A Weekend in Incident Response #26: Tackling Advanced Persistent Threats Through Email Parsing Rules and Information Sharing

Posted byDario Forte - 21st Apr 2017
A Weekend in Incident Response #26: Tackling Advanced Persistent Threats Through Email Parsing Rules and Information Sharing

Advanced persistent threats (APTs) have become a particularly common type of cyber attack used by cyber criminals and state-sponsored actors looking to gain continuous access to government and private organizations’ networks. These attacks are extremely difficult to defend against, due to their sophistication and precise targeting which helps successfully circumvent cyber defenses and maintain access to an organization’s network undetected for prolonged periods of time.

The severity of the damages incurred by advanced persistent attacks and the costs associated with them, will continue to rise exponentially. Organizations would be wise to invest more financial and human resources into detecting, preventing, and eradicating those attacks.

Incoming Email Automation

A fast reaction time and the ability to diagnose a cyber threat correctly as quickly as possible is key to resolving cyber incidents and containing the potential damage that can arise from them. To that end, organizations need to automate their cyber incident response processes, in order to accelerate the reaction of their cyber-security professionals and enable them to identify every threat and resolve every incident in a timely manner. An automation-and-orchestration cyber incident response platform is arguably the ideal solution for organizations that are potential targets of advanced persistent threats.

These platforms have a wide spectrum of features that are aimed at tackling advanced persistent threats, with incoming email automation being among the most effective ones. Email parsing rules within cyber incident response platforms allow your cyber-security team to detect intrusions and block potentially hazardous emails. After such rules have been created, the platform can analyse incoming emails and scan specific parameters, including the subject, the body, and the sender address, to filter out the ones with malicious content, helping to prevent advanced persistent threats attempting to access your network through phishing email messages.

Information Sharing Capabilities Also Key

Another essential feature of some cyber incident response platforms is the ability to share incident information with law enforcement and with cyber threat intelligence platforms, improving an organization’s capability to successfully defend against advanced persistent threats. For instance, if a platform supports threat intelligence exchange platforms such as STIX, you will be able to share and receive key information related to current and past cyber security events, allowing you to adjust your cyber defense program based on changing methods, tactics and channels used by advanced persistent threat attackers.

In a word, staving off advanced persistent threats requires a comprehensive approach by cyber security professionals. It should be centered around the use of a cyber incident response platform capable of threat intelligence sharing and incoming email automation, as some of the most effective tools for battling these types of sophisticated cyber attacks.