At the heart of incident response, and by extension of Security Automation and Orchestration technologies, resides the Cyber Incident. A typical definition of a cyber security incident is “Any malicious act or suspicious event that compromises or attempts to compromise, or disrupts or tries to disrupt, a critical cyber asset”. Almost everything we do in a SOC or a CSIRT is based on incidents, and there are a variety of potential incident sources, for example:
- Alerts from cyber security detection technologies such as Endpoint Detection & Response or User Entity Behavior Analytics tools
- Alerts from Security Information & Event Management Systems (SIEM)
- Emails from ITSM or case management systems
- Website submissions from internal stakeholders and whistle-blowers
- Phone calls from internal users and external 3rd parties
This diversity of incident sources means that a solid SAO solution must offer a variety of different methods to create incidents. Regulatory frameworks also frequently mandate being able to originate incidents from different sources. DFLabs IncMan offers a rich set of incident creation options.
There are three primary ways to create incidents in IncMan, offering flexibility to accommodate a variety of incident response process requirements and approaches.
Option 1: Automated Incident Creation
We will feature automated incident creation in a more detail in a future post. In the meantime, I will show you the location of this feature.
Select settings menu, then head to the external sources:
You will see that under the external sources option there are 3 options available to use as sources to automate incident creation:
- Incoming events automation, for CEF/Syslog
- Incoming Mail automation, for a monitored email account
- Integrations, for all QIC integration components.
Automating incident creation supports a variety of filters to support a rules-based approach. In addition, it is also possible to create incidents using our SOAP API. Certified 3rd party applications use this mechanism to create incidents within IncMan, for example, Splunk.
Option 2: Manual Incident Creation
Click the incidents menu option, then click the + symbol selecting the incidents screen
Fill out all mandatory fields (these can be defined in the custom fields screen) then step through and complete the incident wizard to create the incident:
Once all relevant fields have been completed, click save and this incident will then appear in the incident view and apart of the queue you assigned in the details screen.
Option 3: Incident creation from source
Select an incident source for the incident you want to create, for example, a Syslog or CEF message, an Email, or a Threat intelligence source (STIX/TAXI, ThreatConnect):
In this screen, you can then convert this source item to an incident, or link the source to an existing incident.
The DNA sequence for each human is 99.5% similar to any other human. Yet when it comes to incident response and the manner in which individual analysts may interpret the details of a given scenario, our near-total similarity seems to all but vanish. Where one analyst might characterize an incident as the result of a successful social engineering attack, another may instead identify it as a generic malware infection. Similarly, a service outage may be labeled as a denial of service by some, while others will choose to attribute the root cause to an improper procedure carried out by a systems administrator. Root cause and impact, or incident outcome, are just a couple of the many considerations that, unless properly accounted for in a case management process, will otherwise play havoc on a security team’s reporting metrics.
Poor Key Performance Indicators can blind decision makers
What is the impact of poor KPI’s? All too often the end result leads to equally poor strategic decisions. Money and effort may be assigned to the wrong measures, for example into more ineffective prevention controls instead of improved response capability. In a worst case scenario, poor KPI’s can blind decision makers to the most pertinent security issues of their enterprise, and the necessary funding for additional security may be withheld altogether.
Three best practices are required to address this all too common problem of attaining accurate reporting:
- A coherent incident management process is necessary in order to properly categorize incident activity. Its definitions must be clear, taking into account outliers, clarifying how root causes and impacts are to be tracked, and providing a workflow to assist analysts in accurately and consistently determining incident categorization.
- The process must be enforced to guarantee uniform results in support of coherent KPI’s. Training, quality assurance, and reinforcement are all necessary to ensure total stakeholder buy-in.
- Security teams must have the technologies to support effective incident response and proper categorization of incidents.
There are several ways that the IncMan platform supports the three best practices:
First, IncMan provides a platform to act as the foundation for an incident management program. It provides customizable incident forms allowing for complete tailoring to an organization and the details it must collect in support of its unique reporting requirements. Custom fields specific to distinct incident types allow for detailed data collection and categorization. These custom fields can be coupled with common attributes to track specific data, thereby providing a high level of flexibility for security teams in maintaining absolute reporting consistency across the team’s individual members.
