Security’s 2F2R Syndrome: Why fast remediation helps hackers maintain persistence in your network

IT department productivity is often measured by how quickly problems are solved. This approach makes sense in the business world: workers can’t use malfunctioning machines so when a computer is down, employee productivity and, by extension, a company’s productivity suffer. And since IT security emerged from general IT support and many security staff have IT backgrounds, they apply this mentality to handling attacks. To them, effective security means immediately resolving incidents and IT security personnel are often measured by how quickly they take care of an event.

But applying the IT mindset to security can prove risky. Organizations that are too quick to remediate incidents suffer from what we like to call the “2F2R (too fast to remediate) Syndrome”. In the rush to remove malware or fix a security incident, security teams often miss the bigger picture and overlook critical attack details that could expose an entire hacking operation. In many cases, the detected incident is only a small portion of a more complex campaign.

Attackers are increasingly using sophisticated attacks with multiple components to hack organizations. By using various elements in their attacks, hackers manage to achieve several goals and reduce the risk of getting caught. Hackers assume that while some elements of the attack will get discovered and shut down, others will not, enabling them to linger for months in an organization’s IT environment.

The most obvious solution may not fully resolve a threat

IT security professionals haven’t been trained to think of the greater attack picture and consider that malicious activities could be connected. So, for instance, they immediately re-image a computer that’s been infected by malware. While this action may prevent a decrease in worker productivity, since the machine is clean and ready to be used, it also keeps companies from discovering other malicious behavior that is related to the detected malware.

Another problem with looking at security through an IT perspective is that IT personnel often accept the most obvious and benign answer to explain why a machine has stopped working. Instead, they should wonder if they missed additional suspicious activity. This doesn’t mean workers are failing at their jobs. The IT security mindset teaches them that any damage done to a computer was accidental. The hacker mentality is completely opposite, however. They intentionally damage computers to help them carry out the attack.

Being a victim of the deception game

Detecting well-known malware is easy, especially when using standard signature-based detection software, a point not lost on attackers. But finding customized tools that were made specifically for an attack is much harder. So adversaries use malware that’s easy for IT personnel to spot, leading them to falsely believe that the threat has been eradicated. Meanwhile, the hack continues through a backdoor that was installed on a webmail server.

Don’t be too fast to remediate

Instead of immediately wiping malware from infected machines, a better approach would be to watch the program’s activity while comparing it to other behaviors within the environment to reveal additional valuable information. This may allow security staff to spot other unknown malware deployed in different areas of the network by revealing communications to the detected malware or communications with an external suspicious domain.
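As an added illustration of this pivot (example code written for this page, not code from the post or from Cybereason), a small Python correlation over constructed egress-log lines: starting from the one confirmed infected host and the external domain its malware contacted, it lists the other hosts that reached the same domain and the internal hosts the infected machine itself talked to, so the scope of the investigation is known before anything is wiped. The log format, host names and domains are all assumptions.

```python
from collections import defaultdict

# Constructed sample egress log: "<timestamp> <source host> <destination>"; hosts and domains are invented.
SAMPLE_LOG = """\
2024-05-01T08:00:01 ws-017 update.example-vendor.net
2024-05-01T08:00:05 ws-017 cdn-sync.example-bad.net
2024-05-01T08:01:10 ws-042 cdn-sync.example-bad.net
2024-05-01T08:02:00 ws-099 mail.example-corp.com
2024-05-01T08:03:30 srv-webmail cdn-sync.example-bad.net
2024-05-01T08:04:12 ws-017 srv-webmail
2024-05-01T08:05:00 ws-120 news.example-media.com
"""

def parse_log(text):
    """Parse each line into (timestamp, src, dst); malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 3:
            events.append(tuple(parts))
    return events

def is_internal(name):
    """Heuristic for this sample (assumption): internal hosts carry no domain suffix."""
    return "." not in name

def pivot_from_incident(events, infected_host, c2_domains):
    """Widen the picture from one detected machine before it is re-imaged.
    same_c2: other hosts that talked to the detected malware's external domain(s)
    peers:   internal hosts the infected machine itself reached out to
    """
    same_c2 = defaultdict(set)
    peers = set()
    for _ts, src, dst in events:
        if dst in c2_domains and src != infected_host:
            same_c2[src].add(dst)
        elif src == infected_host and is_internal(dst):
            peers.add(dst)
    return {"same_c2": dict(same_c2), "peers": peers}

def investigation_scope(events, infected_host, c2_domains):
    """Every host that should be examined before any of them is wiped."""
    related = pivot_from_incident(events, infected_host, c2_domains)
    return {infected_host} | set(related["same_c2"]) | related["peers"]

if __name__ == "__main__":
    scope = investigation_scope(parse_log(SAMPLE_LOG), "ws-017",
                                {"cdn-sync.example-bad.net"})
    print("hosts to investigate before remediation:", sorted(scope))
```

On the sample data the single detected workstation expands to three hosts, including the webmail server that the infected machine contacted and that also reached the same external domain.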

When building a defense strategy, remember that hacking is a business. The adversary has resources and tools and spends ample time researching an organization’s weaknesses to map out an attack plan and trick the defender. Carrying over the IT mindset into security is akin to assigning a traffic accident investigator to a murder investigation. While the first assumes negligence and errors, the latter will always assume malicious intent.

If security continues to carry the IT mindset and remediate issues as fast as possible, hacking operations will continue to persist, as organizations will only partially remediate them.

To learn more about the dangers of remediating attacks too quickly and how companies can solve this problem, read our latest Quick Read.

Lital Asher-Dotan is Cybereason's Marketing Director.

About the Author

Lital Asher-Dotan

Lital is a marketing team leader, storyteller and technology marketing expert. She joined Cybereason as its first marketing hire and built a full marketing department, specializing in brand building, product marketing, communication and content, with a passion for building ROI-driven marketing teams.