A Weekend in Incident Response #35: The Most Common Cyber security Threats Today

Companies across different industries around the globe, along with government institutions, cite cyber attacks as one of the biggest security threats to their existence. As a matter of fact, in a recent Forbes survey of over 700 companies from 79 countries, 88 percent of respondents said that they are “extremely concerned” or “concerned” by the risk of getting attacked by hackers.

This fact is a clear indication that organizations have to ramp up efforts for enhancing their cyber resilience, but to do that successfully and in the most effective manner, they need to have a clear understanding of where the biggest cyber threats come from nowadays so that they can shape their cyber defenses accordingly. We take a look at the most common cybersecurity threats today, ranging from internal threats, cyber criminals looking for financial gains, and nation states.

Internal Threats

When talking about cyber security, some of the first things that usually come to mind are freelance hackers and state-sponsored attacks between hostile nations. But, many cyber security incidents actually come from within organizations, or to be more specific, from their own employees.

Pretty much all experts agree that employees are some of the weakest links in the cyber defense of every organization, in part due to low cyber security awareness, and sometimes due to criminal intent.

Employees often put their companies at risk of getting hacked without meaning to, by opening phishing emails or sharing confidential files through insecure channels, which is why organizations should make sure their staff knows the basics of cyber security and how to avoid the common cyber scams and protect data.

Connected Devices

With so many devices connected to the Internet nowadays, including video cameras, smart phones, tablets, sensors, POS terminals, medical devices, printers, scanners, among others, organizations are at an increased risk of falling victim of a data breach. The Internet of Things is a real and ever-increasing cyber threat to businesses and institutions, deteriorating their vulnerability to cyber attacks by adding more endpoints that hackers can use to gain access to networks, and by making it easier for hackers to spread malicious software throughout networks at a faster rate.

The Internet of Things is one of the factors that make DDoS attacks more possible and more easily conducted, and these types of attacks can have a significant and long-lasting impact on organizations, both in terms of financial losses and reputation damage.

Nation-State Attacks

Private entities and government institutions that are part of the critical infrastructure in their countries are under a constant threat of different types of attacks by hostile nations. As the number of channels and methods that stand at the disposal of hackers aiming to gain access to computer networks grows, organizations in the public and private sector are facing a growing risk of cyber attacks sponsored by nation-states that might have an interest in damaging the critical infrastructure of other countries, hurting their economies, obtaining top-secret information, or getting the upper hand in diplomatic disputes.

Most commonly, nation-state-sponsored cyber attacks use malware, such as ransomware and spyware, to access computer networks of organizations, as a means of gaining control over certain aspects of the critical infrastructure of another country.

No matter what types of attacks are common today, the number and level of sophistication of cyber threats to organizations are certainly going to grow in the future, which is why they have to constantly update and adjust their cyber defenses accordingly.

A Weekend in Incident Response #34: Proper Cyber Incident Response Plan in Critical Infrastructure Sectors Can Help Preserve Public Safety and International Peace

Cyber criminals do not discriminate against anyone when it comes to their targets of choice. They go after whatever organization they consider to have a potential to yield substantial financial benefits, without taking into account that some of their exploits might even lead to international conflict or an environmental catastrophe of unimaginable scale.

Cyber attacks on critical infrastructures have become commonplace lately, threatening public health and safety, and deteriorating relations between countries. Having in mind how sophisticated and advanced these cyber threats are, it is no wonder that it is extremely difficult to detect and prevent all of them, so a proper cyber incident response plan that would help contain the damage and recover from an attack becomes a necessity.

Incident Response Solutions for Critical Infrastructure Sectors

Critical infrastructure is comprised of organizations from various sectors, including health care, energy, telecommunications, financial services, government, and transportation, among others. All businesses and institutions that are part of one of these sectors are potential targets for cyber criminals.

To improve their ability to mitigate cyber security threats more effectively, these organizations are advised to create a workflow-based incident response plan relying on automation and orchestration platform.

Benefits of a Workflow-Based Security Incident Response Plan

By utilizing an incident response platform that allows an orchestrated approach while automating certain routine and time-consuming tasks, organizations can greatly reduce reaction times of their cyber security teams, and start the recovery process as soon as possible.

