Securing the Digital World

Breach Response: Mitigating an Outbreak

Jun 27, 2017 | by RSA Research |

By Azeem Aleem, Gareth Pritchard and David Gray, RSA Advanced Cyber Defense

It's mid-2017 and the news is alight with yet another alarming cybersecurity attack: a new strain of malware that, on first analysis, looks very similar to a previously reported family called "Petya". The new variant is ransomware armed with the EternalBlue exploit for the SMB vulnerability patched in MS17-010, and it also uses PsExec and re-use of captured authentication credentials to move laterally across a network. EternalBlue is one of the exploits leaked by a group known as the 'Shadow Brokers'.

This latest attack is not unlike the previously reported WannaCry (also known as WanaCrypt0r 2.0), which also used the EternalBlue exploit to infect machines over the network. This latest attack is much more impactful at a technical level because the malware performs low-level encryption: rather than encrypting individual files, it attacks the disk itself, overwriting the boot record and encrypting the file table so that the system no longer boots. In this scenario recovery is more difficult and time consuming, as the disk must be wiped (or replaced) and the operating system reinstalled before files can be restored from backup.

The earlier WannaCry malware used file-level encryption: individual files were replaced with encrypted versions, the disk and operating system remained usable, and the files could be restored from backup with relative simplicity, assuming backups were available.

In the WannaCry attack, emergency services and public safety were severely impacted: hospitals closed and ambulances were re-routed because of the outbreak.

The full extent of this latest ransomware attack is yet to be realized; however, published reports indicate mass infection across multiple organizations, including but not limited to the Russian central bank and a Ukrainian international airport.

As the investigation around "Petya/NotPetya" continues, it is already clear from a security perspective that this attack could have been much smaller in scope, if not avoided entirely, through a combination of security strategies and defenses. Let's take a closer look.


At the core of breach mitigation are strategic patch management, compliance and policy enforcement. Because organizations must test patches before deploying them to business-critical systems, it is important to assign internal criticality ratings to vulnerabilities and to assess the likelihood of exploitation, so that high-priority and immediately exposed systems are patched first and imminent threats are prevented from impacting the organization.

Patching without due care and attention can be as damaging as not patching at all; rolling out untested patches has crippled organizations before. Always ensure the product being patched is fully supported by the vendor. When an out-of-band patch is released for a critical vulnerability in an end-of-life operating system, the vendor may not support that system beyond the emergency release; contact the vendor to confirm what support will be provided during and after patching. A back-out plan to reverse the patch, in case it degrades system performance or security, is also required for patching and maintenance activities.

Organizations must employ a stable upgrade and maintenance cycle to combat this age of cyber threats. Failure to patch, update and upgrade (away from unsupported operating systems) can, at the very least, irreparably damage an organization's reputation or, in the worst case, as seen in the recent WannaCry ransomware attack, put public safety at risk.

Patch management should include, but not be limited to, operating system upgrades. Continuing to use operating systems no longer supported by the vendor carries the highest risk, as those systems provide a foothold for attackers to reach the wider network.

Many vulnerabilities in unsupported systems will never be fixed, and well-known exploits and malware for them become publicly available to novice attackers (commonly known as script kiddies), greatly extending the threat landscape.

The last line of defense in a breach mitigation strategy is the end user. Many organizations operate under the mistaken belief that end users are only something to be protected from threats; to protect the network effectively, end users need to be trained and empowered to identify potential threats and to help protect company assets from attack.

Phishing and social engineering attacks are extremely simple to conduct, difficult to detect at a technology level and the most likely to succeed. An attacker can fail many times and still win with a single success, and that single success may be one user failing to recognize an attack, resulting in a breach of the network. End user education is often overlooked in network protection, but it is a critical and often final line of defense. This kind of awareness spills over into employees' lives, to their children and friends, ultimately raising public awareness and our collective ability to protect ourselves against cyber threats now and in the future.

The risk mitigation strategy must be built on the following actions:
  • Regular compliance and policy audits
    • Deploy an Identity and Access Management (IAM) solution to automate and manage user access rights
    • Audit and update user access permissions

Ransomware can only affect files it has access to; typical ransomware runs with the privileges of the currently logged-in user and therefore reaches exactly the data that user can reach. Maintaining least-privilege access permissions limits the damage an infection can cause, as not all end users need access to all critical systems.

    • Monitor for non-compliant applications, software and hardware
      • Non-compliant applications, especially those introduced through shadow IT, increase the attack surface

As stated above, the most effective way to reduce an organization's threat landscape is a patch management program.

  • Extended Patching Program
    • Standard patching process for the enterprise with agreed SLAs for critical patches
    • Patching is extended to include patching of third party applications as well as operating systems.
    • Patching status is checked regularly via vulnerability scanners and penetration tests

Applications, software and hardware deemed non-compliant with the IT usage policy increase the attack surface of the company's assets. Many organizations maintain a whitelist of applications that have been tested and verified as safe for use within the organization. These compliant software packages should also be regularly upgraded and patched, and monitored by the company's security team for vulnerabilities and exploits reported by each vendor.

  • Utilize a vulnerability scanner to detect vulnerable systems and applications
    • Prioritize and mitigate vulnerabilities that cannot be patched
    • Liaise with vendors to determine mitigation strategies and temporary solutions for such un-patchable vulnerabilities.

Regular scans should be conducted using a vulnerability scanning appliance on the company's network in order to identify applications that may be vulnerable to exploitation.

A new-found vulnerability may not always be patched immediately due to patch availability from the vendor; however, in these cases the vendor of the vulnerable application will typically be able to provide a mitigation strategy until a patch is made available.

Alternative mitigation strategies include isolating the vulnerable applications/assets from the wider network, or temporarily limiting the communication protocols available to the vulnerable assets until patching can be completed.

  • Research, test and employ advanced techniques to mitigate threat types
    • Placing a file in an area of the disk that is whitelisted and/or ignored by all legitimate applications allows a company to monitor that file or area for changes (known as placing trip wires, or canary files). Because the file should never change, any modification is an early indication of a potential ransomware infection. This technique is best suited to critical systems and large file shares, where false-positive alerting is reduced and easily manageable.
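The following is an added example of the canary-file technique in Python (written for this article, not code from the RSA post). It seeds a decoy directory, baselines a SHA-256 hash of every canary, and on each re-scan reports modified, missing/renamed and newly dropped files, which are the three things ransomware typically does to a share (encrypt in place, rename to a new extension, drop a ransom note). The directory layout, file names and the simulated infection are hypothetical, and the demo runs entirely inside a temporary directory.

```python
"""Canary ("trip wire") files for early ransomware detection.

Added example for this article, not code from the original post.  The
canary names, the simulated infection and the temp directory are
hypothetical; a real deployment would point the root at a share and run
check() from a scheduled task that alerts the SOC.
"""
import hashlib
import os
import tempfile
from pathlib import Path

# Content of every decoy file; nothing legitimate should ever rewrite it.
CANARY_CONTENT = b"CANARY FILE - do not modify.  Changes are monitored by the SOC.\n"


def create_canaries(root: Path, names) -> None:
    """Seed the canary directory with decoy documents (hypothetical names)."""
    root.mkdir(parents=True, exist_ok=True)
    for name in names:
        (root / name).write_bytes(CANARY_CONTENT)


def _sha256(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def baseline(root: Path) -> dict:
    """Snapshot: relative path -> SHA-256 of every file under the canary root."""
    return {str(p.relative_to(root)): _sha256(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def check(root: Path, expected: dict) -> list:
    """Compare the current state with the baseline.

    Returns a sorted list of (finding, relative_path) tuples:
      modified            - content hash changed (encrypted in place)
      missing_or_renamed  - canary gone (renamed to a ransom extension or deleted)
      unexpected_new_file - file the baseline never had (e.g. a ransom note)
    An empty list means the trip wire is intact.
    """
    current = baseline(root)
    findings = []
    for rel, digest in expected.items():
        if rel not in current:
            findings.append(("missing_or_renamed", rel))
        elif current[rel] != digest:
            findings.append(("modified", rel))
    for rel in current:
        if rel not in expected:
            findings.append(("unexpected_new_file", rel))
    return sorted(findings)


def demo() -> tuple:
    """Run a clean check, then simulate an infection and check again."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "Finance"          # hypothetical share path
        create_canaries(root, ["Q1_Budget.xlsx", "passwords.docx"])
        snapshot = baseline(root)
        clean = check(root, snapshot)         # trip wire intact -> []

        # Simulated ransomware behaviour (constructed for the demo):
        (root / "Q1_Budget.xlsx").write_bytes(os.urandom(64))                 # encrypt in place
        (root / "passwords.docx").rename(root / "passwords.docx.locked")      # rename
        (root / "README_DECRYPT.txt").write_text("Pay to decrypt.\n")         # ransom note
        tampered = check(root, snapshot)
        return clean, tampered


if __name__ == "__main__":
    for kind, path in demo()[1]:
        print(f"ALERT canary {kind}: {path}")
```

Hashing rather than relying on modification time matters because some ransomware preserves timestamps; comparing the full file list in both directions is what catches the rename and the ransom note, not just the in-place rewrite.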

Smaller organizations and home users can purchase internet security packages that include solutions designed to protect against ransomware. These packages use a similar method, preventing third-party applications from accessing files the user has selected for protection.

  • Educate users on safe practice and cyber threats
    • Perform user awareness campaigns
      • Send high priority "Must Read" emails warning of phishing email attacks
    • Conduct regular table top exercises and targeted training for critical users
    • Provide additional training and awareness for critical systems' users

Where possible, arrange for the email team to remove known malicious emails from the mail servers. Attackers commonly take advantage of newsworthy events to borrow trust from end users and make phishing campaigns more successful. Pre-warning end users of a suspected phishing attack raises awareness and helps them detect these attacks.


Organizations are overwhelmed with legacy technologies negatively impacting productivity and creating a false sense of security

Breach mitigation will not be completely effective in all cases, as advanced attackers are well-funded, organized and capable. True zero-day vulnerabilities are previously undisclosed; the initial discovery is often made by a security researcher during (or after) incident response activities, by which time it is too late: the zero-day has already done its job of breaching the targeted network. Attackers' goals vary in impact and severity; a politically motivated intrusion and an espionage intrusion may look identical on the network, but whether the goal is to sell the data or to destroy it makes a very different impact on the victim. Monitoring for evidence of what happened to the data after it was stolen may allow an organization to react swiftly and minimize the damage from a leak or from destruction for financial gain. Regardless, a company can still prepare for most breach eventualities.

When developing threat detection, protection and prevention use cases, it's useful to create a threat scenario. For example, a scenario on the impact and capability of a ransomware infection would highlight areas where attention is required for response and recovery actions.

Ransomware Threat scenario

An end user receives a phishing email and clicks a link that takes them to an untrusted website. The link downloads ransomware and infects the target. The ransomware scans the target's hard drive, in addition to any accessible network shares, encrypting specific file types. Once encryption is complete a popup screen demands payment to unlock the system. Failure to pay results in deletion of the decryption key, leaving no way to restore the affected files.


This threat scenario highlights several potential issues that can be prevented or prepared for before the threat is realized. Many ransomware infections scan the network shares attached to the compromised asset and, where they have worm capabilities, spread to connected hosts before encrypting any data or showing signs of infection on the original asset.

Mitigation advice for ransomware often includes regular data backups to an offsite facility. As with recovery from hardware failure or natural disaster, restoring from such backups loses any data created since the last backup. Ransomware attacks are more prevalent and more likely to occur than total redundant hardware failure or natural disaster, and therefore require more in-depth analysis. Of course, backups are still necessary and provide some assurance of returning to business.

Payment, generally considered an invitation to further ransomware and other attacks from threat actors, does not guarantee resolution of the situation. The potential for future re-encryption, or for decryption to fail, makes paying the ransom a business decision. This decision should be made after a risk assessment comparing the cost of temporary data loss, the impact of downtime and the consequences of permanent data loss. To prepare for this scenario, stakeholders must be briefed and ready to make that decision. Third-party incident response groups are typically brought in during these situations.

Preparation allows these third-party incident response teams to act swiftly, quickly disrupting the attack, effectively minimizing impact and restoring service with minimal disruption.

The Mitigation strategy must be built on the following actions:

  • Breach response exercises
    • Key stakeholders should be included in table-top exercises on virtual breach incidents
      • While there is no substitute for real-world experience the exercise can be made to "feel real" with time sensitive activities scored against the clock and reviewed during the lessons learned phase at the conclusion of the exercise.
    • The best analysts in the world have handled many different incidents, gaining invaluable experience that cannot be taught. A breach response exercise provides a team the opportunity to experience an advanced attack without the risk.
    • Simulating real-world technical breaches tests and prepares the company's security operations center (SOC).

Running breach exercises allows a company to develop new complex attack scenarios and challenge a company's team to conduct more advanced exercises to better prepare your organization.

  • Develop a 'moat & drawbridge' isolation response
    • In emergency situations, isolation for the protection of the wider network is critical
      • Ensure all network partitions are mapped and capable of isolation in emergency situations.
    • Critical networks should be isolated first; what constitutes a critical network may depend on the threat. Develop a matrix to determine the priority of network partitions during a breach.


Breaches will occur. It's simply not possible to prevent every attack from resulting in a breach. Even the most tech savvy and conscientious employees can fall victim to an advanced spear phishing attack. The most current and robust technology can potentially be exploited via a zero-day vulnerability from an incentivised attacker.

However, with careful and guided preparation and prevention, a company is more than half way to mitigating a breach before it occurs. The final step, response, must be swift, decisive and exacting.

Having the ability to monitor the attack and to pull up the drawbridge (when deemed necessary) in seconds rather than hours may aid in understanding the attacker's end goal. This can be useful for intelligence purposes, may identify the attacker's exfiltration point, and may uncover additional compromised assets in use (or held in reserve to regain entry once you have remediated and recovered from the attack).

  • Strategic monitoring
    • Following a breach, strategic monitoring is the act of watching the threat actors conduct operations on the network with a view to understanding their capabilities, goals and tactics. Although risky, in some circumstances this tactic can be extremely useful in combating a persistent threat actor. It should not be attempted without expert advice, either from an in-house team of security professionals trained and capable of running a breach response exercise of this kind, or from a third-party incident response team.

Responses must be tailored to the threat. The response to a breach attempting to exfiltrate sensitive data cannot be the same as the response to a ransomware attack. When developing attack scenarios, use cases should be coupled with incident response procedures (IRPs) tailored to the threat type. These procedures must be reviewed, analyzed and updated at the end of every related incident so that they stay current, resolve any issues encountered with the procedure and keep pace with advancing analyst and technology capabilities. All other areas of the IRP should likewise be targeted at the specific threat.

Attack vectors and TTPs are used to build attack scenarios, which are used to identify threat indicators. Threat indicators are mapped against data sources to identify exploitable detection logic. Detection logic is mapped against IRPs.
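To make that chain concrete, the following added Python example (written for this article, not from the RSA post) takes two indicators from the ransomware scenario above, maps each to a data source, implements the detection logic and tags every alert with the IRP to invoke. The log formats, thresholds, host names and IRP names are hypothetical and the log lines are constructed for the demo; the two data sources they stand in for are a file server's object-access audit log and the Windows System event log (event ID 7045, a new service installed, which is what PsExec leaves behind as the PSEXESVC service).

```python
"""Detection logic for the ransomware threat scenario, mapped to IRPs.

Added example for this article, not code from the original post.  Log
formats, thresholds, host names and IRP names are hypothetical; the
sample log lines are constructed for the demo.

  indicator                          data source (hypothetical format)    IRP
  one host rewriting many files on   file-share object-access audit log   IRP-Ransomware
  a share in a short window
  remote service install by PsExec   Windows System log, event 7045       IRP-LateralMovement
  (service name PSEXESVC)
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

BURST_THRESHOLD = 20                  # writes/renames by one host ...
BURST_WINDOW = timedelta(seconds=60)  # ... within this sliding window

SHARE_RE = re.compile(
    r"^(?P<ts>\S+) share=(?P<share>\S+) host=(?P<host>\S+) "
    r"user=(?P<user>\S+) op=(?P<op>\w+) path=(?P<path>.+)$")
SVC_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) event=7045 service=(?P<svc>\S+) image=(?P<image>.+)$")


def detect(lines):
    """Return a list of alert dicts from an iterable of log lines (either source)."""
    alerts = []
    recent = defaultdict(deque)   # host -> timestamps of recent write/rename ops
    reported = set()              # hosts already alerted on, to avoid an alert flood
    for line in lines:
        m = SHARE_RE.match(line)
        if m:
            if m["op"] not in ("WRITE", "RENAME"):
                continue
            ts = datetime.fromisoformat(m["ts"])
            window = recent[m["host"]]
            window.append(ts)
            while ts - window[0] > BURST_WINDOW:    # drop events older than the window
                window.popleft()
            if len(window) >= BURST_THRESHOLD and m["host"] not in reported:
                reported.add(m["host"])
                alerts.append({"rule": "share_write_burst", "host": m["host"],
                               "user": m["user"], "share": m["share"],
                               "count": len(window), "irp": "IRP-Ransomware"})
            continue
        m = SVC_RE.match(line)
        if m and m["svc"].upper() == "PSEXESVC":
            alerts.append({"rule": "psexec_service_install", "host": m["host"],
                           "image": m["image"], "irp": "IRP-LateralMovement"})
    return alerts


def sample_logs():
    """Constructed log lines: normal activity, one PsExec install, one burst."""
    base = datetime(2017, 6, 27, 10, 0, 0)
    lines = []
    # Normal editing by one user: 5 writes spread over 5 minutes (no alert).
    for i in range(5):
        t = (base + timedelta(minutes=i)).isoformat()
        lines.append(f"{t} share=\\\\FS01\\Finance host=WS-0042 user=alice op=WRITE path=report{i}.docx")
    # A benign service install, then PsExec's service appearing on a server.
    t = (base + timedelta(minutes=5)).isoformat()
    lines.append(f"{t} host=SRV-DB02 event=7045 service=BackupAgent image=C:\\Program Files\\Backup\\agent.exe")
    lines.append(f"{t} host=SRV-DB02 event=7045 service=PSEXESVC image=%SystemRoot%\\PSEXESVC.exe")
    # Infected workstation: 25 writes to the share in 25 seconds (alert at the 20th).
    for i in range(25):
        t = (base + timedelta(minutes=6, seconds=i)).isoformat()
        lines.append(f"{t} share=\\\\FS01\\Finance host=WS-0117 user=bob op=WRITE path=doc{i}.xlsx.locked")
    return lines


if __name__ == "__main__":
    for alert in detect(sample_logs()):
        print(alert["irp"], alert)
```

The sliding window keeps the rule cheap on a busy file server, and the per-host suppression means the SOC gets one alert naming the host, user and share to isolate rather than one per encrypted file; the IRP tag on each alert is the hand-off point into the response procedures described later.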

[Figure: Example of threat scenarios]

[Figure: Example of commonality identified across IRPs]

[Figure: Example IRPs for internet access without a proxy]

Response procedures should include steps for incident triage, investigation, containment, eradication and recovery. Incident closure only occurs following a full debrief; this may be weeks or months after a breach. There are no prizes for closing a breach incident quickly; it is akin to a project. Forensic and malware analysis must be conducted and post-breach monitoring use cases implemented. These use cases must carry an increased response priority, to cut response times in the event the attackers resurface or were not successfully removed from the network during the initial remediation (it is not uncommon for advanced attackers to leave behind multiple backdoors). Do not underestimate advanced attackers when they use seemingly basic attack methodology. Just as you would not use a precision laser to cut a loaf of bread, an advanced attacker would not spend a zero-day vulnerability on a target that is vulnerable to well-known exploit code.

The Response strategy must be built on the following actions:
  • Identify the immediate impact and apparent goal of the breach
    • Determine which response procedure is best to mitigate the attack; decide whether to monitor or disrupt the attack.
  • Collect evidence and forensically analyze the breach
    • Multiple incidents occur on a daily basis, but a breach should not be a regular occurrence. Understanding the mechanics and strategy behind the breach can help to prepare and, ultimately, respond quickly and efficiently to future breach attempts. The goal of this strategy is to build up to an advanced SOC (ASOC) with the ability to disrupt advanced attacks before the threat actor reaches their goal.
  • Conduct a debrief
    • Use this portion of the response procedure to identify weak points in technology, training and capabilities. The final breach report for the executives should include a detailed roadmap: why it happened, how to prevent it happening again, and the estimated cost of becoming capable of disrupting future breaches. This allows the business to work alongside the security team to develop a Business-Driven Security solution.

These strategies are only a small part of the overall security program an organization needs to maintain safe operations with minimal impact to the assets which keep the business running. Each strategy can be diversely expanded, reduced or combined according to business and security requirements. Leaving out any of these strategies negatively impacts the business and increases overall risk.

It's incumbent on all of us to develop a threat mitigation strategy.