To help security leaders strategically manage their defensive posture, we have created a framework that spans relevant security layers from the start of an attack to its resolution. When applied, this framework helps organizations:
- Align security layers from end-to-end,
- Assess which security layers are working and which are not,
- Focus on performance metrics that matter,
- Drive resource allocation and investment in the areas that yield the highest risk reduction,
- Reduce the frequency of security incidents and prevent major data breaches.
The framework consists of four critical phases supported by robust intelligence flows.
In this post, we recommend defenses and key performance indicators for Phase 4: Mitigate.
Phase 4: Mitigate
Armed with IOCs and context, appropriate steps should be taken to eradicate the threat. The objective of the Mitigate phase is to disrupt the attack progress and completely remove the adversary’s presence within the environment.
Further steps should also be taken to investigate and disrupt the adversary’s infrastructure outside of your environment, such as command and control systems. This infrastructure is most often hosted on legitimate systems that the adversary has compromised for use in attack campaigns. As such, those systems can often be shut down to further degrade the adversary's attack capabilities. The infrastructure can also be examined and monitored to source high-value intelligence.
In addition to intelligence from the Analyze phase, effective mitigation requires an incident response plan, incident responders, and the application of appropriate forensics tools. Organizations should have an incident response plan in place that has specific steps to address incidents that involve spear phishing, such as immediately working to identify all users exposed to the email as part of the initial scoping of the incident. Organizations should also ensure that they have adequate access to incident responders, either on staff or under a retainer agreement with an incident response firm.
Intelligence from analyzing the tradecraft and associated threat context should be incorporated into network and host forensics tools to find all IOCs present within the environment. Many experienced incident responders prefer a “close all doors at once” tactic for removal instead of remediating systems as they are found. With this tactic, responders wait until all instances of adversary presence are discovered, and then remove all tradecraft and remediate all vulnerabilities in a single effort.
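One way to carry out the initial scoping step described above (identifying every user exposed to the email) using the IOCs handed over from the Analyze phase, as an added Python example that is not from the original post or from PhishLabs; the log format, IOC values, hash and addresses are constructed placeholders:

```python
import re
from collections import defaultdict

# Constructed IOCs standing in for the Analyze-phase hand-off (placeholders, not real indicators).
LURE_HASH = "0" * 64
IOCS = {"from": {"invoice@acme-billing-portal.example"},
        "url_host": {"acme-billing-portal.example"},
        "sha256": {LURE_HASH}}

# Constructed mail-gateway log in an assumed key=value format (not a real product's).
MAIL_LOG = f"""\
2024-03-04T08:01:12Z msgid=m1 from=invoice@acme-billing-portal.example to=alice@corp.example url=https://acme-billing-portal.example/pay sha256=-
2024-03-04T08:01:13Z msgid=m1 from=invoice@acme-billing-portal.example to=bob@corp.example url=- sha256=-
2024-03-04T08:02:09Z msgid=m2 from=billing@other.example to=carol@corp.example url=- sha256={LURE_HASH}
2024-03-04T08:03:40Z msgid=m3 from=newsletter@vendor.example to=dave@corp.example url=https://vendor.example/news sha256=-
"""

KV = re.compile(r"(\w+)=(\S+)")  # everything after the timestamp is key=value pairs

def ioc_hits(rec):
    """Return the IOC types one delivery record matches (empty set if none)."""
    hits = set()
    if rec.get("from") in IOCS["from"]:
        hits.add("from")
    url = rec.get("url", "-")
    if url != "-":
        host = re.sub(r"^https?://", "", url, flags=re.I).split("/")[0].lower()
        if host in IOCS["url_host"]:
            hits.add("url_host")
    if rec.get("sha256") in IOCS["sha256"]:
        hits.add("sha256")
    return hits

def scope_exposed_users(log_text):
    """Map each exposed recipient to the IOC types implicating the message they received.
    Hits are pooled per msgid, so every recipient of a matching message is exposed even
    if their own delivery record carries no indicator (e.g. a URL the gateway did not log)."""
    by_msg = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            rec = dict(KV.findall(line.partition(" ")[2]))
            by_msg[rec["msgid"]].append(rec)
    exposed = {}
    for records in by_msg.values():
        hits = set().union(*(ioc_hits(r) for r in records))
        if hits:
            for r in records:
                exposed.setdefault(r["to"], set()).update(hits)
    return exposed
```

Running `scope_exposed_users(MAIL_LOG)` lists alice, bob and carol as exposed; bob is included through the message-level pooling even though his own record shows only the sender indicator.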
Sample Key Performance Indicators
To manage the Mitigate phase and assess its effectiveness, consider the following key performance indicators.
Collecting these KPIs from real-world data is ideal; however, capturing KPI data during simulated testing is a viable option.
Note: Incident response is a mature security discipline with a wide range of KPIs recommended by standards organizations such as NIST, ISO/IEC, and others. The suggestions below reflect those frequently used in practice.
Time to contain
How long does it take to contain the threat and therefore prevent further compromise? A low time-to-containment limits the cost and overall impact of a security incident.
Time to eradicate
How long does it take to remove all instances of an adversary’s presence in the environment? With persistent adversaries, this can be difficult, as they always seek to maintain a discreet foothold from which they can resume their attack once conditions return to normal.
Cost per incident
What is the average cost to the organization of experiencing and responding to this kind of security incident? The cost of an incident is often a function of the scope, duration, and sophistication of the adversary. A lower cost per incident indicates improvement in containing and removing threats. There are many models available for assessing the various hard and soft costs associated with a security incident. See CERT for examples: https://www.cert.org/incident-management/csirt-development/resources-incident-handling-cost-models.cfm.
Up next in this blog series is “Spear Phishing Attack Intelligence”.
The full framework with recommended defenses and example KPIs can be downloaded at http://info.phishlabs.com/the-cisos-guide-to-spear-phishing-defense. A one-page reference card is also available at http://info.phishlabs.com/hubfs/White_Papers/Spear_Phishing_Defense_Framework.pdf.