As cyberattacks multiply, it is worth lifting the veil on the technical actions that consulting analysts undertake as soon as suspicious activity is observed.
Detection, response… The technical dimension matters, but human action matters at least as much.
What happens behind the scenes when a cyberattack is identified? What are the first moves made by consulting analysts: their first reflexes, the first steps they take with the customer who has just been hit? How are the teams in charge of the response assembled? At a time when cyberattacks are multiplying, it may be useful to give some visibility into the interventions that the technical teams defending companies carry out on a daily basis. The aim is for the organizations reading these lines to draw from them a few strong ideas that will help them better approach this critical phase, should a cyberattack ever affect them.
Establish a report as soon as possible
Let us detail some of the steps that technical experts perform at the time of a cyberattack. For this, let us turn to Renaud Leroy, a consulting analyst who has already worked for a large number of organizations. As a security analyst, Renaud Leroy works on attacks every day.
“We intervene on these offensives and determine in which phase the observed events and detections fall: at the beginning, in the middle or at the end? This is the concept of the ‘Kill Chain’, the representation of the course of an attack,” he explains.
“An attack can be in progress, but it can also show early signs. It is therefore characterized by many parameters that should be clearly identified. What attack methodologies are being used? Where are we with the attack? Was this attack successful, or is it still ongoing? What assets and people are involved? What stage are we at? What are the attacker’s presumed intentions? What is he trying to achieve? What are his objectives?”
When faced with this type of aggression, Renaud Leroy takes multiple factors into account. He contextualizes and tries to define the mode of operation he is dealing with and the strategy adopted by the cyber-attacker(s). In short, he builds a global view together with the client, taking into account the client’s business needs, the people and their roles, the assets, and the attackers’ methodologies and modi operandi.
A human-driven analysis
Then comes the in-depth analysis stage. This is carried out by humans, on the understanding that the Artificial Intelligence (AI) and Machine Learning built into today’s detection tools have already done their job.
“The platform helps us enormously, but the human brain is more than necessary in order to dig deeper into the analysis, which is crucial. You also have to move very quickly because the later the response, the more the attack will have been able to deploy”, explains Renaud Leroy.
It is at this stage that contextualization, collective intelligence and information sharing come into play. To do this, cybersecurity experts act in concert and are available 24 hours a day, 7 days a week.
“I have colleagues available on all continents. Because of the time differences, they are able to take over when I leave my post, and vice versa. Thus, an attacked client benefits from permanent help.”
Often, when the attack is fairly easy to counter, one or two people are mobilized. Sometimes, when the attack is more involved, a larger team can be assembled.
“You should know that every day we identify dozens of suspicious events with our customers, and that each one calls for confirmation, attention and, of course, a response. With current technologies and the proliferation of applications, we are dealing with a ‘brouhaha’, that is to say a noisy environment. The products that companies use are not all secure, and to spot an attack in such a context, it is necessary to combine the contributions of very fine technology with a discernment that only the human eye allows.”
Two categories of customers
The analysis of these alerts is actually divided into two phases. The first relates to detection; the second takes the form of an in-depth investigation using a tool that allows pivoting on the company’s network activity data. The customer’s metadata is used to enrich, deepen and contextualize the alerts.
“This response phase can take just a few hours, but it can also take up to a few days, sometimes even a few weeks,” explains Renaud Leroy.
“There are also two categories of customers: some have a SOC, a Security Operations Center, with an internal team dedicated to the organization’s security. Others have outsourced their defense and clearly need a third party to deal with it. For our part, we are used to dealing with different security systems in various sectors. We adapt on a case-by-case basis; it is quite usual.”
All this shows that security is a real job, one that requires adaptability, reflection and well-framed actions. Identification, contextualization, understanding… The actions carried out are many and even extend to post-compromise reporting. In any case, it must be clearly understood that cybersecurity experts operate around the pillars of monitoring, control, minimization of the infrastructure’s exposed surface, and updates. All this takes place in an ecosystem where numerous and varied modes of operation are deployed, and very often where several attackers act together (providers of various services: access, resale, service). Thus, everything is done to reach potential victims, which de facto defines the central mission of the consulting analysts. Beyond their strictly technical actions, they never cease to reassure those of their customers who sometimes find themselves facing a reality that is difficult to grasp.
At Vectra AI
Source: “24 hours to cyber emergencies, security experts in action”, PACA’s economic and political newsletter.