Key Action Items

• “Fast cars can go faster if they have good brakes.” Approach security as a technology enabler as opposed to a defensive requirement.

• Decision-makers should be willing to answer Trusted Advisor questions about how they respond to specific threats. Doing so will help them help you.

• Place particular emphasis on the collection of supporting metrics, the identification of key areas in need of particular protection, areas in which necessary protection is not provided, and an assessment of specific risks, attack surfaces, and attack vectors.

• Don’t focus solely on protecting that single, most critical resource. Attackers merely need to access a vulnerable machine that has access to that critical resource, sometimes via multiple hops. Take a detailed look at how systems are connected.

• Make proactive threat hunting part of your security posture.

• Defend both your data center and your web-based services.

It Happened. Now What?

When a successful attack against your organization occurs, the required intervention must be both human and technological. The great irony of IT security is that, despite your best efforts, some form of successful attack is likely to happen at some point, no matter what you do. After all, defenders have to be right every time, whereas attackers only need to be right once. To further complicate matters, it might not be immediately clear when the actual penetration has taken place.

This is especially true when an advanced persistent threat is successfully launched. After the initial compromise, the attackers will be looking to extend their access to other devices on the network, execute privilege escalations in order to extract more data, and generally move through your infrastructure until they find the specific targets that they seek. Once this is done, they may cover their tracks and withdraw, or more likely they will try to maintain a presence on your network that can facilitate future attacks. Bear in mind that data can be intercepted while in transit or stolen while at rest.

While it makes sense to do everything possible to fend off these attacks and prevent them from happening, it is equally important to assure you have the infrastructure in place to detect the breach, notify the necessary people, and collect all the necessary information to track the breach, close the exposure, and prevent it from ever happening again. Many experts suggest the best tactic is to delay the attacker long enough for the security teams to discover the incursion (or attempted incursion) and resolve the issue before damage is done, or until it can at least be minimized.

This is essentially a team approach that transcends your technologists and engages business-level roles, as well. This team might also include your Trusted Advisor and a managed security services provider, if one has been commissioned. It may also include your communications team.

Copyright © 2020 AVANT Communications, Inc.
Managed Security Trends and Insights