Next, playbooks can be associated with specific incident types, providing step-by-step instructions for specialized incident response activities. Playbooks enforce consistency and can further reinforce reporting requirements. However, playbooks are not completely static, and while they certainly provide structure, IncMan’s playbooks also offer the ability to improvise, add, remove or substitute actions on the fly.
The platform’s Knowledge Base offers a repository for reference material to further supplement playbook instructions. Information collection requirements defined within playbook steps can be linked to Knowledge Base references, arming analysts with added information, for example with standard operating procedures pertaining to individual enterprise security tools, or checklists for applicable industry reporting requirements.
IncMan also includes Automated Responder Knowledge (ARK), a machine learning driven approach that learns from past incidents and the response to them, to suggest suitable playbooks for new or related incident types. This is not only useful for helping to identify specific campaigns and otherwise connected incident activity but can also highlight historical cases that can serve as examples for new or novice analysts.
Finally, the platform’s API and KPI export capabilities enable the extraction of raw incident data, allowing for data mining of valuable reporting information using external analytics tools. This information can then be used to paint a much clearer picture of an enterprise’s security posture and allow for fully-informed strategic decision-making.
Collectively, the IncMan features detailed above empower an organization with the means to support consistency in incident categorization, response, and reporting. For more information, please visit us at https://www.dflabs.com
I can remember sometime around late 2001 or early 2002, GREPing Snort logs for that needle in a haystack until I thought I was going to go blind. I further recall around the same time cheering the release of the Analysis Console for Intrusion Databases (ACID) tool which helped to organize the information into something that I could start using to correlate events by way of analysis of traffic patterns.
Skip ahead and the issues we faced while correlating data subtly changed from a one-off analysis to a lack of standardization for the alert formats that were available in the EDR marketplace. Each vendor was producing significant amounts of what was arguably critical information, but unfortunately all in their own proprietary format. This rendered log analysis and information tools constantly behind the 8-ball when trying to ingest all of these critical pieces of disparate event information.
We have since evolved to the point that log file information sharing can be easily facilitated through a number of industry standards, i.e., RFC 6872. Unfortunately, with the advent of the Internet of Things (IoT), we have also created new challenges that must be addressed in order to make the most effective use of data during event correlation. Specifically, how do we quickly correlate and review:
a. Large amounts of data;
b. Data delivered from a number of different resources (IoT);
c. Data which may be trickling in over an extended period of time and,
d. Data segments that, when evaluated separately, will not give insight into the “Big Picture”
How can we now ingest these large amounts of data from disparate devices and rapidly draw conclusions that allow us to make educated decisions during the incident response life cycle? I can envision success coming through the intersection of 4 coordinated activities, all facilitated through event automation:
1. Event filtering – This consists of discarding events that are deemed to be irrelevant by the event correlator. This is also important when we seek to avoid alarm fatigue due to a proliferation of nuisance alarms.
2. Event aggregation – This is a technique where a collection of many similar events (not necessarily identical) are combined into an aggregate that represents the underlying event data.
3. Event Masking – This consists of ignoring events pertaining to systems that are downstream of a failed system.
4. Root cause analysis – This is the last and quite possibly the most complex step of event correlation. Through root cause analysis, we can visualize data juxtapositions to identify similarities or matches between events to detect, determine whether some events can be explained by others, or identify causational factors between security events.
The results of these 4 event activities will promote the identification and correlation of similar cyber security incidents, events and epidemiologies.
According to psychology experts, up to 90% of information is transmitted to the human brain visually. Taking that into consideration, when we are seeking to construct an associational link between large amounts of data we, therefore, must be able to process the information utilizing a visual model. DFLabs IncMan™ provides a feature rich correlation engine that is able to extrapolate information from cyber incidents in order to present the analyst with a contextualized representation of current and historical cyber incident data.
As we can see from the correlation graph above, IncMan has helped simplify and speed up a comprehensive response to identifying the original infection point of entry into the network and then visual representing the network nodes that were subsequently affected, denoted by their associational links.
