DataSans
Business Imperatives

Protect Against Advanced Cyber Threats: Follow the 8 Rules of Fight Club

To make sure you are ready for any cyber ring match, follow these eight rules.

1) You DO NOT talk about the fight

Your executive wants updates on the status of the advanced threat in your network.

What NOT to do: Send an email as soon as possible with a summary to your management.

What to do: Use out-of-band communication, a channel that does not run on the compromised infrastructure (phone calls, or a separate, freshly provisioned mail or chat service), instead of your corporate email. Threat actors are IN your environment: if they hold mailbox or endpoint access they can read what you say about them, screenshot your plans, and adjust their intrusion tactics to stay ahead of your response.

Get help in the ongoing fight against the adversary

2) You DO NOT talk about the fight…until it is over

You found the threat group. Your security team is proud and wants to spread the word.

What NOT to do: Share your findings publicly to enhance public perception through marketing buzz.

What to do: Don't publicly share any information until the fight is completely over. Threat groups monitor the Internet for anything that reveals what you have detected, and they use it to hone, tweak, and enhance their tactics to avoid detection. Sharing privately with the people helping you fight (your incident response provider, law enforcement, an industry sharing group) is a different matter from a public announcement.

No matter your weight class, you don’t have to brawl alone

3) Someone yells stop, goes limp, taps out, the fight is over

You evict the threat actors – things seem to be quiet and calm.

What NOT to do: Go back to business as usual on the assumption that the fight was won and the threat is no longer a risk to your business.

What to do: Keep monitoring for re-entry attempts. Threat groups are persistent. Often they are willing to go quiet, play dead, and wait for you to stop watching; then they come back, with a vengeance, and frequently through the same accounts, hosts, source addresses, or access paths they used the first time. The indicators you collected during the first intrusion are exactly what to watch for.

Keep re-entry attempts on the ropes

4) Only 2 guys to a fight…

Your organization may be collateral damage. You are a victim of a security breach.

What NOT to do: Assume that the threat group’s intent was to steal your company’s sensitive data.

What to do: Understand the intent of the threat group before you settle on a response; the right steps differ depending on whether they came for your data, for a partner or customer they can reach through you, or for infrastructure they can repurpose. Your company could be collateral damage from a threat group targeting someone or something different that is linked or adjacent to your organization.

The right intel will prepare you for the next punch

5) One fight at a time, fellas

You investigate and learn that there are multiple threat groups inside your network.

What NOT to do: Apply the same remediation tactics to all of the observed threat groups.

What to do: Tailor your response to each group's tooling, persistence mechanisms, and access paths; separate operating procedures lead to a more effective eviction. A "one size fits all" approach to eradication and eviction doesn't address the uniqueness of each threat group, and removing one group's foothold does nothing about the others.

Don’t throw a haymaker and hope it lands. Hone your battle strategy

6) No shirt, No shoes, No RATs

You assume that an adversary will access your environment using a remote access tool.

What NOT to do: Rely solely on your existing malware-detection technology.

What to do: Monitor for anomalous user activity, not just for malware. Threat actors frequently use legitimate remote access solutions (VPN, RDP, commercial remote support tools) with stolen credentials, so no malicious binary ever lands on disk. This makes detecting malicious activity much more difficult because the adversary is masquerading as a legitimate user, and detection has to come from behaviour: logons from new sources or at unusual hours, accounts using a tool they have never used before, or remote support software appearing on hosts where it was never deployed.

Knowing what punches to watch for is half the battle
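As an added illustration (not code from the original post or from Secureworks), the following Python script shows one way to put rules 3 and 6 into practice together. It parses a constructed sample of remote-access logon events, builds a per-user, per-tool baseline of source addresses from the period before eviction, and then flags (a) any attempt, successful or not, that touches indicators retained from the evicted intrusion, and (b) successful logons through legitimate tools that come from a new source, from an account that never used that tool before, or outside business hours. The log format, the indicator set, the cutoff date and the business-hours window are all assumptions made for the example.

```python
"""Flag re-entry attempts and anomalous remote-access logons.

Added example, not part of the original post. The log format, indicator
set, cutoff date and business-hours window are hypothetical.
"""
from __future__ import annotations

import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timezone

# Constructed sample of VPN / RDP / remote-support logon events (hypothetical data).
SAMPLE_LOG = """\
2024-03-01T09:02:11Z user=jsmith tool=vpn src=203.0.113.10 result=success
2024-03-01T09:15:40Z user=agarcia tool=rdp src=10.0.5.22 result=success
2024-03-02T08:55:03Z user=jsmith tool=vpn src=203.0.113.10 result=success
2024-03-02T10:12:57Z user=agarcia tool=rdp src=10.0.5.22 result=success
2024-03-03T02:41:19Z user=jsmith tool=vpn src=198.51.100.77 result=success
2024-03-03T03:05:44Z user=svc_backup tool=remote_support src=198.51.100.77 result=success
2024-03-04T04:12:09Z user=jsmith tool=vpn src=198.51.100.77 result=failure
2024-03-04T09:30:00Z user=agarcia tool=rdp src=10.0.5.22 result=success
2024-03-04T11:20:00Z user=agarcia tool=rdp src=10.0.5.22 result=failure
2024-03-04T23:58:31Z user=bwong tool=vpn src=192.0.2.45 result=success
"""

# Indicators retained from the intrusion that was just evicted (hypothetical).
EVICTED_INTRUSION_IOCS = {"src": {"198.51.100.77"}, "user": {"svc_backup"}}

# Events before this point are treated as the pre-eviction baseline (assumed).
CUTOFF = datetime(2024, 3, 3, tzinfo=timezone.utc)

# 07:00 to 19:59 UTC is the assumed normal working window.
BUSINESS_HOURS = range(7, 20)

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) tool=(?P<tool>\S+) "
    r"src=(?P<src>\S+) result=(?P<result>\S+)$"
)


@dataclass
class Event:
    ts: datetime
    user: str
    tool: str
    src: str
    result: str


def parse_log(text: str) -> list[Event]:
    """Parse the key=value logon format used by the constructed sample."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = LINE_RE.match(line)
        if m is None:
            raise ValueError(f"unparseable line: {line!r}")
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
        events.append(Event(ts, m["user"], m["tool"], m["src"], m["result"]))
    return events


def build_baseline(events: list[Event], cutoff: datetime) -> dict[tuple[str, str], set[str]]:
    """Map (user, tool) to the source addresses seen in successful logons before cutoff."""
    baseline: dict[tuple[str, str], set[str]] = defaultdict(set)
    for e in events:
        if e.ts < cutoff and e.result == "success":
            baseline[(e.user, e.tool)].add(e.src)
    return baseline


def triage(events: list[Event], cutoff: datetime, iocs: dict[str, set[str]],
           business_hours: range = BUSINESS_HOURS) -> list[tuple]:
    """Return (timestamp, user, tool, src, reasons) for every post-cutoff event worth a look."""
    baseline = build_baseline(events, cutoff)
    alerts = []
    for e in events:
        if e.ts < cutoff:
            continue
        reasons = []
        # Rule 3: any attempt, successful or not, that reuses an indicator from the
        # evicted intrusion is a re-entry attempt.
        if e.src in iocs.get("src", set()):
            reasons.append("reentry_src")
        if e.user in iocs.get("user", set()):
            reasons.append("reentry_user")
        # Rule 6: anomalous use of a legitimate tool only matters once the logon succeeded.
        if e.result == "success":
            known = baseline.get((e.user, e.tool))
            if known is None:
                reasons.append("first_use_of_tool")
            elif e.src not in known:
                reasons.append("new_source")
            if e.ts.hour not in business_hours:
                reasons.append("off_hours")
        if reasons:
            alerts.append((e.ts.isoformat(), e.user, e.tool, e.src, reasons))
    return alerts


ALERTS = triage(parse_log(SAMPLE_LOG), CUTOFF, EVICTED_INTRUSION_IOCS)

if __name__ == "__main__":
    for ts, user, tool, src, reasons in ALERTS:
        print(f"{ts} {user:<12}{tool:<16}{src:<16}{', '.join(reasons)}")
```

The two checks deliberately differ in scope: the re-entry check fires on failed logons too, because a failed attempt from a known-bad address is exactly the "revisit" rule 3 warns about, while the baseline checks only run on successful logons, since that is when a legitimate tool is actually being used by someone who may not be the account's owner. A benign post-cutoff event (agarcia over RDP from the usual address during working hours) produces no alert.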

7) The fight will go as long as it has to…

The threat actor was in and out without you even knowing it. The damage was done by the time you tried to respond. The fight is already over.

What NOT to do: Panic and assume the adversary is still operating in your environment.

What to do: Scope the activity first so you understand at what point in the fight you are getting involved. Build a timeline from the evidence (first sign of access, lateral movement, data staging, last observed activity) and let it drive the response: what you do differs depending on whether the fight just started, has ended, or is still ongoing.

Avoid a sucker punch. Parry evolving strikes in real-time

8) If this is your first night at fight club, you have to fight

You are under attack by an advanced threat actor.

What NOT to do: Assume that your normal mitigation plan will be effective.

What to do: Act with urgency and fight rather than assuming traditional security controls will keep you safe. The activity you have found may be only the tip of the iceberg, and an adversary that defeated your controls once will not be stopped by them the second time.

Knock out the adversary with these insights

Originally published on https://www.secureworks.com/blog/8-rules-of-fight-club
