A Weekend in Incident Response #18: Sharing Threat Intelligence as One of the Crucial Components of a Strong Cyber Defense

In many aspects, cyber crimes are similar to other, more traditional types of crimes. Forensic investigation and analysis of the evidence recovered at the crime scene are among the aspects that cyber attacks have in common with other crimes. These are some of the key components of a fast and effective solution to a crime of any type, but are especially important when it comes to cyber attacks. Being able to gather evidence and various data related to a cyber security event is crucial for detecting and preventing future incidents. Considering that government agencies, organizations, and businesses across many industries around the world are facing a growing threat of cyber attacks, sharing threat intelligence is becoming an increasingly important part of the global efforts for successfully tackling cyber crime.

Incident Response Platforms with Threat Intelligence Sharing Capabilities

Threat intelligence sharing is a major part of the broader cyber-security incident response process, and organizations are advised to pay special attention to it. Among other things, this means that when they start shopping around for a cyber incident response platform, it’s recommended that they look for a platform that can provide this capability, because trying to share cyber threat intelligence through other means can add an unwanted burden to their cyber-security teams and incur substantial costs.

There are a lot of cyber-incident response platforms that support various threat intelligence sharing tools and mechanisms, including TAXII, STIX, Splunk, QRadar, and ThreatConnect, presenting a fast and simple method for sharing threat information among organizations.

These types of platforms allow you to notify other organizations, cyber threat analysts, threat sharing communities, and everyone involved with cyber defense, of every cyber security incident, sharing with them very important information, such as where a given attack has come from, attack patterns, and possibly identification of the attackers, among others.
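The indicators described above (where an attack came from, attack patterns) are usually exchanged as STIX objects carried over TAXII. The following is an added example, not code from the original post or from any of the platforms it names: it builds a minimal STIX 2.1 Indicator bundle from a few constructed, documentation-range values, and parses a received bundle back into usable indicators while skipping anything it does not understand (revoked objects, non-indicator objects, compound patterns). The value check before the pattern is built is this example's own precaution, since a feed entry with a stray quote would otherwise corrupt the pattern.

```python
import json
import re
import uuid
from datetime import datetime, timezone

# Pattern templates for the STIX 2.1 Cyber Observable types used in this example.
PATTERNS = {
    "ipv4": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")

def make_indicator(kind, value, name, ts=None):
    """Build one STIX 2.1 Indicator SDO as a plain dict (required fields plus a name)."""
    if kind not in PATTERNS:
        raise ValueError(f"unsupported indicator kind: {kind}")
    if "'" in value or "\\" in value:   # quotes/backslashes would break the pattern grammar
        raise ValueError("indicator value contains characters not allowed in a simple pattern")
    ts = ts or _now()
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": PATTERNS[kind].format(v=value),
        "pattern_type": "stix",
        "valid_from": ts,
    }

def bundle_to_json(objects):
    """Wrap SDOs in a STIX Bundle and serialize it for sharing over TAXII or any other channel."""
    return json.dumps({"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects})

# Accepts only the single-comparison patterns produced above; anything else is skipped.
_SIMPLE_PATTERN = re.compile(r"^\[([a-z0-9-]+):([A-Za-z0-9_.'-]+) = '([^']*)'\]$")

def extract_iocs(bundle_json):
    """Parse a received bundle and return (object_type, property, value) for usable indicators."""
    bundle = json.loads(bundle_json)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    iocs = []
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type", "stix") != "stix":
            continue            # relationships, malware SDOs, non-STIX pattern languages
        if obj.get("revoked"):
            continue            # the producer withdrew this indicator
        m = _SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if not m:
            continue            # compound patterns need a real pattern parser
        iocs.append((m.group(1), m.group(2), m.group(3)))
    return iocs

if __name__ == "__main__":
    # Constructed sample indicators using documentation addresses, not real IoCs.
    objs = [
        make_indicator("ipv4", "198.51.100.7", "C2 address from a constructed incident"),
        make_indicator("domain", "bad.example.net", "constructed staging domain"),
    ]
    shared = bundle_to_json(objs)
    print(shared)
    print(extract_iocs(shared))
```

On the receiving side, only the fields the consumer actually relies on are read, and everything else is ignored rather than trusted; a partner's bundle is input like any other.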

Sharing Threat Intelligence Increases Response Plan Effectiveness

Sharing intelligence often proves to be crucial to resolving cyber incidents as fast as possible and containing the damage after an incident occurs. It can also help predict and detect future incidents, allowing organizations to prepare and adjust their cyber defense accordingly and take appropriate actions to mitigate the potential risks.

Ultimately, sharing threat intelligence can help lead to the development of more advanced incident response platforms and the creation of more effective response plans, further deterring cyber attackers and preventing breaches.

A Weekend in Incident Response #17: Enhancing Your Cyber Security Efforts Through a Layered Approach

People working in cyber security nowadays face numerous challenges on a regular basis, from dealing with advanced threats and managing third-party risk to ensuring regulatory compliance, which is becoming an increasingly difficult challenge in light of the growing number of regulations and mandates introduced by governments across the globe. With so many aspects to consider, cyber security professionals sometimes have trouble focusing on cyber incident response and recovery. That is why organizations should consider enhancing their cyber security efforts through a layered approach, because it would allow them to detect incidents, manage risks, and quickly respond to different types of cyber security events.

Involvement of C-Level Managers, System Administrators, and Cybersecurity Teams

In order to be effective, the layered cyber security approach needs to include an organization’s c-level management, system administrators, and cyber security teams. For starters, the users of your computer networks and systems should alert your company’s system administrators of any technical problems and suspicious behaviors within your system as soon as they detect them. To that end, all members of your organizations who use your information systems should go through some sort of cyber security awareness training, so that they can recognize when something is wrong and notify your cyber security incident response team in a timely manner.

The next layer of defense is centered around the duties and activities of an organization’s cyber security incident response team. They need to be able to recover from any cyber security event and gather threat intelligence to prevent future incidents.

On top of that, cyber security teams need to take actions to ensure regulatory compliance, and that puts them under additional strain and might take their focus away from incident response and recovery.

Combining Human Resources and Automation for a Deeper Defense

Keeping in mind that cyber security teams have a lot on their plates, as they are tasked with so many duties, they could use an automated cyber incident response platform to make their lives easier. More specifically, they need a platform that combines human resources and automation, to be able to implement the layered security approach successfully. These types of platforms allow organizations to utilize both the expertise of cyber security professionals and the accuracy and efficiency of an incident response software.

By using a platform with automation and orchestration capabilities, cyber security teams will have the intelligence that will help them resolve an incident and take the necessary measures to prevent future incidents. Such platforms help reduce CSIRTs’ reaction time by conducting the forensic investigation and tracking digital evidence during an incident, providing essential information, along with pre-defined workflows, to help organizations figure out how to resolve an incident as quickly and as effectively as possible to protect their most valuable assets.

Security Orchestration and Response – Understanding the Noise

“Noise” is a prevalent term in the cyber security industry. DFLabs consistently receives feedback from vendor partners and clients that one of the major issues they face daily is the ability to sift through noise in order to understand and differentiate an actual critical problem from a wild goose chase.

Noise is the vast amount of information passed on by security products that can have little or no meaning to the person receiving it. Typically, many products are not tuned or adapted for a particular environment and therefore present more information than is needed.

Noise is a problem for all of us in the security industry, as there is meaning within these messages that is many times simply ignored or passed over in favor of higher priorities, for example when policies and procedures are incorrectly identified or adapted, or when a product is not properly aligned with the network topology.

There is no one security product that can deal with every attack vector that businesses experience today. What’s more disturbing about this paradigm is that the products do not talk to each other natively, yet all of them hold intelligence data that could be overlaid to enrich security and incident response teams.

Cyber incident investigative teams spend a vast number of hours doing simple administration that could be relieved by introducing an effective case management system. Given the sheer volume we see from SIEM products on a day-to-day basis, we can execute all of the human-to-machine actions and follow best practice per type of incident and company guidelines through automated playbooks.

Re-thinking what information is being presented and how we deal with it is the biggest question. There are several ways to manage this:

• Fully automating the noise-worthy tasks. If these are consistently coming into your Security Operations Center (SOC), causing you to spend more time on administration than investigation, it may be prudent to schedule the tasks in this manner.
• Semi-automation of tasks can give your SOC teams more control over how to deal with huge volumes. Automating 95% of the task and then giving the final sign-off a manual look-over can heavily reduce time if your organisation is against completely automating the process.
• Leverage all your existing products to provide better insight into the incident. For example, leverage an existing Active Directory to lock out or suspend a user account if they log in outside of normal business hours. Additionally, it’s possible to sandbox and snapshot that machine to understand what is happening. A key consideration here is to make sure not to disrupt work at every opportunity. It really is a balancing act; however, depending on their privilege you may want to act faster for some users than others.
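The three options above (full automation, semi-automation with a manual sign-off, and acting faster for privileged users) can be expressed as a small triage policy. The following is an added example, not DFLabs or IncMan™ code, run over constructed logon events: it drops in-hours and expected after-hours logons, collapses repeated events for the same user into one item (the noise reduction), and then routes privileged accounts to an immediate suspend while standard accounts are queued for analyst sign-off. The business-hours window, the privileged and on-call lists, and the `suspend_account` placeholder are all assumptions of the example; a real deployment would take them from the directory and call it rather than return a string.

```python
import re
from collections import defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) event=(?P<event>\S+)$")

BUSINESS_HOURS = (8, 18)                     # assumption: 08:00-18:00 UTC, Monday to Friday
PRIVILEGED = {"dom-admin-kl", "svc-backup"}  # assumed tier list; a real SOC pulls this from the directory
ON_CALL = {"oncall-ops"}                     # assumed exception list: expected after-hours logons

# Constructed sample events, not real log data (2024-03-05 is a Tuesday, 2024-03-09 a Saturday).
SAMPLE_LOG = [
    "2024-03-05T09:15:00Z user=alice src=10.0.0.5 event=logon_success",             # in hours
    "2024-03-05T02:13:55Z user=bob src=10.0.0.7 event=logon_success",               # after hours
    "2024-03-05T02:14:10Z user=bob src=10.0.0.7 event=logon_success",               # repeat
    "2024-03-05T02:20:01Z user=bob src=203.0.113.9 event=logon_success",            # new source
    "2024-03-05T02:30:00Z user=bob src=10.0.0.7 event=logon_failure",               # not a logon
    "2024-03-05T23:40:00Z user=dom-admin-kl src=203.0.113.44 event=logon_success",  # privileged
    "2024-03-05T23:41:00Z user=oncall-ops src=10.0.0.9 event=logon_success",        # expected
    "2024-03-09T10:00:00Z user=carol src=10.0.0.3 event=logon_success",             # weekend
    "this line is not in the expected format",                                       # malformed
]

def parse_line(line):
    """Return the event fields, or None for a line that does not match the expected format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(ev["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ev

def after_hours(ts):
    start, end = BUSINESS_HOURS
    return ts.weekday() >= 5 or not (start <= ts.hour < end)

def triage(lines):
    """Drop expected events, collapse repeats per user, then route what is left by privilege."""
    per_user = defaultdict(list)
    suppressed = 0
    for line in lines:
        ev = parse_line(line)
        if (ev is None or ev["event"] != "logon_success"
                or ev["user"] in ON_CALL or not after_hours(ev["ts"])):
            suppressed += 1
            continue
        per_user[ev["user"]].append(ev)
    items = {}
    for user, evs in per_user.items():
        privileged = user in PRIVILEGED
        items[user] = {
            "tier": "privileged" if privileged else "standard",
            # privileged accounts: act immediately; everyone else: prepare the action, wait for sign-off
            "action": "auto_suspend" if privileged else "queue_for_signoff",
            "count": len(evs),
            "sources": sorted({e["src"] for e in evs}),
            "first_seen": evs[0]["ts"].isoformat(),
        }
    return {"items": items, "suppressed": suppressed}

def suspend_account(user):
    """Placeholder for the directory call; this example only records the intent."""
    return f"suspend requested for {user}"

if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    print(f"{result['suppressed']} of {len(SAMPLE_LOG)} lines suppressed as noise")
    for user, item in result["items"].items():
        print(user, item)
        if item["action"] == "auto_suspend":
            print("  ", suspend_account(user))
```

Nine raw lines become three work items, and only the privileged one is acted on without a human in the loop; the queued items still carry the count and the list of sources so the analyst signing off sees the aggregate rather than each alert.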

In 2017, the readiness and capability to respond to a variety of cyber incidents will continue to be at the top of every C-level agenda.

By leveraging the orchestration and automation capabilities afforded by IncMan™, stakeholders can provide 360-degree visibility during each stage of the incident response life cycle. This provides not only consistency across investigations for personnel, but encourages the implementation of Supervised Active Intelligence™ across the entire incident response spectrum.

At DFLabs we showcase our capacity to reduce investigative time and incident dwell time, all while increasing incident handling consistency and reducing liability. Arming your SOC teams with information prior to the start of their incident investigation will help to drive focus purely on the incidents that need attention rather than the noise.

If you’re interested in seeing how we can work together to grow your incident response capabilities, visit us at https://www.DFLabs.com and schedule a demonstration of how we can utilize what you already have and make it better.

A Weekend in Incident Response #16: Canadian Securities Administrators Issues Updated Guide on Disclosure of Cyber Security Risks and Incidents

The Canadian Securities Administrators (CSA) continues to ramp up its efforts for improving cyber security for reporting issuers, which include companies with publicly traded securities. The latest step in this direction is the introduction of the Multilateral Staff Notice 51-347 – Disclosure of cyber security risks and incidents, as an update to the Staff Notice 11-322 – Cyber Security guide issued in September 2016. The CSA considers cyber security to be one of its top priorities, and these guidelines are meant to help regulated entities mitigate cyber security risks.

The main goal of these latest notices is to regulate the way certain organizations disclose cyber security risks and incidents. Issuers are expected to comply with the obligations prescribed in the Multilateral Staff Notice, which among other things, requires them to file detailed reports on each detected cyber security risk and incident.

Automation Platform for Efficient and Detailed Disclosure

Complying with the continuous disclosure obligations might be difficult for some reporting issuers, as it may require spending a significant amount of time and money, potentially affecting their bottom line. However, there are solutions that can help ease that additional strain. For instance, there are automated platforms that are capable of maintaining complete control over cybersecurity incidents and managing risks.

Using a platform that can predict, detect, and respond to cybersecurity breaches can help organizations contain the damage resulting from incidents that have occurred, and reduce the risk of such incidents occurring in the future, while also complying with disclosure obligations.

One of the key capabilities of such platforms in relation to the disclosure obligations is the fact that they can create automated reports for each incident, and track every action that is taken by an organization’s computer security incident response team. These types of features are crucial for every organization’s efforts for complying with the above-mentioned requirements.

Multiple Customizable Report Types

The Multilateral Staff Notice requires reporting issuers to disclose specific and detailed reports on every detected material cyber security risk, while also disclosing what actions they take to mitigate and manage said risks. Furthermore, when disclosing cyber security incidents, issuers are required to notify authorities on the potential impact of an incident and the costs ensuing from it. This is where an automated cyber incident response platform can prove to be very useful to reporting issuers. These platforms are able to create different types of customizable reports, containing detailed information about a given cyber security risk or incident.

For example, they can generate encrypted PDF reports, along with DOC, IODEF, IOC and TXT reports, depending on an organization’s needs during a particular incident. These reports include information such as: incident kind, actions taken, evidence, and time of detection, to name a few.

Utilizing a platform of this type, reporting issuers can have peace of mind that all cybersecurity risks are detected in a timely manner and all incidents are resolved as quickly and effectively as possible, while complying with disclosure obligations in the process.

Supervised Active Intelligence: Taking the Guesswork out of your Cyber Incident Response

In the upcoming months we will share details that outline our successful methodology “Supervised Active Intelligence”. We envision a world where your security team is empowered with all the information they need to make an intelligent, informed security decision based on coordinated information, intelligence and incident enrichment activities as early in the incident response life-cycle as possible.

We speak to a lot of Security Operations Center (SOC) personnel who want information in front of them before they start investigating. This is a part of human nature. We want as much information as we can get in order to make a decision. Too often we find that SOC teams spend most of their time digging around for information that is readily available in our Enrichment package within IncMan™.

Another problem we see is that businesses are drowning in technology. In fact, few know how many products they have at their disposal. This is not uncommon: the purchase of more products leads to a false sense of security. We even see businesses use manual methods of cataloging and managing cyber/physical incidents with Microsoft Excel.

IncMan™ can leverage all of your endpoint/gateway malware analysis, intrusion detection/prevention and even intelligence services and put them under the direct control of your incident response. IncMan™ is able to interface with them directly within a single manageable interface. This not only reduces the up-skilling needed for specific product interfaces, allowing less reliance on specialists, but allows your team to start the following chain of events:

• Enrich your team with all the required information, providing your immediate reaction teams with the information needed for decision makers, forensic coverage and reaction protocols
• Create your containment actions based on the products you have evaluated to meet a specific requirement in a company policy that aligns with best practice
• Mitigate the incident, providing evidence to legal entities, managed service providers and internal teams
• Remediate and action policy updates to your incident response, orchestrating your team as well as product solutions
• Feed and influence knowledge bases, working with intelligence services and providing more information about what happened to your required services.

If you follow our standards and best practice, this will aid your GDPR readiness, HIPAA compliance, ISO 27001 and many more, reassuring board members and management when a breach or other cyber event occurs.


From Ad-Hoc to SOC: First steps to growing your cyber incident response team capabilities in an ROI driven world

In my role as VP of Services at DFLabs, I get the opportunity to speak to stakeholders at every level about the concerns they have with their current cyber incident response processes and how they are currently dealing with the challenges. From the analyst who deals with an ever-increasing number of alerts to the CISO who is constantly evaluating how best to apply limited funds and personnel, they all have one overwhelming concern: how best to build what they have into what is needed to successfully handle the evolving threats to data security.

Organizations typically will leverage the resources they currently possess. Spreadsheets become incident trackers. Ticketing and project management applications become investigation coordination repositories. Governance, risk and compliance software becomes the reporting platform. While the ROI for leveraging existing resources can’t be overstated, the issue quickly becomes one of scalability. These systems, comprised of patchwork applications that are unable to work together symbiotically, are quickly outgrown.

We can all agree that no single solution is the magic bullet that will solve all incident response challenges. Any progress will begin with a centralized incident response orchestration platform that acts as a force multiplier for your existing personnel and resources. You wouldn’t use a spoon to dig a 6-foot hole when there are tools designed to dig the hole that are more efficient and effective. This platform should include at a minimum:

  • A solid platform of cyber incident management – A cost-effective incident management platform designed for each stage of the incident response life cycle is the foundation for immediate and long-term success and organizational expansion. A successful platform will be able to incorporate your existing infrastructure and personnel and increase their capabilities. It should not require hiring new personnel or expensive professional services to be effective.
  • Actionable intelligence – Intelligence feeds such as TAXII or other feeds that support STIX can add additional information that promotes informed decision making during each stage of the incident response life cycle.
  • Seamless integration with existing and future technologies – To expand with customer and infrastructure needs, an orchestration platform must be able to not only leverage existing technologies but offer the capability to expand for future integrations as needed.
  • True incident orchestration – Provides the ability to utilize Supervised Active Intelligence™ (SAI), to make informed decisions at each stage of the incident response life cycle while providing a 360-degree view of the incident. This includes critical incident enrichment data with a choice of Human to Machine and/or Machine to Machine actions with consistent, defendable, results across a variety of incident response scenarios.

At DFLabs we have integrated these features and more to give stakeholders the tools they require, built on a platform that gives them the confidence they need. DFLabs’ IncMan® is ranked as one of the most innovative incident response orchestration platforms, providing the same unparalleled value to the incident responder as it does to the CISO. Our advanced technology empowers our customers to receive, respond to and remediate cyber incidents at a total cost of ownership unavailable elsewhere.

If you’re interested in seeing how we can work together to grow your incident response capabilities while keeping an eye on the ROI bottom line, visit us at https://www.DFLabs.com and schedule a demonstration of how we can utilize what you already have and make it better.

A Weekend in Incident Response #15: Responding to Increasingly Common DDoS Attacks Through Automated Playbooks

Cyber-attackers never stop inventing new and more creative methods and techniques that are supposed to be more difficult to prevent. One of the most common types of attack nowadays is the DDoS attack (Distributed Denial of Service attack), which has been on the rise recently, unlike data breaches, according to the 2017 Cyber Incident & Breach Response Guide issued by the Online Trust Alliance.

Mitigating DDoS attacks is complicated and time-consuming. They often last several days and even weeks, bringing an organization’s operations to a complete halt for prolonged periods of time. It takes a coordinated effort from an organization’s CSIRT, C-level and its Internet Service Provider (ISP). Since it can take a lot of time to recover from a DDoS attack, it’s essential to have a response plan in place that is specifically designed to respond to these types of cybersecurity incidents. This will help reduce the team’s response time, contain the damage, and resume operations as soon as possible.

DDoS Attack Playbooks

In order to prepare for a future DDoS attack, it’s recommended that organizations utilize a cyber incident response platform which has the ability to detect, predict and respond to various types of cybersecurity incidents. These platforms provide specialized automated playbooks for different types of incidents, allowing organizations to automate the immediate response to a cybersecurity event and give their SOC and CSIRT the time to focus on recovery and making the organization’s systems fully functional as soon as possible.

Effective Containment and Recovery

A typical DDoS attack playbook includes the key aspects of a cyber incident response, such as analysis, containment, remediation, recovery, and post-incident actions. By employing such a playbook, the organization can quickly determine the specific part of the infrastructure that has been affected by the attack, so that the team knows which actions to take to resolve the incident. A pre-defined playbook will help organizations contain the damage by notifying the SOC and CSIRT on how to block the DDoS attack based on the analysis performed by the incident response platform.

After you have taken the proposed actions to contain the incident, the playbook will guide you through the remediation process. It will involve contacting your ISP and notifying law enforcement, which is where a cyber incident response platform’s capability to create automated incident reports comes in handy, too.

Finally, if you are utilizing a cyber incident response platform, you will have the possibility to enhance your preparedness for future cybersecurity events, by creating statistical reports that contain all the necessary metrics, which you can use to adjust your response to different types of attacks.
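The playbook stages described in this post (analysis, containment, remediation, recovery, post-incident metrics) and the reporting requirements from the CSA post above (incident kind, actions taken, evidence, time of detection, with every CSIRT action tracked) can be shown together in one small program. The following is an added example, not DFLabs or IncMan™ code: it runs a toy analysis over constructed flow records to find the host whose request rate spikes far above baseline, records each playbook step in an audit trail, checks post-containment traffic before declaring recovery, and renders a plain-text report. The window size, baseline rate, spike factor and the 203.0.113.0/24 and 10.0.0.0/8 addresses are all constructed for the example.

```python
from collections import Counter, defaultdict
from datetime import datetime, timezone

WINDOW_S = 10        # assumption: analyse traffic in 10-second windows
BASELINE_RPS = 5.0   # assumption: normal per-host request rate
SPIKE_FACTOR = 10    # a host at >= 10x baseline is treated as under attack

def make_sample_flows(include_flood=True):
    """Constructed flow records (epoch_seconds, src, dst): light load on two hosts, then a flood."""
    t0 = 1_700_000_000
    flows = []
    for t in range(t0, t0 + 30):                  # 30 s, two internal clients, 2 rps per host
        for host in ("web-01", "api-01"):
            flows.append((t, "10.0.0.5", host))
            flows.append((t, "10.0.0.6", host))
    if include_flood:
        for t in range(t0 + 10, t0 + 20):         # 10 s flood: 40 sources x 2 rps -> +80 rps on web-01
            for i in range(1, 41):
                flows.append((t, f"203.0.113.{i}", "web-01"))
                flows.append((t, f"203.0.113.{i}", "web-01"))
    return flows

def analyze(flows):
    """Per-window request rate per destination; return hosts that exceed the spike threshold."""
    per_window = defaultdict(list)
    for t, src, dst in flows:
        per_window[(t - t % WINDOW_S, dst)].append(src)
    findings = {}
    for (window, dst), srcs in sorted(per_window.items()):
        rps = len(srcs) / WINDOW_S
        if rps >= BASELINE_RPS * SPIKE_FACTOR:
            f = findings.setdefault(dst, {"first_window": window, "peak_rps": 0.0, "sources": Counter()})
            f["peak_rps"] = max(f["peak_rps"], rps)
            f["sources"].update(srcs)
    return findings

class DDoSPlaybook:
    def __init__(self):
        self.actions = []        # every step is recorded here, in order, for the report
        self.evidence = {}
        self.detected_at = None

    def record(self, stage, action, actor="playbook"):
        self.actions.append({"stage": stage, "actor": actor, "action": action})

    def run(self, flows, post_containment_flows):
        findings = analyze(flows)
        if not findings:
            self.record("analysis", "no host above threshold; closed as false positive")
            return self
        target, f = max(findings.items(), key=lambda kv: kv[1]["peak_rps"])
        self.detected_at = datetime.fromtimestamp(f["first_window"], timezone.utc).isoformat()
        top = [src for src, _ in f["sources"].most_common(5)]
        self.evidence = {"target": target, "peak_rps": f["peak_rps"], "baseline_rps": BASELINE_RPS,
                         "distinct_sources": len(f["sources"]), "top_sources": top}
        self.record("analysis", f"identified {target} as the affected asset at {f['peak_rps']:.0f} rps")
        self.record("containment", "notified SOC and CSIRT with the analysis evidence")
        self.record("containment", f"proposed edge rate limit for the {len(top)} top sources",
                    actor="awaiting analyst sign-off")
        self.record("remediation", "contacted ISP with the source list for upstream filtering")
        self.record("remediation", "notified law enforcement and attached the generated report")
        if analyze(post_containment_flows):
            self.record("recovery", "residual flood still present; escalating")
        else:
            self.record("recovery", "traffic back at baseline; service restored")
        self.record("post-incident", f"metrics: peak {f['peak_rps']:.0f} rps from {len(f['sources'])} sources")
        return self

    def report(self):
        """Plain-text report carrying incident kind, time of detection, evidence and every action."""
        lines = ["Incident kind: DDoS", f"Time of detection: {self.detected_at}", "Evidence:"]
        lines += [f"  {k}: {v}" for k, v in self.evidence.items()]
        lines += ["Actions taken:"] + [f"  [{a['stage']}] {a['action']} ({a['actor']})" for a in self.actions]
        return "\n".join(lines)

if __name__ == "__main__":
    pb = DDoSPlaybook().run(make_sample_flows(), make_sample_flows(include_flood=False))
    print(pb.report())
```

Two details carry over to a real playbook: the recovery stage re-runs the same analysis on fresh traffic instead of assuming containment worked, and the source counter deliberately includes the legitimate internal clients, so the analyst signing off the rate limit sees them next to the flood sources and can exclude them.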