The ability to ingest large amounts of data and conduct associational link analysis and correlation, while critical, does not have to be overly complicated, provided of course that you have the right tools. If you’re interested in seeing additional capabilities available to simplify your cyber incident response processes, please contact us for a demo at [email protected]
The WannaCry ransomware attack sent shockwaves through businesses and governments all around the globe by bringing day-to-day activities in hospitals, banks, telecommunication operators, and local and state agencies to a grinding halt. Undoubtedly, this attack put a big spotlight on ransomware, highlighting it as a powerful, dangerous, and potentially life-threatening attack methodology exploited by cyber criminals as a means for quickly making significant financial gain. Recently, however, another method has emerged as an increasingly common tool for cyber extortion, one that is expected to gain much more traction in the near future.
The emerging threat in question is doxing and involves attackers obtaining confidential, proprietary, sensitive, or private information via social media or hacking, and threatening to publicly share that information if ransom is not paid. There have been a few notable doxing events in recent years involving hacker attempts to extort large corporations, with Walt Disney Pictures emerging as the latest victim. In another high profile case involving cyber extortion, hackers are today threatening to release a stolen upcoming blockbuster film, in advance of its premiere, unless they receive a pirate-like ransom of bitcoins in return. With doxing becoming a go-to modus operandi for an increasing number of cyber criminals, organizations seeking to safeguard their proprietary information need to become more aware of the threat doxing represents and implement solutions to protect against these extortion attacks.
Improve the Ability to Identify Doxing Attacks Quickly
Beyond implementing layered preventative and detective security controls, efforts for defending against doxing attacks should include devising a proper cyber incident response plan, preferably one established within the framework of a cyber-security automation and orchestration platform. Through the adoption of such a platform, organizations would address the first and most important part of the process for tackling doxing threats – being prepared to quickly and effectively respond to the attack.
A cyber incident response platform provides organizations with automation and orchestration capabilities through integration with existing security infrastructure and structured response playbooks. This level of preparedness vastly improves their ability to detect, track, and recover from doxing attacks. By providing a consistent and repeatable response strategy, a better prepared organization can reduce or even completely avoid the potentially substantial and damaging impact of a successful extortion attempt.
This platform allows cyber-security teams to detect, predict, and track breaches in their organizations’ computer systems, and to respond quickly and inline by leveraging integrations with existing security infrastructure. The inline response reduces overall reaction times and allows for quick containment and eradication of the threat.
The platform dramatically accelerates the incident triage and response process to improve efficiency, and can even integrate with an organization’s forensic systems, allowing for fast and efficient gathering of digital evidence to help identify attackers and support subsequent law enforcement efforts.
By leveraging the full capabilities of a cyber-security automation and orchestration platform, organizations would be able to more quickly determine the scope and impact of extortion attacks, respond accordingly, and provide authorities with the information necessary to accelerate their investigation. Collectively, leveraging these capabilities would ensure an increased chance for resolving and recovering from the incident without succumbing to ransom demands.
Small businesses may not be the first thing that comes to people’s minds when talking about prime targets for cyber attackers. This is because government agencies, corporations, along with organizations and companies that are part of a country’s critical infrastructure are much more coveted targets, due to the high reward potential associated with them – both in terms of financial gains and retrieving confidential information. However, data breaches and other types of cyber incidents have recently become a common occurrence for many small businesses. Hackers are increasingly trying to gain access to the emails and acquire personal and other confidential information of their employees that are in charge of handling the companies’ finances.
One of the reasons why small businesses are seeing a rise in cyber attacks and data breaches is that cyber criminals have become increasingly aware of the fact that hacking into a small business’ computer network is fairly easy, in part due to the low cyber-security awareness of their employees. Additionally, the cyber defense programs and solutions that small businesses utilize are weak or even non-existent, thus making them easy prey despite not having a particularly high financial reward potential for cyber criminals. Lastly, small businesses have adapted to cloud services to conduct a large portion of their operations, and most cloud providers offer data encryption, making them extremely vulnerable to cyber threats.