A workflow-based platform, that incorporates a set of actions tailored to specific types of cyber attacks, allows security teams to go through all stages of an incident response quickly and effectively, by providing them with concrete steps that need to be taken based on the type and scope of an attack. Furthermore, based on the attack types, knowledge sharing articles could be associated with the incident for faster and more efficient resolving.

In addition to workflows, automation-and-orchestration incident response platforms can easily integrate with intelligence sharing platforms, allowing organizations to send and receive essential cyber security events information, improving their ability to prevent future attacks.

Cyber attacks on critical infrastructure are probably going to become even more common, so investing in an incident response platform with automation and orchestration capabilities would be of great help to organizations looking to enhance their cyber defenses moving forward. By doing that, they would also be contributing to efforts for preserving international peace and public safety.

Security Event Automation and Orchestration in the Age of Ransomware

We have recently experienced a devastating wave of ransomware attacks such as Wannacry or ‘WannCrypt’ which spread to more than 200 countries across the globe. While Russia was hit hard, Spain and the United Kingdom saw significant damage to their National Health Services. Hospitals were forced to unplug their computers to stop the malware from spreading even further. This is just one of the security threats posed by special malware that encrypts computer files, network file shares, and even databases thereby preventing user access (Green 18-19). It happens in spite of heavy investments in a wide array of security automation and orchestration solutions and staff required to triage, investigate and resolve threats.

The primary problem is that organizations seem to be losing the battle against cyber attackers (Radichel, 2). The security administrators are overburdened and compelled to manually perform time-consuming and repetitive tasks to identify, track, and resolve security concerns across various security platforms. Notwithstanding the time and effort, it is difficult to analyze and adequately prioritize the security events and alerts necessary to protect their networks. Still, the inadequate visibility into the present activities of the security teams, metrics and performance leave security managers struggling to justify additional resources. It has long been accepted that the organizational efficiency depends heavily on the ability of the security system to reduce false positives so that analysts can focus on the critical events along with indicators of compromise.

Security event automation and orchestration ensures that an organization detects a compromise in real time. A rapid incident response ensures a quick containment of the threat. Through the automation of common investigation enrichment and response actions, as well as the use of a centralized workflow for performing incident response, it is possible to minimize response times and thus make the organization more secure. Security events automation and orchestration expedites workflows across the threat life-cycle in various phases. However, for the security team to deploy security automation and orchestration of event-driven security, there must be access to data concerning events occurring in the environment that warrant a response. To effectively employ event-driven security, automation should be embedded into processes that could introduce new threats to the environment (Goutam, Kamal and Ingle, 431). The approach requires that there be a way to audit the environment securely and trigger event based on data patterns that indicate security threat or intrusion. Of particular importance, continuous fine tuning of processes is required to make certain the events automation and orchestration being deployed is not merely automating the process, but providing long-term value in the form of machine learning and automated application of incident response workflows that have previously resolved incidents successfully.

At a time of increased cybersecurity threats, a structured approach can expedite the entire response management process from event notification to remediation and closure through automated orchestration and workflow. An automatic gathering of key information, the building of decision cases and the execution of critical actions to prevent and/or remediate cyber threats based on logical incident response processes are enabled. With security orchestration and event automation, various benefits are realized such as cost effectiveness, mitigation of security incidents and improved speed and effectiveness of the response. Hence, security event automation and orchestration is the real deal in containing security threats before real damage takes place.

A Weekend in Incident Response #33: Security Awareness Training Can Help Protect Organizations Against Ransomware Attacks

With all the damage done by the WannaCry and the Petya (also known as GoldenEye) ransomware attacks over the course of the last two months in mind, it is safe to assume that organizations that are a potential target of cyber criminals should move to enhance resilience to these types of attacks. There are various actions that businesses and government institutions can take to escape unscathed from this global ransomware epidemics.

Aside from using sophisticated tools that are designed to detect and remove ransomware, employees themselves are an important piece of the puzzle when it comes to defending against targeted cyber-attacks. Raising employee awareness on cybersecurity can go a long way towards improving the ability of organizations to avoid damages caused by cyber incidents because the staff is often cited as one of the weakest links in cyber defenses.

