Supervised Active Intelligence: Taking the Guesswork out of your Cyber Incident Response

In the upcoming months we will share details that outline our successful methodology “Supervised Active Intelligence”. We envision a world where your security team is empowered with all the information they need to make an intelligent, informed security decision based on coordinated information, intelligence and incident enrichment activities as early in the incident response life-cycle as possible.

We speak to a lot of Security Operations Center (SOC) personnel who want information in front of them before they start investigating. This is a part of human nature. We want as much information as we can get in order to make a decision. Too often we find that SOC teams spend most of their time digging around for information that is readily available in our Enrichment package within IncMan™

Conversely another problem we see is that businesses are drowning in technology. In fact, few know how many products they have at their disposal. This is something that’s not too uncommon, the purchase of more products leads to a false sense of security. We even see businesses use manual methods of cataloging and managing cyber/physical incidents by the use of Microsoft Excel

IncMan™ can leverage all of your endpoint/gateway malware analysis, intrusion detection/prevention and even intelligence services and put them in direct control with your Incident response. IncMan™ is able to leverage and directly interface within a single manageable interface. This will not only reduce up-skill for specific interfaces allowing less reliance on specialists, but allows your team to start the following chain of events:

‌• Enrich your team with all the required information to not only provide your immediate reaction teams with the information for decision makers, forensic coverage and reaction protocols
‌• Create your containment actions based on the products you have evaluated to meet a specific requirement in a company policy that aligns with best practice
‌• Mitigate the incident, providing evidence to legal entities, managed service providers and internal teams
‌• Re-mediate and action policy updates to your incident response, orchestrating your team as well as product solutions
‌• Feeding and influence knowledge bases, working with intelligence services and providing more information about what happened to your required services.

If you follow our standards and best practice, this will aid your GDPR readiness, HIPAA compliance, ISO 27001 and many more. Assuring for board members and management when a breach or other cyber events occur.

If you’re interested in seeing how we can work together to grow your incident response capabilities, visit us at https://www.DFLabs.com and schedule a demonstration of how we can utilize what you already have and make it better.

A Weekend in Incident Response #15: Responding to Increasingly Common DDoS Attacks Through Automated Playbooks

Cyber-attackers never stop inventing new and more creative methods and techniques that are supposed to be more difficult to prevent. One of the most common types of attacks nowadays are the DDoS attacks (Distributed Denial of Service attacks) , which are on the rise recently, unlike data breaches, according to the 2017 Cyber Incident & Breach Response Guide issued by the Online Trust Alliance.

Mitigating DDoS attacks is complicated and time-consuming. They often last several days and even weeks, bringing an organization’s operations to a complete halt for prolonged periods of time. It takes a coordinated effort from an organization’s CSIRT, C-level and its Internet Service Provider (ISP). Since it can take a lot of time to recover from a DDoS attack, it’s essential to have a response plan in place that is specifically designed to respond to these types of cybersecurity incidents. This will help reduce the team’s response time, contain the damage, and resume operations as soon as possible.

DDoS Attack Playbooks

In order to prepare for a future DDoS attack, it’s recommended that organizations utilize a cyber incident response platform, which has the ability todetect, predict and respond to various types of cybersecurity incidents. These platforms provide specialized automated playbooks for the different types of incident, allowing organizations to automate the immediate response to a cybersecurity event and give their SOC and CSIRT the time to focus on recovery and making the organization’s systems fully functional as soon as possible.

Effective Containment and Recovery

A typical DDoS attack playbook includes the key aspects of a cyber incident response, such as analysis, containment, remediation, recovery, and post-incident actions. By employing such a playbook, the organization can quickly determine the specific part of the infrastructure that has been affected by the attack, so that the team can know the necessary actions required to take in order to resolve the incident. A pre-defined playbook will help organizations contain the damage by notifying the SOC and CSIRT on how to block the DDoS attack based on the analysis performed by the incident response platform.

After you have taken the proposed actions to contain the incident, the playbook will guide you through the remediation process. It will involve contacting your ISP and notifying law enforcement, which is where a cyber incident response platform’s capability to create automated incident reports comes in handy, too.

Finally, if you are utilizing a cyber incident response platform, you will have the possibility to enhance your preparedness for future cybersecurity events, by creating statistical reports that contain all the necessary metrics, which you can use to adjust your response to different types of attacks.