Security Week on using actionable intelligence to prevent future successful cyber attacks:
More sophisticated organizations are deploying technologies such as sandboxing that can detect and block unknown attacks which haven’t been seen before. In the moments after a breach, security teams will often focus on the event itself, but not draw additional insight from the attack, or analyze the events surrounding it.
These approaches can miss a fundamental truth of advanced attacks: they are not “point-in-time” activities, but sets of events that could occur over weeks, or potentially months or years. Advanced attackers will conduct a wide range of activity, such as in-depth reconnaissance, initial probes, small-scale infections to deliver second- or third-stage malware, and much more. The breach itself is the culmination of a continuous set of activities conducted over an extended period of time. Each and every step in this process, often referred to as the cyber attack lifecycle, represents another chance to detect and prevent the adversary.
When you simply try to remediate the results of a successful attack, or block that specific activity from occurring in the future, you are missing a priceless opportunity to gain context around that incident, such as “who,” “how,” and “why.” To put it clearly: the more information you extract from these events, the better you can architect your security posture to prevent a similar event from occurring again.
As the article says, these technologies are useful, but they often make it much easier for cyber security analysts to ignore the “how” and “why” of an attack. When the incident response team is uninterested in learning the specifics of how an attack was crafted, and focuses only on remediation, the organization likely remains vulnerable to similar attacks in the future.
Learning the lessons of each incident is the best way to strengthen the security posture.