What Criminals Are After
In most cases, the typical cyber attack on a small business’ computer network aims to retrieve a company’s financial information, employee records, customer records, as well as customer credit or debit card information, which they could later use to steal company funds, commit financial fraud, identity theft, or extortion.
The most common types of cyber security events faced by small businesses include phishing, SQL injections, malware, ransomware, DDoS attacks, and web-based attacks. The first line of defense against these attacks are a company’s employees. They need to go through cyber-security training to be able to recognize and detect a cyber threat – with statistics showing that a large part of data breaches are related to employee inattention.
Security Automation Is the Next Line of Defense
While cyber-security training for employees is something that every company needs to provide in this age of constant threat of cyber attacks, that alone is not enough to protect businesses against all potential cyber security incidents. Raising employee cyber-security awareness should be followed up by implementing appropriate solutions aimed at detecting, tracking, and eradicating cyber security incidents. In that regard, small businesses could use a security automation and orchestration platform, which can greatly reduce their reaction time following a cyber incident, and prepare them for more timely detection and prevention of future attacks.
Such a platform can help you protect customer and employee information, as well as valuable financial information, since it is capable of assessing the scope of the incident, identifying the affected device or devices, and containing the damage, by providing complete reports on the damages occurred, in addition to providing specialized rules and strategies that allow cyber-security professionals to react much more quickly and effectively to eradicate the incident. These types of platforms are the most straightforward and effective solution for small businesses’ concerns regarding cyber threats, which they are only going to see more of in the near future.
What’s wonderful about all our security industry and specifically the products, is that we constantly see similar fancy dashboard reporting. These views focus on an abundance of information being displayed to aid users trying to correlate and make historical data relevant. It’s vital data but I don’t think this information is best placed in this scenario. I am going to focus on the perspective that is most relevant to myself, and that’s incident response. For incident response, historical data is relevant when you have a purpose to use it. Our main focus, within incident response, is to respond to incidents that are relevant right now.
We often focus on thinking outside the box and use examples from other business models in order to facilitate our own growth. I think this concept is common and serves its purpose for planning, but we must understand the purpose for which we’re trying to use this concept. I always laugh when I see a show of the morning which displays stock/indices information. I ask myself, who is next to implement that view in their security product? Considering this, I think it’s something we need to seriously think about. Is this information relevant for this purpose at this point of a cyber investigators journey?
Over-complicating and over-stimulating users with too much data can have the opposite effect of the desired consequence. You’ll lose value and purpose for this information and ultimately it can become another piece of background clutter that is easily ignored. Time is essential when dealing with any cyber security event, not only from a response standpoint but also an evidentiary gathering perspective. Orchestrating information at the correct time is just as important as responding to the incident itself. Evasion techniques, obfuscation, and piggybacking are just some of the thought processes cyber intruders will use. It’s extremely difficult to know when the right time will be for each individual case, however having an incident response platform to gather and display incident information is essential and following this information in a visual manner will prove effective to the war rooms.
An incident responder’s dashboard should be clear and concise. The investigator, analyst or stake holder should see information that can drive them to an action on a granular level. While this information may be different from organization to organization, the concept should remain the same. I do enjoy a good list, so here are some of the thoughts I have when planning a dashboard view:
– Active Cyber Incidents per business units and their priority, some people mention this as a health status. Either way the concept is the same. Which business units have incidents registered against them? What’s the priority of the incident? This should simply generate a % number and a color coding. Use RED, if major, Green is low priority and non-invasive tasks identified. The number should represent the inverse of incidents * by the priority raised
– Events identified by source, knowing which products are producing the most events is quite key in identifying if this source is doing its job or if the source could be configured differently
– Playbook stage number, time to close organized by priority.
Incident data is critical, and the general rule of thumb is more is preferable to not enough. However, given that the purpose is to understand the relevant data as it relates to current and future incidents, this simple technique ensures that your incident data feeds not only remain timely, but provide maximum value as well.