Employees, the First Line of Defense Against Ransomware

One of the reasons why organizations need to raise cybersecurity awareness within their staff is that ransomware usually finds a way into IT systems through phishing emails opened by an employee. The main risk is a result of the fact that most employees are not very well-versed in distinguishing between legitimate emails and fake ones that aim to install malicious software onto their computers, which is done in one of two ways. One way is to include a call-to-action prompting recipients to download an attachment that contains a malware. Once that file is installed onto the computer, the malware basically disables the computer, preventing the user from accessing it, or from opening certain essential files.

The other way involves emails providing a URL that recipients are supposed to click, with the URL being created in such a manner that resembles a popular and well-known website. That way, recipients do not suspect that there is something wrong with the website they are prompted to visit by the email message, but once they click the malicious URL and go to that website, malware is instantly installed onto their computer.

After a piece of malware is installed on a computer, it has the ability to spread across other computers that it is connected to, thus infecting and blocking access to the entire network.

Tackle Social Engineering Through Education

Organizations can reduce the risk of getting hit by a ransomware attack by educating employees about the methods utilized in these scams, which involve a great deal of social engineering, taking advantage of certain psychological weaknesses. By making employees more aware of the most common ransomware schemes, as well as the fact that they have one of the key roles in the cyber defense of their organization, chances of preventing attacks can be greatly increased.

Cyber security professionals need to train all employees on how to detect ransomware scams, by pointing out to them that they need to pay extra attention to details when receiving emails from an unknown sender or containing suspicious content. The most important details that employees should pay attention to include the display name of emails, the salutation, and whether an email contains an attachment that they are not expecting.

Employee education is paramount when it comes to defending against ransomware attacks, and organizations need to invest more time and resources into this increasingly important aspect of cybersecurity.

What Should You Do if You Are Hit by the Petya Ransomware Attack?

While many institutions and businesses from various industries were still reeling from the WannaCry attack that took the world by storm back in May, cyber criminals launched another crippling ransomware attack earlier this week, catching a lot of cyber security professionals across 60 countries by surprise and bringing essential business operations to a halt.This latest high-profile attack, called Petya ransomware, bears many of the hallmarks of WannaCry, in that it is a typical ransomware scheme, paralyzing computers and spreading through internal networks after infecting one machine.

Another important similarity is that just like WannaCry, Petya exploited the same Microsoft Windows vulnerability – Eternal Blue, to spread within networks. On the other hand, there is one significant difference between the two attacks – Petya, unlike WannaCry, was not aimed at extorting money, but rather incurring serious damage to computer networks, with researchers saying that Petya was just disguised as ransomware, but its main goal was to spread throughout networks as fast as possible and cause the biggest infrastructural damages possible.

Containing the Damage

Petya ransomware was primarily designed to infect computers in order to prevent organizations from continuing their day-to-day operations, rather than gaining financial benefit, and the attack did affect business operations of many companies, inflicting severe financial and reputation damage upon them. Ransomware attacks are extremely difficult to prevent, and the best thing organizations can do to avoid serious long-term consequences in case they get hit by one, is to make sure they have the tools to respond to it and contain the damage as fast as possible.

That can be best done with the help of an incident response platform with automation and orchestration capabilities. These types of platforms can help security teams reduce their reaction time when responding to an incident, which is crucial when attacks such as Petya occur. With a set of playbook actions specific to ransomware attacks, an incident response platform will allow your team to detect and analyze the attack faster, and it will suggest a specific list of actions that can help contain the damage in the most effective way possible. When it comes to ransomware attacks, recommended containment actions include isolating compromised machines, blocking communication over ports, and disconnecting shared drives, among other things.

Post-Incident Reactions

Once you have taken the suggested containment actions, the platform will help you accelerate the recovery and remediation processes, and perform the appropriate post-incident procedure. The post-incident reactions are particularly important when dealing with ransomware attacks, as they play a major role in ensuring compliance with breach notification rules covering these types of cybersecurity incidents, such as the HIPAA Breach Notification Rule in the US.

To conclude, even though preventing ransomware attacks is a major challenge and there is not much that organizations can do in that regard, there are a lot of things they can do to reduce the impact of such incidents and avoid long-lasting consequences, which are usually associated with these types of cybersecurity events.