A Weekend in Incident Response #26: Tackling Advanced Persistent Threats Through Email Parsing Rules and Information Sharing

Advanced persistent threats (APTs) have become a common class of cyber attack used by cyber criminals and state-sponsored actors seeking continuous access to government and private organizations’ networks. These attacks are difficult to defend against because their sophistication and precise targeting help them circumvent cyber defenses and keep a foothold in an organization’s network undetected for prolonged periods of time.

The damage incurred from advanced persistent threats, and the costs associated with it, can be expected to keep rising. Organizations would be wise to invest more financial and human resources in detecting, preventing, and eradicating these attacks.

Incoming Email Automation

Fast reaction time and the ability to diagnose a cyber threat correctly as quickly as possible are key to resolving cyber incidents and containing the damage that can arise from them. To that end, organizations need to automate their cyber incident response processes, so that their security professionals can react faster, identify every threat, and resolve every incident in a timely manner. An automation-and-orchestration cyber incident response platform is arguably the ideal solution for organizations that are potential targets of advanced persistent threats.

These platforms have a wide spectrum of features aimed at tackling advanced persistent threats, with incoming email automation among the most effective. Email parsing rules within cyber incident response platforms allow your security team to detect intrusion attempts and block potentially hazardous emails. Once such rules have been created, the platform analyzes each incoming email and scans specific fields, including the subject, the body, and the sender address, to filter out messages with malicious content. This helps stop advanced persistent threat actors who attempt to enter your network through phishing emails, one of their most common initial-access vectors. Rules of this kind are a triage control: a match should open a case for an analyst rather than be treated as proof of compromise, and a clean result does not mean the message is safe.
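The kind of parsing rule described above, as an added example written for this page rather than code from IncMan or the post's author. It parses a raw message, applies regular-expression rules to the sender address, subject and body (and, as an extension beyond the three fields named in the post, to attachment file names), and returns a scored verdict. The rule set, the scores, the block threshold and the two sample messages are all constructed assumptions; a real deployment would tune them to its own mail flow.

```python
"""Rule-based triage of incoming email on sender, subject, body and
attachment names. Added example, not IncMan's code. Rules, weights,
threshold and sample messages are constructed for illustration."""
import re
from dataclasses import dataclass, field
from email import message_from_bytes, policy
from email.message import EmailMessage
from email.utils import parseaddr


@dataclass
class Rule:
    name: str
    target: str    # "sender", "subject", "body" or "attachment"
    pattern: str   # regular expression, matched case-insensitively
    score: int     # contribution to the verdict score when the rule fires


# Assumed rule set for a fictitious "example.com" tenant: lookalike sender
# domains, pressure language, credential lures and risky attachment types.
RULES = [
    Rule("lookalike-domain", "sender", r"@(examp1e|example-secure)\.(com|net)$", 60),
    Rule("urgent-subject", "subject", r"\b(urgent|immediate action|account (suspended|locked))\b", 20),
    Rule("credential-lure", "body", r"\b(verify|confirm) your (password|credentials|account)\b", 30),
    Rule("executable-attachment", "attachment", r"\.(exe|scr|js|hta|vbs)$", 50),
    Rule("macro-document", "attachment", r"\.(docm|xlsm|pptm)$", 40),
]
BLOCK_THRESHOLD = 50   # assumed: block at or above, queue for review below


@dataclass
class Verdict:
    action: str                 # "block", "review" or "deliver"
    score: int
    tags: list = field(default_factory=list)


def _body_text(msg: EmailMessage) -> str:
    part = msg.get_body(preferencelist=("plain", "html"))
    return part.get_content() if part is not None else ""


def evaluate(raw: bytes) -> Verdict:
    """Parse one RFC 5322 message and apply every rule to its target field."""
    msg = message_from_bytes(raw, policy=policy.default)
    fields = {
        "sender": parseaddr(msg.get("From", ""))[1],     # address part only
        "subject": str(msg.get("Subject", "")),
        "body": _body_text(msg),
    }
    names = [p.get_filename() or "" for p in msg.iter_attachments()]
    score, tags = 0, []
    for rule in RULES:
        if rule.target == "attachment":
            hit = any(re.search(rule.pattern, n, re.I) for n in names)
        else:
            hit = re.search(rule.pattern, fields[rule.target], re.I) is not None
        if hit:
            score += rule.score
            tags.append(rule.name)
    action = "block" if score >= BLOCK_THRESHOLD else "review" if score else "deliver"
    return Verdict(action, score, tags)


def build_sample(sender, subject, body, attachment=None) -> bytes:
    """Construct a sample message as raw bytes, as a mail gateway would hand it over."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "finance@example.com", subject
    m.set_content(body)
    if attachment:
        m.add_attachment(b"\x00" * 16, maintype="application",
                         subtype="octet-stream", filename=attachment)
    return m.as_bytes()


# Constructed samples: one phishing lure, one ordinary internal message.
PHISH = build_sample("IT Helpdesk <helpdesk@examp1e.com>", "URGENT: account suspended",
                     "Please verify your password within 24 hours.", "invoice.docm")
BENIGN = build_sample("alice@example.com", "Lunch on Thursday?", "Does noon work for you?")

if __name__ == "__main__":
    for label, raw in (("phish", PHISH), ("benign", BENIGN)):
        print(label, evaluate(raw))
```

The verdict carries the names of the rules that fired so the case an analyst receives explains itself; a single high-weight rule (a known lookalike domain, an executable attachment) is enough to block on its own, while weaker signals only add up to a review.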

Information Sharing Capabilities Also Key

Another essential feature of some cyber incident response platforms is the ability to share incident information with law enforcement and with cyber threat intelligence platforms, which improves an organization’s capability to defend against advanced persistent threats. For instance, if a platform supports threat intelligence exchange standards such as STIX (the content format) and TAXII (the transport protocol), you will be able to share and receive key information on current and past cyber security events, allowing you to adjust your cyber defense program to the changing methods, tactics and channels used by advanced persistent threat actors.

In short, staving off advanced persistent threats requires a comprehensive approach by cyber security professionals, centered on a cyber incident response platform capable of threat intelligence sharing and incoming email automation, two of the most effective tools for battling these sophisticated attacks.

A Weekend in Incident Response #25: Closing the Gap in U.S. Federal Agencies Cyber Security

In March, the U.S. Office of Management and Budget (OMB) released its report on the cyber security performance of federal agencies, revealing that they reported a total of 30,899 cyber incidents in fiscal year 2016. The OMB states that this is an alarming figure and that it indicates significant gaps in the cyber defenses of federal agencies across the country.

According to the report, federal agencies made good progress in improving their cyber defenses last year, but remain quite vulnerable to cyber attacks and need to ramp up their efforts to protect their networks and data. Of the almost 31,000 incidents in fiscal 2016, 16 were designated as major incidents, meaning they had the potential to threaten national security, the economy, civil liberties, or relations with foreign countries. With this in mind, federal agencies need to keep stepping up their defenses against cyber attacks.

Detecting and Preventing Malware and Phishing Attacks

Given that the report states that the vast majority of incidents reported by federal agencies involved phishing attacks and malware infections, agencies are now advised to improve their capabilities to respond to these types of attacks and to detect and prevent them in the future. There are a couple of ways this can be done. On the incident response side, one of the most cost-effective solutions is an automation-and-orchestration cyber incident response platform, capable of keeping security events under control, mitigating risks and improving an organization’s ability to prevent future attacks.

These platforms have wide-ranging features that give Computer Security Incident Response Teams (CSIRTs) the ability to detect and track security breaches quickly. Some platforms reduce reaction times through automated playbooks designed to accelerate the response to specific types of attack, such as the malware and phishing attacks that government agencies face most often.

Integrated Knowledge Base to Guide You Through the Response Process

Through those playbooks, and the integrated knowledge base, security professionals can quickly identify where an attack is coming from, locate the infected or breached device or network segment, and follow up by containing the damage to prevent it from spreading.

What’s more, these platforms can automatically generate a report on every incident and collect digital evidence for forensic investigation, allowing law enforcement to be notified quickly and provided with the necessary documentation, which supports compliance with data breach notification and reporting regulations.

This approach increases a security team’s ability to resolve incidents in a timely manner and helps prevent government agencies from losing valuable and sensitive data that attackers could use for extortion or to damage the country’s critical infrastructure.

A Weekend in Incident Response #24: Department of Defense Contractors Required to Comply with New Cyber Incident Reporting Rules

Critical infrastructure is a frequent target of cyber criminals. As in other countries, the defense sector is a crucial part of the critical infrastructure of the United States, and the Department of Defense (DoD) is therefore often exposed to cyber attacks of various types. Not only the Department itself but also its contractors face these threats. That is why the DoD is tightening the cyber security requirements on its contractors and subcontractors, in an effort to prevent cyber attacks on key components of the nation’s critical infrastructure and to protect sensitive defense information of major geopolitical and strategic importance.

As part of those efforts, in October 2016 the DoD issued a Final Rule aimed at better protecting covered defense information, applying to the Department’s contractors and subcontractors. Most notably, the final rule revises the DFARS clauses “Cloud Computing Services” (252.239-7010) and “Safeguarding Covered Defense Information and Cyber Incident Reporting” (252.204-7012), which set out how contractors and subcontractors are required to handle covered defense information and report cyber incidents to the Department.

How Can Contractors Overcome the Challenges Involved in Mandatory Compliance with These Regulations?

As soon as the final rule was announced, many contractors doing business with the DoD expressed concern that the companies in their supply chains would not be able to achieve full compliance before the December 31, 2017 deadline. Their grievances concerned the clauses requiring contractors and subcontractors to report a cyber incident to the Department of Defense within 72 hours of discovering it, as well as the related processes for investigating and documenting incidents.

The problem the contractor and subcontractor communities have with these clauses is that compliance is expected to impose significant additional expenses on their businesses and require hiring additional staff.

Avoid Increased Costs and Save Time with Just One Incident Response Platform

While the concerns contractors have expressed about this rule are well founded, there are solutions that can help them avoid potentially significant cost increases while still meeting these strict requirements.

One possible solution is an automation-and-orchestration platform that provides complete case management for security events. Using such a platform, designed for fast and effective incident response, contractors and subcontractors can notify the authorities of any incident they detect in a timely manner, and collect and retain the documentation required in the later stages of an investigation.

Incident response platforms can track digital evidence for forensic investigation and keep a record of every action taken by the security team during the response process. On top of that, they can automatically create incident reports that let your security team assess the current status of an incident, what caused it, and the scope of the damage. With this capability, organizations can have peace of mind that they will be covered if they suffer a breach, knowing that they can rely on an incident response platform to support the reporting and notification requirements of the Department of Defense’s final rule on safeguarding covered defense information and cyber incident reporting. One caveat: the clause also requires the contractor to preserve and protect images of known affected systems and the relevant monitoring data for at least 90 days from submission of the incident report, so evidence retention matters as much as the 72-hour notification itself.

Top 5 Features to Evaluate When Selecting a Security Orchestration, Automation and Response Product

Security Orchestration, Automation and Response (SOAR) is a relatively new cyber security solution category. These platforms aim to provide a centralized software solution to manage the complete lifecycle of a cyber incident, orchestrate security products toward a defined goal, and respond to incidents in an automated or semi-automated fashion. The SOAR category is of particular interest to Security Operations Center teams, as these products are now seen as the backbone of incident management.

Given the differences between Security Operations Center and cyber incident response teams, it is rare to find evaluation criteria that all of them share when assessing incident response solutions. Even so, the following five features tend to be a common focus during the evaluation process:

In no particular order:

1. Supervised Active Intelligence™
This is the methodology behind one of the most powerful features within IncMan™: arming your SOC team with selected intelligence related to a cyber incident. The feature delivers targeted information directly to the assigned investigator. This information is paramount to starting a cyber investigation, and we see daily that incidents lacking it have a much slower reaction time. Most importantly, your team’s steps are guided by the intelligence generated within an IncMan playbook as they work through their playbook actions.

2. Intelligent Correlation Engine
Building on the Supervised Active Intelligence feature, the intelligence captured within IncMan accumulates as the information around cyber incidents grows. IncMan analyzes this information and provides a visual representation of how an incident has progressed and whether any other incidents share common features, for example the same affected users, the same machine types, or other patterns that have emerged. We visualize this information over a timeline, allowing the SOC team to correlate security incidents with business events, or simply to track how malware has traversed several machines and at what rate.

3. Extended Knowledge base with your own intelligence or from others
We understand as an organization how important it is to use multiple sources of external intelligence, which is why the IncMan knowledge base can be extended with the information your SOC team needs. For example, some clients use the knowledge base to add fraud intelligence and prevention information. We natively support TAXII and other feeds using the STIX format for intelligence sharing. Alternatively, if you are part of an intelligence sharing network, IncMan can connect to it through its API.
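STIX and TAXII come up twice on this page, in the post on information sharing (sharing and receiving event data in STIX) and in the knowledge base feature above. The following is an added example, not IncMan's code or the author's, showing both directions of that exchange in STIX 2.1 without any library: wrapping an observable from a case in an Indicator object for publication, and indexing indicators from a received bundle so the observables they name can be looked up during triage. Assumptions: the inbound bundle has already been fetched (for instance over TAXII) as JSON, and only single-comparison equality patterns are indexed; compound patterns are left for an analyst. The inbound bundle and its identifiers are constructed sample data.

```python
"""STIX 2.1 indicator exchange, dependency-free (the stix2 library is not
used). Added example, not IncMan's code. The inbound bundle is constructed
sample data; only single equality comparisons are indexed."""
import json
import re
import uuid
from datetime import datetime, timezone

# Matches [object-path = 'value'], allowing a quoted hash key in the path
# (file:hashes.'SHA-256') and escaped quotes inside the value.
SIMPLE_PATTERN = re.compile(
    r"^\[\s*([a-z0-9-]+:[A-Za-z0-9_.'-]+)\s*=\s*'((?:[^'\\]|\\.)*)'\s*\]$")


def _stix_timestamp() -> str:
    # STIX 2.1 timestamps are UTC with millisecond precision and a trailing Z
    now = datetime.now(timezone.utc)
    return now.strftime("%Y-%m-%dT%H:%M:%S.") + f"{now.microsecond // 1000:03d}Z"


def make_indicator(object_path: str, value: str, name: str) -> dict:
    """Wrap one observable from an incident in a STIX 2.1 Indicator object."""
    ts = _stix_timestamp()
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created": ts,
        "modified": ts,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": f"[{object_path} = '{escaped}']",
        "pattern_type": "stix",
        "valid_from": ts,
    }


def make_bundle(objects) -> dict:
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": list(objects)}


def index_simple_indicators(bundle_json: str) -> dict:
    """Return {object_path: {value: indicator_id}} for every non-revoked
    indicator whose STIX pattern is a single equality comparison."""
    index = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked", False):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        m = SIMPLE_PATTERN.match(obj.get("pattern", ""))
        if m is None:
            continue          # compound pattern: not indexable here, needs analyst review
        path, value = m.group(1), re.sub(r"\\(.)", r"\1", m.group(2))
        index.setdefault(path, {})[value] = obj["id"]
    return index


def lookup(index: dict, object_path: str, value: str):
    """Indicator id if the observable is known to the feed, else None."""
    return index.get(object_path, {}).get(value)


# Constructed inbound bundle, as a sharing partner might publish it.
INBOUND = json.dumps({
    "type": "bundle", "id": "bundle--8a0d9e2c-6c1a-4f0c-a8c3-1c2d3e4f5a6b",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--2f6b4f52-3d1c-4d6b-9a9b-0d7c6d2d1e11",
         "created": "2017-05-01T10:00:00.000Z", "modified": "2017-05-01T10:00:00.000Z",
         "name": "Phishing lookalike domain", "indicator_types": ["malicious-activity"],
         "pattern": "[domain-name:value = 'examp1e.com']", "pattern_type": "stix",
         "valid_from": "2017-05-01T10:00:00.000Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--c7a1b2d3-e4f5-4a6b-8c9d-0e1f2a3b4c5d",
         "created": "2017-04-01T10:00:00.000Z", "modified": "2017-05-01T10:00:00.000Z",
         "name": "Withdrawn URL", "indicator_types": ["malicious-activity"],
         "pattern": "[url:value = 'http://examp1e.com/login']", "pattern_type": "stix",
         "valid_from": "2017-04-01T10:00:00.000Z", "revoked": True},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--5e6f7a8b-9c0d-4e1f-a2b3-c4d5e6f7a8b9",
         "created": "2017-05-01T10:00:00.000Z", "modified": "2017-05-01T10:00:00.000Z",
         "name": "C2 beacon", "indicator_types": ["malicious-activity"],
         "pattern": "[ipv4-addr:value = '198.51.100.7' AND network-traffic:dst_port = 443]",
         "pattern_type": "stix", "valid_from": "2017-05-01T10:00:00.000Z"},
    ],
})

if __name__ == "__main__":
    idx = index_simple_indicators(INBOUND)
    print(lookup(idx, "domain-name:value", "examp1e.com"))
    outbound = make_bundle([make_indicator("email-addr:value", "helpdesk@examp1e.com",
                                           "Phishing sender seen in case 42")])
    print(json.dumps(outbound, indent=2))
```

Two details are worth keeping when wiring this into a real feed: revoked objects must drop out of the lookup table, otherwise a withdrawn indicator keeps generating alerts, and any pattern the indexer cannot represent faithfully should be surfaced rather than silently matched on one of its terms.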

Another feature often used by CSOs and CISOs alike is the linking between the knowledge base and cyber incidents. Knowledge base articles can be tagged and linked to cyber incidents to aid reporting and make impact visible to stakeholders.

4. Integrating your environment
IncMan works with your current environment and the products you already have. As our client, we want to bring you from “Zero to Hero” in the shortest time possible with pre-configured integrations that can be enabled within minutes. With IncMan you choose how to leverage your existing products. The crucial point is that we know every environment is a mixture of many moving parts, and we integrate with your existing framework to ensure maximum availability while minimizing response time and resource expenditure.

5. Playbooks
Playbooks can be thought of in the context of American football. The term playbook gives a visual meaning to orchestrating team members toward a single goal in a given scenario. The three distinct teams are as follows:

Defense: containment, for cyber incident response
Special teams: enrichment, providing both other teams with more information (in football terms, field position)
Offense: mitigating incidents and going on the offensive to put the company in a positive, advantageous position given the situation in front of it

For those of you not into the American football analogy: playbooks give your teams meticulous control over pre-defined workflows that drive policy and procedure in a repeatable, consistent and enforced manner. This allows enrichment, containment and mitigation to be driven through one product, IncMan.

Why Trading Platforms Are Not the Same as Incident Response Platforms

What’s wonderful about our security industry, and its products in particular, is that we constantly see the same fancy dashboard reporting. These views focus on displaying an abundance of information to help users correlate and make historical data relevant. It’s vital data, but I don’t think this is the place for it. I am going to focus on the perspective most relevant to me, which is incident response. For incident response, historical data is relevant when you have a purpose for using it. Our main focus in incident response is to respond to the incidents that are relevant right now.

We often try to think outside the box and borrow from other business models to facilitate our own growth. I think this is common and serves its purpose for planning, but we must understand the purpose for which we are using the borrowed concept. I always laugh when I see a morning show displaying stock and index tickers, and I ask myself who will be next to implement that view in a security product. This is something we need to think about seriously: is this information relevant for this purpose at this point in a cyber investigator’s journey?

Over-complicating and over-stimulating users with too much data can have the opposite of the desired effect. The information loses its value and purpose and ultimately becomes another piece of background clutter that is easily ignored. Time is essential when dealing with any security event, not only from a response standpoint but also from an evidence-gathering perspective. Orchestrating information at the correct time is as important as responding to the incident itself. Evasion, obfuscation and piggybacking are just some of the techniques intruders use. It is extremely difficult to know when the right time will be for each individual case, but having an incident response platform to gather and display incident information is essential, and presenting that information visually will prove effective in the war room.

An incident responder’s dashboard should be clear and concise. The investigator, analyst or stakeholder should see information that drives them to an action at a granular level. While this information may differ from organization to organization, the concept should remain the same. I do enjoy a good list, so here are some of the thoughts I have when planning a dashboard view:

Active cyber incidents per business unit and their priority; some people call this a health status, but the concept is the same. Which business units have incidents registered against them, and what is the priority of each incident? This should reduce to a simple percentage and a color code: red if major, green if only low-priority incidents with non-invasive tasks are identified. The number should represent the inverse of the incident count multiplied by the priority raised, so that more incidents and higher priorities lower the score.
Events identified by source: knowing which products produce the most events is key to judging whether a source is doing its job or should be configured differently.
Playbook stage number and time to close, organized by priority.
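The three views above, computed from a case list, as an added example that is not IncMan's code or the author's. The priority scale, the health formula (the inverse of the incident count weighted by priority, which is how the post phrases it), the amber middle band and the sample cases are assumptions made for illustration; the point is that each widget is a small aggregation over the same open-case data rather than a historical chart.

```python
"""Dashboard aggregations for active incident response cases.
Added example, not IncMan's code. Priority weights, the health formula,
the AMBER band and the sample incidents are assumptions."""
from collections import Counter, defaultdict
from datetime import datetime
from statistics import median

PRIORITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "major": 4}   # assumed scale

# Constructed sample cases. "closed" is None while the incident is active.
INCIDENTS = [
    {"id": "INC-1", "unit": "finance", "priority": "major", "source": "email-gateway",
     "stage": 2, "opened": datetime(2017, 5, 1, 8, 0), "closed": None},
    {"id": "INC-2", "unit": "finance", "priority": "low", "source": "edr",
     "stage": 4, "opened": datetime(2017, 5, 1, 9, 30), "closed": None},
    {"id": "INC-3", "unit": "hr", "priority": "low", "source": "email-gateway",
     "stage": 1, "opened": datetime(2017, 5, 2, 11, 0), "closed": None},
    {"id": "INC-4", "unit": "hr", "priority": "medium", "source": "siem",
     "stage": 5, "opened": datetime(2017, 5, 1, 9, 0), "closed": datetime(2017, 5, 1, 15, 0)},
    {"id": "INC-5", "unit": "ops", "priority": "low", "source": "edr",
     "stage": 5, "opened": datetime(2017, 5, 1, 10, 0), "closed": datetime(2017, 5, 1, 12, 0)},
    {"id": "INC-6", "unit": "ops", "priority": "low", "source": "edr",
     "stage": 5, "opened": datetime(2017, 5, 2, 10, 0), "closed": datetime(2017, 5, 2, 14, 0)},
]


def unit_health(incidents):
    """Per business unit: (health percent, color) over active incidents only.
    Health = 100 / (1 + sum of priority weights), so a unit with nothing open
    scores 100 and every extra or higher-priority incident lowers it."""
    load, worst = defaultdict(int), defaultdict(int)
    for inc in incidents:
        if inc["closed"] is None:
            w = PRIORITY_WEIGHT[inc["priority"]]
            load[inc["unit"]] += w
            worst[inc["unit"]] = max(worst[inc["unit"]], w)
    result = {}
    for unit in sorted({inc["unit"] for inc in incidents}):
        percent = round(100 / (1 + load[unit]))
        if worst[unit] >= PRIORITY_WEIGHT["major"]:
            color = "RED"
        elif worst[unit] <= PRIORITY_WEIGHT["low"]:
            color = "GREEN"           # nothing open, or only low-priority work
        else:
            color = "AMBER"           # assumed middle band, not named in the post
        result[unit] = (percent, color)
    return result


def events_by_source(incidents):
    """How many cases each detection source produced."""
    return Counter(inc["source"] for inc in incidents)


def stage_by_priority(incidents):
    """Active cases with their playbook stage, highest priority first."""
    active = [inc for inc in incidents if inc["closed"] is None]
    active.sort(key=lambda inc: -PRIORITY_WEIGHT[inc["priority"]])
    return [(inc["id"], inc["priority"], inc["stage"]) for inc in active]


def time_to_close_by_priority(incidents):
    """Median hours from opening to closure, per priority, closed cases only."""
    hours = defaultdict(list)
    for inc in incidents:
        if inc["closed"] is not None:
            hours[inc["priority"]].append((inc["closed"] - inc["opened"]).total_seconds() / 3600)
    return {p: round(median(v), 1) for p, v in hours.items()}


if __name__ == "__main__":
    print(unit_health(INCIDENTS))
    print(events_by_source(INCIDENTS))
    print(stage_by_priority(INCIDENTS))
    print(time_to_close_by_priority(INCIDENTS))
```

With the sample data, finance shows 17% and RED because of its open major incident, HR shows 50% and GREEN with a single low-priority case, and ops shows 100% because everything registered against it is already closed; closed cases still feed the time-to-close view so that the response metric survives after the alert has gone.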

Incident data is critical, and the general rule of thumb is that more is preferable to not enough. Given that the purpose of the dashboard is to surface the data relevant to current and future incidents, keeping the view to the items above ensures that your incident data feeds not only remain timely but provide maximum value as well.