When malware passes through the perimeter and internal network controls, it's going to land on something. That something is most often some sort of endpoint, whether a server or a user machine.
When malware lands on an endpoint as a result of a broad, blind attack, the attacker most likely won't know what machine it's on, what privileges it has, or where it can easily move laterally. For some destructive attacks this isn't important, but for many attackers, establishing that basic information is.
You'll never know how long you'll have before an attacker goes to work or what actions they'll take. But there are some actions they'll need to take to exploit their position. Many of these are noisy and easily alerted upon... if you are looking for them.
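As an added illustration of "noisy and easily alerted upon" (this is example code, not from the original post), the detector below scans process-creation events for the kind of discovery commands an attacker runs to learn what machine they are on, what privileges they have, and where they might move next, and raises an alert when one host runs several distinct categories of them in a short window. The log format, the hostnames and user names, the five-minute window and the threshold of three categories are all constructed assumptions for illustration.

```python
"""Toy detector for the noisy post-compromise discovery the post describes.

Added example, not code from the original post. It scans constructed
process-creation log lines for a burst of common local/network discovery
commands from a single host. Log format, hosts, users, window and threshold
are assumptions chosen for illustration.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Commands commonly run to answer "what machine am I on, what privileges do I
# have, where can I go next"; the category names are our own labels.
DISCOVERY_COMMANDS = {
    "whoami": "identity/privileges",
    "hostname": "machine identity",
    "ipconfig": "network position",
    "systeminfo": "machine profile",
    "net view": "reachable hosts",
    "net group": "domain groups",
    "nltest": "domain trust",
}

# Constructed sample events, one per line: "timestamp|host|user|command line".
SAMPLE_LOG = """\
2024-05-01T09:00:01|WS-042|alice|C:\\Windows\\System32\\whoami.exe /all
2024-05-01T09:00:05|WS-042|alice|hostname
2024-05-01T09:00:09|WS-042|alice|ipconfig /all
2024-05-01T09:00:30|WS-042|alice|net view /domain
2024-05-01T09:01:10|WS-042|alice|net group "Domain Admins" /domain
2024-05-01T09:02:00|WS-042|alice|nltest /dclist:corp
2024-05-01T09:05:00|WS-017|bob|ipconfig /all
2024-05-01T10:30:00|WS-017|bob|hostname
"""


def classify(command_line: str):
    """Return the discovery category for a command line, or None if it is not one."""
    cl = command_line.lower()
    # Normalise the executable name: drop any path and a trailing .exe.
    exe = cl.split()[0].rsplit("\\", 1)[-1]
    if exe.endswith(".exe"):
        exe = exe[:-4]
    rest = cl.split(None, 1)[1] if " " in cl else ""
    # "net" is only interesting with a subcommand, e.g. "net view" or "net group".
    if exe == "net":
        sub = rest.split()[0] if rest else ""
        return DISCOVERY_COMMANDS.get(f"net {sub}")
    return DISCOVERY_COMMANDS.get(exe)


def parse_events(log_text: str):
    """Parse the constructed pipe-delimited log into (timestamp, host, user, cmd) tuples."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, host, user, cmd = line.split("|", 3)
        events.append((datetime.fromisoformat(ts), host, user, cmd))
    return events


def detect_discovery_bursts(events, window=timedelta(minutes=5), threshold=3):
    """Alert once per host that runs >= threshold distinct discovery categories within window."""
    per_host = defaultdict(list)
    for ts, host, user, cmd in sorted(events):
        cat = classify(cmd)
        if cat:
            per_host[host].append((ts, user, cat))
    alerts = {}
    for host, hits in per_host.items():
        # hits are already in time order because events were sorted above.
        for i, (start, user, _) in enumerate(hits):
            in_window = [h for h in hits[i:] if h[0] - start <= window]
            cats = {h[2] for h in in_window}
            if len(cats) >= threshold:
                alerts[host] = {"user": user, "first_seen": start, "categories": sorted(cats)}
                break
    return alerts


if __name__ == "__main__":
    for host, info in detect_discovery_bursts(parse_events(SAMPLE_LOG)).items():
        print(f"ALERT {host}: {info['user']} ran {len(info['categories'])} discovery "
              f"categories starting {info['first_seen']}: {', '.join(info['categories'])}")
```

The point of counting distinct categories rather than raw command count is that a single `ipconfig` from a help-desk technician is routine, while one host working through identity, network position and domain groups inside a few minutes is the sequence the post says an attacker "will need to take"; that is what a blue team looking for it can respond to quickly.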
The blue team should not believe in luck, and certainly shouldn't rely on luck as a planning factor in incident response. That said, if the speed of an organized and focused response to these alerts is confused with luck, and that's what the team, the business, or our attacker wants to call it, your blue team should be fine with that. If the attacker doesn't avail themselves of a potentially open opportunity before those doors are closed as part of the response, we should be fine with that too.
Ok, upon rethinking the scenario of an attacker not availing themselves of an open opportunity, perhaps there is a bit of luck in incident response.

It happens.
Follow me on Twitter for discussion and the latest blog updates: @Opinionatedsec1. Or, start your own discussion using #crazygoodcyberteams on Twitter or LinkedIn and I'll read it.