Tag Archives: incident response

A Sweet Addition in Your Arsenal of Protections

Perimeter security has advanced by leaps and bounds in detecting and preventing attacks. However, rules and detection methods cannot catch everything. The big question is: What should you do once malware or an attacker is in an environment? Answer: Honeypots.

They work as an early-alerting system for complex attacks and, when tuned properly, produce very few false positives compared to firewalls, IPS, and IDS. The sole purpose of a honeypot is to be probed, attacked, and compromised. This is accomplished by mimicking any resource, service, application, system, or network. All activity between the honeypot and the malware or attacker is monitored, alerted on, and analyzed. Examples of what that activity can reveal include scanning by worms or bots, internal threats, compromised nodes, new exploits and vulnerabilities, and new malware.
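A minimal sketch of the idea above, added here as an illustration and not code from the original post: a low-interaction decoy that mimics a service banner and raises an alert on every connection, with an allowlist as the tuning step. The banner, port, allowlisted scanner address and function names are all assumptions made for the example.

```python
import asyncio
import json
import time

BANNER = b"220 files01 FTP server ready\r\n"  # constructed decoy banner
ALLOWLIST = {"10.0.0.5"}   # constructed: an authorized vulnerability scanner
ALERTS = []                # in-memory sink; forward to a SIEM in practice

def build_alert(src_ip, src_port, payload, allowlist=ALLOWLIST):
    """Nothing legitimate talks to a decoy, so every contact becomes an alert.
    Tuning only downgrades known scanners; it never drops the record."""
    return {
        "ts": time.time(),
        "src_ip": src_ip,
        "src_port": src_port,
        "severity": "info" if src_ip in allowlist else "high",
        "bytes": len(payload),
        "payload_hex": payload[:256].hex(),  # cap what is stored per connection
    }

async def handle(reader, writer):
    """Present the fake banner, capture the first bytes sent, then alert."""
    src_ip, src_port = writer.get_extra_info("peername")[:2]
    payload = b""
    try:
        writer.write(BANNER)
        await writer.drain()
        payload = await asyncio.wait_for(reader.read(1024), timeout=5)
    except (asyncio.TimeoutError, ConnectionError):
        pass  # a connect-and-leave port scan is still recorded below
    finally:
        alert = build_alert(src_ip, src_port, payload)
        ALERTS.append(alert)
        print(json.dumps(alert))
        writer.close()

async def serve(host="127.0.0.1", port=2121):
    server = await asyncio.start_server(handle, host, port)
    async with server:
        await server.serve_forever()

if __name__ == "__main__":
    asyncio.run(serve())
```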

Honeypots are one of the most underutilized ways to detect a threat once it has hopped the fence of perimeter security. However, the email security industry has relied heavily on the honeypot, or spamtrap, as one of its most widely used and effective ways to detect incoming phishing and spam. Perhaps this disparity exists because honeypots in a production environment are commonly viewed as insecure holes that allow an attacker into the environment. This should not be the case. A honeypot can be deployed in a normal secured environment, or in an isolated DMZ. Obviously, once a threat has been detected by a honeypot, the normal environment can no longer be referred to as secure. The moment that a honeypot has been compromised, a threat has found a way into your environment and all of your servers are exposed. It should be assumed that anything on the network with the honeypot is or will be compromised as well. In this scenario, you still get the benefit of early alerting regarding the compromise.

Deploying a properly isolated honeypot is also worth the effort. Based on the information that is produced through the alerting and reporting, we can gain insights into our operating systems and servers, host protections, and information protections. By monitoring a live infection or attack, we can learn how these areas of the security model are being compromised by threats.

With BYOD being more prevalent every day and attack vectors growing, a detection mechanism such as a honeypot could end up being invaluable.

Matt

Just as a precautionary note: this approach must be implemented with the proper expert guidance and strategic planning; otherwise, it can introduce unwanted threats into an environment.

10 Easy Steps to Create a Data Breach Response

The sophistication and targeted nature of attacks continue to increase, the number of compromised records continues to rise, and organized crime is surfacing more often. With WikiLeaks and PlentyOfFish at the center of media attention as the latest in data breaches, security professionals have good reason to fear information security breaches and, in turn, to have a contingency data breach response plan.

Most breaches that occur could have been easily avoided or mitigated if the organization had a proper data breach response policy in place. A detailed data breach response plan not only decreases the likelihood of attack, but can also substantially reduce the amount of organizational chaos and valuable time wasted in mopping up the mess.

The following 10 high-level identifiers should help your organization build a robust data breach response plan in order to reduce the business impact of such occurrences.