Why and how to bring connectivity analysis into incident response

Last week we blogged about an important gap in many organizations’ approaches to cyber incident response:  their understanding of the business context of the incident.  If, for example, a server is compromised, the business context information enables the security operations center (SOC) team to understand which specific business applications that server runs and affects.  This in turn means the SOC team is in a better position to make smarter, more strategic decisions about which security incidents need to be prioritized, which courses of action are most appropriate, and crucially, when it’s best to take those actions.

Here, we will look at another element of cyber response that further improves a team’s incident response capability:   connectivity analysis.  This gives the SOC team a deeper understanding of the potential impact of an incident, by highlighting the connectivity to and from the assets that have been compromised by the incident.  In other words, it shows staff the size of the security risk by indicating how far the attack could potentially spread.

Making connections

To show how this works in practice, let’s imagine that a particular server has been infected by malware.  What is that malware going to do next?  One typical action might be an attempt to spread to and infect other systems on the network.  Another might be to try to steal data from the infected server, and attempt to send that information out to an external controller. A third action might be to open the server to connections from external addresses to trigger a download of further malicious code (which is typical behaviour for ransomware).

The potential severity of these actions depends on the structure of the organization’s network, and where in that structure the compromised machine is placed.  Is that server able to make outbound connections to IP addresses on the internet?  If so, then malware on that machine is likely to be able to exfiltrate data – which makes resolving the infection a priority to avoid data breaches.  However, if traffic from the compromised server is blocked by a perimeter firewall, then the risk of a breach is reduced.

Similarly, it’s important to identify the possibility of lateral movement on the organization’s internal networks.  Is it possible for the compromised asset to access other internal systems that host sensitive data, such as customer databases, or payment card information?  Is the organization’s internal network segmentation strong enough?  If the malware cannot move laterally to infect other systems, then security staff are in a better position to prioritize their incident response.

Answering the ‘what if’ question

To help SOC teams to answer these critical questions, AlgoSec enables them to perform automated ‘what if?’ traffic simulations, so not only can they identify which assets have been compromised, but also which other systems and resources those assets can connect to, both inside and outside the organization.  This adds valuable, additional business context to help the teams pinpoint and judge the potential severity of each incident.

The traffic simulation may show, for example, that while an infected machine is secured against external connections, it may not be properly segmented from internal resources that host sensitive material.  As such, the infection on that machine should be prioritized for cleanup, before the infection can spread.

AlgoSec’s solution can perform these automated, network- and traffic-aware simulations across organizations’ networks to assist teams with their cyber incident response capabilities.

In combination with the business context information we discussed in our previous blog, connectivity analysis enables SOC teams to fine-tune and prioritize their responses to security incidents, by helping them to quickly zoom in on what really matters to the business.