According to Verizon’s Data Breach Investigations report 2017, social engineering was a factor in 43% of breaches, with Phishing accounting for 93% of social attacks.
Our premise is that an incident appears to be a Spear Phishing attempt has been forwarded to the SOC. The SOC team must qualify the incident and determine what needs to be done to mitigate the attack.
We begin our investigation with an incident observable, a fully qualified domain name (FQDN).
We will correlate the FQDN with several external threat intelligence services to assess whether this is truly an ongoing Phishing attempt or a benign false positive. We have used VirusTotal and Cisco Umbrella in this example, but other threat intelligence and malware services could be used instead.
We have 3 different potential outcomes and associated decision paths:
The R3 Runbook
1. The FQDN is automatically extracted from the incident alert and then sent to Cisco Umbrella Investigate for a classification.
2. Depending on the outcome – whether Cisco Umbrella Investigate classifies the FQDN as benign or malicious – we can take one of two different paths.
3. The FQDN will be rechecked with VirusTotal to verify the result. We do this whether the first classification was malicious or benign. At this point we do not know whether one of the two services is returning a false positive or a false negative, so we do a double check.
4. IF both external 3rd party queries confirm that the FQDN is malicious, we have a high degree of certainty that this is a harmful Phishing attempt and can step through automatically to containment. In our example, we automatically block the domain on a web gateway.
5. Alternatively, if only one of the two queries returns a malicious classification, we need to hand the runbook off to a security analyst to conduct a manual investigation. At this point, we cannot determine in an automated manner where the misclassification resides. It could be that one of the services has stale data, or doesn’t include the FQDN in its database. With the ambiguous result, we lack the degree of confidence in the detection to trust executing fully automated containment.
6. If both VirusTotal and Cisco Umbrella Investigate return a non-malicious classification, no further action will be necessary at this point. We will notify the relevant users that the incident has been resolved as a false positive and can close the case for now.
This R3 Phishing Runbook demonstrates the flexibility and efficiency of automating incident response . Incident Qualification is automated as much as is feasible but keeps a human in the loop when cognitive skills are required. It only automates containment when the degree of confidence is sufficient. It eliminates false positives without requiring human intervention.
DFLabs previews new cyber incident response playbook for Asian regulatory environment
Boston – November 7, 2016 – DFLabs, the global leader in cyber incident response automation and orchestration, announced today its Vice President of Engineering, Andrea Fumagalli, will present on “Standardizing Data Breach Response: State of the Art” at Data Privacy Asia 2016, to be held November 9-11 in Singapore at the One Farrer Hotel & Spa. DFLabs will also preview a new playbook dedicated to breach notification, response and compliance activities specific to the Asian regulatory environment.
One of the largest data sets on the market, the IncMan RP playbook is a unique new module of the company’s cyber incident response automation and orchestration platform, IncMan. The playbook is based on U.S. and EU regulations and industry standards and gives customers immediate access to a large number of pre-built incident and data breach response actions to follow. Providing the most playbooks available today to handle the entire breach response process – from technical to operational and legal – it is divided into state/federal, industry sector and type of incident/breach segments and works with both human and machine based processes.
“Active data breach and privacy regulations are making incident response platforms mandatory and our commercial and government customers in Singapore and Asia are working very hard to establish the right framework for cyber incident and breach response. As the first mover in fast growing categories of Security Operations, Analytics and Reporting (SOAR) and Security Incident Response Platforms (SIRP), we are happy and proud to participate in this important event, educate on global standards and best practices, and serve customers with our unique new playbooks,” said Dario Forte, Founder and CEO of DFLabs.
In his Data Privacy Asia 2016 session on Wednesday, November 9th from 4:00pm- 4:30pm, Fumagalli will cover the recent progress made by ISO (International Organization for Standardization) in the field of Incident and Data Breach Response. In the past 36 months 5 standards have been published, with the purpose of providing practitioners and evaluator a series of tools – based upon consensus – able to support Cyber Security Operations and Breach Response. As one of the most recognized experts in ISO standards, he will give an overview on the entire spectrum, along with some insights on how to implement them within any size of the organization, including an overview of the available technologies to automate and orchestrate incident management and response.
“These developments further our vision of Supervised Active Intelligence® to combine automation, orchestration, and response in one powerful platform, giving cyber operations and incident response teams the ability to react faster globally while maintaining the critical element of human control,” added Forte.
DFLabs is a recognized global leader in cyber incident response automation and orchestration. The company is led by a management team recognized for its experience in and contributions to the information security field including co-edited many industry standards such as ISO 27043 and ISO 30121. IncMan – Cyber Incidents Under Control – is the flagship product, adopted by Fortune 500 and Global 2000 organizations worldwide. DFLabs has operations in Europe, North America, Middle East, and Asia with US headquarters in Boston, MA and World headquarters in Milano, Italy. For more information visit: DFLabs or connect with us on Twitter @DFLabs.
Leslie Kesselring, Kesselring Communications