave you open to infiltration. Handovers must be formalized by watch supervisors, with suitable handover reports supplied. The manager provides a daily summary covering any attack detections and defensive countermeasures. Where possible, the attackers should be distinguished by C2 infrastructure, attack methodology, etc., and assigned codenames. You are not attempting to attribute attacks here, as that would be too difficult, but simply tracking the activity patterns that correlate with different attackers. Your SOC must familiarize itself with these patterns and be able to differentiate known attackers and spot new ones.
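As an added example (not code from the original post), a small Python routine that does the grouping this item describes: detections sharing any C2 indicator are linked into one cluster, each cluster gets a codename in order of first sighting, and its profile (detections, C2, tooling) is what the SOC learns to recognise. The detection records and the codename list are constructed assumptions.

```python
"""Group SOC detections into attacker clusters by shared C2 infrastructure and
assign each cluster a codename. Added example, not code from the original post;
the detections below are constructed sample data."""
from collections import defaultdict

# Constructed detections: the C2 indicators and tooling each one exhibited.
DETECTIONS = [
    {"id": "det-1", "c2": {"198.51.100.7", "cdn-update.example"}, "tool": "loader-a"},
    {"id": "det-2", "c2": {"198.51.100.7"}, "tool": "loader-a"},
    {"id": "det-3", "c2": {"203.0.113.9"}, "tool": "rat-x"},
    {"id": "det-4", "c2": {"cdn-update.example", "203.0.113.40"}, "tool": "dropper-b"},
    {"id": "det-5", "c2": {"203.0.113.9"}, "tool": "rat-x"},
]
# Codenames are handed out in order of first sighting so they stay stable as
# new detections arrive (arbitrary names; an assumption, not a convention).
CODENAMES = ["COBALT", "SAFFRON", "INDIGO", "UMBER", "OCHRE"]


def _find(parent, x):
    # Union-find root lookup with path halving.
    while parent[x] != x:
        parent[x] = parent[parent[x]]
        x = parent[x]
    return x


def cluster_attackers(detections):
    """Link detections that share any C2 indicator; return {codename: profile}.
    This is activity-pattern tracking, not attribution to a real-world actor."""
    parent = {d["id"]: d["id"] for d in detections}
    owner = {}  # indicator -> id of the detection that first used it
    for d in detections:
        for indicator in sorted(d["c2"]):
            if indicator in owner:
                a, b = _find(parent, owner[indicator]), _find(parent, d["id"])
                if a != b:
                    parent[b] = a  # merge this detection's cluster into the earlier one
            else:
                owner[indicator] = d["id"]
    groups = defaultdict(list)
    for d in detections:  # input order => clusters ordered by first sighting
        groups[_find(parent, d["id"])].append(d)
    profiles = {}
    for name, members in zip(CODENAMES, groups.values()):
        profiles[name] = {
            "detections": [m["id"] for m in members],
            "c2": sorted(set().union(*(m["c2"] for m in members))),
            "tools": sorted({m["tool"] for m in members}),
        }
    return profiles
```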

2. Security Vendor Support Readiness.

Your security staff cannot know every aspect of cyber security, nor have visibility of attacks on other organizations in the same industry. You need external security support teams on standby, which could consist of the following:

(i) Emergency response team support: a short list of vendors that will respond to the most severe cyber attacks, the kind that make headlines. Ensure that one of these vendors is ready for a major incident and that they receive your cyber security reports on a regular basis. They should have legal forensic capabilities and working relationships with law enforcement.

(ii) Cyber threat intelligence support: a vendor that gathers cyber threat intelligence in your vertical, so that you can get ahead of the threats emerging in your sector. This group should be plugged into the dark net, looking for any indications of your organization's IP being discussed, or chatter between attackers about your organization.

(iii) IoC and blacklist support: since this spans several areas, you will need multiple vendors. It includes domain blacklists, SHA1 or MD5 blacklists, IP blacklists, and indicators of compromise (suspect configuration settings, registry keys and file paths, etc.). Some of your deployed network or endpoint security services may offer these, or you can appoint a third-party specialist.

(iv) Reverse engineering support: a vendor that specializes in analyzing binary samples and provides in-depth reports on their content, the threat they pose, and the malware family. Your current security vendors may provide this service, or you may need a specialist that concentrates on reverse engineering.

(v) Public relations and legal support: if you suffer a major breach, make sure that public relations and legal support are in place, so that your CEO, CIO and CISO do not end up as a Harvard Business School case study in how not to handle a major cyber attack.

3. Asset inventory, classification and defense readiness.

Make sure that all of your cyber assets are inventoried, their relative value classified, and value-appropriate cyber defenses enacted for each asset class. Do not rely solely on the assets known to the IT team; enlist a business unit sponsor for asset identification, especially for assets hidden in the public cloud. Also ensure that key management procedures are in place.

4. Attack detection and diversion readiness.

For each of the major asset categories, you can create replicas using honeypot servers to lure attackers into infiltrating them and revealing their attack methods. When Sony was breached, the attackers found a domain server holding a file named 'passwords.xlsx' that contained cleartext passwords for the company's servers. This is a great ruse to copy: place such lures in tempting locations and alarm them, so that any access triggers an alert immediately and you have an immediate attack intelligence system in place. Modify these lures regularly so that they appear active and do not look like an obvious trap. Since many servers are virtual, attackers will be less prepared with sandbox evasion techniques than they are on client endpoints, so you may be lucky and actually watch the attack unfold.
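One way to alarm such a lure, as an added example that is not part of the original post: a Python monitor that baselines a planted file's timestamps and content hash, reports any read, modification or deletion, and refreshes the lure so it keeps looking active. The lure path is whatever the caller passes in and the alert sink is simply the returned list; both are assumptions.

```python
"""Alarm a lure file (e.g. a planted passwords.xlsx) so any access is reported.
Added example, not code from the original post; the alert sink is simply the
returned list, and the lure path is whatever the caller passes in."""
import hashlib
import os


def snapshot(path):
    """Record the lure's metadata and content hash without leaving our own
    fingerprints on it."""
    st = os.stat(path)
    with open(path, "rb") as f:
        digest = hashlib.sha256(f.read()).hexdigest()
    # Hashing just read the file, which advances atime; put the timestamps
    # back so the monitor's own checks never trip the alarm.
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return {"atime_ns": st.st_atime_ns, "mtime_ns": st.st_mtime_ns,
            "size": st.st_size, "sha256": digest}


def check_lure(path, baseline):
    """Compare the lure against its baseline; return alarm strings (empty = quiet).

    Caveat: on a volume mounted noatime a plain read never updates atime, so
    the read alarm must come from file-access auditing instead; the content
    and deletion alarms still work."""
    if not os.path.exists(path):
        return [f"{path}: lure removed"]
    now = snapshot(path)
    alarms = []
    if now["atime_ns"] > baseline["atime_ns"]:
        alarms.append(f"{path}: read (atime advanced)")
    if now["sha256"] != baseline["sha256"]:
        alarms.append(f"{path}: content modified")
    elif now["mtime_ns"] != baseline["mtime_ns"]:
        alarms.append(f"{path}: timestamps touched without content change")
    return alarms


def refresh_lure(path):
    """Touch the lure so it looks recently used (the post's advice to modify
    lures regularly), then return the new baseline to compare against."""
    os.utime(path, None)  # sets atime and mtime to now
    return snapshot(path)
```

Run `check_lure` from a scheduled job or a file-system watcher and route non-empty results to the SOC alert queue.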

5. Monitoring readiness and continuous visibility.

Network and endpoint activity must be monitored continuously and made visible to the SOC team. Because many client endpoints are mobile and therefore outside the organization's firewall, activity at these endpoints must also be monitored. Endpoint monitoring is the only certain way to perform process attribution for monitored network traffic, because protocol fingerprinting at the network level cannot always be relied upon (attackers can spoof it). Monitored data must be preserved and archived for future reference, since many attacks cannot be recognized in real time. You will need to rely on metadata more often than on full packet capture, because the latter imposes a substantial collection overhead. Nevertheless, dynamic, risk-based monitoring controls can offer a low collection overhead while still responding to significant threats with more granular observations.
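An added example (not code from the original post) of the process attribution this item calls for: constructed network flow records are joined to constructed endpoint socket events by host and source port, and a flow is flagged when the endpoint names a process that should not be speaking the protocol the network sensor guessed, or when there is no endpoint telemetry at all. The log formats and the process allow-list are assumptions.

```python
"""Attribute monitored network flows to the endpoint process that opened them
and flag flows whose network-level protocol guess does not fit that process.
Added example, not code from the original post; the log formats and the
process allow-list are constructed assumptions."""
from datetime import datetime

# Constructed flow records from a network sensor, which can only guess protocol.
FLOWS = [
    {"ts": "2016-03-01T10:00:05", "host": "lt-17", "sport": 51234, "dst": "93.184.216.34:443", "proto": "tls"},
    {"ts": "2016-03-01T10:00:09", "host": "lt-17", "sport": 51250, "dst": "198.51.100.7:443", "proto": "tls"},
    {"ts": "2016-03-01T10:02:00", "host": "lt-17", "sport": 51300, "dst": "203.0.113.9:53", "proto": "dns"},
    {"ts": "2016-03-01T10:03:10", "host": "lt-22", "sport": 40001, "dst": "203.0.113.9:443", "proto": "tls"},
]
# Constructed endpoint socket events: which process bound which local port, when.
ENDPOINT_EVENTS = [
    {"ts": "2016-03-01T10:00:04", "host": "lt-17", "pid": 4120, "image": "chrome.exe", "sport": 51234},
    {"ts": "2016-03-01T10:00:08", "host": "lt-17", "pid": 7781, "image": "notepad.exe", "sport": 51250},
    {"ts": "2016-03-01T10:01:58", "host": "lt-17", "pid": 9002, "image": "powershell.exe", "sport": 51300},
]
# Processes expected to speak each protocol (site policy; assumption).
EXPECTED = {"tls": {"chrome.exe", "firefox.exe", "outlook.exe"}, "dns": {"svchost.exe"}}


def attribute_flows(flows, events, window_s=5):
    """Join each flow to the latest endpoint socket event on the same host and
    source port within window_s seconds before it. Verdicts: ok, mismatch
    (process not expected for that protocol) or unattributed (no endpoint
    telemetry, e.g. an unmonitored mobile host)."""
    results = []
    for f in flows:
        t = datetime.fromisoformat(f["ts"])
        candidates = [e for e in events
                      if e["host"] == f["host"] and e["sport"] == f["sport"]
                      and 0 <= (t - datetime.fromisoformat(e["ts"])).total_seconds() <= window_s]
        match = max(candidates, key=lambda e: e["ts"], default=None)  # latest bind wins
        if match is None:
            verdict = "unattributed"
        elif match["image"] in EXPECTED.get(f["proto"], set()):
            verdict = "ok"
        else:
            verdict = "mismatch"
        results.append({"host": f["host"], "dst": f["dst"], "proto": f["proto"],
                        "image": match["image"] if match else None, "verdict": verdict})
    return results


def needs_review(results):
    """Flows the SOC should look at: anything not cleanly attributed and expected."""
    return [r for r in results if r["verdict"] != "ok"]
```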

 

~leaverchuck1

