Most security teams work under the belief that quickly remediating an incident equals effective response. After all, in IT departments, where information security has its roots and where many security workers honed their technical skills, this is how success is measured: the faster technology issues are resolved, the sooner people can return to work. In theory, shorter remediation times should mean better security.
In reality, remediating too fast leads to rushed decisions and can make an organization less safe, because the approach never accounts for the adversary's mindset. When an IT department investigates a technical issue, its starting assumption is that an accident lies behind it. For instance, the IT department may attribute multiple failed log-in attempts against a corporate email account to a user who forgot his credentials after a vacation. To someone who works in information security, the same events could indicate a brute-force or password-spraying attack, and the distinction is visible in the logs: a handful of failures on one account from the user's usual workstation looks like a forgotten password, while dozens of failures spread across many accounts from a single source does not.
Attackers know that security teams want to close incidents as quickly as possible and plan for it. A campaign can include decoy operations that are easy to catch and that pull attention away from the real activity, and a well-resourced intrusion group can devote people to developing and running nothing but the decoy.
So while the security team is re-imaging infected machines and feeling a sense of achievement for rapidly stopping an attack, a larger, more damaging operation continues on the company's network undetected. This could explain why some organizations always seem to be in the news for a data breach: each reported hack may be a fragment of one intrusion that was never fully eradicated.
A better approach is to let the malicious activity run for a while under observation and compare what it does against a baseline of normal network behavior. This goes against how incidents are usually handled, and it needs a limit: the observation happens under containment that preserves visibility (for instance, network isolation with full packet capture, or sinkholing the attacker's infrastructure), and it stops as soon as the activity threatens data loss or destructive action. Done that way, the comparison surfaces abnormal activity and, often, additional components of the attack. For example, it may reveal unknown malware on another part of the network, or other hosts communicating with the same unknown server as the machine that was first detected.
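The two triage steps above, distinguishing a forgotten password from a brute-force or spray attempt and comparing recent network activity against a baseline to find other hosts tied to the same campaign, as an added example. This is illustrative code written for this page, not tooling from the original article; the log field layout and the host names, IP addresses and thresholds are all assumptions, and every log line is constructed.

```python
"""Incident triage helpers (added example, not from the original article).

1. triage_failed_logins(): a few failures on one account from one source is a
   likely forgotten password; many failures, or many accounts, from one source
   is the pattern of a brute-force or password-spraying attack.
2. new_destinations() / related_hosts(): compare recent connections with a
   known-good baseline and find other hosts that share a new destination with
   the host already under investigation.

All records are constructed; field layout is assumed.
"""
from collections import defaultdict

# Constructed authentication events: (time, user, source_ip, result)
AUTH_EVENTS = [
    ("09:01", "alice", "10.0.1.20", "fail"),
    ("09:01", "alice", "10.0.1.20", "fail"),
    ("09:02", "alice", "10.0.1.20", "fail"),
    ("09:03", "alice", "10.0.1.20", "ok"),          # user remembered the password
    # one external source trying 40 different accounts, then succeeding on one
    *[("09:10", f"user{i:02d}", "203.0.113.9", "fail") for i in range(40)],
    ("09:11", "bob", "203.0.113.9", "ok"),
]

# Constructed connection records: (host, dest_ip, dest_port)
BASELINE = [  # "normal" traffic from a period believed clean
    ("ws-finance-07", "10.0.0.5", 445), ("ws-finance-07", "142.250.0.1", 443),
    ("ws-hr-03", "10.0.0.5", 445), ("ws-hr-03", "142.250.0.1", 443),
    ("srv-db-01", "10.0.0.5", 445), ("srv-db-01", "10.0.2.9", 1433),
]
RECENT = BASELINE + [  # traffic observed while the incident was left running
    ("ws-finance-07", "198.51.100.23", 443),   # the machine that got detected
    ("ws-hr-03", "198.51.100.23", 443),        # same unknown server, other host
    ("srv-db-01", "192.0.2.77", 8443),         # a second unknown destination
]


def triage_failed_logins(events, max_user_failures=5, spray_accounts=5):
    """Return {source_ip: verdict} for every source that produced failures."""
    failed_users = defaultdict(list)
    for _, user, src, result in events:
        if result == "fail":
            failed_users[src].append(user)
    verdicts = {}
    for src, users in failed_users.items():
        if len(set(users)) >= spray_accounts:      # many accounts, one source
            verdicts[src] = "password spray"
        elif len(users) > max_user_failures:       # one account, hammered
            verdicts[src] = "brute force"
        else:
            verdicts[src] = "likely user error"
    return verdicts


def successes_after_attack(events, verdicts):
    """Accounts that logged in successfully from a source judged malicious:
    these are the accounts to treat as compromised, not just the failures."""
    hits = defaultdict(set)
    for _, user, src, result in events:
        if result == "ok" and verdicts.get(src, "likely user error") != "likely user error":
            hits[src].add(user)
    return {src: sorted(users) for src, users in hits.items()}


def new_destinations(baseline, recent):
    """Per host, the (dest_ip, port) pairs seen recently but never in baseline."""
    known = defaultdict(set)
    for host, dst, port in baseline:
        known[host].add((dst, port))
    novel = defaultdict(set)
    for host, dst, port in recent:
        if (dst, port) not in known[host]:
            novel[host].add((dst, port))
    return dict(novel)


def related_hosts(novel, incident_host):
    """Other hosts sharing a new destination with the host under investigation."""
    shared = novel.get(incident_host, set())
    return sorted(h for h, dests in novel.items() if h != incident_host and dests & shared)


if __name__ == "__main__":
    verdicts = triage_failed_logins(AUTH_EVENTS)
    print("login verdicts:", verdicts)
    print("compromised accounts:", successes_after_attack(AUTH_EVENTS, verdicts))
    novel = new_destinations(BASELINE, RECENT)
    print("new destinations:", novel)
    print("hosts tied to ws-finance-07:", related_hosts(novel, "ws-finance-07"))
```

Two design points matter in practice. The baseline has to come from a period you actually believe was clean; if the intrusion predates it, the attacker's command-and-control traffic is already "normal" and the comparison will miss it, so check the baseline window against the earliest suspicious event. And the third unknown destination (srv-db-01 to 192.0.2.77) is not tied to the detected host by this correlation, which is exactly the kind of finding that deserves its own follow-up rather than being closed with the original ticket.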
Hacking is a business, complete with budgets and management structures. Your adversaries have the capital and personnel to research a company and form an attack plan that includes ways to mislead the security team. Approach incidents with the mindset that everything was done with a purpose and that every piece of evidence could lead to a larger attack. Take the time to look beyond what was immediately detected and ask whether something bigger is going on that is not obvious. Adopt an adversarial mindset and ask why the enemy would use a particular tactic at that moment; the answer often points to the attacker's real objective.