Mitigation and remediation are two words thrown around a lot in cybersecurity, often, interchangeably. While there exists a stark contrast between one and the other, both play a crucial role in security service providers’ risk-related decisions. In this article, we’ll take a closer look at both strategies and how threat intelligence contributes to each.

Mitigation Versus Remediation: The Differences

Mitigation and remediation are both a direct result of risk assessment, following the discovery of a new or advanced persistent threat (APT). Remediation is the act of removing a threat when it can be eradicated. Mitigation, on the other hand, involves creating strategies to minimize a threat’s negative impact when it cannot be eliminated.

Remediation is pretty straightforward in that it endeavors to identify attack patterns using indicators of compromise (IoCs). For example, when a scan catches a vulnerability, it has to be effectively patched to prevent malicious individuals from exploiting it. The immediate goal of remediation is to stop threats from entering the network through the gaping security hole.

In mitigation, removing the threat is non-negotiable, as it may result in service disruption. Mitigation involves conducting several risk assessments to gauge the risk profile of a specific threat and ensure that the remaining risks are acceptable. Unlike remediation, a vulnerability can be left unaddressed for the meantime provided it does not present unacceptable risks.

How Mitigation and Remediation Figure in the Kill Chain

Organizations now know better. Rather than assume their applications are impenetrable, they are seeking more proactive ways to uncover ongoing attacks through threat intelligence, computer forensics, or penetration testing.

As such, many security professionals understand that they need to go beyond the kill chain model to more effectively address attacks. Their response? Mitigation and remediation strategies guided by the fact that attacks do not stop with intrusion.

First, let’s take a closer look at the steps in a kill chain:

1. Reconnaissance: Attackers research on the target by looking at public Internet records for expired certificates or domains they can use for attacks.
2. Weaponization: Once weaknesses are spotted in the target’s network, attackers create the payload they will use to infiltrate defenses.
3. Delivery: This refers to the actual act of delivering a malicious payload. Phishing emails, links embedded in spam, or malware-laced email attachments are typically used.
4. Exploitation: This only occurs when attackers choose to enter a network by abusing a vulnerability in a connected device or system.
5. Installation: Attackers installs malware on a vulnerable system in the network to gain control, elevate access privileges, or exfiltrate data.
6. Command and control (C&C;): This involves the use of a C&C;server to communicate with infected hosts within the target’s network.
7. Actions on objectives: Attackers deliver the final blow to the target network, often by exfiltrating data or shutting down operations.

Knowing the elements that make up the kill chain allows cybersecurity experts to take the right action to thwart attacks. Understanding the attackers’ tools, tactics, and procedures (TTPs) that can be gleaned from steps 1 to 5 lies at the heart of mitigation. Incident responders or threat hunters can rely on machine learning (ML)-enabled threat intelligence tools to enrich their investigations so ongoing attempts can be identified and stopped before they turn into actual attacks. Future incidents can be avoided in the same manner.

Taking back control of compromised devices, meanwhile, happen in the remediation stage. Incident responders can, for instance, redirect bad traffic to black holes during an ongoing DDoS attack. And should a similar incident occur in the future, the best practices they followed in the past can be reapplied, reducing downtime and damage.

How Threat Intelligence Improves Both Processes

Cybersecurity professionals depend on threat feeds to provide actionable intelligence for their remediation or mitigation strategies. IoCs and threats are often documented in publicly available databases. To make sense of innumerable datasets, however, they can instead use aggregated threat intelligence for faster mitigation and remediation. External data feeds give IT security specialists access to near-real-time and accurate information which include but are not limited to:

1. Domain infrastructure data that reveals registrants, their email addresses, organizations, and other information, which may be tied to ongoing publicized attacks
2. Secure Sockets Layer (SSL) vulnerabilities and misconfigurations that could be signs of malicious connections
3. A list of domains that resolve to a particular IP address and could reveal ties between both known and unknown malicious hosts
4. Reputation scores to determine how safe or unsafe accessing a particular domain is

In the event of a cyber attack, threat intelligence provides incident responders with detailed data to spot misconfigurations that can be addressed immediately (remediation) so as not to pose risks. In the case of APTs, cyberforensic investigators can look into WHOIS record databases to track down all malicious links for blocking (mitigation). In both cases, threat intelligence helps prevent further damage that can stem from attacks, apart from gathering evidence for potential legal action.

* * *

Threat intelligence empowers security professionals by giving them access to well-parsed and well-structured data to support their mitigation and remediation processes. While policy exceptions and other controls may hold them back from implementing remediation techniques, threat intelligence enables them to gain better visibility into all potential attack vectors.