Have your Pii & Respond too? IPii&r explained and why it is your new favorite information security acronym.
This post was last updated on February 3rd, 2021 at 04:16 pm
By Chris Auger
Regardless of your company’s size, from an attacker’s perspective, you have financial resources or can be a conduit to another organization’s funds. Today’s average attack is often part of an advanced persistent threat (APT) that has been in a compromised environment for 200+ days. This is a security risk which needs to be addressed in a proactive manner. Information security is a process that moves through phases building and strengthening itself along the way. Although Information Security has many strategies and activities, we can group them all into three distinct phases – prevention, detection, and response.
Each phase requires strategies and activities that will move the process to the next phase. The dynamic growth of new threats attaching vulnerabilities requires timely adjustments to the methodologies in the prevention, detection, and response cycle. A change in one phase affects the entire process. A proactive strategy adjustment in the prevention phase will adjust the detection and response activities. Lessons learned during the response phase will be addressed in the planning of prevention measures and detection configurations. Each phase must be designed with adequate capabilities and management oversight to ensure that each phase contributes the requisite weighted amount in the reduction of risk from cyber threats to the organization. Such is the case with the Dark Rhino Security I𝜋&r managed service.
DRS coined the term I𝜋&r, which stands for (I)incident (P)prevention (I)incident (I)dentification and (R)response (IPii&r) recast as I𝜋&r. Why introduce another acronym in an overcrowded field? Because our service is deeper than MDR and more continuous and affordable than IR. As such, a new way requires a new name: I𝜋&r.
Incident Prevention, Incident Identification, and Response = I𝜋&r
Definition: A proactive approach to prevention, isolation, and response to keep environments compromise-free and isolate threats, preventing legal, reputation, financial and data losses. Putting I𝜋&r in place with good endpoint protection achieves a highly protected environment.
Infocyte also believes wholeheartedly that Dark Rhino has the right approach. When we take a look at recent cases around Cobalt Strike being utilized to carry out ransomware attacks, proactive security modeled after an I𝜋&r approach is necessary.
Cobalt Strike is a threat modeling software that is used by top Red Teams. More and more cybercriminals are using tools like Cobalt Strike to carry out financially motivated attacks. Why? Because it’s essentially helping ‘B list’ hackers act like the ‘A list.’
Infocyte recently helped a client that faced an attack when their security team was alerted to multiple unknown file execution attempts on PCs. Luckily the file was blocked by application control. However, no other security controls had indicators to explain the file execution attempts.
Ideally, endpoint events can be prevented before they become incidents, but we do know that our world isn’t perfect and even the best tools can be vulnerable. The key is what to do when an endpoint event does occur. This is where I𝜋&r comes in.
Infocyte initially triaged the network and found active cobalt strike beacons in memory on three key servers. This gave the attackers full domain takeover with ransomware staged throughout the network. It was determined that a user with overly elevated privileges account had been compromised. While continuing the monitoring process, it was found that the attackers were caught attempting to execute the second stage of the ransomware.
Isolation or containment was critical as the next step. Network actions such as IP blocks and disabling the compromised user’s account were completed. Endpoint actions such as killing the Cobalt Strike injections and removing the staged ransomware from 5,000+ systems helped fully purge the system of the ransomware and malicious actors.
For more detail, view this presentation from Infocyte’s co-founder and Chief Product Officer, Chris Gerritz. If you’re interested in speaking with our team, please reach out to firstname.lastname@example.org.