Too Fast To Remediate: Why The IT Mindset Is Risky When Applied To Security

In his recent article at Forbes, Lior Div, CEO and Co-Founder of Cybereason, discusses the risk of applying IT metrics and work processes to security.

For decades, it has been commonplace to measure IT’s productivity by how fast they solve problems. In fact, this method is intuitive: When a problem gets resolved quickly by the IT help desk, the organization is satisfied because employees are able to work more efficiently. As the field of IT security originated from general IT and many infosec employees have IT backgrounds, “time to remediate” — i.e., the time it takes security to remediate a security incident — has become a common measurement of security effectiveness.

Intuitively, one would think a short remediation time equals better security. On the contrary, integrating the traditional IT mindset into security increases a corporation’s risk of being victimized by complex hacking operations.

Never Assume Benign, Always Attribute to Malice

Coupled with the tendency to work fast, it is human nature to accept the most obvious and easy explanation rather than suspecting that something is the result of malice. This mindset is relevant to IT where most incidents are caused by error or accident; however, it is not applicable to security, where malicious intent must always be considered.

In order to effectively battle complex hacking operations, security teams must adopt an adversarial mindset and question everything they see, while always suspecting malicious intent. For example, a locked-up endpoint is likely to look benign to a security person with an IT mindset: a regular bug in the system that causes a lockdown. However, hackers will intentionally manipulate a machine in order to gain privileged credentials. The hacker knows that this incident is likely to appear ‘normal’ and that the employee will quickly call the help desk, who will type in the admin credentials to unlock the device.

Accept That You Don’t Know It All

A “know-it-all” mindset is common in IT, and rightfully so. IT built the organization’s environment and knows its architecture inside and out. When IT properly handles an issue, they can, in most cases, be sure that it is resolved and that it will not persist. On the other hand, security teams are working half-blind. Because security cannot know all adversarial activities, security must always assume they have no control and that they are seeing only part of the situation.

For example, attackers will often deploy many different kinds of malware as part of their attack. They may use a combination of well-known hacking tools downloaded from the Internet as well as tailor-made code to achieve their specific goals. In many cases, the known malware will be detected by security while other more unique malware will go unnoticed by signature-based detection tools.

Assuming that “what you see is what you get” is extremely risky when it comes to security. When identifying an isolated incident, such as a piece of malware, security must always assume that it is only one piece of something larger. In addition, it is crucial for security to leverage identified malicious activities in order to reveal the associated undetected pieces of the puzzle.

If security continues to carry the IT mindset and remediate issues as fast as possible, hacking operations will continue to persist, as organizations will only partially remediate them.

Don’t Expose Your Limitations: Mask Your Capabilities

As mentioned before, the hacker deploys many tools in a particular environment, assuming that some of them will be identified by security solutions while others will evade detection and prevail. Hackers will keep track of which tools are identified as well as those that go unnoticed in order to evade detection and move closer to their end goal. Hackers will even use their detected tools to their advantage by intentionally deploying them to waste security’s time, give them a false sense of accomplishment and distract them from the hacker’s true target. In addition, the hacker will continue to use the tools that went undetected, gaining more control over the environment.

When you are too fast to remediate isolated malicious activity, you reveal your capabilities and also your weaknesses to the adversary, and they will easily exploit this intel.

Shifting the Thought Process: The Devil Is in the Details

When an issue is quickly remediated, security will be satisfied believing they stopped an attack. However, once a malware is removed and the incident is closed, it essentially disappears, hindering security’s ability to monitor how it functions or connects with other elements within the environment.

Instead of immediately wiping a malware from the machine(s), a better approach would be to watch its activity while comparing it to other behaviors within the environment to reveal additional valuable information. By doing so, one may be able to spot other unknown malware deployed in different areas of the network by revealing communications to the detected malware or communications with the same external suspicious domain.
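
The pivot described above, sketched as an added example that is not part of the original article: starting from one detected host, it lists other hosts that contacted the same suspicious domain or exchanged internal traffic with an already-linked host. It goes slightly beyond the text by following internal traffic for up to `max_hops` hops; the record layout, host names and domains are constructed for illustration.

```python
from collections import deque

# Constructed sample records: (source host, destination, kind).
# "external" = lookup of an outside domain, "internal" = host-to-host traffic.
# Host names, domains and the record layout are hypothetical.
FLOWS = [
    ("ws-014", "cdn.bad-infra.test", "external"),
    ("ws-014", "updates.vendor.test", "external"),
    ("ws-022", "cdn.bad-infra.test", "external"),
    ("ws-040", "updates.vendor.test", "external"),
    ("ws-014", "ws-031", "internal"),
    ("ws-022", "srv-db1", "internal"),
    ("srv-db1", "srv-backup", "internal"),
]


def pivot(flows, detected_host, suspicious_domains, max_hops=2):
    """Return {host: (hops, reason)} for hosts linked to one detection."""
    found = {detected_host: (0, "malware detected")}
    queue = deque([detected_host])
    # Pivot 1: any other host that contacted the same suspicious domain.
    for src, dst, kind in flows:
        if kind == "external" and dst in suspicious_domains and src not in found:
            found[src] = (1, f"contacted {dst}")
            queue.append(src)
    # Pivot 2: follow internal traffic outward from every linked host,
    # breadth-first, stopping at max_hops to keep the lead list reviewable.
    while queue:
        host = queue.popleft()
        hops = found[host][0]
        if hops >= max_hops:
            continue
        for src, dst, kind in flows:
            if kind != "internal" or host not in (src, dst):
                continue
            peer = dst if src == host else src
            if peer not in found:
                found[peer] = (hops + 1, f"internal traffic with {host}")
                queue.append(peer)
    return found


if __name__ == "__main__":
    leads = pivot(FLOWS, "ws-014", {"cdn.bad-infra.test"})
    for host, (hops, reason) in sorted(leads.items(), key=lambda kv: kv[1][0]):
        print(f"{host:10} hop {hops}: {reason}")
```

The output is a list of leads to investigate, not verdicts: a host that only shares a benign domain with the detection (here `ws-040`) is not pulled in.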

When building a defense strategy, it is important to understand that hacking is a business. The adversary has resources and tools and spends ample time researching an organization’s weaknesses to map out their attack plan and trick the defender. Carrying over the IT mindset into security is akin to assigning a traffic accident investigator to a murder investigation. While the first assumes negligence and errors, the latter will always assume malicious intent.

Even though it is obvious that security deals with malicious intentions, it is too often that security’s approaches and measurements are more relevant to IT. Security must always assume that every piece of evidence is part of something larger. Fast remediation is important, but the depth of investigation should never be compromised. Always take the time to look deeper and be cynical in order to reveal the true root cause and the adversarial motive.

About the Author

Lior Div

Lior Div, CEO and co-founder of Cybereason, began his career and later served as a Commander in the famed Unit 8200. His team conducted nation-state offensive operations with a 100% success rate for penetration of targets. He is a renowned expert in hacking operations, forensics, reverse engineering, malware analysis, cryptography and evasion. Lior has a very unique perspective on the most advanced attack techniques and how to leverage that knowledge to gain an advantage over the adversary. This perspective was key to developing an operation-centric approach to defending against the most advanced attacks and represents the direction security operations must take to ensure a future-ready defense posture.
