Maslow’s hierarchy of needs for incident response

Advanced threats that utilize lateral spread techniques are becoming more commonplace. This has important implications for incident management that we can liken to Maslow’s Hierarchy of Needs for incident response.

The lateral movement of malware made headlines in May 2017 when the WannaCry variant of ransomware was released, infecting more than 200,000 machines in upwards of 150 countries. It was able to spread rapidly laterally using the EternalBlue exploit.  While the damage stemming from WannaCry was less than originally feared, this emerging method of spreading malware was concerning and for good reason.  

In July 2017, Equifax discovered that their network had been compromised as early as the previous May. More importantly, that the initial exploit spread to over 17 other servers, setting up 30 web shells in the process. 

That bad actors have long been able to infiltrate a network and wait for the right moment to attack is alone enough to expand incident response processes. Now that some of these attacks have the capacity to spread laterally, it’s an imperative. 

To that end, incident response may be best considered in a framework that mirror’s Maslow’s Hierarchy with three primary organizational needs: triage, scoping and threat hunting.

Incident response need 1: triage

For many organizations, this entry level of the hierarchy is all that is possible. During this process, a team will sift through the many alerts generated by their various detection systems to determine which alerts require immediate attention and which may be more safely deprioritized or ignored.

Success with this strategy assumes that the deployed detection solutions can identify the most important threats and that remediating the initial threat target will also completely stop the threat. 

As recent events have shown, the increase in laterally moving threats makes exclusive dependence on this process alone problematic. In the Equifax breach, the threat actors rapidly moved from the initially compromised target to other systems within the network in order to establish a “beachhead” should the initial target become discovered and remediated.

There’s more that needs to be done following triage.  

Incident response need 2: threat scoping

The middle category of the hierarchy includes a more comprehensive approach to determine the true extent of an event. Thorough scoping will ensure that an incident response team doesn’t remediate the initial target while leaving a broader breach unaddressed. 

This would include identifying the root cause of the event, identifying whether the threat also compromised other systems, and determining what, if any, data was exfiltrated. In an ideal environment, these questions would be answered as part of the initial response and triage, and the incident responders would have the tools available to address these concerns rapidly.

Scoping is most effective when a threat spreads from an initial target that the incident response team has positively identified. However, it does not address the threat that may have been introduced outside of the visibility of the detection systems installed in the network, which leads us to the third need.

Incident response need 3: threat hunting

Threat hunting is the process of searching for threats that have potentially gone undetected and are currently hiding on the network. Usually, threat hunters, based on the combination of experience and data, have a hunch to pursue.

The process may begin with identifying behaviors of other attacks and then looking for signs of those attacks present on the network. It may also begin with observing unusual traffic patterns, abnormal protocol activities or anomalous resource usage on the network.

Engaging in threat hunting means that you are taking a more proactive approach to cyber defense. It often begins with the assumption that, regardless of the defenses in place, that there is always the potential that there is a threat that may have evaded detection. 

This is a reasonable assumption, given the 2017 Cost of Data Breach Study by the Ponemon Institute found the mean-time-to-identify (MTTI) was 191 days, while the mean-time-to-compromise (MTCC) was 66 days and ranged anywhere from 10 to 164 days.

Climbing the hierarchy of incident response

Not all incident response processes are created equal. The resources available to an organization often dictate what level of incident response is possible. However, when viewing incident responses in the likeness of Maslow’s Hierarchy, it provides a sense of the maturity security organizations have achieved in the current threat environment.

To climb the hierarchy, security organizations must:

1. Provide personnel with the goal, focus, and training to improve incident response maturity;
2. Implement scoping and threat hunting requirements as a matter of policy; and
3. Provide the technological resources that facilitate scoping and threat hunting as a natural progression in incident response.

A little effort will help advance your organization up the hierarchy and may help you prevent an advanced targeted threat from spreading within your organization.