Cloud Security Incident Readiness and Response: Mitiga’s Methodologies
Since the post on our investment in Mitiga, the COVID-19 pandemic has accelerated cloud adoption significantly as enterprises grapple with lockdowns, remote workers, and budget constraints. While the “annus horribilis” that was 2020 is over, it’s clear that these circumstances will extend well into 2021 as the pandemic drags on. It’s equally clear that the pandemic is accelerating permanent change in business operations across the board. More organizations will adopt cloud architectures, perhaps sooner than anticipated and before their security teams are fully prepared. Thus, a more in-depth discussion of Mitiga’s approach to cloud-native breach readiness and response is in order.
Securing cloud-native systems requires a consistent modus operandi that starts with readiness and extends through response. Having the right information and tools, and a clear action plan for using them, is essential when breaches occur. Feedback loops that improve readiness based on lessons learned from assessments, testing, actual incidents, and each response’s efficacy are baseline requirements.
While such things may seem like a keen grasp of the obvious, many enterprises lack the staff, experience, and methods necessary to achieve these goals. Organizations without cloud security experience find it difficult to provide the rapid response and remediation efforts necessary to contain security breaches in the cloud, losing valuable time and making avoidable mistakes. More critically, many organizations don’t fully comprehend what readiness means, how to achieve it, or how incident responses can improve it.
The founders of Mitiga, a managed security services firm, saw these problems and set out to improve readiness and reinvent incident response for cloud systems. Armed with deep experience in both traditional data center and cloud security, Mitiga provides incident response services built for cloud infrastructure. Its methodologies are based on the notion that readiness is essential, and both improves and is improved by incident responses.
More specifically, Mitiga built its methodologies from the ground up based on these core concepts:
Readiness: A concept often associated with the military, readiness measures an organizational unit’s ability to accomplish its mission. In the case of cybersecurity incident response, a variety of factors contribute to readiness. These include proven forensic methods, effective processes, and good data, along with an understanding of the threat landscape and deep knowledge of the enterprise’s assets. The right tools and training are also requirements. In a proper state of readiness, an organization can understand and proactively prepare for likely attacks, improving its ability to respond, thus mitigating risk.
Operational follow-through: In most organizations, incident response teams are separate units and have little influence on the teams tasked with improving security posture. This lack of feedback from incident response into ongoing protection and risk management efforts isn’t just a missed opportunity; it degrades readiness. Mitiga works to unite readiness and response in a service continuum to improve an organization’s security posture and resiliency.
Effective assessment: The cloud changed computing infrastructure in fundamental ways, so it stands to reason that security assessments must follow suit. Mitiga approaches assessments from a readiness perspective, using its deep understanding of cloud infrastructure to assess security posture and resilience. For example, at a recent engagement with a financial institution, Mitiga discovered an active crypto-miner in a community Amazon Machine Image (AMI). Mitiga issued a security advisory saying organizations should verify or terminate community AMIs or replace them with AMIs from trusted sources.
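The advisory's options (verify, replace, or terminate) start with knowing which instances actually run third-party images. The following is an added example, not Mitiga's tooling or advisory text: it classifies instances by AMI provenance using the record shapes of EC2 describe-instances and describe-images output (ImageId, OwnerId, ImageOwnerAlias, Public). All values are constructed, the account IDs are placeholders, and treating the "amazon" and "aws-marketplace" owner aliases as trusted sources is this example's assumption.

```python
"""Classify EC2 instances by the provenance of the AMI they run.

Added example, not Mitiga's tooling. Record shapes follow EC2
describe-instances / describe-images output; values are constructed
and the account IDs are placeholders.
"""
from collections import namedtuple

Finding = namedtuple("Finding", "instance_id image_id owner verdict")

OWN_ACCOUNT = "111111111111"                     # placeholder account ID
VENDOR_ALIASES = {"amazon", "aws-marketplace"}   # assumption: treated as trusted sources

def classify_image(image, own_account=OWN_ACCOUNT):
    """Return 'self', 'vendor', 'community', 'shared-private' or 'unknown-image'."""
    if image is None:
        return "unknown-image"       # deregistered or not visible: provenance cannot be verified
    if image["OwnerId"] == own_account:
        return "self"
    if image.get("ImageOwnerAlias") in VENDOR_ALIASES:
        return "vendor"
    if image.get("Public"):
        return "community"           # public and third-party owned: the class the advisory targets
    return "shared-private"          # privately shared by another account: verify the sharer

def audit_instances(instances, images, own_account=OWN_ACCOUNT):
    """Join instances to their images and classify each one."""
    by_id = {img["ImageId"]: img for img in images}
    findings = []
    for inst in instances:
        img = by_id.get(inst["ImageId"])
        findings.append(Finding(inst["InstanceId"], inst["ImageId"],
                                img["OwnerId"] if img else None,
                                classify_image(img, own_account)))
    return findings

def needs_action(findings):
    """Instances to verify, replace or terminate, per the advisory's options."""
    return [f for f in findings if f.verdict not in {"self", "vendor"}]

# Constructed inventory: one image of each class, plus an instance whose image is gone.
INSTANCES = [{"InstanceId": "i-0aaa", "ImageId": "ami-own01"},
             {"InstanceId": "i-0bbb", "ImageId": "ami-amzn1"},
             {"InstanceId": "i-0ccc", "ImageId": "ami-comm1"},
             {"InstanceId": "i-0ddd", "ImageId": "ami-gone1"}]
IMAGES = [{"ImageId": "ami-own01", "OwnerId": OWN_ACCOUNT, "Public": False},
          {"ImageId": "ami-amzn1", "OwnerId": "000000000000", "ImageOwnerAlias": "amazon", "Public": True},
          {"ImageId": "ami-comm1", "OwnerId": "222222222222", "Public": True}]

if __name__ == "__main__":
    for f in needs_action(audit_instances(INSTANCES, IMAGES)):
        print(f"{f.instance_id} runs {f.image_id} ({f.verdict}, owner {f.owner})")
```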
Cloud Challenges
Enterprises moving to the cloud from legacy data centers face many security challenges in making that transition. They include:
Lack of architectural and organizational alignment: In the cloud, applications operate as rapidly changing distributed systems, and workloads are far more ephemeral than on-premises. Security controls, governance models, and org charts must adapt to provide the agility, scale, and speed cloud environments require. Organizational models must change as well, breaking down the insular nature of most enterprise security organizations.
Lack of cloud expertise: In the cloud, security assessments and incident response differ greatly from their counterparts in traditional data center environments. Organizations must also work out the division of responsibilities between the cloud provider and themselves. Inexperience often leads to fundamental misconfigurations that create serious security issues. If security teams apply traditional security controls and techniques unchanged to the cloud, avoidable failures are inevitable.
Speed of change: One of the primary business benefits of cloud services is the ease with which new features (including security settings) can roll out. But that benefit can put the security team behind the curve if it doesn’t have enough people to keep up with rapidly changing systems.
Higher and new levels of complexity: Cloud vendors typically provide deep logging capabilities. But security teams face significant challenges getting up to speed on those logs and understanding how to monitor them in near real time across multiple vendors. Defining the right queries and metrics for the organization’s specific business lines, threat models, and risk profiles is even more challenging. Integrating these functions with legacy infrastructure and an existing SOC poses further obstacles to a successful transition to the cloud, compromising readiness and response.
Mitiga’s Mindset
As we discussed in our previous post on the company, Mitiga grounds its services in what the founders call “offensive readiness.” The founders bring an intentional mix of enterprise consulting experience, military background, and technological expertise.
CEO Tal Mozes and William Beer, GM of the Americas, both have extensive experience with “big four” consulting firms, including Ernst & Young. Ariel Parnes was a colonel in the Israel Defense Forces’ elite 8200 cyber unit and commander of the Cyber Special Ops department. Ofer Maor, co-founder and chief technology officer, co-founded Hacktics and Seeker and developed the Interactive Application Security Testing (IAST) technique.
The company draws on its deep network to hire people with extensive hacking skills. And by applying lessons learned in the Israeli military to the business environment, Mitiga brings a unique approach to the market, helping enterprises anticipate threats and ensure they’re equipped to counter them.
Understanding Readiness
Combining the essential elements of both the NIST and SANS frameworks, we can say that a typical incident response effort involves four primary phases:
Preparation: The first phase involves understanding the organization, what assets are available, and getting access to logs, configurations, and other relevant forensics data.
Investigation: In the second phase, the response team goes through the forensic evidence, figuring out what the attackers did, where they came from, what assets they compromised, and so on.
Containment/Eradication/Recovery: Here, the organization's IT, legal, public relations, and other teams work to recover from the attack and manage its consequences.
Lessons Learned: Post-incident, the team uses what it has learned from the incident to improve security posture. In DevOps environments where security has already moved “to the left,” this comes more naturally, resulting in new or modified controls, modifications to logging practices, new or altered policies, and so on.
Mitiga’s focus on readiness changes how organizations work in each of these four phases, saving valuable time and shortening response times. Put simply, Mitiga based its services on the principle that a significant percentage of what traditional incident investigators do after an attack can, and should, be done before an attack.
Preparation
In a typical incident response, preparation usually takes a minimum of three days. During that time, little or no investigation or containment work occurs, lengthening the response time. In the cloud, for example, an incident will likely involve a large number of services. Some applications involve as many as 12 services, all of which have different kinds, and levels, of log data. In the preparation phase, the team must establish the right connections, acquire the data, and ensure it has the correct data.
Mitiga’s methods and tools allow organizations to get this preparation work done upfront, before an attack. As part of its assessment work, Mitiga uses its tools and cloud capabilities to automate data acquisition, allowing it to run continuously. When an incident occurs, obtaining the necessary forensics data requires the click of a button, not days of work under less than ideal circumstances.
Investigation
Even after meaningful investigation efforts start, additional preparation work often continues in parallel for some time, stealing resources and often delaying an effective response. If the right logs weren’t in place or deep enough, investigators spend time reconstructing the forensic data they need. Or if the logs are stored on tape, recovering those data could take days. Investigators typically have difficulty getting the enterprise, which is overwhelmed with the incident, to respond to detailed inquiries regarding likely threat actors and other important information.
Mitiga performs an investigation simulation to improve readiness, revealing the problems that will slow an incident response down before an incident occurs. Consequently, Mitiga can work with the organization to revamp and prepare it to perform efficiently. Missing forensics data will become apparent quickly, for example, and the organization can address such shortcomings. Mitiga can help the team bake organizational knowledge into the investigation toolkit, allowing the team to quickly remove known good behaviors from suspected leads. The team can prepare the relevant set of queries for each cloud service in advance, allowing investigators to focus on forensics analysis. And because these tools and processes are cloud-based, security teams can automate them.
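What "queries prepared per service" and "known good behaviors removed from suspected leads" look like in practice, as an added example that is not Mitiga's toolkit: a small triage routine over CloudTrail-style events. The field names follow CloudTrail (eventSource, eventName, userIdentity.arn, sourceIPAddress); the events, the allowlist rules and the per-service query set are all constructed for this example, and the account ID is a placeholder.

```python
"""Triage constructed CloudTrail-style events with pre-built per-service
queries and an allowlist of known-good behaviour (added example, not
Mitiga's toolkit; events, rules and queries are constructed)."""
import ipaddress
from collections import defaultdict

# Organizational knowledge captured before an incident (constructed): which
# principals perform which sensitive actions, and from which network.
KNOWN_GOOD = [
    {"principal": "ci-deploy", "events": {"RunInstances", "TerminateInstances"}, "cidr": "10.20.0.0/16"},
    {"principal": "key-rotator", "events": {"CreateAccessKey", "DeleteAccessKey"}, "cidr": "10.20.0.0/16"},
]

# Pre-built per-service queries: the event names worth pulling first.
QUERIES = {
    "ec2.amazonaws.com": {"RunInstances", "TerminateInstances", "ModifyInstanceAttribute"},
    "iam.amazonaws.com": {"CreateAccessKey", "CreateUser", "AttachUserPolicy"},
    "cloudtrail.amazonaws.com": {"StopLogging", "DeleteTrail"},
}

def principal_name(arn):
    """user/alice, role/x and assumed-role/x/session all reduce to the name; root stays 'root'."""
    tail = arn.rsplit(":", 1)[-1].split("/")
    return tail[1] if len(tail) > 1 else tail[0]

def is_known_good(event):
    """True only when principal, action and source network all match one rule."""
    try:
        src = ipaddress.ip_address(event["sourceIPAddress"])
    except ValueError:           # AWS service principals log a DNS name here, not an IP
        return False
    name = principal_name(event["userIdentity"]["arn"])
    return any(name == r["principal"] and event["eventName"] in r["events"]
               and src in ipaddress.ip_network(r["cidr"]) for r in KNOWN_GOOD)

def triage(events):
    """Apply the per-service queries, drop known-good hits, group the leads by service."""
    leads = defaultdict(list)
    for ev in events:
        if ev["eventName"] not in QUERIES.get(ev["eventSource"], set()):
            continue
        if not is_known_good(ev):
            leads[ev["eventSource"]].append(ev)
    return dict(leads)

def make_event(source, name, arn, ip):
    return {"eventSource": source, "eventName": name,
            "userIdentity": {"arn": arn}, "sourceIPAddress": ip}

ACCT = "111111111111"   # placeholder account ID; 198.51.100.0/24 is documentation address space
SAMPLE_EVENTS = [       # constructed
    make_event("ec2.amazonaws.com", "RunInstances", f"arn:aws:sts::{ACCT}:assumed-role/ci-deploy/build-42", "10.20.5.7"),
    make_event("ec2.amazonaws.com", "RunInstances", f"arn:aws:sts::{ACCT}:assumed-role/ci-deploy/build-43", "198.51.100.4"),
    make_event("iam.amazonaws.com", "CreateAccessKey", f"arn:aws:iam::{ACCT}:user/alice", "10.20.1.1"),
    make_event("cloudtrail.amazonaws.com", "StopLogging", f"arn:aws:iam::{ACCT}:root", "198.51.100.9"),
    make_event("s3.amazonaws.com", "GetObject", f"arn:aws:iam::{ACCT}:user/alice", "10.20.1.1"),
]

if __name__ == "__main__":
    for service, evs in triage(SAMPLE_EVENTS).items():
        print(service, [(e["eventName"], principal_name(e["userIdentity"]["arn"])) for e in evs])
```

The first ec2 event is suppressed as known-good while the second, the same role acting from outside the build network, survives as a lead; the s3 read never reaches the allowlist because no prepared query covers it.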
Containment/Eradication/Recovery
In short, the response team must know what happened to determine what to do first to contain, then eradicate the threat so that recovery can begin. Preparing in advance ensures the investigation phase can get underway quickly with the resources the team needs, thus improving readiness. These efforts can reduce the time an incident response team spends in the preparation phase by more than 90 percent and in the investigation phase by 50 to 75 percent. Additional response planning and exercises ensure the organization has the processes necessary to conduct an effective recovery. Thus, the organization gets to initial containment and, ultimately, full recovery much more quickly, reducing response times from weeks to days.
Lessons Learned
As we said earlier, most enterprises fail to implement this fourth phase in any meaningful way due largely to organizational issues. An incident response team may recommend significant changes for improving posture, but such reports often take months to traverse the org chart and reach someone who has the authority to make those changes. Such reports can go unheeded until another incident occurs and the organization looks to assign blame.
As we’ve discussed before, aligning the security organization with the cloud infrastructure it must protect is essential. Call it “moving security to the left,” “DevSecOps,” or whatever you like. But integrating security teams and functions with operations breaks down barriers and creates effective feedback loops. Lessons learned from actual incidents drive further preparation, thus improving readiness.
As existing organizations transition to the cloud, achieving these goals can be difficult. That’s why Mitiga made it a core part of its incident response services. Mitiga helps the organization capture any additional problems, lessons learned, and changes in tools and processes to improve response plans and security posture.
In summary, this is what Mitiga means by readiness. Instead of merely waiting for an attack, the organization should understand its adversaries and how they work, anticipating threats and preparing to counter them. This approach doesn’t just improve protection posture. It increases readiness, preparing the organization to respond to attacks more effectively and efficiently, mitigating their impact.
No, a large enterprise cannot prepare for every possible attack on every possible component. But it is possible to understand who the likely attackers are, what they are likely to target, and how they will probably target it, allowing enterprises to prepare for the scenarios that constitute the most significant risk.
Mitiga’s Methodologies
As a cloud-centric security services company, Mitiga first improves an organization’s readiness by augmenting its security team with people dedicated to tracking the ever-changing feature sets and configuration settings on today’s products. Mitiga tracks these changes and adjusts its recommendations and solutions accordingly.
Mitiga has also developed a variety of methodologies, technologies, and tools to address different enterprise needs. But they are all based on the fundamental principle of readiness, improving an organization’s ability to respond, all while ensuring the feedback loop from incident response back to readiness not only exists but works.
Compromise Assessment
Mitiga’s readiness methodologies involve a combination of a threat hunt and a security assessment. Mitiga does extensive threat profiling, working to understand the business and its risk profile, benchmarking within industry segments, accounting for geographical span, and other factors. It identifies likely attackers, including their capabilities, goals, and methods. Based on that information, Mitiga defines specific attack scenarios using its version of the MITRE ATT&CK framework. It then assesses an organization’s readiness based on those scenarios.
During an assessment, Mitiga will look for indications of compromise related to those scenarios. As Mitiga works through the scenarios, it comes to understand the business, its people (and how to work with them), its assets, its networks, and so on. The team builds queries, writes scripts, and customizes the Mitiga toolset for each attack scenario, which is much of the work traditional investigative teams do after an attack.
The team saves everything it does and learns in what Mitiga calls an “action book.” The action book details specific actions an organization can take to increase its readiness and improve its security posture. Mitiga can help the organization implement the plan or provide regular check-ins to ensure that internal teams are correctly executing the plan. These attack scenarios accelerate the assessment process, and organizations can use them as the foundation for other security tests, such as red team exercises.
And when there is an incident, the team can use the action book to react more quickly. Mitiga isn’t showing up for the first time and learning the organization and its systems. The security team saves valuable time because it can invoke scripted operations, and the information it needs is readily available. It’s up and running, starting the investigation immediately, with the right data, instead of starting from scratch.
Critical Paths
Mitiga is also challenging the conventional wisdom around a common approach to security planning, the Crown Jewels Analysis. While it is essential to identify and protect the assets most critical to an organization’s mission, Mitiga’s point is that an over-focus on those assets may lead companies to overlook ingress points that will attract attackers.
A typical example is a system admin’s computer. A successful attack on that computer would yield troves of valuable information for anyone looking to infiltrate the network. But the sysadmin’s computer would not make the crown jewels list. It and other critical access points create an opportunity for lateral movement and, ultimately, access to the crown jewels. If organizations fail to monitor and protect them, the Crown Jewels Analysis may be moot.
To address such oversights, Mitiga provides a Centers of Gravity assessment. It’s a gap analysis that focuses on both critical assets and the paths to those assets. Using the scenarios we described earlier, the assessment identifies the access points that attackers will focus on in their attempts to reach the crown jewels. Iterating through the scenarios reveals the critical access points that are common to multiple attack scenarios. This assessment clarifies where an organization can make effective risk management investments, increasing visibility and improving posture. It also allows an organization to reduce the probability that an attacker can succeed.
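The core of the idea, finding the access points common to multiple scenarios and using them to direct investment, reduces to a small ranking and set-cover exercise. The block below is an added illustration, not Mitiga's assessment method; the scenarios are constructed, each an ordered chain of hops from an entry point to a crown jewel.

```python
"""Rank attack-path access points by how many scenarios pass through them
(added example of the Centers of Gravity idea, not Mitiga's method;
the scenarios below are constructed)."""
from collections import Counter

SCENARIOS = {  # constructed: entry point -> ... -> crown jewel
    "phished-admin":    ["corp-email", "sysadmin-laptop", "ad-domain-controller", "customer-db"],
    "stolen-vpn-creds": ["vpn-gateway", "jump-host", "ad-domain-controller", "customer-db"],
    "leaked-ci-token":  ["ci-runner", "deploy-role", "secrets-manager", "customer-db"],
    "public-web-bug":   ["web-app", "app-server", "secrets-manager", "customer-db"],
}
CROWN_JEWELS = {"customer-db"}

def centers_of_gravity(scenarios, crown_jewels):
    """Hops (crown jewels excluded) ranked by the number of distinct scenarios that use them."""
    counts = Counter()
    for hops in scenarios.values():
        for hop in dict.fromkeys(hops):        # dedupe while keeping path order
            if hop not in crown_jewels:
                counts[hop] += 1
    return counts.most_common()

def plan_investments(scenarios, crown_jewels, budget):
    """Greedily pick hops so that each choice cuts the most still-open scenarios.

    Returns the chosen hops with the number of scenarios each one cuts, plus
    the scenarios still open once the budget is spent.
    """
    remaining, chosen = dict(scenarios), []
    while remaining and len(chosen) < budget:
        ranked = centers_of_gravity(remaining, crown_jewels)
        if not ranked:                         # only crown jewels left: nothing upstream to harden
            break
        hop, covered = ranked[0]
        chosen.append((hop, covered))
        remaining = {name: hops for name, hops in remaining.items() if hop not in hops}
    return chosen, sorted(remaining)

if __name__ == "__main__":
    for hop, n in centers_of_gravity(SCENARIOS, CROWN_JEWELS):
        print(f"{hop:22s} on {n} scenario(s)")
    print(plan_investments(SCENARIOS, CROWN_JEWELS, budget=2))
```

With these scenarios the sysadmin laptop sits on only one path, but the domain controller and the secrets store each sit on two, and hardening just those two covers all four scenarios.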
Remote Incident Response Readiness
As a cloud-based services company, Mitiga can perform assessments and other services remotely. As the business world grapples with geographical, travel, and other limitations caused by the COVID-19 pandemic, that remote capability is even more valuable.
For proper incident response, companies need secure communication channels and adequate remote access. They also have to manage and coordinate teams across the organization. With employees suddenly forced to work from home, an organization’s readiness can degrade quickly.
To help enterprises deal with these sudden changes, Mitiga offers a lightweight Remote Incident Response Readiness Exercise. The exercise simulates the first eight hours of an incident, typically the time window for setting up initial access and communications, developing an initial containment strategy, and starting an investigation. As part of the exercise, Mitiga will work with internal teams to attempt an actual investigation and communicate simulated findings to decision-makers.
Mitiga will evaluate security visibility and information flows, containment strategy development, and situational awareness. Mitiga will issue a report identifying pitfalls that could delay an investigation or impede the containment and recovery phases. The report will also compare the organization against industry response averages and best practices and give specific recommendations for improving its remote incident response capabilities.
Conclusion
The transition to the cloud challenges traditional information security teams, skill sets, and models in fundamental ways, compromising readiness and response. Mitiga was founded to enable more effective enterprise cloud security, improving both readiness and response through a set of highly focused managed services. Rain invested in the business because both the team and its approach are in full alignment with our mission to work with companies that push the security envelope, creating cloud-native security for the cloud-native world.