To help security leaders strategically manage their defensive posture, we have created a framework that spans relevant security layers from the start of an attack to its resolution. When applied, this framework helps organizations:
- Align security layers from end-to-end,
- Assess which security layers are working and which are not,
- Focus on performance metrics that matter,
- Drive resource allocation and investment in the areas that yield the highest risk reduction,
- Reduce the frequency of security incidents and prevent major data breaches.
The framework consists of four critical phases supported by robust intelligence flows.
In this post, we recommend defenses and key performance indicators for Phase 3: Analyze.
Phase 3: Analyze
Once an attack is detected, it needs to be analyzed to determine the best mitigation strategy. The objective of the Analyze phase is to quickly establish sufficient threat context to drive the appropriate next action.
Detected attacks need to be triaged in near real-time to ensure that the threats that pose the most risk are prioritized for analysis. That analysis then needs to extract indicators of compromise (IOCs) and establish sufficient threat context rapidly to disrupt threats before critical systems and data are compromised.
Analysis of spear phishing attacks and the tradecraft delivered requires a combination of human expertise, malware analysis tools, and threat intelligence systems. To rapidly triage spear phishing attacks, threat analysts need to be available 24/7. Malware analysis tools are required to dissect tradecraft delivered via phishing emails and extract indicators of compromise (IOCs) for attack mitigation. Threat analysts should also have access to threat intelligence systems with larger data collections of external attack events, campaigns, targets, and actors to establish more complete attack context and provide adequate situational awareness.
Sample Key Performance Indicators
To manage the Analyze phase and assess effectiveness, consider the following key performance indicators.
Collecting these KPIs from real-world data is ideal; however, capturing KPI data during simulated testing is a viable option.
Time to assess
Once detected, how long does it take to triage attacks and prioritize threat analysis? This indicates how quickly you identify the high-risk threats that require in-depth analysis prior to successful mitigation. Organizations with a low time-to-assess are able to consistently mitigate threats earlier in the attack process, which reduces the impact and cost of the security incidents.
Time to context
Once detected, how long does it take to develop sufficient threat context to effectively mitigate the attack? This is a measure of how long it takes to extract IOCs and provide intelligence on relevant techniques, tactics, and procedures (TTPs) to support complete mitigation of the threat. Lower time-to-context enables faster mitigation by incident responders and reduces the impact of security incidents.
Completeness of context
Does the analysis consistently include all of the information needed to effectively mitigate the threat? The analysis process should have a defined set of information requirements for attacks that warrant in-depth analysis to ensure that threat analysts provide incident responders with the necessary information. Deliverables from threat analysts should be compared to these information requirements to determine a quality rating for completeness of context.
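As an added example (not part of the original post or the PhishLabs framework), the script below computes the three KPIs above from per-incident records: median time-to-assess, median time-to-context, and a completeness-of-context rating scored against an assumed set of information requirements. The incident timestamps and the REQUIRED_CONTEXT items are constructed sample values, not data from the post.

```python
from dataclasses import dataclass, field
from datetime import datetime
from statistics import median

# Assumed information requirements a deliverable must cover before hand-off to responders.
REQUIRED_CONTEXT = {"ioc_hashes", "ioc_domains", "delivery_vector", "ttps", "affected_assets"}

@dataclass
class Incident:
    """Constructed record of one detected spear phishing attack and its analysis."""
    detected: datetime        # detection time (Phase 2 output)
    triaged: datetime         # time the attack was triaged and prioritized
    context_ready: datetime   # time IOCs and TTP context were delivered to IR
    context_fields: set = field(default_factory=set)  # items present in the deliverable

def _minutes(start, end):
    return (end - start).total_seconds() / 60

def time_to_assess(incidents):
    """Median minutes from detection to triage/prioritization."""
    return median(_minutes(i.detected, i.triaged) for i in incidents)

def time_to_context(incidents):
    """Median minutes from detection to sufficient threat context (IOCs + TTPs)."""
    return median(_minutes(i.detected, i.context_ready) for i in incidents)

def completeness(incident):
    """Fraction of required information items present in one deliverable."""
    return len(incident.context_fields & REQUIRED_CONTEXT) / len(REQUIRED_CONTEXT)

def completeness_of_context(incidents):
    """Mean completeness rating, plus how often each required item was missing."""
    ratings = [completeness(i) for i in incidents]
    missed = {f: sum(f not in i.context_fields for i in incidents) for f in REQUIRED_CONTEXT}
    return sum(ratings) / len(ratings), missed

def ts(s): return datetime.fromisoformat(s)
# Constructed sample: three incidents captured during a simulated phishing test.
SAMPLE = [
    Incident(ts("2024-03-01T09:00"), ts("2024-03-01T09:12"), ts("2024-03-01T10:30"),
             {"ioc_hashes", "ioc_domains", "delivery_vector", "ttps", "affected_assets"}),
    Incident(ts("2024-03-01T14:00"), ts("2024-03-01T14:45"), ts("2024-03-01T17:00"),
             {"ioc_hashes", "delivery_vector", "ttps"}),
    Incident(ts("2024-03-02T08:30"), ts("2024-03-02T08:40"), ts("2024-03-02T09:50"),
             {"ioc_hashes", "ioc_domains", "ttps", "affected_assets"}),
]

if __name__ == "__main__":
    avg, missed = completeness_of_context(SAMPLE)
    print(time_to_assess(SAMPLE), time_to_context(SAMPLE), round(avg, 2), missed)
```

The per-item `missed` counts show which information requirements analysts most often fail to deliver, which is the actionable part of the completeness rating.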
Up next in this blog series is “Rapid Mitigation of Spear Phishing Attacks”. The full framework with recommended defenses and example KPIs can be downloaded at http://info.phishlabs.com/the-cisos-guide-to-spear-phishing-defense. A one-page reference card is also available at http://info.phishlabs.com/hubfs/White_Papers/Spear_Phishing_Defense_Framework.pdf.