Once discovered, over 65% of Global 2000 organizations take one or more days to respond to a trust-based attack that has infiltrated the enterprise network. The longer a breach takes to remediate, the more damage it causes: the attackers have more time to install backdoors and to steal more data.
After a breach, a 3-step cycle should be followed until full remediation has been achieved:
1. Identify every system impacted by the breach, reducing the time this takes as far as possible
2. Take swift action to remediate the breach
3. Validate that the adversary no longer has access to the network
Even when an attack is detected, it is often very difficult to remove the adversary's access from the network. Adversaries prey on the knowledge that most Global 2000 organizations do not have a clear grasp of the security of their keys and certificates. Heartbleed is a good example. Months after the vulnerability was discovered, the majority of Global 2000 organizations had still only partially remediated it because they did not comprehend the gravity of failing to replace all keys and certificates, as industry experts recommended: a private key exposed through Heartbleed remains usable by the attacker after the vulnerable software itself has been patched. The consequences were catastrophic. Organizations need to be able to respond quickly and completely to every breach that impacts keys and certificates in order to keep their business secure.
Swift action is required when remediating any attack. Trust-based attacks are among the worst because the adversary holds trusted status on the network and can implement backdoors for persistent access. Next Generation Trust Protection helps organizations address trust-based attacks more swiftly than other techniques, thereby reducing the overall impact on the organization.
Identify the Impact
When remediating a breach it is vital to understand which systems it impacts. For example, if the breach is confirmed to be exploiting SSH, every system that is reachable via SSH and every SSH key in the network needs to be accounted for. With a complete inventory of SSH usage across the enterprise already in place, identifying the impact is dramatically faster. The same holds for every type of key and certificate compromise, including keys and certificates used for SSL, SSH, mobile, and authentication.
Take Swift Action
Once a breach is confirmed, the clock starts ticking. Adversaries work on the assumption that they will be discovered and continuously take countermeasures so that they keep access to the environment after discovery. In a trust-based attack, this means inserting rogue keys and certificates that will grant them access in the future. Just as user passwords are rotated after a breach, keys and certificates must be replaced and rogue ones deleted on an expedited basis, and this must happen faster than the adversary can add new ones.
Validate the Remediation
Once remediation of a breach has been completed and credentials such as keys and certificates have been replaced, it is critical to validate that the remediation process succeeded. A single overlooked compromised credential leaves the adversary with access, and the breach continues. By cross-referencing the breach report with the remediation report, organizations can be confident that their remediation process was successful.
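The cross-referencing step above, as an added example that is not part of the original paper: a Python script that compares a post-remediation inventory of SSH authorized_keys files against the breach report by key fingerprint (matching on key material rather than on the editable comment field), and flags hosts where a compromised or rogue key still grants access as well as impacted hosts that the remediation report never covered. All hosts, keys and report contents are constructed sample data; the base64 blobs are placeholders, not real key material.

```python
import base64
import hashlib

def sample_key(algo, payload, comment):
    """Constructed authorized_keys line; payload stands in for real key bytes."""
    return f"{algo} {base64.b64encode(payload).decode()} {comment}"

def fingerprint(pubkey_line):
    """SHA256 fingerprint as ssh-keygen -l prints it; matches on key material, not the comment."""
    tokens = pubkey_line.split()  # options such as from="..." may precede the key type
    for i, tok in enumerate(tokens[:-1]):
        if tok.startswith(("ssh-", "ecdsa-sha2-", "sk-")):
            digest = hashlib.sha256(base64.b64decode(tokens[i + 1])).digest()
            return "SHA256:" + base64.b64encode(digest).decode().rstrip("=")
    raise ValueError(f"no key material in line: {pubkey_line!r}")

def keys_on_host(authorized_keys_text):
    """Fingerprints of every key that currently grants access on one host."""
    lines = (ln.strip() for ln in authorized_keys_text.splitlines())
    return {fingerprint(ln) for ln in lines if ln and not ln.startswith("#")}

def validate_remediation(inventory, breach_report, remediation_report):
    """Returns (hosts where a compromised key still grants access, impacted hosts never remediated)."""
    compromised = {fingerprint(k) for k in breach_report["compromised_keys"]}
    leftovers = {}
    for host, text in inventory.items():
        still_present = keys_on_host(text) & compromised
        if still_present:
            leftovers[host] = sorted(still_present)
    missed = set(breach_report["impacted_hosts"]) - set(remediation_report["remediated_hosts"])
    return leftovers, missed

# Constructed sample data: the key the adversary planted, the legitimate key whose
# private half was exposed, and the replacement issued during remediation.
ROGUE = sample_key("ssh-ed25519", b"rogue key inserted by the adversary", "attacker@backdoor")
EXPOSED = sample_key("ssh-rsa", b"legitimate key whose private half leaked", "deploy@ci")
REPLACEMENT = sample_key("ssh-ed25519", b"freshly issued replacement key", "deploy@ci")
INVENTORY = {  # host -> authorized_keys contents collected after remediation
    "web-01": f"{REPLACEMENT}\n",
    "db-01": f'from="10.0.0.5" {EXPOSED}\n{REPLACEMENT}\n',  # old key was never removed
    "jump-01": f"{REPLACEMENT}\n{ROGUE}\n",                  # backdoor key still present
}
BREACH_REPORT = {"impacted_hosts": ["web-01", "db-01", "jump-01", "build-01"],
                 "compromised_keys": [EXPOSED, ROGUE]}
REMEDIATION_REPORT = {"remediated_hosts": ["web-01", "db-01", "jump-01"]}

if __name__ == "__main__":
    leftovers, missed = validate_remediation(INVENTORY, BREACH_REPORT, REMEDIATION_REPORT)
    print("compromised keys still present:", leftovers, "| never remediated:", sorted(missed))
```

Run against the sample data it reports db-01 and jump-01 as still exposing a compromised key and build-01 as impacted but never remediated; web-01 passes.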