    Act Surgically, Not Indiscriminately: Craft Precision Responses to Breaches 

    Learn the key lessons of Colonial Pipeline and other high-profile breaches: the faster you can achieve clarity about an attack, the more successful your response will be. 

    by Andrew Williams

    Key Points

    • Breach response should be precisely targeted, so it solves the problem without causing unnecessary collateral damage.
    • Precision-targeting your responses is only possible if you have deeper insight and stronger integration – both for ingesting data and for driving action.
    • It starts by integrating the powerful and extensive intelligence available from email.


    It’s now widely understood that, no matter how many technological safeguards organizations put in place – web security, endpoint security, CASB, you name it – everyone must plan for breaches, not just prevention. As you plan, remember: context is king. You must quickly understand where the breach came from, how it arrived, what methodologies it leveraged, and who it affects. Why? Because you need a precision response, not a sledgehammer.

    Colonial Pipeline’s Experience – and How it Could Have Been Different

    The best example may be last year’s notorious Colonial Pipeline breach. As you may recall, it downed gasoline and jet fuel transmission throughout much of the eastern United States, leading the U.S. government to issue an emergency declaration for 17 states as well as Washington, D.C.

    When Colonial Pipeline’s systems fell to ransomware, the system’s owners apparently struggled to understand the attack’s context. Even though it appeared that only billing systems were impacted, management couldn’t know for sure that the criminals weren’t capable of physically attacking the pipeline – causing immense danger to life and property.

    Given the high risk of continuing operations without a full understanding of what was actually occurring, management felt it had to “flip the switch” and turn off everything. The massive follow-on effects ranged from gas price spikes to airline delays. And, after nearly 50 years of reliable operations, Colonial Pipeline is now best known for its cybersecurity disaster.

    What might have happened instead?

    Once a security beacon was tripped, or threat hunters identified a potential compromise, Colonial Pipeline might have known the exact scope of the attack. With that information, it could have surgically targeted a response, avoiding unnecessary impacts on systems that weren’t actually compromised. 

    Some elements of the response might have triggered automatically, either at an API integration level or via playbooks or runbooks. Where that wasn’t possible, precise information might have been provided to analysts empowered to undertake more complex manual mitigations such as system rebuilds or recovery tasks. Deep integration – whether you call it a mesh architecture or something else – would then drive the relevant response wherever needed. 

    All that would have happened faster, reducing dwell time and limiting whatever damage was in fact occurring. Many of the shutdown’s ripple effects might have been avoided – along with much of the long-term reputational impact.

    Leveraging All the Clues Hidden Inside Your Email

    Since over 90% of inbound attacks manifest themselves first via email, it’s crucial to rapidly capture accurate intelligence from email, and also to drive rapid action whenever evidence of a potential breach appears. A single inbound message names the intended recipient, the purported sender, the infrastructure used to send it, how it moved through the network, and of course, its content: text, attachments, embedded images, URLs. This context offers valuable clues to discover the attack chain, and find the originating email. To determine the most appropriate responses, you need to use them for all they’re worth. That starts with ingesting email insight into whatever centralized toolsets you’re using – SIEM, SOAR, XDR, whatever they may be.

    Let’s consider a simple example. Somehow an email makes it through primary protections, but a built-in backup verification recognizes a potential threat. This recognition signals Mimecast’s Secure Email Gateway service to immediately remove the same email from each of several mailboxes it has reached – before most of the recipients have attempted to open it. Since I know that the message has only reached a few mailboxes, and I can identify exactly who has or hasn’t interacted with it, I don’t have to remediate where it isn’t needed.

    Now consider a modern phishing attack, originating from a malicious Office 365 environment recently spun up to support it. The email tells us which individual sender it is impersonating, and we see that it is redirecting the user back to the same malicious Office 365 infrastructure. When we scan the destination URL, we find a mismatched SSL certificate, signaling that it’s impersonating a legitimate site. We detect phish kits embedded in the page, linked to the malicious attachment we found.

    We can now walk the attack backwards, to see the route it followed. We see that six of our endpoints attempted to log on, and each clicked the same URL in the same email. We can trace the email back to its origin, and see where the sender came from, what domain it used, even which infrastructure was utilized to route the email through.

    Focus on the Real Problem, and Leave the Rest Alone

    As a team, we can now quickly deduce how far the threat has spread, and the breadth of its impact in our organization. We can tell whether or not we’re seeing malicious logins from the individuals we know received the email. With that knowledge, we can respond intelligently, whether via automation, orchestration, or manual action. We can block the dangerous URL across all our email platforms, and prevent that sender from reaching any of our recipients. As discussed earlier, we can also remove whatever malicious emails have already made it through, rapidly remediating across all mail platforms to remove the threat.

    Just as importantly, we know what we don’t have to do. We don’t have to scan the users’ machines for malware; we’ve determined that it’s just a phishing site. I’ve determined that the users’ credentials were at risk, but nothing else.
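    The scoping workflow described in the last few sections (pull sender, routing and URL context out of the message, match it against delivery, click and login records, then emit only the actions that are actually needed) can be sketched in a short script. The following is an added example, not Mimecast’s code or any product’s API: the message, the delivery log, the proxy click log and the identity-provider login log are all constructed sample data, and their line formats are hypothetical. The point it demonstrates is the same one the article makes: the response list is derived from evidence, so mailboxes that never received the message are left alone, credential resets go only to users who clicked, session revocation goes only to clickers with an external login afterwards, and an endpoint malware scan is not queued at all because the email carried a credential-phishing link rather than a payload.

```python
"""Scope a phishing incident from email headers plus delivery/click/login logs.

Added example (not Mimecast's code). Every input below is constructed sample
data; the log line formats are hypothetical, not any product's real schema.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message. Received headers are newest hop first, so the
# last one in the list is the hop closest to the sending infrastructure.
RAW_EMAIL = """\
Return-Path: <billing@example-invoices.test>
Received: from mx2.example.test (mx2.example.test [203.0.113.20])
    by mail.corp.test with ESMTP id abc123; Tue, 14 Jun 2022 09:01:05 +0000
Received: from relay.example-invoices.test (relay.example-invoices.test [198.51.100.7])
    by mx2.example.test with ESMTPS id xyz789; Tue, 14 Jun 2022 09:01:02 +0000
From: "Accounts Payable" <ap@corp.test>
To: alice@corp.test
Subject: Overdue invoice - action required
Message-ID: <20220614090100.1234@example-invoices.test>
Content-Type: text/plain

Please review the attached invoice at https://login-corp.example-invoices.test/auth
"""

# Constructed gateway delivery log: which mailboxes each Message-ID reached.
DELIVERY_LOG = [
    "2022-06-14T09:01:05Z deliver msgid=<20220614090100.1234@example-invoices.test> rcpt=alice@corp.test",
    "2022-06-14T09:01:05Z deliver msgid=<20220614090100.1234@example-invoices.test> rcpt=bob@corp.test",
    "2022-06-14T09:01:06Z deliver msgid=<20220614090100.1234@example-invoices.test> rcpt=carol@corp.test",
    "2022-06-14T09:01:06Z deliver msgid=<20220614090100.1234@example-invoices.test> rcpt=dave@corp.test",
    "2022-06-14T09:00:00Z deliver msgid=<other@example.test> rcpt=erin@corp.test",
]
# Constructed web proxy log: who actually followed a link.
CLICK_LOG = [
    "2022-06-14T09:03:11Z user=alice@corp.test url=https://login-corp.example-invoices.test/auth",
    "2022-06-14T09:04:40Z user=carol@corp.test url=https://login-corp.example-invoices.test/auth",
    "2022-06-14T09:05:02Z user=erin@corp.test url=https://intranet.corp.test/",
]
# Constructed identity-provider log: logins after the clicks, with source IP.
LOGIN_LOG = [
    "2022-06-14T09:10:00Z login user=alice@corp.test src=198.51.100.7 result=success",
    "2022-06-14T09:12:00Z login user=bob@corp.test src=10.0.0.5 result=success",
    "2022-06-14T09:20:00Z login user=carol@corp.test src=10.0.0.9 result=success",
]

KV = re.compile(r"(\w+)=(\S+)")          # key=value tokens in the log lines
HOP = re.compile(r"from (\S+) \(.*?\[([\d.]+)\]\)")  # "from host (host [ip])" in Received


def parse_message(raw):
    """Extract the context the article lists: sender, route, and embedded URLs."""
    msg = message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, return_path = parseaddr(msg.get("Return-Path", ""))
    hops = []
    for hdr in msg.get_all("Received", []):
        m = HOP.search(" ".join(hdr.split()))   # unfold the header before matching
        if m:
            hops.append((m.group(1), m.group(2)))
    urls = re.findall(r"https?://[^\s\"'<>]+", msg.get_payload())
    return {
        "message_id": msg.get("Message-ID", "").strip(),
        "from": from_addr,
        "return_path": return_path,
        "hops": hops,                      # newest first; last entry is the origin
        "urls": urls,
        # Display From domain differs from the envelope sender: impersonation sign.
        "sender_mismatch": from_addr.split("@")[-1] != return_path.split("@")[-1],
    }


def _fields(line):
    return dict(KV.findall(line))


def scope_incident(raw_email, delivery_log, click_log, login_log, internal_prefix="10."):
    """Build a precision response list from what the evidence actually shows."""
    info = parse_message(raw_email)
    recipients = {f["rcpt"] for f in map(_fields, delivery_log)
                  if f.get("msgid") == info["message_id"]}
    bad_urls = set(info["urls"])
    clicked = {f["user"] for f in map(_fields, click_log)
               if f.get("url") in bad_urls and f.get("user") in recipients}
    suspicious_logins = {f["user"] for f in map(_fields, login_log)
                         if f.get("user") in clicked and f.get("result") == "success"
                         and not f.get("src", "").startswith(internal_prefix)}
    origin_host, origin_ip = info["hops"][-1] if info["hops"] else (None, None)
    return {
        "recipients": sorted(recipients),
        "clicked": sorted(clicked),
        "suspicious_logins": sorted(suspicious_logins),
        "actions": {
            "remove_from_mailboxes": sorted(recipients),     # only mailboxes it reached
            "block_urls": sorted(bad_urls),
            "block_sender": info["return_path"],
            "block_origin": (origin_host, origin_ip),
            "reset_credentials": sorted(clicked),            # only users who clicked
            "revoke_sessions": sorted(suspicious_logins),    # clicked, then logged in externally
            "endpoint_malware_scan": [],  # credential phish, no payload: nothing to scan
        },
    }


if __name__ == "__main__":
    result = scope_incident(RAW_EMAIL, DELIVERY_LOG, CLICK_LOG, LOGIN_LOG)
    for action, targets in result["actions"].items():
        print(f"{action}: {targets}")
```

In the constructed data, four mailboxes received the message, two users clicked, and only one of them then logged in from the address that also appears as the message’s origin hop; the script therefore proposes mailbox cleanup for four accounts, credential resets for two, a session revocation for one, and no endpoint scans, which is the “scalpel, not sledgehammer” outcome the article argues for. In a real deployment the three log sources would be the SIEM or XDR tables the article mentions, and the action dictionary would be what a SOAR playbook consumes.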

    We’re also positioned to be more proactive. For example, we have the tools and integrations in place to run tabletop exercises, discover what might really happen in a high-pressure situation, and adapt our systems to respond more effectively, possibly with more extensive automation. 

    The Bottom Line

    By capturing the right information and establishing the right integrations, you can plan breach response that relies on the scalpel, not the sledgehammer – and quickly cures the problem without killing the patient. 
