Within any organization’s security operations center (SOC), whatever the role (security analyst, engineer or manager), the high-level goal of the security program is the same: make sure the potential risks behind the alerts being generated are handled as efficiently and effectively as possible, keeping the threat and any resulting incident under control so that the impact on the day-to-day operations of the business is minimal.
As more and more security alerts are triggered, potentially more severe ones as attackers become more sophisticated, mean time to detection (MTTD) and mean time to resolution (MTTR) become vital measures. This is when it becomes critical to make sure your security operations center and incident response teams fully use the tools and resources available to them to detect, orchestrate, automate and measure their security operations and incident response processes and tasks.
With security incidents becoming more costly, organizations must find new ways to further reduce the mean time to detection and the mean time to resolution. At the same time, they are under pressure from being closely monitored against a number of security program KPIs that measure (and are expected to improve) performance, which will inevitably be reported to stakeholders at varying levels, including security management, C-level executives and even the board. While some members of the SOC team, such as the analysts, will be focused solely on the incidents at hand, KPIs and questions about service level agreements (SLAs), mean time to resolution (MTTR) and the overall return on investment (ROI) of security tools and technologies are bound to be at the forefront of the agenda of the SOC manager, and particularly of the CISO.
In this blog we will briefly discuss how a SOC can improve its security operations program SLAs, MTTR and ROI by investing in a Security Orchestration, Automation and Response tool such as the IncMan SOAR platform from DFLabs, and we will run through a basic scenario of what happens when a security alert is detected and triggered using IncMan SOAR.
Many large organizations already use a number of third-party solutions, including security information and event management (SIEM) and endpoint detection and response (EDR) tools, but the question is: is all of the information generated by these tools being used and fused together into meaningful aggregated, correlated and analyzed security intelligence? The answer is most probably no. More likely, the SOC team is overwhelmed by the volume of alerts and information it receives, and so cannot easily tell a high-level threat from a low-level one, or know which process to start with when putting a playbook or runbook into action to contain the specific alert it is dealing with.
How IncMan Tackles an Alert with Security Orchestration and Automation
An incident was automatically triggered in IncMan SOAR when the organization’s vulnerability management systems found that one of the critical servers reported non-compliance due to missing patches. The security analyst on duty assessed that the problem needed an immediate remediation. An incident management record was created to assign the correction of the problem to the system administrator in charge of the server. Automated actions triggered email notifications to the system administrator and to the security architecture and governance team, who manage the organization’s compliance.
Earlier in the year, the CISO had mandated that changes within the large organization be monitored end to end through the system development lifecycle (SDLC). This was intended to ensure that there were no security gaps in the infrastructure, since a non-compliant server creates a gap that an attacker can easily exploit.
This is just one example of an alert that an organization could receive, and in this case it is quite a simple one. Imagine hundreds of more complex alerts coming in per day, related to suspected phishing attempts, malware injections, ransomware attacks and data breaches, to name a few. Analysts often get overwhelmed by the number of alerts they receive, yet need to respond quickly to all of them while prioritizing them at the same time. The key is to transform the resource-intensive manual tasks into an effective and efficient automated and orchestrated process, in which automated and manual actions can run side by side as needed. Automating the process with a tool such as the IncMan SOAR platform cuts down the time spent gathering data by hand and the number of people needed to complete the several stages of the process.
IncMan SOAR provided this customer with a real-time alert that was responded to and remediated almost immediately. Automated processes were followed, reducing the amount of manual human interaction required for data collection, enrichment, containment and remediation, all in a more efficient, standardized and timely manner. IncMan SOAR enriched the information through integrations with tools the security team was already using, which added intelligence to the investigation of the original alert and helped validate its severity.
With a vast amount of information being generated, presenting it in an easy-to-use and easy-to-understand format facilitated communication among different IT team members and departments, allowing them to share the visualized information via dashboards and detailed reports that standardize the information-sharing process.
Utilizing Playbooks and Runbooks
So how does a SOAR solution like IncMan know which actions to automate when a security alert is triggered? A security operations center can get the most out of its incident response process by using a range of predefined automation and orchestration processes, in the form of playbooks and runbooks, that expedite activities based on the type of security alert. You could have specific ones for ransomware or a phishing attack, for example, that have been written, trialed and tested repeatedly to ensure the correct actions are taken.
IncMan SOAR’s powerful engine provides an assortment of automated actions that, within seconds of being triggered, gather information from diverse data sources and enrich, contain, remediate and notify stakeholders faster than a human being can react. The process is flexible and can run fully automated or in hybrid mode, with human interaction to approve certain actions, for example blocking an IP address or quarantining a compromised asset.
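To make the hybrid mode concrete, here is an added example of a small playbook runner. It is not IncMan’s engine or any vendor code; the `Incident`, `Action`, `run_playbook` and `approve` names are assumptions for this illustration, and the alert, the reputation table and the stakeholder list are constructed. Enrichment and notification run the moment the alert arrives, while the containment step (a firewall block) is queued for a human unless the playbook is run fully automated; every step is timestamped so the incident record can feed MTTR reporting.

```python
"""Hybrid-mode playbook runner (added example, not a vendor API).

Enrichment and notification run automatically; containment waits for a human
unless fully_automated=True. Timestamps are epoch seconds.
"""
from dataclasses import dataclass, field
from typing import Callable, List

# Constructed reputation table standing in for a threat-intel integration.
FAKE_REPUTATION = {"203.0.113.42": "malicious", "198.51.100.7": "clean"}


@dataclass
class Incident:
    alert: dict
    severity: str = "unknown"
    timeline: List[tuple] = field(default_factory=list)   # (epoch, message)
    pending: List["Action"] = field(default_factory=list)  # steps awaiting approval
    notified: List[str] = field(default_factory=list)

    def log(self, now: float, msg: str) -> None:
        self.timeline.append((now, msg))


@dataclass
class Action:
    name: str
    run: Callable[[Incident], str]
    needs_approval: bool = False   # True = containment step gated on a human


def enrich_ip(inc: Incident) -> str:
    """Look up the source IP and derive severity from the verdict."""
    verdict = FAKE_REPUTATION.get(inc.alert["src_ip"], "unknown")
    inc.alert["reputation"] = verdict
    inc.severity = "high" if verdict == "malicious" else "low"
    return f"reputation={verdict}"


def notify_stakeholders(inc: Incident) -> str:
    inc.notified += ["soc-oncall", "sysadmin"]   # constructed recipients
    return "notified " + ", ".join(inc.notified)


def block_ip(inc: Incident) -> str:
    # A real runner would call the firewall integration here.
    return f"firewall block {inc.alert['src_ip']}"


PLAYBOOK = [
    Action("enrich_ip", enrich_ip),
    Action("notify_stakeholders", notify_stakeholders),
    Action("block_ip", block_ip, needs_approval=True),
]


def run_playbook(alert: dict, playbook: List[Action], now: float,
                 fully_automated: bool = False) -> Incident:
    """Open an incident record and run the playbook against the alert."""
    inc = Incident(alert=dict(alert))
    inc.log(now, "incident opened")
    for action in playbook:
        if action.needs_approval and not fully_automated:
            inc.pending.append(action)
            inc.log(now, f"{action.name}: awaiting approval")
            continue
        inc.log(now, f"{action.name}: {action.run(inc)}")
    return inc


def approve(inc: Incident, action_name: str, approver: str, now: float) -> bool:
    """A human approves a queued step; returns False if nothing matching is queued."""
    for action in inc.pending:
        if action.name == action_name:
            inc.pending.remove(action)
            inc.log(now, f"{action.name}: approved by {approver}; {action.run(inc)}")
            return True
    return False


def seconds_to_close(inc: Incident) -> float:
    """Time from incident open to the last recorded step (feeds MTTR metrics)."""
    return inc.timeline[-1][0] - inc.timeline[0][0]


if __name__ == "__main__":
    inc = run_playbook({"id": "A-1", "src_ip": "203.0.113.42"}, PLAYBOOK, 1000.0)
    approve(inc, "block_ip", "analyst1", 1720.0)
    for ts, msg in inc.timeline:
        print(ts, msg)
```

The approval gate is the whole point of hybrid mode: the analyst still decides whether to block, but by the time the decision is asked of them the enrichment that informs it has already run.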
In summary, the example above would have been a mundane, manual process without orchestration and automation, one that depended on people collecting information from different data sources, carrying out a number of activities by hand and writing a report manually.
The correlation engine in IncMan SOAR cuts down this time by collecting threat information through the integrated third-party data sources. With the help of playbooks and automated runbooks, meaningful threat intelligence can be gathered, enriched and correlated to produce a visualization of the incidents that can be presented in an automated standard report. The information is available quickly and easily shared with all teams as necessary, without having to wait on project teams for additional details about the incident.
IncMan SOAR improves the SLAs for security availability and MTTR by computing key details from multiple data sources and delivering them promptly in a visual or readable detailed report format to the stakeholders, leadership team or anyone else who needs them. The data can then be retained, helping to identify historical trends, patterns and types of attack, among other things, which in turn informs the automated actions taken on future alerts and builds a better security defense.
Overall, the benefits of a Security Orchestration, Automation and Response platform outweigh the negatives. Such a solution increases the efficiency of your security operations center, enabling it to become more effective and to focus on incident response management and proactive threat hunting while minimizing cybersecurity vulnerabilities, instead of carrying out a multitude of mundane, repetitive and time-consuming basic tasks.
Automation and orchestration reduce the MTTR and aid the organization’s management team with standard visualizations and focused, detailed written reports, which help the organization meet compliance obligations such as breach notification requirements while pursuing its mission of operating a secure infrastructure efficiently, improving cybersecurity governance SLAs and ROI, and ultimately getting the most from company resources by doing more with less.
Last week, Anton Chuvakin from Gartner announced that he and Augusto Barros are planning to conduct research in Q4 2017 on the topic of Security Orchestration, Automation and Response (SOAR), or Security Automation and Orchestration (SAO), depending on which analyst firm’s market designation you follow. At DFLabs we are very excited that Gartner is finally showing our market space some love and will be helping end users to better assess and differentiate SAO offerings.
Anton provided many questions that he wanted SAO vendors to prepare for. The questions immediately piqued our interest, with one question in particular standing out to us:
1. When is SOAR a MUST have technology? What has to be true about the organization to truly require SOAR? Why did your best customer acquire the tools?
Anton also said that he had one main problem with Security Automation and Orchestration. In his own words, “For now, my main problem with SOAR (however you call those security orchestration and automation tools…if you say SOAPA or SAO we won’t hate you much) is that I have never (NEVER!) met anybody who thought “my SOAR is a MUST HAVE.””
The question is not entirely unwarranted. During my own time at Gartner covering the SOAR space, I spoke to many clients who were seeking an SAO solution without knowing that they were. Typical comments were, “I have too many alerts and false positives to be able to deal with them all”, or “We are struggling to hire enough skilled people to be able to respond to all of the incidents that we have to manage”. Another common comment was, “I am struggling to report operational performance to my executives”. Often, these comments were followed by the question, “Do you know of any technology that can help?”.
Typically, these organizations had a mature security monitoring program, usually built around a SIEM. They often had critical drivers, such as regulatory requirements, or held sensitive customer data. We hear the same buying drivers from our own customer base.
To sum up the most common drivers for someone asking about Security Automation and Orchestration:
- A high volume of alerts and incidents and the challenge in managing them
- A large portfolio of diverse third-party security detection products, resulting in a large volume of alerts
- Regulatory mandates for incident response and breach notification
- An overstretched security operations team
- Reporting risk and the operational performance of the CSIRT and SOC to an executive audience
One interesting thing is that when there is no external driver like regulatory compliance, the decision to deploy a Security Automation and Orchestration solution is often determined by maturity. Most organizations don’t realize that they will be unable to cope with the volume of alerts, and the resulting alert fatigue, until they have deployed a SIEM and a full advanced threat detection architecture.
The common misconception is that the SIEM can reduce the number of incoming alerts by applying correlation rules. This is not entirely untrue, but correlation rules only reduce a small percentage. They are essentially signature based: you need to know in advance what you want to correlate, and writing a correlation rule for each and every incoming alert is not a trivial task. Even with correlation rules, additional work is required to qualify an incident. Gathering additional IoCs, incident observables and context is still a very manual process. Lastly, detection is only one part of the entire incident response process – notifying stakeholders, gathering forensic evidence and containing the threat will also have to be done manually. These are the areas where SAO solutions provide the greatest ROI, as a force multiplier.
In incident response, protecting against a targeted attack is like slaying the hydra. For those not familiar with it, the hydra is a multi-headed serpent from Greek mythology that grows two new heads for every head you chop off. A determined attacker will try again and again until they succeed, targeting different attack vectors and using a variety of tactics, techniques, and procedures.
The Snowden and Shadowbroker leaks really drove this home, giving partial insight into the toolkit of nation state actors. What really stuck out to me was the sheer variety of utilities, frameworks, and techniques to infiltrate and gain persistence in a target. Without the leak, would it be possible to reliably determine that all of those hacking tools belonged to a single entity? Would a large organization with thousands of alerts and hundreds of incidents every day be able to identify that these different attacks belonged to a single, concerted effort to breach their defenses, or would they come to the conclusion that these were all separate, unrelated attempts?
Our colleagues in the threat intelligence and forensic analysis industries have a much better chance to correlate these tools and their footprint in the wild – they may discover that some of the tools share a command and control infrastructure, for example. A few did have at least an outline of the threat actor, but judging by the spate of advisories and reports released after the leaks, not many actually appear to have achieved this to any great degree. The majority were only able to piece the puzzle together once equipped with a concise list of Indicators of Compromise (IoCs) and TTPs to begin hunting with.
Some readers may now be thinking, “How does this affect me? We are not important enough to attract the attention of a nation state actor”. I would urge caution in placing too much faith in that belief.
On the one hand, for businesses in some countries the risk of economic espionage by nation-state hacking has decreased. As I wrote on Securityweek in July, China has signed agreements with the USA, Canada, Australia, Germany and the UK limiting hacking for the purpose of stealing trade secrets and economic espionage. However, this does not affect hacking for national security purposes, and it will have little impact on privately conducted hacking. These are also bilateral agreements, and none exist with other nations, for example Russia or North Korea. For militarily and economically weaker nation states, offensive cyber activity is a cheap, asymmetric method of gaining a competitive or strategic advantage. As we have seen, offensive cyber activity can target civilian entities for political rather than economic reasons, and attackers are increasingly targeting the weakest link in the supply chain. This means that the probability of being targeted today depends more on your customer, partner and supply chain network than on what your organization itself does in detail. Security through obscurity has never been a true replacement for actual security, but it has lost its effectiveness as targeted attacks have moved beyond the most prominent and obvious victims. It has become much easier to suffer collateral damage.
Cyber criminals are becoming more organized and professional
On the other hand, cyber criminals are becoming more organized and professional, with individual threat actors selling their services to a wide customer base. A single small group of hackers like LulzSec may have a limited toolbox and selection of TTPs, but professional cybercrime groups have access to numerous hackers, supporting services and purpose-built solutions. If they are targeting an organization directly, persistently rather than opportunistically, it will be just as difficult to discern that a single concerted attack by one determined threat actor is taking place.
What this means in practical reality for any organization that may become the target of a sophisticated threat actor, is that you have to be on constant alert. Identifying, responding to and containing a threat is not a process to be stepped through with a final resolution step – instead, cyber security incident response is an ongoing, continuous and cyclical process. Advanced and persistent attacks unfold in stages and waves, and like a war consist of a series of skirmishes and battles that continue until one side loses the will to carry on the conflict or succeeds in their objectives. Like trying to slay the hydra, each incident that you resolve means that the attacker will change their approach and that the next attempt may be more difficult to spot. Two new heads have grown instead of one.
To tackle this requires that we cultivate a perpetual state of alertness in our SOC and CSIRT – but we must do this without creating a perpetual state of alarm. The former means that your team of analysts is always aware and alert, looking at individual incidents as potentially just one hostile act of many that together could constitute a concerted effort to exfiltrate your most valuable data, disrupt your operational capacity, or abuse your organization to do this to your partners or customers. In the latter case, your analysts will suffer from alert fatigue, a lack of true visibility of threats, and a lack of energy and time to be able to see the bigger picture.
The hydra will have too many heads to defeat.
In the Greek legend of Heracles, the titular hero eventually defeats the Hydra by cauterizing each decapitated stump with fire to prevent any new heads from forming. Treating an incident in isolation is the Security Incident Response equivalent of chopping off the head of the hydra without burning the stump. Applied to our problem, burning the stump means that we have to conduct the response to each incident thoroughly and effectively, and continue the process well beyond containment.
We must invest more time in hunting and investigating, and we have to correlate and analyze the relationships between disparate incidents. We must use threat intelligence more strategically, to derive situational awareness, and not just tactically as a machine-readable list of IoCs. This also requires gathering sufficient forensic evidence and context data about an incident and the related assets and entities during the incident response process, so that we can conduct post-event analysis and continuous threat assessment after containment and mitigation have been carried out. This way we can better anticipate the level of threat we are exposed to, and make more informed decisions about where to focus our resources, add mitigating controls and improve our defenses. In incident response, “burning the stump” means making it harder for threat actors to succeed in the future by presenting them with a hardened attack surface, reducing their residence time in our infrastructure, and reducing the time we need to discover and contain them. To do this we need to learn from every incident we manage.
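The correlation step described above, linking disparate incidents that share observables so that a campaign stands out from a pile of unrelated tickets, is shown here as an added example. It is not DFLabs code; the incident set, its observable values and the `cluster_incidents` and `campaign_report` names are all constructed for the illustration. Incidents are joined into one cluster whenever they share at least one IoC (a union-find over observable values), and the report lists which observables tie the cluster together.

```python
"""Link separate incidents that share IoCs into one cluster (added example).

A campaign of several "skirmishes" often shows up as tickets of different
types that happen to share a hash, an IP or a domain. Union-find over the
observable values groups such tickets so an analyst can review them together.
"""
from collections import defaultdict

# Constructed incidents; observables are typed "kind:value" strings.
INCIDENTS = {
    "INC-101": {"type": "phishing",
                "observables": {"ip:203.0.113.42", "domain:login-portal.example", "sha256:aaa111"}},
    "INC-102": {"type": "malware",
                "observables": {"sha256:aaa111", "ip:198.51.100.7"}},
    "INC-103": {"type": "c2-beacon",
                "observables": {"ip:198.51.100.7", "domain:cdn-update.example"}},
    "INC-104": {"type": "brute-force",
                "observables": {"ip:192.0.2.9"}},
    "INC-105": {"type": "phishing",
                "observables": {"domain:cdn-update.example", "user:jdoe"}},
}


class UnionFind:
    """Disjoint-set forest with path halving; keys are created on first use."""

    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]
            x = self.parent[x]
        return x

    def union(self, a, b):
        ra, rb = self.find(a), self.find(b)
        if ra != rb:
            self.parent[rb] = ra


def cluster_incidents(incidents):
    """Return sorted lists of incident ids; two incidents share a list if any chain
    of shared observables connects them."""
    uf = UnionFind()
    first_seen = {}            # observable -> first incident that carried it
    for inc_id, inc in incidents.items():
        uf.find(inc_id)        # register singletons too
        for obs in inc["observables"]:
            if obs in first_seen:
                uf.union(first_seen[obs], inc_id)
            else:
                first_seen[obs] = inc_id
    clusters = defaultdict(list)
    for inc_id in incidents:
        clusters[uf.find(inc_id)].append(inc_id)
    return [sorted(c) for c in clusters.values()]


def shared_observables(incidents, cluster):
    """Observables that appear in more than one incident of the cluster."""
    carriers = defaultdict(set)
    for inc_id in cluster:
        for obs in incidents[inc_id]["observables"]:
            carriers[obs].add(inc_id)
    return {obs: sorted(ids) for obs, ids in carriers.items() if len(ids) > 1}


def campaign_report(incidents):
    """Only multi-incident clusters are candidate campaigns worth a closer look."""
    report = []
    for cluster in sorted(cluster_incidents(incidents)):
        if len(cluster) < 2:
            continue
        report.append({
            "incidents": cluster,
            "types": sorted({incidents[i]["type"] for i in cluster}),
            "links": shared_observables(incidents, cluster),
        })
    return report


if __name__ == "__main__":
    for entry in campaign_report(INCIDENTS):
        print(entry["incidents"], entry["types"])
        for obs, ids in entry["links"].items():
            print("  ", obs, "->", ids)
```

With the constructed data, a phishing ticket, a malware ticket, a C2 beacon and a second phishing ticket collapse into one cluster through a shared hash, a shared IP and a shared domain, while the brute-force attempt stays on its own. In practice the observables would come from the enrichment each incident already received, which is why gathering them thoroughly during response pays off later.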
Cyber criminals do not discriminate against anyone when it comes to their targets of choice. They go after whatever organization they consider to have a potential to yield substantial financial benefits, without taking into account that some of their exploits might even lead to international conflict or an environmental catastrophe of unimaginable scale.
Cyber attacks on critical infrastructure have become commonplace lately, threatening public health and safety and deteriorating relations between countries. Given how sophisticated and advanced these threats are, it is no wonder that detecting and preventing all of them is extremely difficult, so a proper cyber incident response plan that helps contain the damage and recover from an attack becomes a necessity.
Incident Response Solutions for Critical Infrastructure Sectors
Critical infrastructure is comprised of organizations from various sectors, including health care, energy, telecommunications, financial services, government, and transportation, among others. All businesses and institutions that are part of one of these sectors are potential targets for cyber criminals.
To improve their ability to mitigate cyber security threats more effectively, these organizations are advised to create a workflow-based incident response plan built on an automation and orchestration platform.
Benefits of a Workflow-Based Security Incident Response Plan
By utilizing an incident response platform that allows an orchestrated approach while automating certain routine and time-consuming tasks, organizations can greatly reduce reaction times of their cyber security teams, and start the recovery process as soon as possible.
A workflow-based platform that incorporates a set of actions tailored to specific types of cyber attack allows security teams to go through all stages of an incident response quickly and effectively, by giving them concrete steps to take based on the type and scope of the attack. Furthermore, knowledge-sharing articles for each attack type can be associated with the incident for faster and more efficient resolution.
In addition to workflows, automation-and-orchestration incident response platforms can easily integrate with intelligence sharing platforms, allowing organizations to send and receive essential cyber security events information, improving their ability to prevent future attacks.
Cyber attacks on critical infrastructure are probably going to become even more common, so investing in an incident response platform with automation and orchestration capabilities would be of great help to organizations looking to enhance their cyber defenses moving forward. By doing that, they would also be contributing to efforts for preserving international peace and public safety.
We have recently experienced a devastating wave of ransomware attacks such as WannaCry (also known as WannaCrypt), which spread to more than 200 countries across the globe. While Russia was hit hard, Spain and the United Kingdom saw significant damage to their National Health Services. Hospitals were forced to unplug their computers to stop the malware from spreading even further. This is just one of the security threats posed by malware that encrypts computer files, network file shares and even databases, thereby preventing user access (Green 18-19). It happens in spite of heavy investments in a wide array of security automation and orchestration solutions and in the staff required to triage, investigate and resolve threats.
The primary problem is that organizations seem to be losing the battle against cyber attackers (Radichel, 2). Security administrators are overburdened and compelled to manually perform time-consuming and repetitive tasks to identify, track and resolve security concerns across various security platforms. Despite the time and effort, it is difficult to analyze and adequately prioritize the security events and alerts that matter for protecting their networks. Moreover, inadequate visibility into the current activities, metrics and performance of the security teams leaves security managers struggling to justify additional resources. It has long been accepted that organizational efficiency depends heavily on the ability of the security system to reduce false positives, so that analysts can focus on the critical events and indicators of compromise.
Security event automation and orchestration helps an organization detect a compromise in real time, and a rapid incident response ensures quick containment of the threat. By automating common investigation, enrichment and response actions, and by using a centralized workflow for performing incident response, it is possible to minimize response times and thus make the organization more secure. Security event automation and orchestration expedites workflows across the phases of the threat life-cycle. However, for a security team to deploy automation and orchestration of event-driven security, it must have access to data about the events occurring in the environment that warrant a response. To employ event-driven security effectively, automation should be embedded into the processes that could introduce new threats to the environment (Goutam, Kamal and Ingle, 431). The approach requires a way to audit the environment securely and to trigger an event based on data patterns that indicate a security threat or intrusion. Of particular importance, continuous fine-tuning of the processes is required to make certain that the automation and orchestration being deployed is not merely automating the process, but providing long-term value in the form of machine learning and the automated application of incident response workflows that have previously resolved incidents successfully.
At a time of increased cybersecurity threats, a structured approach can expedite the entire response management process, from event notification to remediation and closure, through automated orchestration and workflow. It enables the automatic gathering of key information, the building of decision cases and the execution of critical actions to prevent and/or remediate cyber threats based on logical incident response processes. Security orchestration and event automation bring benefits such as cost effectiveness, mitigation of security incidents and improved speed and effectiveness of the response. Hence, security event automation and orchestration is a genuine means of containing security threats before real damage takes place.
Preparing for cybersecurity incidents and responding to them can be a significant burden for any organization. On a daily basis, most security teams will commonly deal with numerous cybersecurity events, many of which will trigger some number of resource-taxing and time-consuming tasks such as gathering and vetting information, analyzing data, and generating incident reports.
It is for this reason that every tool, every solution, and every procedure that can help ease that burden is often more than welcome. Implementing Standard Operating Procedures (SOP) is one of the essential steps towards ensuring a more streamlined and effective incident response process, one that allows security professionals to focus on the more substantial and high-value activities, such as in-depth investigations and implementing improvements in the overall incident response program.
Coordinating Incident Response
Standard operating procedures are aimed at helping CSIRTs follow the most effective possible workflow when dealing with cyber security events. A typical SOP should contain a list of specific actions that security professionals need to take whenever their organization faces a particular cyber incident. It ensures that all employees within an organization know their responsibilities and what activities they need to carry out in the event of a cyber attack. For instance, an SOP might state at what point in the incident the CSIRT member is responsible for reporting a data breach to the Information Security Officer, and where to submit incident reports in the aftermath of a breach. Further, the SOP might also state how to assign an incident severity level and where to distribute a list of recommendations or specific instructions on how to address a particular threat.
Another important aspect of an SOP is that it should ensure that all workflows and actions taken during incident response comply with the regulations the organization is required by law to adhere to.
Orchestrate and Automate the Process
For SOPs to be worthwhile and effective, an organization’s cyber security teams and resources must adhere to them and realize benefits from doing so. Some of the actions recommended or required by an SOP in a given situation may take up a large portion of a security team’s time and effort, so adopting a solution that can orchestrate and automate some of those tasks goes a long way towards realizing those benefits by saving time and cutting costs.
Security automation and orchestration platforms can programmatically handle some of those time-consuming manual tasks, such as generating and sending reports, thereby helping to drastically reduce reaction times. They can also help quickly determine the severity of an incident and its impact on the organization, freeing security resources to focus on the containment, eradication and recovery activities the SOP requires.
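The points above (an SOP that lists required actions, assigns a severity level, fixes who reports a breach and when, and must stay within regulatory obligations) can be expressed as code that a platform checks an incident against. The following is an added example, not a feature of any product: the SOP table, the severity matrix, the step-ordering rules and the 72-hour notification window are constructed for illustration, and `check_compliance`, `assign_severity` and the other names are assumptions. A real SOP would take its steps and deadlines from the organization’s own policy and the regulations that apply to it.

```python
"""SOP-as-code: check an incident's recorded steps against the standard
operating procedure for its category (added example, constructed rules).

Times are epoch seconds so the check can be run straight from ticket fields.
"""

# Constructed SOP table: required steps per incident category and the
# notification window (hours after detection) where one applies.
SOP = {
    "data-breach": {
        "required_steps": ["triage", "contain", "preserve_evidence",
                           "notify_iso", "notify_regulator", "report"],
        "notify_within_hours": 72,
    },
    "malware": {
        "required_steps": ["triage", "contain", "eradicate", "recover", "report"],
        "notify_within_hours": None,
    },
}

# Pairs (a, b): wherever both steps appear, a must come before b.
ORDERING = [("triage", "contain"), ("contain", "eradicate"),
            ("eradicate", "recover"), ("preserve_evidence", "report")]


def assign_severity(impact: str, scope: str) -> str:
    """Constructed severity matrix: impact and scope each low/medium/high."""
    rank = {"low": 0, "medium": 1, "high": 2}
    score = rank[impact] + rank[scope]
    return {0: "P4", 1: "P3", 2: "P2", 3: "P1", 4: "P1"}[score]


def missing_steps(category: str, taken: list) -> list:
    """Required steps the incident record does not show."""
    done = set(taken)
    return [s for s in SOP[category]["required_steps"] if s not in done]


def ordering_violations(taken: list) -> list:
    """Step pairs recorded in the wrong order."""
    pos = {step: i for i, step in enumerate(taken)}
    return [(a, b) for a, b in ORDERING
            if a in pos and b in pos and pos[a] > pos[b]]


def notification_deadline(category: str, detected_at: float):
    """Epoch deadline for the regulatory notification, or None if none applies."""
    hours = SOP[category]["notify_within_hours"]
    return None if hours is None else detected_at + hours * 3600


def check_compliance(category: str, taken: list, detected_at: float,
                     notified_at: float = None) -> dict:
    """Summarize every way the record falls short of the SOP."""
    deadline = notification_deadline(category, detected_at)
    late = deadline is not None and (notified_at is None or notified_at > deadline)
    missing = missing_steps(category, taken)
    order = ordering_violations(taken)
    return {
        "compliant": not missing and not order and not late,
        "missing": missing,
        "order": order,
        "notification_late": late,
    }


if __name__ == "__main__":
    print(assign_severity("high", "medium"))
    print(check_compliance("data-breach",
                           ["triage", "contain", "report", "preserve_evidence"],
                           detected_at=1_000_000, notified_at=1_000_000 + 80 * 3600))
```

Run against a breach record that skipped both notifications, filed the report before preserving evidence and notified after the window, the check returns every gap at once, which is the kind of automated report the platform can hand to the Information Security Officer instead of an analyst reconstructing it by hand.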
In summation, security automation and orchestration platforms are a crucial tool for ensuring a proper implementation of standard operating procedures as a key piece of the cyber incident response puzzle.
In the context of cyber security, two of the most pressing concerns facing many organizations are the ever-rising number of cyber attacks and how to keep them at bay without increasing headcount. Cyber attacks are now more sophisticated and noticeably more common than they were even a few years ago. Faced with this increased volume, private entities and government agencies are struggling to help their security teams respond to cyber events effectively and in a timely manner, while finding that most potential solutions require either substantial financial expense or the addition of specialized human resources.
Hiring skilled staff is a real challenge for most organizations amid an acute and global cyber security skills shortage. Unmet demand has led professionals in this field to command disproportionately high salaries and made it that much more difficult for businesses and governments to attract cyber security talent. Consequently, organizations are now also forced to seek out technical solutions that might actually help decrease their reliance on specialized and expensive human resources. This is where cyber security incident response platforms come in as arguably the most convenient, practical and cost-effective solution to the growing cyber security threat issue and specialized resource shortage.
Ease the Strain on Security Teams by Automating Time Consuming Incident Response Tasks
A security automation and orchestration platform is the economical solution to enable an organization to respond to cyber threats and eradicate them in the most effective and fastest way possible. It is also the best way to ease the strain on security teams which, in many organizations, are already overwhelmed with an uninterrupted incident response workload.
Analyzing and assessing the legitimacy, impact and scope of a cyber incident are some of the most time-consuming tasks undertaken by cyber security professionals today. It is exactly within those tasks that an orchestration and automation platform can be of most service. From an incident identification and analysis perspective, these platforms are force multipliers which greatly accelerate the incident triage process. They provide an organization with the ability to analyze the cause and effect of each incident and to assess the scope and impact to an organization from any number of incidents at any given time. From a response perspective, and beyond their ability to automate response activity on existing security infrastructure, they can generate automated incident reports for distribution to in-house security teams, providing response and recovery resources with key insights into the scope and severity of an incident, thereby often dramatically reducing reaction times.
In short, the dual challenge of addressing a growing number of cyber attacks while maintaining an ability to mount an effective response with an existing cyber security team is best tackled by employing an automation and orchestration platform. Deploying this tool as a force multiplier for both existing security infrastructure and human resources allows security teams to offload the most intensive tasks and frees these professionals to focus on the higher-value areas of a cyber security threat response.
In light of the increased frequency of cyber attacks against health care institutions in the United States and around the globe, the recent announcement from the U.S. Department of Health and Human Services (HHS) regarding the launch of a dedicated cybersecurity center gives hope to security practitioners in this sector that they will soon be able to improve their cyber resilience against the escalating cyber threats.
The Health Cybersecurity and Communications Integration Center (HCCIC), scheduled to reach initial operating capability before the end of June, is modeled on the Department of Homeland Security’s (DHS) National Cybersecurity and Communications Integration Center. Christopher Wlaschin, the CISO at the U.S. HHS, identified the key goals of the HCCIC as trying to “reduce the noise about cyber threats in the health care industry” and to “improve the ability of health care institutions to protect against cyber attacks.”
Mobile Health Applications and Growing Ransomware Attacks Raise Concerns
The impetus for this center is twofold: first, the exploding rate of ransomware attacks on health care organizations in recent years, and second, the increased exposure to cyber attacks brought about by the growing adoption of mobile health applications. Together these developments have pushed the government to take more decisive action to help the health care sector build more effective cyber resilience systems.
Information Sharing and Best Practices
Information collaboration and analysis of cyber threat intelligence will be at the forefront of the activities undertaken by the new center. Sharing cyber threat intelligence within an industry sector and between private companies and authorities is a significant part of overall efforts for improving the preparedness of an organization to promptly and effectively respond to cyber incidents. However, this sharing of intelligence can often also create a torrent of noise, making it difficult for security practitioners to discern credible information on what actually constitutes a potential threat to the cyber security of their organization. Paradoxically, unfiltered intelligence sharing can therefore slow down rather than speed up an effective response.
For this reason, organizations require a programmatic solution to help them share only the essential information related to cyber threats, past and current, and the cyber security events they have already faced. The prescribed solution is an automation and orchestration platform that has the built-in capability to integrate with threat intelligence sharing standards and platforms such as STIX, TAXII or Splunk, to name a few. This customizable platform can enable organizations within the health care sector to: share operational intelligence related to cyber security events in a secure and efficient manner; eliminate the risk of sharing any confidential company or patient data; and cut out the noise from irrelevant information that so plagues intelligence sharing today.
In this new reality, where new and ever more sophisticated threats loom large on the horizon, health care organizations that choose to implement a cyber incident response platform with these built-in threat intelligence capabilities will do so knowing they have taken a big step forward to ensuring the protection of valuable business information, and confidential and sensitive patient data.
The WannaCry ransomware attack sent shockwaves through businesses and governments all around the globe by bringing day-to-day activities in hospitals, banks, telecommunication operators, and local and state agencies to a grinding halt. Undoubtedly, this attack put a big spotlight on ransomware, highlighting it as a powerful, dangerous, and potentially life-threatening attack methodology exploited by cyber criminals as a means for quickly making significant financial gain. Recently, however, another method has emerged as an increasingly common tool for cyber extortion, one that is expected to gain much more traction in the near future.
The emerging threat in question is doxing and involves attackers obtaining confidential, proprietary, sensitive, or private information via social media or hacking, and threatening to publicly share that information if ransom is not paid. There have been a few notable doxing events in recent years involving hacker attempts to extort large corporations, with Walt Disney Pictures emerging as the latest victim. In another high profile case involving cyber extortion, hackers are today threatening to release a stolen upcoming blockbuster film, in advance of its premiere, unless they receive a pirate-like ransom of bitcoins in return. With doxing becoming a go-to modus operandi for an increasing number of cyber criminals, organizations seeking to safeguard their proprietary information need to become more aware of the threat doxing represents and implement solutions to protect against these extortion attacks.
Improve the Ability to Identify Doxing Attacks Quickly
Beyond implementing layered preventative and detective security controls, efforts for defending against doxing attacks should include devising a proper cyber incident response plan, preferably one established within the framework of a cyber-security automation and orchestration platform. Through the adoption of such a platform, organizations would address the first and most important part of the process for tackling doxing threats – being prepared to quickly and effectively respond to the attack.
A cyber incident response platform provides organizations with automation and orchestration capabilities through integration with existing security infrastructure and structured response playbooks. This level of preparedness vastly improves their ability to detect, track, and recover from doxing attacks. By providing a consistent and repeatable response strategy, a better prepared organization can reduce or even completely avoid the potentially substantial and damaging impact of a successful extortion attempt.
This platform allows cyber-security teams to detect, predict, and track breaches in their organizations’ computer systems, and to respond quickly and inline by leveraging integrations with existing security infrastructure. The inline response reduces overall reaction times and allows for quick containment and eradication of the threat.
The platform dramatically accelerates the incident triage and response process to improve efficiency, and can even integrate with an organization’s forensic systems, allowing for fast and efficient gathering of digital evidence to help identify attackers and support subsequent law enforcement efforts.
By leveraging the full capabilities of a cyber-security automation and orchestration platform, organizations would be able to more quickly determine the scope and impact of extortion attacks, respond accordingly, and provide authorities with the information necessary to accelerate their investigation. Collectively, leveraging these capabilities would ensure an increased chance for resolving and recovering from the incident without succumbing to ransom demands.
The latest ransomware attack that broke out last Friday, affecting more than 200,000 computers across 150 countries by Sunday, once again highlighted the need for improved preparedness to respond to large-scale cyber incidents by implementing advanced security automation and orchestration solutions capable of containing the damage from such events. In this case, the attackers exploited a vulnerability in the Windows Server Message Block (SMB) protocol, which had been discovered and kept quiet for exclusive use by the National Security Agency (NSA).
WannaCry, as the virus is called, is delivered via an email attachment and when executed, paralyzes computers running vulnerable Windows operating systems by encrypting their files. Once it encrypts a computer’s hard disk, WannaCry then spreads to vulnerable computers connected to the same network, and also beyond, via the Internet. This is in many ways a typical ransomware attack, infecting computers with a virus that has the ability to spread quickly to other vulnerable systems; however, the infection in this instance, and the speed at which it spread, was more intense than any other such attack in recent memory. The consensus among cyber security experts around the world is that the damage from this attack could have been reduced to a minimum, and more serious consequences could have been avoided, if organizations had been better prepared and had more effective cyber incident response plans and solutions in place.
Early Detection and Damage Containment via Automation and Orchestration
Once an organization’s computer systems have been breached by an attack such as WannaCry, the best thing the organization can do is try to keep the incident under control by preventing the infection from spreading. There are various security solutions designed to achieve this end, but an automation and orchestration platform is arguably the best suited for the task. When an infected computer is detected, this platform can quickly isolate it in the early stages of an attack, blocking traffic to and from it to contain its spread, and thus reduce the business impact to a minimum.
Recovery and Remediation
Once containment is achieved, the platform provides organizations with the ability to quickly remediate the incident by guiding cybersecurity professionals through the entire process, using pre-defined playbook actions for a faster and more effective execution. The playbook actions can suggest the best remediation and recovery methods and how to enforce them in the most effective manner, for instance how to restore files and update the appropriate firewall rules.
All of the above is only a fraction of the capabilities of a typical automation and orchestration platform, a security tool that has become critical for any organization seeking to avoid the immense cost and long-lasting consequences of cyber-attacks such as WannaCry.
Cyber-attacks such as this one are only expected to become more common and more sophisticated in the future, and for this reason WannaCry should serve as an example of why now is the time for organizations serious about cyber security to focus on improving preparedness and containment capabilities through investment in advanced security automation and orchestration.