Software-defined Protection - page 41

ENTERPRISE SECURITY BLUEPRINT
MANAGEMENT LAYER
or matched indicators may be the tip of an iceberg. Investigators should explore the past
(i.e., the events preceding the start event) and the future (i.e., how the attack progressed
after the initially identified event).
As part of the investigative process, additional indicators and suspected hosts may be
identified. These indicators are fed down to the Control Layer to generate applicable
protections, as well as expand the scope of the investigation. This process relies on
historical event records, as well as on data enrichment using internal and external
information sources (e.g., the Internet):
• What was the pre-infection part of the intrusion kill chain? In other words, when and how did this host get infected? Logs capturing from-host and to-host activity can be reviewed to identify the period of compromise and what actions preceded it. Once it is determined how the host got infected, future attacks with the same delivery mechanism can be blocked.
• Do the logs contain evidence of additional hosts that might have been hit using the same attack? The investigative process should be expanded to include these hosts.
• Post-infection – all outbound activity from the suspected host should be reviewed. This might provide indications for additional hosts that may have been compromised. Outbound connections from infected hosts may also be connections to previously unknown C&C servers and drop zones. Unknown destinations must be investigated to determine whether any of them are malicious and to generate corresponding threat indicators.
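As an added example (not code from the paper or from any Check Point product), the following Python script walks the three investigation steps above over a constructed outbound-connection log: it locates the start event for the suspected host, looks back over a window for candidate delivery destinations, expands the scope to other hosts that contacted the same indicators, and lists unknown post-infection destinations that still need a verdict before they become indicators. The log entries, hostnames, domain names, the 30-minute lookback and the known-good list are all constructed assumptions.

```python
"""Indicator-driven investigation over a constructed outbound-connection log.

Added example; every host, domain, timestamp and threshold below is made up
for illustration and is not taken from the Software-defined Protection paper.
"""
from datetime import datetime, timedelta

# Constructed log: (timestamp, source host, destination contacted)
LOG = [
    ("2024-05-01 08:55", "ws-17", "updates.example-vendor.test"),
    ("2024-05-01 09:02", "ws-17", "mail.example-corp.test"),
    ("2024-05-01 09:10", "ws-17", "cdn.lure-site.test"),     # delivery candidate
    ("2024-05-01 09:12", "ws-17", "beacon.bad-c2.test"),    # matched indicator (start event)
    ("2024-05-01 09:30", "ws-17", "files.drop-zone.test"),  # unknown post-infection destination
    ("2024-05-01 09:31", "ws-17", "mail.example-corp.test"),
    ("2024-05-01 10:05", "ws-23", "cdn.lure-site.test"),    # second host hit by the same delivery
    ("2024-05-01 10:07", "ws-23", "beacon.bad-c2.test"),
    ("2024-05-01 10:40", "ws-31", "updates.example-vendor.test"),
]

# Constructed allow-list of destinations the organisation already trusts.
KNOWN_GOOD = {"updates.example-vendor.test", "mail.example-corp.test"}


def parse(ts):
    """Parse the constructed 'YYYY-MM-DD HH:MM' timestamp format."""
    return datetime.strptime(ts, "%Y-%m-%d %H:%M")


def first_contact(log, host, dest):
    """Earliest time `host` connected to `dest` (the start event), or None."""
    times = [parse(ts) for ts, h, d in log if h == host and d == dest]
    return min(times) if times else None


def pre_infection_candidates(log, host, start, lookback, known_good):
    """Destinations the host reached in the lookback window before the start
    event, minus known-good ones: candidates for the delivery mechanism."""
    window_start = start - lookback
    found = []
    for ts, h, d in log:
        if h != host or d in known_good or d in found:
            continue
        if window_start <= parse(ts) < start:
            found.append(d)
    return found


def post_infection_unknowns(log, host, start, known_good, indicators):
    """Outbound destinations after the start event that are neither known-good
    nor already indicators. These still need a verdict (possible C&C / drop zone)."""
    found = []
    for ts, h, d in log:
        if h != host or d in known_good or d in indicators or d in found:
            continue
        if parse(ts) >= start:
            found.append(d)
    return found


def hosts_contacting(log, indicators):
    """Every host that contacted any of the given indicators."""
    return {h for _, h, d in log if d in indicators}


def investigate(log, host, indicator, known_good, lookback=timedelta(minutes=30)):
    """Run the backward / sideways / forward steps from one matched indicator."""
    start = first_contact(log, host, indicator)
    if start is None:
        return None
    indicators = {indicator}
    delivery = pre_infection_candidates(log, host, start, lookback, known_good)
    indicators.update(delivery)          # block the delivery mechanism next time
    unknown = post_infection_unknowns(log, host, start, known_good, indicators)
    additional = hosts_contacting(log, indicators) - {host}
    return {
        "start": start,
        "delivery_candidates": delivery,
        "unknown_destinations": unknown,          # investigate before adding as indicators
        "additional_hosts": sorted(additional),    # expand the investigation to these
        "indicators_for_control_layer": sorted(indicators),
    }


if __name__ == "__main__":
    for key, value in investigate(LOG, "ws-17", "beacon.bad-c2.test", KNOWN_GOOD).items():
        print(f"{key}: {value}")
```

The script deliberately keeps unknown post-infection destinations separate from the indicator set: only destinations already tied to the attack (the matched C&C indicator and the delivery candidate found in the lookback window) are handed down for protection, while the drop-zone candidate is reported for analyst review, matching the paper's point that unknown destinations must be investigated before indicators are generated.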
The Management Layer supports these investigations by providing incident responders
with information on baseline user behavior and threat indicators that might match event
attributes, using data visualization and analysis tools. The volume of event reports that
need to be reviewed by incident responders can be reduced by correlating different events
and matching events to known patterns of “normal” and “abnormal” behavior. Workflow
and decision support tools assist in the coordination of initial response. Honeypots and
honeynets may be used to simulate a target environment in order to draw out the attacker
and study his behavior.
Incident Response
The options for responding to an attack depend on the presumed kill chain phase for the
attack – i.e., whether pre-infection (reconnaissance, delivery or exploitation) or post-
infection (installation, C&C or actions on objectives). In general, disrupting an attack
involves any of the actions below:
• Preventing or blocking the threat agent from interacting with its targets
• Enforcing expected authorized interaction protocols and data contents
• Constraining system state changes and data flows (e.g., enforcing resource quotas or preventing sensitive data leakage outside of a defined perimeter)