Anyone who has ever experienced a cyber crisis agrees: during the incident response phase, every second counts. Visualizing the attack in real time, sharing the available data with all the players involved, defining a remediation strategy and prioritizing the actions to be taken... These are all operations to be carried out within a (very) tight timeframe.
The balance of power between defenders and attackers is asymmetrical, and clearly in favor of the latter. Cyber crisis management remains a delicate moment, but with the right preparation (including IS mapping), it is fortunately possible to anticipate an incident, and then react quickly and effectively when it occurs. Let's take a closer look.
Mapping your information system to prevent incidents
Knowing your IS: the cornerstone of a sound defense strategy
How can we sum up the benefits of information systems mapping for cybersecurity in a single sentence?
Response: "You can't properly defend what you don't know."
How can you properly protect your IS if you don't know what digital assets it contains? How can you properly protect your most critical assets if they have not been defined upstream? How can you prevent an attack from (re)occurring if you don't know your own vulnerabilities?
Implementing a good defense strategy requires gathering, correlating and visualizing all the data in your IS in order to be able to answer all these questions precisely:
- What would a cybercriminal see if he gained access to my IS?
- Are all IS entry points identified and secured?
- Where would I be potentially affected by a cyber attack?
- What are the possible attack scenarios in my IS?
- What are the vulnerabilities in my IS and which ones can I correct?
This is a preventive approach. For ANSSI, information system mapping contributes to IS resilience, and is an essential tool for crisis management. It's not just a question of "saving time" when responding to an incident, but of not wasting time at all, by avoiding the incident in the first place. Spend an hour patching a vulnerability or waste several weeks rebuilding your IS following a ransomware attack? The choice is quickly made.
Identify the most critical assets to better protect them
"Can you give me an up-to-date network architecture diagram? This is one of the first questions asked by a service provider charged with supporting you in your incident response process. And not being able to answer this question instantly is already a waste of time, which is why it's so important to have an exhaustive, up-to-date mapping of your IS.
This is particularly true (but not only) in the case of ransomware, which can spread across a large part of an IS in just a few hours.
Conversely, having mapped your IS, listed all the entry points and identified the interconnections between the various digital assets (networks, applications, physical equipment, users and administrators with their different levels of privilege, etc.) means you can react much more quickly and effectively in the event of an incident. It only takes a few minutes to pinpoint the attack. This makes it possible, for example, to cut off flows at the right point, or to isolate the machines concerned to prevent the attack spreading further.
And what do you do once you've taken a complete inventory? All that's left is to keep it constantly up to date, identify the assets most critical to your business (e-commerce site, customer data, supply chain, etc.) and integrate them into your business continuity plan.
The fundamentals of incident response
Save time by identifying and blocking the attack
As the ANSSI describes in its "Panorama de la cybermenace 2022", attackers are becoming increasingly stealthy. They can sometimes remain in an information system for several days (or weeks) without being detected. On the other hand, once an incident has been triggered, the stages follow one another very quickly: identifying and understanding the attack, containing it, implementing remediation actions, setting up a degraded operating mode for the businesses affected... and finally restoring the IS.
The average response time to a security incident by SecOps teams is 20.9 hours (source: "Voice of SecOps" report, DeepInstinct, 2021).
Attempting to contain an incident requires a clear understanding of the attacker's modus operandi: what Tactics, Techniques and Procedures did he use(or "TTP" in the MITRE ATT&CK® matrix)? This raises a whole series of questions:
- When did the attack begin?
- What are the vulnerabilities and/or entry points used by cybercriminals?
- What are they trying to do?
- What are their targets?
- Which machines should be isolated from the network to prevent the attack from spreading?
- What should be protected first?
Improving decision-making
The effectiveness of an incident response process depends to a large extent on the ability of teams to make the right decisions at the right time, and to prioritize the actions to be taken. And to do this, it is essential to be able to rely on data that is updated in real time.
This brings together all those involved in the incident response process, from technical teams to senior management. Communication between the various stakeholders is a key element of the incident response process. Everyone must have access to the same information, and be able to follow the progress of the attack in real time, and the progress of remediation measures.
Sharing information about the current attack is certainly essential, but communicating raw data is not enough - it must also be disseminated in a readable way. This is where having a 3D map of your information system comes into its own. Teams involved in the incident response process can visualize (with shapes, colors, etc.) what is happening, with the (sometimes complex) relationships between the various elements in front of them.
The result is effective decision-making on which elements to isolate and which flows to block first (to limit the amount of data exfiltrated, for example).
What happens next? Once the actual incident response stage is over, it's time to ask questions:
- If one of my business units has been attacked, are the other units in my company vulnerable to the same attack?
- If one of my competitors in my sector has been attacked in a specific way, am I vulnerable too?
The mapping system makes it possible to check other parts of the IS for known vulnerabilities, and patch them if necessary.
Would you like to map your attack surface to save time during an incident response phase? Contact the OverSOC teams.