Financial institutions are always at a great risk of falling victims to cyber-attacks. They are under a constant threat of being attacked by hackers looking to obtain confidential information that can be potentially very lucrative. In a bid to make sure banks are prepared to respond to cyber threats in the most efficient manner, three U.S. federal agencies in charge of overseeing and regulating the work of banks have proposed a set of cyber security requirements that the financial institutions must meet when it comes to the management of cyber security risks.
The Federal Reserve Board, the Federal Deposit Insurance Corporation, and the Office of the Comptroller of the Currency have issued an advance notice of proposed rulemaking (ANPR) that contains standards on how to manage and improve resilience regarding cybersecurity risks.
The standards are designed to help protect financial institutions, as well as their clients, against potential cyber threats.
Incident Response and Cyber Resilience Among the Standards
Per the advance notice, the proposed standards will cover a specific group of financial institutions, including depository institutions and depository institution holding companies with total assets of at least $50 billion, along with financial market infrastructure companies and non-bank financial companies that are supervised by the Board.
These covered entities should comply with specific cyber security requirements that are designed to improve their cyber incident response procedures and prepare for potential cyber-attacks.
The agencies propose five categories of standards regarding cyber security:
- cyber risk governance
- cyber risk management
- internal dependency management
- external dependency management
- incident response, cyber resilience and situational awareness
One Platform to Comply with all Cyber Security Requirements
Considering that there are a lot of aspects that the covered entities will have to pay attention to in order to meet the above-mentioned standards, it would be most cost-effective and practical for them if they adopted a platform that is capable of completing all tasks proposed by the standards.
Such platforms are now available on the market and can make life much easier for all organizations that these standards apply to. For instance, there are platforms that can help organizations ensure an effective and extensive incident response plan, providing complete control over cyber incidents. Organizations are advised to acquire such a platform that provides the ability to track and predict cyber security incidents, track and gather digital evidence, and create statistical reports, which are a key element to resolving a certain breach.
Also, that same platform can automatically manage all cases and data that’s required for cyber threats within your organization, as well as lab and inventory management, helping you comply with the cyber risk management requirements.
Finally, a platform that is specifically designed to prioritize your response and reduce the time it takes you to solve a cyber incident. The solution should help you comply with the Internal dependency management standards, while assessing the risk and provide action plans. A complete and full solution helps organizations reduce the risks of cyber-attacks and comply with the External dependency management standards.
The healthcare industry is under a constant threat of cyber attacks, mostly due to the fact that organizations within this sector keep a variety of confidential and pertinent information, such as credit card information, social security numbers, insurance-related information, and some believe most importantly personal medical records.
A recent report states that healthcare entities have been under increased risk of targeted attacks lately, including phishing attacks, ransomware attacks, and network hacking attacks. The heightened risk for cyber attacks points to a growing need for enhanced protection, in addition to raising awareness of the different types of cyber attacks that many healthcare organizations are facing.
Healthcare Surpasses Financial Sector as the Most Frequently Attacked Industry
According to data provided by Advisen and Hiscox, the average cost of a cyber incident in the healthcare industry cost $150,000. A recent report published by IBM states that the healthcare industry was attacked more frequently than any other sector last year, replacing the financial services sector at the top. According to the report, over 100 million healthcare records were compromised in 2015, which is a staggering figure by all standards.
The Advisen and Hiscox report also notes that there has been a 1.6-times increase in Health Insurance Portability and Accountability Act (HIPAA) violations in the last five years. This statistic suggests that entities such as hospitals and clinics, need to ramp up their efforts for ensuring HIPAA compliance because it is one of the key steps toward achieving improved protection against cyber attacks.
Detecting Ransomware and Phishing Attacks
Currently, the most common cyber threats faced by healthcare entities include phishing attacks and ransomware. These are the most commonly used techniques by hackers trying to retrieve confidential patient information that is critical to protect. The best practices for preventing such threats involve data encryption tools, which are recommended for all covered entities.
Another solution that can be useful to healthcare organizations is a software that can create rules and can be integrated with different tools that can be adjusted in a way that allows them to automatically detect and report problems. Platforms with such capabilities should be a crucial part of each entity’s cyber defense efforts.
