Recently, five InfoSec leaders joined Hack, No! for a panel discussion titled “Accelerating Incident Response: What Can Automated Visibility and Threat Context Do For You?”. The discussion covered the role of DDI and DNS security in incident response. The highly experienced panelists included Matt Bromley from the SANS Institute; Jonathan Couch, SVP Strategy at ThreatQuotient; Chris Burch, CISO and Director of Cybersecurity at EagleView; and Srikrupa Srivatsan, Director of Product Marketing at Infoblox. Cricket Liu, Chief DNS Officer at Infoblox, moderated the discussion.
Setting the context for the discussion, Matt began the event by laying out SANS’s six-step incident response process: Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned. He noted that organizations are likely to spend significant time and resources at certain steps of the process, repeating each step in a closed loop but getting better with each response. The challenge for organizations is understanding which factors help them implement this incident response process successfully.
Cricket and Jonathan highlighted the foundational role that DNS plays in this process since it lies at the center of identification and containment. As Jonathan noted, 95% of malware attacks can be traced using DNS logging and monitoring of DNS traffic, making DNS the source of truth when it comes to understanding the nature of threats.
DHCP and IPAM also allow InfoSec professionals to dig deeper into attacks and gather intel on compromised assets and the extent of damage. As Srikrupa explained, “A DHCP fingerprint gives information on the type of device that is compromised, whereas IPAM metadata delivers additional network information and can tell you which part of the network the compromised end host is in. This means that when we combine the intel from DNS, DHCP and IPAM (collectively known as DDI), we can get crucial forensic information from the ‘crime scene’ that tells us the extent of damage, which assets are compromised and how the attack was orchestrated, all of which is crucial for SecOps teams to be able to prioritize incident response.”
A robust incident response process depends heavily on the threat intelligence acquired by the organization, which cannot be done in the absence of comprehensive integrations with internal and external platforms. Jonathan explained how this works: “The threat intelligence platform consolidates the external threat intelligence, the internal threat intelligence record and daily network data and stores them in a centralized location to leverage as needed. Here, integrations with case management systems, SIEMs, hunting tools, vulnerability management systems and DDI are crucial for the free flow of data. The end goal is for everybody connecting to this ecosystem to have the same situational awareness as well as incident knowledge, whether or not they were directly targeted. So while a threat intelligence platform consolidates threat intelligence from different organizations and sources, it also helps scope the extent of threat damage and identify the attack correctly.”
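A concrete version of the DDI correlation Srikrupa and Jonathan describe above, as an added example that is not the panel's or Infoblox's code: a threat-intel hit in a DNS query log is enriched with the DHCP lease (device class from the fingerprint) and the IPAM subnet metadata, so the analyst sees which device, in which part of the network, and handles the highest-severity hit first. All feed, log, lease and IPAM records are constructed sample data, and the flagged domains are hypothetical.

```python
from ipaddress import ip_address, ip_network

# Constructed threat-intel feed (hypothetical domains): qname -> verdict.
THREAT_INTEL = {"update.bad-example.test": "C2 beacon",
                "cdn.evil-example.test": "malware download"}
SEVERITY = {"C2 beacon": 3, "malware download": 2}  # higher = handle first

# Constructed DNS query log, one "timestamp client_ip qname" per line.
DNS_LOG = """\
2021-03-01T10:00:01Z 10.1.20.15 www.example.com
2021-03-01T10:00:05Z 10.1.20.15 update.bad-example.test
2021-03-01T10:00:09Z 10.2.30.7 cdn.evil-example.test
2021-03-01T10:00:12Z 10.2.30.8 www.example.org
"""

# Constructed DHCP lease table: ip -> (MAC, device class from the DHCP fingerprint).
DHCP_LEASES = {"10.1.20.15": ("aa:bb:cc:00:00:01", "Windows 10 workstation"),
               "10.2.30.7": ("aa:bb:cc:00:00:02", "IP camera")}
# Constructed IPAM metadata: subnet -> (site, owning team).
IPAM = {ip_network("10.1.20.0/24"): ("HQ-Floor2", "Finance"),
        ip_network("10.2.30.0/24"): ("Warehouse", "Facilities")}

def enrich(client_ip: str) -> dict:
    """Attach DHCP and IPAM context to a client IP; unknowns are labelled, not dropped."""
    mac, device = DHCP_LEASES.get(client_ip, ("unknown", "no active lease"))
    addr = ip_address(client_ip)
    site, owner = "unknown", "unknown"
    for net, (net_site, net_owner) in IPAM.items():
        if addr in net:
            site, owner = net_site, net_owner
    return {"mac": mac, "device": device, "site": site, "owner": owner}

def triage(dns_log: str) -> list:
    """One enriched record per DNS query that hits the intel feed, highest severity first."""
    incidents = []
    for line in dns_log.splitlines():
        when, client_ip, qname = line.split()
        verdict = THREAT_INTEL.get(qname.lower().rstrip("."))
        if verdict:  # benign names never reach the analyst queue
            incidents.append({"when": when, "client_ip": client_ip, "domain": qname,
                              "verdict": verdict, **enrich(client_ip)})
    return sorted(incidents, key=lambda i: SEVERITY.get(i["verdict"], 0), reverse=True)

if __name__ == "__main__":
    for inc in triage(DNS_LOG):
        print(f'{inc["when"]} {inc["client_ip"]} -> {inc["domain"]} ({inc["verdict"]}): '
              f'{inc["device"]} {inc["mac"]} at {inc["site"]}, owner {inc["owner"]}')
```

In a real deployment the three lookups would be queries against the DNS logging pipeline, the DHCP server's lease database and the IPAM system rather than in-memory dicts, but the join logic is the same.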
The panel also discussed how this process plays out in supply chain attacks, like the SolarWinds attack, which wiped out $3 billion worth of corporate assets. Supply chain attacks are specifically designed to leverage an active entry vector via third-party vendors and attack the system from there. Today, the real question for organizations is how to quickly determine whether or not they have also been compromised.
The recent supply chain attacks were also focused on a particular user group or business type, meaning that not all who downloaded the malware were impacted. Organizations are increasingly adopting SaaS platforms and third-party services, and they need to understand the risk of exposure to the external platforms they are leveraging.
Infoblox customer and EagleView CISO Chris Burch discussed some best-practice measures, such as vetting vendors’ security measures and risk management, implementing Know Your Vendor policies, diversifying the tech stack, checking security scores with third-party audits and paying attention to good security hygiene. He also elaborated on how his company deployed BloxOne™ Threat Defense to modernize its remote network security posture and mitigate cybersecurity threats.
When an adversary is as sophisticated as the one that conducted the SolarWinds supply chain attacks, the only layer of security that organizations can count on is a solid incident response process. This is where listening to the DNS data and IPAM metadata can help organizations quickly get back on their feet and identify the vulnerabilities that need to be patched to prevent future attacks.
Ultimately, however, the panel agreed that if an organization finds itself under attack, a six-step incident response plan backed by DDI is the best way to trigger immediate responses, share threat intelligence, automate incident response and keep damage to a minimum.
Interested in listening to the complete discussion? You can tune in here.