Embedding is the term used for focusing on the first piece of information presented and forming an opinion around this. Much like in the IR (Incident Response) process, we tend to embed on the first piece of information – the original source IP of the attacker.
Unless you have a matured Information Security Team, you often are at the mercy of the first logs of an attack framework – we see a port scan, followed by brute-forcing, and lastly an attempt to drop a file (as an example). If you immediately respond by triaging the event while only focused on the originating IP (most likely a hopping botnet), you will be perpetually behind in the IR process as you are laser-focused on the wrong detail.
The focus needs to be on the dropper and C&C (command & control) server that is being contacted from your internal network. If you are fixed on the “roadrunner” you will find yourself falling off a proverbial cliff and missing the key information that will be essential in catching the perpetrators.
A working IR framework is critical to maintaining a BCP in the event of a security incident. Just having one isn’t the ‘check-in-the-box’ solution, it needs to be tested and reviewed on a quarterly basis. This will outline any variants in the industry vs. what is being done internally to combat those risks.
A comprehensive security overview assessment will outline any gaps in your incident response framework, and build to improve the process so it can withstand the inevitable attack.
We must be vigilant, we must be ready, and most of all, we must be educated!
Adam Zimmerman, Security Solutions Architect
With over six years of experience in the technology industry, Adam’s experience covers information security operations, cyber security advisory, penetration testing, and advanced exploitation. Adam’s primary focus is helping organizations build strong security practices and prepare for potential attacks.
Adam holds a Masters in IT Security from the University of Ontario Institute of Technology, where he successfully developed a malware classification tool with a security firm based in Ottawa. Additionally, he has worked on several cyber consulting engagements as a lead security researcher and was able to develop an exploit for the FAA’s NextGen Air Traffic Control Management System.
Adam currently serves in the Canadian Armed Forces as a Second Lieutenant where he holds a command position as a Troop Commander for 32 Combat Engineer Regiment of Toronto; specializing in mobility denial and facilitation, tactical breaching, controlled munitions disposal, and various humanitarian support operations.