How to React in Case You Are Attacked
Even though there are tools designed to detect and prevent ransomware and phishing attacks, hackers often manage to find a way to go around all sorts of defenses and breach even the most sophisticated security armors. When that happens, organizations must be prepared to react as quickly and as effectively as possible with a proven solution.
To that end, all covered entities, including healthcare organizations, need to have a Computer Security Incident Response Team (CSIRT) in place. In order to help their CSIRT resolve cyber incidents, entities are advised to acquire platforms that have the ability to automatically notify CSIRTs when a cyber attack occurs, be it via e-mail or SMS, and gather a team of investigators to do the forensics on a given incident.
Incident Response platforms featuring specialized playbooks are also necessary for tackling healthcare-related incidents. They are the most indicated tool for resolving cyber incidents fast and efficiently, through their ability to accelerate the incident triage process, integrate with forensics and response systems, and predict similar events in the future. Some of those platforms (SIRPs) are also able to provide playbooks for vertical regulation, such as HIPAA and similar.
On November 3, 2016, a new cyber incident reporting rule for Defensive Industrial Base (DIB) companies that are doing business with the U.S. Department of Defense (DoD) has gone into effect.
The final rule, recently published by the Office of the Chief Information Officer of the DoD, will implement requirements that all DoD contractors and subcontractors will have to comply with when reporting cyber incidents. It defines the mandatory cyber incident reporting requirements, which the Department of Defense says will apply to “all forms of agreement between DoD and DIB companies”. The agreements in question include contracts, grants, cooperative agreements, and any other type of legal instrument or agreement.
Adopting a Standard Reporting Mechanism
One of the goals of this rule is to establish a uniform reporting standard for cyber incidents on unclassified DoD contractor networks or information systems. Under this rule, DoD contractors and subcontractors will be required to report cyber incidents that result in “actual or potentially adverse effect on a covered contractor information system or covered defense information residing therein, or on a contractor’s ability to provide operationally critical support“.
While it is interesting to see that every cyber incident is potentially subject to reporting, it’s also important to note that this rule changes the definition of Covered Defense Information (CDI). The rule states that it will now refer to any data in the Controlled Unclassified Information Registry that requires “safeguarding or dissemination controls pursuant to and consistent with law, regulations and Government-wide policies“ and is either marked or otherwise identified in an agreement and provided to the contractor by or on behalf of the DoD in support of the performance of the agreement, or collected, developed, received, transmitted, used, or stored by or on behalf of the contractor in support of the performance of the agreement.
Also, there is a new definition for covered contractor information system, which is now defined as “unclassified information system that is owned or operated by or for a contractor and that processes, stores, or transmits covered defense information.”
Using Incident Response Platform for Efficient and Quick Reporting
There is a lot of data and different types of information that go into a cyber incident report. While -on the technical side- there is an ongoing discussion on which taxonomy should be used for effective reporting, strategists are in agreement that creating a proper cyber incident report that complies with the above-mentioned requirements is not an easy task, and it might take a lot of time and resources to do it.
However, there are various solutions designed for this exact purpose, that can help contractors save a lot of time and money by automatically gathering all the necessary information following an incident and creating reports that can help during investigations.
For instance, all entities that the DoDs Final Rule on Cyber Incident Reporting applies to can get a lot of use out of a software with KPI report summary capabilities, creating information summaries for all incidents under previously specified user criteria.
Also, such a software should be able to create custom reports that can be invoked by the user, employing previously created custom templates, complying with most cyber incident reporting standards and requirements worldwide, not only in the United States.
Is the Existing Vendor Supply Chain Ready for This?
In general, I personally think there is still a consistent number of companies -that are part of the IT supply chain- which is not ready for such regulations. On the other hand, vendor risk management is quickly becoming part not only of the Government system but also of the business practice. So breach notification policies shall be globally followed as part of it. The main risk is that will be interpreted as a compliance task, not a security one. Thus, the real challenge will be creating value out of such compliance task. My personal experience suggests me that value can be created only in two ways: by providing the correct information (in a timely and standard manner) and by sharing them. Time will tell.