Get Started with a One-to-One Personalized Demo
Dramatically reduce the mean time to detection, response and remediation of all potential security incidents, ensuring no alert goes untouched.
See IncMan SOAR in Action.
This particular use case pertains to privacy breaches. Within the last year we have experienced a couple of the greatest PII breaches in history. Facebook’s Cambridge Analytica, Equifax and NASA have all recently been victims of a breach costing each organization and its victims millions of dollars. Aside from the financial loss, the victims have had their personal information and privacy exposed to the world for monetary reasons. Such information includes social security numbers, home addresses, emails, credit card statements, login information, and access to bank accounts.
This type of information is referred to as Personally Identifiable Information (PII). Additionally, when a hospital or healthcare system has been breached, the medical information blended with it is termed Protected Health Information (PHI). Both PII and PHI are often sold on the black market and can be very lucrative, which is one of the many reasons why PII breaches are so prevalent among cybersecurity attacks.
To illustrate this type of attack, we will use a mock PII Breach scenario to help our readers gain a better understanding. This scenario will be used throughout the remainder of this use case to pinpoint several significant elements that are common denominators among the majority of companies and organizations that have been breached in the past. Additionally, we will highlight IncMan SOAR’s PII Breach Incident Playbooks and Runbooks, which generate automatic actions based on defined criteria and step-by-step procedures to explicitly follow.
In March of 2018 an attack scenario very similar to what we just described actually occurred in Atlanta, Georgia. A couple of hackers were able to gain entry into Atlanta's government IT infrastructure through brute-force password attacks on publicly exposed Remote Desktop Protocol (RDP) ports. This resulted in dismantling Atlanta's court system, police department, and transportation system, just to name a few. Georgia is still in a state of recovery, and at the moment the current cost is a little under ten million dollars. In theory, once the hackers had gained access to Atlanta's primary government IT system they could have done anything they wanted to. However, they chose to deploy a ransomware attack. This is just one example out of the many used every day to infiltrate organizations’ technology, regardless of the industry.
The threat actors were able to infiltrate the network by exploiting vulnerabilities found in RDP on TCP port 3389. RDP was developed many years ago by Microsoft to provide users with a Graphical User Interface (GUI) for conducting business from remote locations. By default, all Windows operating systems have RDP disabled, for security purposes and because of the sheer number of vulnerabilities associated with the protocol.
Unfortunately, novice systems administrators often forget to close the port once they no longer need it, leaving it exposed to the public. An individual who has successfully gained access to a remote computer via RDP can conduct any type of business they wish. This may include malicious acts such as doxxing, creating back-doors, or dropping rootkits and various forms of malware such as the ransomware strain SamSam. However, speaking from personal experience, using this protocol has proven to be very beneficial and extremely convenient when required to do any type of network troubleshooting or engineering on systems located thousands of miles away.
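The brute-force RDP entry described above leaves a recognisable trail in the Windows Security log: a burst of failed logons (Event ID 4625) with logon type 10 (RemoteInteractive) from one source address, sometimes followed by a successful logon (Event ID 4624) from the same address. The following is an added detection example, not code from the article or from IncMan SOAR; the event records are constructed inline in the shape of those log fields, and the threshold and window values are assumptions a SOC would tune to its own environment.

```python
"""Flag RDP brute-force bursts, and escalate when a success follows the burst.

Added example (not the article's or DFLabs' code). Event IDs and logon type
follow the Windows Security log: 4625 = failed logon, 4624 = successful logon,
logon type 10 = RemoteInteractive (RDP). Sample events are constructed.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
SUCCESSFUL_LOGON = 4624
RDP_LOGON_TYPE = 10

# Constructed sample events (not real log data).
SAMPLE_EVENTS = [
    {"time": "2018-03-22T02:00:01", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "account": "administrator"},
    {"time": "2018-03-22T02:00:03", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "account": "administrator"},
    {"time": "2018-03-22T02:00:05", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "account": "admin"},
    {"time": "2018-03-22T02:00:08", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "account": "admin"},
    {"time": "2018-03-22T02:00:10", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "account": "jsmith"},
    {"time": "2018-03-22T02:00:12", "event_id": 4625, "logon_type": 10, "src_ip": "198.51.100.7", "account": "jsmith"},
    {"time": "2018-03-22T02:00:20", "event_id": 4624, "logon_type": 10, "src_ip": "198.51.100.7", "account": "jsmith"},
    # Two mistyped passwords from a legitimate user: below threshold, no alert.
    {"time": "2018-03-22T08:15:00", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.9", "account": "mlee"},
    {"time": "2018-03-22T08:15:30", "event_id": 4625, "logon_type": 10, "src_ip": "203.0.113.9", "account": "mlee"},
    {"time": "2018-03-22T08:16:00", "event_id": 4624, "logon_type": 10, "src_ip": "203.0.113.9", "account": "mlee"},
    # Console logon (type 2) is ignored by this RDP-focused rule.
    {"time": "2018-03-22T09:00:00", "event_id": 4625, "logon_type": 2, "src_ip": "10.0.0.5", "account": "jsmith"},
]


def detect_rdp_bruteforce(events, threshold=5, window_minutes=5):
    """Return {src_ip: alert} for sources exceeding `threshold` failed RDP
    logons inside a sliding window of `window_minutes`. An alert is raised to
    'critical' if the same source later logs on successfully over RDP."""
    window = timedelta(minutes=window_minutes)
    recent_failures = defaultdict(deque)   # src_ip -> timestamps in window
    accounts_tried = defaultdict(set)       # src_ip -> accounts attempted
    alerts = {}

    for ev in sorted(events, key=lambda e: e["time"]):
        if ev["logon_type"] != RDP_LOGON_TYPE:
            continue
        ts = datetime.fromisoformat(ev["time"])
        ip = ev["src_ip"]

        if ev["event_id"] == FAILED_LOGON:
            q = recent_failures[ip]
            q.append(ts)
            accounts_tried[ip].add(ev["account"])
            while q and ts - q[0] > window:      # drop failures outside window
                q.popleft()
            if len(q) >= threshold:
                alert = alerts.setdefault(ip, {
                    "severity": "high",
                    "peak_failures_in_window": 0,
                    "accounts": set(),
                    "success_after_burst": None,
                })
                alert["peak_failures_in_window"] = max(alert["peak_failures_in_window"], len(q))
                alert["accounts"] = set(accounts_tried[ip])

        elif ev["event_id"] == SUCCESSFUL_LOGON and ip in alerts:
            # A success after a burst suggests a guessed password: escalate.
            alerts[ip]["severity"] = "critical"
            alerts[ip]["success_after_burst"] = ev["account"]

    return alerts


if __name__ == "__main__":
    for ip, alert in detect_rdp_bruteforce(SAMPLE_EVENTS).items():
        print(ip, alert)
```

Feeding real 4625/4624 events from the SIEM into detect_rdp_bruteforce gives the SOC the source address, the accounts sprayed, and whether a password was eventually guessed, which is exactly the triage context a runbook needs before it isolates the host.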
Let's pretend the scenario was a little different and they had decided to drop a few rootkits, open a few backdoor ports, install some keyloggers and spyware, birth an Advanced Persistent Threat (APT), and finally delete all logs and evidence of any wrongdoings or Indicators of Compromise (IOC). For the sake of this hypothetical attack scenario, we're going to use the same Tactics, Techniques and Procedures (TTPs) that were used by the threat actors who conducted the brute-force RDP exploit.
This all too real hypothetical scenario is one of the many ways in which a few of the greatest cybersecurity attacks in history concerning PII and PHI breaches have literally destroyed the lives of many people. We will break down and explain the different phases of the attack, the numerous tools used within those phases, and why Advanced Persistent Threats (APTs) of this nature go unnoticed for so long.
There are a significant number of other methods that can be used to gain access into a computer system in order to own the infrastructure. This spans way beyond the scope of this use case, but just to name a few for informational purposes, these might include:
Unpatched Assets with Multiple Vulnerabilities for Exploitation
Insider Threats (Intentional & Non-Intentional)
Social Engineering Tactics & Phishing Campaigns
Poorly Written Programs/Applications Containing Vulnerabilities
Malware Embedded Pop-Ups & Adware
In what follows, we will present a few basic security measures that, if implemented, would prevent 99% of the large-scale breaches and cybersecurity attacks that we witness every day. Additionally, we will illustrate how specially crafted Playbooks and Runbooks are developed to address these types of attacks in DFLabs’ IncMan SOAR solution. Moreover, we will indicate how IncMan SOAR supports defensive and offensive security measures in an autonomous manner, eliminating the need for continuous human intervention and oversight, which in turn eliminates a lot of repetitive tasks and frees your security teams and resources to focus on other important tasks.
Confirm that an actual PII Breach has occurred and if so determine the scope, severity and amount of information disclosed.
Document and log all events and actions for the Post-Incident After Action Report (AAR).
Verify the TTPs used by the threat actor to identify the vulnerabilities in the network.
Illustrate how IncMan SOAR’s Playbooks and Runbooks play a vital role in minimizing the impact of the breach.
Contain and isolate all recognized infected systems assets.
Eradicate and remediate all malicious content from compromised assets.
Prepare public/employee statements and work with the legal and public relations departments for further actions.
Conduct post-incident processes such as modifications of the company’s PII Breach policies, debriefings, and lessons learned.
The tools listed below, which will be used in this hypothetical scenario, are for training purposes only. There is no partiality among these tools aside from the fact that IncMan SOAR's integration capabilities are directly partnered with these products and services. Moreover, the tools chosen for this scenario remain very popular within the cybersecurity industry.
These are the specific security tools that are used by the breached organization within their Information Security Department and Security Operations Center. IncMan SOAR guarantees that these devices are fully integrated and are being employed to their greatest potential to provide optimal security measures.
The Runbook defines what specific tools, actions, logical decisions, and automation capabilities will occur during an incident. Below you'll find the entire PII Breach Runbook from start to finish with all of the included stages needed to remediate a compromise. We will be going into depth on each of the stages and various tools used in that stage.
Communication and Notification of an incident are incredibly important. We will be using ServiceNow to create an initial ticket that permits those with access to it to provide continuous updates on the current incident. Additionally, an email will be drafted and sent to various stakeholders, key individuals, and distribution groups such as incident response teams. Microsoft Outlook will be the application used for email creation and distribution.
During the Enrichment portion, we will be validating the compromise, ensuring that it is not a false positive. Reputation checks of potentially malicious IPs, URLs, and Domain Names will be conducted by IBM X-Force and Cisco Threat Grid. This will provide us with intelligence about any command and control servers that might be used to stage the data exfiltrated from the company's network. It will also be essential to initiate a scan of the network assets to determine any abnormalities on the host or other system assets, such as suspicious open ports, unauthorized executables and applications, and rogue user or administrative accounts.
If there is a particular asset in question that shows indications of already being compromised, a special scan of system processes will be conducted through the use of Carbon Black Defense. Moreover, Splunk, the company's primary Security Information and Event Management (SIEM) tool, will generate a report covering the last six months to identify any abnormalities and behaviors, especially those associated with data exfiltration.
Once all of the scanning has been completed, the reports are available for review and the information will be provided to the appropriate personnel. Analysis of the reports will support the decision on whether or not to follow through with the incident response lifecycle. If it turns out to be a false positive, no further action is warranted.
If it is not a false positive and it is an actual breach, then we will continue with the rest of the incident response process. In this case all of the indicators of compromise have validated that it is in fact a breach and the rest of the incident response portion will continue.
If the reports generated by the scans and the other intelligence gathered during the enrichment phase validate that the incident is in fact a true compromise, the containment portion is enacted. A host of tools and actions will follow to support a successful triage process. If a company has pre-developed policies and procedures, this aspect should run rather smoothly. Additionally, relying on the Playbooks and the documentation associated with each step will be incredibly valuable in eliminating any second-guessing on which procedures to follow. Now that the incident response team has identified the infected host, it is mandatory to quarantine it from the rest of the network assets. Once segregation has occurred, all running processes on the host will be terminated and a snapshot of the current state of the asset must be obtained. Generating a snapshot of the infected host for forensics purposes is essential to understanding the TTPs utilized by the threat actors.
After the asset image has been obtained, forensic analysis will determine whether it is necessary to reimage the entire asset. While this process is taking place, the company's security operations center will also blacklist all malicious Domain Names and IP addresses via McAfee’s Web Gateway. Additionally, all users of the network that have Active Directory and email accounts will be required to perform a password reset.
Because of the nature of this attack type, threat actors will often create administrative accounts to elevate their privileges and gain access to restricted material. This is why it will be necessary to temporarily disable administrative accounts and perform an audit of all users with administrative rights. After the forensic images have been captured, the hosts have been reimaged, and all malicious content and artifacts have been removed, it is time to transition into the final phase, Recovery.
At this point the containment phase has been completed and all compromised assets have been remediated. Any host needing reimaging has been reimaged and all required password resets have been done. As part of the triage process, the scanning of network assets will begin again to validate that the infected hosts are in fact fully remediated. Once the scanning reports validate full remediation, the assets can be reintroduced into the network. This also includes reopening the ports necessary for business and reinitializing services. Additionally, the original incident ticket created in ServiceNow will be updated and remain open to allow for post-incident information to be added.
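The enrichment and containment stages just described reduce to a decision: compare what the feeds and scans returned against what is known good, close the ticket if nothing is malicious, and otherwise emit the ordered containment actions while recording every step for the after action report. The block below is an added example of that runbook logic and is not IncMan SOAR code; the reputation verdicts, host baseline and scan results are constructed stand-ins for what IBM X-Force, Cisco Threat Grid, Carbon Black Defense and Splunk would supply, and the hostnames, accounts and executable names are invented.

```python
"""Runbook-style decision logic for the enrichment and containment stages.

Added example, not the article's or DFLabs' code. Feed verdicts and scan
results are constructed inline rather than fetched from the real tools.
"""

# Constructed reputation verdicts (stand-in for X-Force / Threat Grid lookups).
REPUTATION = {
    "198.51.100.7": "malicious",        # RDP source from the detection stage
    "update-cdn.invalid": "malicious",  # suspected command and control host
    "203.0.113.40": "unknown",
}

# Known-good baseline for a workstation class (constructed).
HOST_BASELINE = {
    "allowed_ports": {135, 445, 3389},
    "approved_executables": {"explorer.exe", "svchost.exe", "outlook.exe"},
    "approved_admins": {"it-admin", "backup-svc"},
}

# Constructed host scan results (stand-in for Carbon Black Defense output).
HOST_SCAN = {
    "hostname": "FIN-WS-042",
    "open_ports": {135, 445, 3389, 4444},
    "executables": {"explorer.exe", "svchost.exe", "outlook.exe", "winlog.exe"},
    "admins": {"it-admin", "backup-svc", "support2"},
}
CLEAN_SCAN = {
    "hostname": "HR-WS-007",
    "open_ports": {135, 445},
    "executables": {"explorer.exe"},
    "admins": {"it-admin"},
}


def evaluate_host_scan(scan, baseline):
    """Diff a scan against the baseline: ports, executables and admin accounts
    that are present but not approved become findings."""
    findings = []
    for port in sorted(scan["open_ports"] - baseline["allowed_ports"]):
        findings.append(f"suspicious open port {port}")
    for exe in sorted(scan["executables"] - baseline["approved_executables"]):
        findings.append(f"unauthorized executable {exe}")
    for acct in sorted(scan["admins"] - baseline["approved_admins"]):
        findings.append(f"rogue administrative account {acct}")
    return findings


def malicious_observables(observables, reputation):
    return sorted(o for o in observables if reputation.get(o) == "malicious")


def run_runbook(observables, scan, baseline=HOST_BASELINE, reputation=REPUTATION):
    """Decide false positive vs. confirmed compromise and return the ordered
    containment actions plus an audit log for the after action report."""
    log = []

    def record(stage, message):
        log.append(f"[{len(log) + 1:02d}] {stage}: {message}")

    bad = malicious_observables(observables, reputation)
    findings = evaluate_host_scan(scan, baseline)
    record("enrichment", f"{len(bad)} malicious observable(s), {len(findings)} host finding(s)")

    if not bad and not findings:
        record("decision", "false positive; no further action")
        actions = ["update ServiceNow ticket and close"]
        record("closure", actions[0])
        return {"verdict": "false_positive", "findings": [], "actions": actions, "log": log}

    record("decision", "confirmed compromise; entering containment")
    host = scan["hostname"]
    actions = [
        f"isolate {host} from the network",
        f"terminate running processes on {host}",
        f"capture forensic snapshot of {host}",
    ]
    actions += [f"block {o} at the web gateway" for o in bad]
    actions.append("force password reset for all AD and email accounts")
    rogue = [f.split()[-1] for f in findings if f.startswith("rogue")]
    actions += [f"disable administrative account {a} pending audit" for a in rogue]
    actions.append("update ServiceNow ticket with containment status")
    for action in actions:
        record("containment", action)
    return {"verdict": "confirmed", "findings": findings, "actions": actions, "log": log}


if __name__ == "__main__":
    result = run_runbook(["198.51.100.7", "update-cdn.invalid", "203.0.113.40"], HOST_SCAN)
    print("\n".join(result["log"]))
```

The baseline diff is the part worth keeping: an allowlist of ports, executables and administrative accounts turns "scan for abnormalities" into a deterministic check, and the numbered log gives the after action report an ordered record of why each containment action fired.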
A properly developed Playbook is considered one of the most important aspects to successful remediation. In linear fashion, it explicitly details each step in a systematic manner for each phase of the incident response lifecycle. Below you will find the Playbook developed specifically for a PII Breach. Some of the steps within the categories are universal and can be applied to many Playbooks. There are also multiple steps specific to this compromise. We will not be going into depth on every single step for each stage of the incident response Playbook but will summarize and highlight the key points that should be taken into consideration.
It is during the preparation phase of the incident response process that each and every aspect of the steps necessary to achieve a successful end-to-end recovery is identified. Preparation is the first stage of the program and by far the single most important aspect of the incident response lifecycle. It is during this stage that policies, documentation, and procedures are drafted, reviewed and practiced.
Specifically concerning the current PII Breach, it will be essential to thoroughly review the company's specific policy on PII Breaches. It will also be an essential time to involve all necessary stakeholders, executive staff, incident response teams, and any other individuals relevant to the situation. The primary means of communication will be email chains and ticketing systems such as the one used in this scenario, ServiceNow.
Moving from the preparation to detection phase there will be multiple actions that will occur.
This is where enrichment actions pertaining to the portions of the Runbook can be validated and cross referenced with other types of threat intelligence reputation feeds. Being able to successfully validate IP addresses, Domain Names, Geolocations, and infected assets provides the needed information to guarantee that the artifacts and indicators of compromise are in fact malicious.
During the analysis phase we can take all of the information that has been gathered from the logs, along with all of the intelligence data obtained on the artifacts for incident review.
This is a very important aspect of the incident response lifecycle because if the information provided turns out to be a false positive the entire compromise will be finalized and no further actions will be taken. If it turns out to be an actual incident then processes associated with prioritization and criticality will take hold and various types of matrices shall be created.
After the analysis phase is complete, the containment of the compromise is to follow.
During this stage a multitude of actions will take place, such as isolating the compromised host and requiring users to reset their passwords. The purpose is to ensure that the threat actor who has invaded the system will no longer have valid user credentials to traverse it. Additionally, it will be necessary to block the IPs and Domain Names associated with the incident.
The eradication portion will conduct certain actions to facilitate eliminating all malicious artifacts associated with the compromise. This will include reimaging the compromised asset if necessary and performing forensic operations on any other network assets that may have been subject to the attack. It will also be necessary to run another network scan to validate that the remediated assets are in fact clear of any residual malicious content.
The actions of the recovery phase are very similar to those of the eradication phase in the sense that certain remediation actions go hand-in-hand. For instance, once the compromised assets have been reimaged they will have their network and port configurations reset and be introduced back into the environment. Moreover, an important aspect of the recovery phase is that the status reports of all the phases will be accumulated and prepared for the next phase, which is the lessons learned phase.
The lessons learned phase could be considered one of the most important aspects of the incident response lifecycle. It is here that all of the documentation and information is stored, reviewed, and used for lessons to be learned.
Oftentimes the outcome of the lessons learned phase will result in certain company policies being modified or network systems that may need to be reconfigured, to prevent the possibility of a future compromise such as the one experienced.
This concludes our hypothetical PII Breach attack scenario. Every day, companies both large and small are being breached through very simple attack methods. This is why it is incredibly important to have the right security tools in place, with the functionality of full orchestration and automation. These tools help prevent and combat not only PII Breaches but any type of cybersecurity attack. Through the incorporation of IncMan SOAR’s Playbooks and Runbooks, being able to fully automate and orchestrate the security tools that an organization’s security program uses will drastically reduce the success of a particular attack type such as the one illustrated above.
Heather Hixon / 25 Apr 2019