10 Immediate Actions for a Post-Breach Reality

1. Accept that a breach is inevitable

No matter how well an organization is protected, a network breach will eventually occur. A talented, persistent group of hackers will eventually be able to bypass your prevention methods, given enough time.

2. Focus on the malicious operation (Malop) timeframe

Once inside the environment, hackers move slowly and methodically to gain access to critical assets while avoiding detection. It can take months for hackers to gain full access, but once they do, the damage is nearly instantaneous. This is why the Malop timeframe offers a key window of opportunity to intercept a cyber attack.

3. Follow the hackers’ steps

No matter how hard attackers try to hide their tracks, they will always leave behind some faint traces that a proactive, well-trained security team can discover.

4. Shift to proactive hunting

Don’t wait to discover a breach after the damage is done. Start searching for traces of malicious activity that hackers leave behind and link separate events to a broader attack picture.

5. Continuously collect and analyze data

Continuously collect every piece of information from your environment - from endpoints and the network - as it is essential for spotting malicious activities.

6. Leverage threat intelligence to hunt for known malicious activities

Run the collected data against threat feeds and blacklists to confirm the existence of known threats. Analyze this data in real time to be able to spot malicious behavior as it emerges.

7. Look beyond signatures and hashes

As most attacks use new malware and exploits, they can only be identified by looking for known malicious behavior, such as reconnaissance, network scanning, hacker communication with C&C servers, and data exfiltration.

8. Make judgements to eliminate false positives

Rule out normal user behavior and unsubstantiated suspicions that did not evolve into a larger malicious operation.

9. Put attacks in context to see the full threat picture

Connect separate pieces of evidence to form a coherent attack picture. This allows the team to connect seemingly unrelated threats and understand the full scope of an attack.
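
The hunting loop of items 6, 7 and 9 (match collected telemetry against a threat feed, then look for behaviors such as port scanning, C&C beaconing and bulk exfiltration, then tie the per-host findings into one attack picture so that lone suspicions are discarded as in item 8), as an added Python example that is not part of the original article. The blacklist entry, host names, addresses, thresholds and the 10/8 internal range are constructed assumptions for illustration only.

```python
from collections import defaultdict
from statistics import mean, pstdev
# Constructed threat feed and telemetry for this example; none of these are real indicators.
BLACKLIST = {"198.51.100.7"}
INTERNAL = "10."  # assumption: 10/8 is the organization's internal range
EVENTS = [  # (time_s, src_host, dst_ip, dst_port, bytes_out)
    (0, "ws-17", "198.51.100.7", 443, 900), (600, "ws-17", "198.51.100.7", 443, 880),
    (1200, "ws-17", "198.51.100.7", 443, 910), (1800, "ws-17", "198.51.100.7", 443, 895),
    (1805, "ws-17", "10.0.0.20", 22, 60), (1806, "ws-17", "10.0.0.20", 445, 60),
    (1807, "ws-17", "10.0.0.20", 3389, 60), (1808, "ws-17", "10.0.0.20", 5985, 60),
    (1809, "ws-17", "10.0.0.20", 135, 60), (2400, "ws-17", "203.0.113.50", 443, 90_000_000),
    (0, "ws-03", "203.0.113.10", 443, 2000), (700, "ws-03", "203.0.113.10", 443, 1500),
    (900, "ws-03", "203.0.113.11", 443, 3000), (950, "ws-03", "10.0.0.20", 445, 4000),
]
def ioc_hits(events):
    """Item 6: destinations that appear on the threat feed."""
    return {(src, "known_c2") for _, src, dst, _, _ in events if dst in BLACKLIST}

def scanning(events, min_ports=5):
    """Item 7: one host probing many ports on a single target."""
    ports = defaultdict(set)
    for _, src, dst, port, _ in events:
        ports[(src, dst)].add(port)
    return {(src, "port_scan") for (src, _), p in ports.items() if len(p) >= min_ports}

def beaconing(events, min_conns=4, max_jitter=0.1):
    """Item 7: evenly spaced connections to one external host, typical of C&C check-ins."""
    times = defaultdict(list)
    for t, src, dst, _, _ in sorted(events):  # sorted by time so gaps are in order
        if not dst.startswith(INTERNAL):
            times[(src, dst)].append(t)
    hits = set()
    for (src, _), ts in times.items():
        gaps = [b - a for a, b in zip(ts, ts[1:])]
        if len(ts) >= min_conns and pstdev(gaps) <= max_jitter * mean(gaps):
            hits.add((src, "beaconing"))
    return hits

def exfiltration(events, max_bytes=50_000_000):
    """Item 7: abnormal outbound volume to external addresses."""
    total = defaultdict(int)
    for _, src, dst, _, nbytes in events:
        if not dst.startswith(INTERNAL):
            total[src] += nbytes
    return {(src, "exfiltration") for src, b in total.items() if b > max_bytes}

def correlate(events, min_tactics=2):
    """Items 8 and 9: a host showing several distinct tactics is a Malop; a lone hit stays a suspicion."""
    by_host = defaultdict(set)
    for host, tactic in ioc_hits(events) | scanning(events) | beaconing(events) | exfiltration(events):
        by_host[host].add(tactic)
    return {h: sorted(t) for h, t in by_host.items() if len(t) >= min_tactics}
```

On the constructed data, `correlate(EVENTS)` reports only `ws-17`, which shows all four tactics, while `ws-03` never rises above isolated, normal-looking connections.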

10. Finally: Consider an automated hunting platform

Increase your team’s productivity: Use an automated solution that continuously scans your entire environment and syncs together all of its elements to identify emerging threats and eliminate false positives.