Mitigation and remediation are two words thrown around a lot in cybersecurity, often interchangeably. While there exists a stark contrast between one and the other, both play a crucial role in security service providers’ risk-related decisions. In this article, we’ll take a closer look at both strategies and how threat intelligence contributes to each.
Mitigation Versus Remediation: The Differences
Mitigation and remediation are both a direct result of risk assessment, following the discovery of a new or advanced persistent threat (APT). Remediation is the act of removing a threat when it can be eradicated. Mitigation, on the other hand, involves creating strategies to minimize a threat’s negative impact when it cannot be eliminated.
Remediation is pretty straightforward in that it endeavors to identify attack patterns using indicators of compromise (IoCs). For example, when a scan catches a vulnerability, it has to be effectively patched to prevent malicious individuals from exploiting it. The immediate goal of remediation is to stop threats from entering the network through the gaping security hole.
In mitigation, removing the threat is not an option, as doing so may result in service disruption. Mitigation involves conducting several risk assessments to gauge the risk profile of a specific threat and ensure that the remaining risks are acceptable. Unlike in remediation, a vulnerability can be left unaddressed for the time being, provided it does not present unacceptable risks.
How Mitigation and Remediation Figure in the Kill Chain
Organizations now know better. Rather than assume their applications are impenetrable, they are seeking more proactive ways to uncover ongoing attacks through threat intelligence, computer forensics, or penetration testing.
As such, many security professionals understand that they need to go beyond the kill chain model to more effectively address attacks. Their response? Mitigation and remediation strategies guided by the fact that attacks do not stop with intrusion.
First, let’s take a closer look at the steps in a kill chain:
Knowing the elements that make up the kill chain allows cybersecurity experts to take the right action to thwart attacks. Understanding the attackers’ tools, tactics, and procedures (TTPs) that can be gleaned from steps 1 to 5 lies at the heart of mitigation. Incident responders or threat hunters can rely on machine learning (ML)-enabled threat intelligence tools to enrich their investigations so ongoing attempts can be identified and stopped before they turn into actual attacks. Future incidents can be avoided in the same manner.
Taking back control of compromised devices, meanwhile, happens in the remediation stage. Incident responders can, for instance, redirect bad traffic to black holes during an ongoing DDoS attack. And should a similar incident occur in the future, the best practices they followed in the past can be reapplied, reducing downtime and damage.
How Threat Intelligence Improves Both Processes
Cybersecurity professionals depend on threat feeds to provide actionable intelligence for their remediation or mitigation strategies. IoCs and threats are often documented in publicly available databases. To make sense of innumerable datasets, however, they can instead use aggregated threat intelligence for faster mitigation and remediation. External data feeds give IT security specialists access to near-real-time and accurate information, which includes but is not limited to:
In the event of a cyber attack, threat intelligence provides incident responders with detailed data to spot misconfigurations that can be addressed immediately (remediation) so as not to pose risks. In the case of APTs, cyberforensic investigators can look into WHOIS record databases to track down all malicious links for blocking (mitigation). In both cases, threat intelligence helps prevent further damage that can stem from attacks, apart from gathering evidence for potential legal action.
* * *
Threat intelligence empowers security professionals by giving them access to well-parsed and well-structured data to support their mitigation and remediation processes. While policy exceptions and other controls may hold them back from implementing remediation techniques, threat intelligence enables them to gain better visibility into all potential attack vectors.