By Krupa Srivatsan, Director of Product Marketing at Infoblox
Supply chain attacks are designed to abuse a trusted entry point, typically a third-party vendor's software or update channel, to get inside the systems that depend on it. The recent supply chain attacks were also selective: the malicious code was distributed broadly, but the adversary focused on a particular user group or business type, so not everyone who downloaded the malware was actually impacted. Organizations that increasingly adopt SaaS platforms, as well as third-party vendors, need to understand the exposure those external platforms create. Today, the real question for an organization is how to determine quickly whether it, too, has been compromised.
SANS outlines a robust six-step incident response process: Preparation, Identification, Containment, Eradication, Recovery and Lessons Learned. The challenge for organizations is understanding which data sources and capabilities let them actually execute this process. DNS plays a foundational role because it sits at the center of both identification and containment. Almost all malware depends on DNS at some point, whether to locate command-and-control infrastructure, fetch a second stage or exfiltrate data, so logging DNS queries and monitoring DNS traffic provides an early warning signal for threat detection, and blocking resolution of known malicious domains provides a containment lever that works regardless of the endpoint's operating system.
DHCP and IPAM data also allow InfoSec teams to understand the scope of an attack and gather intel on compromised assets. A DHCP fingerprint (derived from the options a client requests, such as the option 55 parameter request list and the option 60 vendor class) indicates what type of device sits behind an IP address, and IPAM metadata supplies the network context (subnet, VLAN, site) that tells you where on the network the compromised host is located. One caveat: DHCP addresses change hands, so the lease that was active at the time of the suspicious DNS query, not the lease that is current when the analyst looks, is the one to correlate. Combining the intel from DNS, DHCP and IPAM (collectively known as DDI) yields the crucial forensic information from the "crime scene": the extent of the damage, which network assets are compromised and how the attack was orchestrated, all of which SecOps teams need in order to prioritize incident response.
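As an added example (not code from the article or from Infoblox), the following script performs the DNS/DHCP/IPAM correlation described above over constructed data: it flags DNS queries whose name equals, or is a subdomain of, an indicator domain, resolves each hit to the DHCP lease that held the client IP at query time (so an address that was re-leased to a different device is not conflated with the earlier one), enriches the result with longest-prefix IPAM subnet metadata, and orders hosts by the role of the subnet they sit on. The log format, lease table, subnet metadata, role priorities and indicator domains are all assumptions invented for the example; the `.test` domains are placeholders, not real indicators.

```python
"""Scope an incident by joining DNS query logs against indicator domains,
then enriching each hit with DHCP lease data (which device held the IP at
that time) and IPAM subnet metadata (where on the network it sits).

Added example. Every input below is constructed; domains are placeholders."""
from datetime import datetime, timezone
from ipaddress import ip_address, ip_network

# Constructed indicator list (placeholder domains, not real IOCs).
IOC_DOMAINS = {"update.example-bad.test", "cdn.staging-bad.test"}

# Constructed DNS query log, one "<ISO timestamp> <client ip> <qname> <qtype>" per line.
DNS_LOG = """\
2021-01-05T10:02:11Z 10.1.20.17 update.example-bad.test. A
2021-01-05T10:02:12Z 10.1.20.17 api.vendor.test A
2021-01-05T10:03:40Z 10.1.30.8 CDN.Staging-Bad.test A
2021-01-05T10:05:00Z 10.1.20.44 www.news.test AAAA
2021-01-05T10:06:30Z 10.1.20.17 sub.update.example-bad.test A
2021-01-05T11:30:00Z 10.1.20.17 update.example-bad.test A
"""

# Constructed DHCP leases: (ip, mac, fingerprint, lease start, lease end).
# The fingerprint string stands in for what a DHCP server derives from options 55/60.
# Note 10.1.20.17 changes hands at 11:00, which is why leases are matched by time.
DHCP_LEASES = [
    ("10.1.20.17", "aa:bb:cc:00:00:01", "Windows 10", "2021-01-05T08:00:00Z", "2021-01-05T11:00:00Z"),
    ("10.1.20.17", "aa:bb:cc:00:00:09", "macOS", "2021-01-05T11:00:00Z", "2021-01-05T14:00:00Z"),
    ("10.1.20.44", "aa:bb:cc:00:00:02", "Android", "2021-01-05T09:00:00Z", "2021-01-05T12:00:00Z"),
    ("10.1.30.8", "aa:bb:cc:00:00:03", "Windows Server", "2021-01-04T00:00:00Z", "2021-01-06T00:00:00Z"),
]

# Constructed IPAM data: (subnet, metadata). Longest prefix wins on lookup.
IPAM = [
    (ip_network("10.1.0.0/16"), {"site": "HQ", "vlan": None, "role": "unclassified"}),
    (ip_network("10.1.20.0/24"), {"site": "HQ", "vlan": 20, "role": "workstations"}),
    (ip_network("10.1.30.0/24"), {"site": "HQ", "vlan": 30, "role": "servers"}),
]

# Assumed triage order: server subnets before workstations before unknown space.
ROLE_PRIORITY = {"servers": 1, "workstations": 2, "unclassified": 3}


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def normalize_qname(qname):
    """Lower-case and strip the trailing root dot so log variants compare equal."""
    return qname.rstrip(".").lower()


def matches_ioc(qname, iocs):
    """True if qname equals an indicator or is a subdomain of one (label-aligned)."""
    q = normalize_qname(qname)
    return any(q == d or q.endswith("." + d) for d in map(normalize_qname, iocs))


def lease_at(ip, when, leases):
    """Return the DHCP lease that held `ip` at time `when`, or None if no lease covers it."""
    for lip, mac, fingerprint, start, end in leases:
        if lip == ip and _ts(start) <= when < _ts(end):
            return {"mac": mac, "fingerprint": fingerprint}
    return None


def ipam_lookup(ip, ipam):
    """Longest-prefix match of `ip` against the IPAM subnet table."""
    addr = ip_address(ip)
    best = None
    for net, meta in ipam:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, meta)
    return best[1] if best else None


def parse_dns_log(text):
    events = []
    for line in text.splitlines():
        if line.strip():
            ts, client, qname, qtype = line.split()
            events.append((_ts(ts), client, qname, qtype))
    return events


def scope_incident(dns_log, iocs, leases, ipam):
    """Group IOC hits by (ip, mac) and enrich each group with DHCP and IPAM context."""
    hosts = {}
    for when, client, qname, _qtype in parse_dns_log(dns_log):
        if not matches_ioc(qname, iocs):
            continue
        lease = lease_at(client, when, leases) or {"mac": None, "fingerprint": None}
        key = (client, lease["mac"])
        host = hosts.setdefault(key, {"ip": client, **lease, **(ipam_lookup(client, ipam) or {}),
                                      "hits": 0, "domains": set(),
                                      "first_seen": when, "last_seen": when})
        host["hits"] += 1
        host["domains"].add(normalize_qname(qname))
        host["first_seen"] = min(host["first_seen"], when)
        host["last_seen"] = max(host["last_seen"], when)
    return sorted(hosts.values(),
                  key=lambda h: (ROLE_PRIORITY.get(h.get("role"), 9), h["first_seen"]))


if __name__ == "__main__":
    for h in scope_incident(DNS_LOG, IOC_DOMAINS, DHCP_LEASES, IPAM):
        print(h["ip"], h["mac"], h["fingerprint"], h.get("site"), h.get("vlan"),
              h.get("role"), h["hits"], sorted(h["domains"]))
```

On the constructed data this yields three entries rather than two distinct IPs: the server on 10.1.30.8 first, then the Windows 10 device that held 10.1.20.17 in the morning (two hits, including the subdomain query), and finally the macOS device that received the same address after 11:00. Feeding a real DNS log into this without the lease-time join would have attributed all three queries from 10.1.20.17 to whichever device holds the address today.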
A robust incident response process also depends heavily on contextual threat intelligence consolidated, in a centralized fashion, from multiple external threat intelligence sources, internal threat intelligence sources and network data. Integration with case management systems, SIEMs, hunting tools, vulnerability management systems and DDI is also crucial for a fast, orchestrated response when threats are detected. The end goal is for an organization to use an ecosystem approach to gain better situational awareness as well as incident knowledge. BloxOne™ Threat Defense by Infoblox actively detects and blocks threats at the DNS layer, and integrates with the security ecosystem to share threat intelligence and event information, enabling organizations to improve their security posture in an increasingly complex world. BloxOne™ Threat Defense not only consolidates threat intelligence from multiple sources such as commercial providers, government agencies and educational institutions, it also helps scope the extent of threat damage and prioritize response based on contextual network data.
When an adversary is as sophisticated as the one behind the SolarWinds supply chain attack, the one aspect of security that organizations can still count on is a rock-solid incident response process. This is where DNS data and IPAM metadata help organizations quickly identify the affected hosts and the software that needs to be patched or removed, prevent follow-on attacks and get back on their feet. A robust incident response plan backed by DDI is the best way for organizations that find themselves under attack to trigger immediate responses, share threat intelligence, automate incident response and keep damage to a minimum.
Author Bio:
Krupa Srivatsan
Director of Product Marketing at Infoblox
Srikrupa has 20-plus years of experience in technology in various roles including software development, product management and product marketing. Currently, as Director of Product Marketing at Infoblox, she is responsible for messaging, positioning and bringing to market Infoblox's security solutions that optimize operations and provide foundational security against known and zero-day threats. She has an MBA from the Haas School of Business at the University of California, Berkeley, and a degree in Computer Science Engineering.