Discussions about security breaches often focus on the planning elements, but simply talking about planning is not enough. Comprehensive plans need to be drawn up, fully executed and regularly reviewed in order to be successful. This is the only way to potentially contain the breach and limit the impact it could have on the organization. Properly planning and implementing is the difference between success and failure for companies when it comes to security and incident response.
As the ever-evolving cyber security landscape poses new challenges, companies are pushed even more to fight back the growing number and even more sophisticated levels of cyber attacks. Organizations across all sectors and industries are potential targets and could become victims at any time. With attacks escalating in all areas, whether via phishing or malware, for example, security operations teams need to be prepared to respond to existing and new types and strains of threats, in order to fully defend and protect their company assets and networks.
Along with prevention becoming increasingly difficult for security teams, some organizations also tend to have a weakness when it comes to incident response. Below outlines some of the main reasons why this failure is happening today and if this a true representation of your organization, it is important for action to be taken in order to improve it.
With the number of sophisticated cyber threats in the past several years growing at a phenomenal rate, the security industry has been facing an explosion of security tools available in the market. Many of these though have adversely resulted in creating more tasks for security teams and analysts in terms of monitoring, correlating, and responding to alerts. Analysts are pushed to work on multiple platforms and generate data from every single source manually, while afterwards then needing to enrich and correlate that data which can take many hours or even days.
Security budgets are often limited, and while it is often easier to gain support and approval for additional security apps and tools than it is for additional staff members, this means that many security teams often are forced to search innovative ways to perform many different tasks with extremely limited personnel resources.
Another important point to note is that with increased market competition for experienced and skilled analysts, companies are often forced to choose between hiring one highly skilled staff member versus a couple of less experienced, junior level ones.
Over the years, organizations have witnessed an increasing number of security tools to fight back the growing number of security threats. But even though these tools manage alerts and correlate through security information and management system, security teams are still overwhelmed by the volume of alerts being generated and in many instances are not physically able to respond to them all.
Every single alert must be verified manually and triaged by an analyst. Then, if the alert is determined to be valid, additional manual research and enrichment must take place before any other action to address the threat. While all of these processes take place, other potential alerts wait unresolved in a queue, while new alerts keep being added. The problem is, any one of these alerts may be an opportunity window for an attacker while they wait to be addressed.
Risk of Losing Skilled Analysts
Security processes are performed manually and are quite complex in nature, therefore training new staff members takes time. Organizations still rely on the most experienced analysts when it comes to decision making, based on their knowledge and work experience in the company, even with documented procedures in place. This is commonly referred to as tribal knowledge, and the more manual the processes are, the longer the knowledge transfer takes. Moreover, highly qualified analysts are considered a real treasure for the company, and every time a company loses such staff member, part of the tribal knowledge is also lost, and the entire incident response process suffers a tremendous loss. Even though companies make efforts to keep at least one skilled analyst who is able to teach other staff members the skills they have, they aren’t always successful in that.
Failure to Manage Phases
Security teams work with metrics that could be highly subjective and abstract, compared to other departments which often work with proven processes for measuring the effectiveness or ineffectiveness of a program. This is largely due to the fact that conservative approaches and methods for measuring ROI aren’t applicable, nor appropriate when it comes to security projects, and might give misleading results. Proper measurement techniques are of utmost importance when it comes to measuring the effectiveness and efficiency of a security program, therefore it is necessary to come up with a measurement process customized according to the needs of the company.
Another important issue that should be mentioned here is the one concerning the management of different steps of the incident response process. Security incidents are very dynamic processes that involve different phases, and the inability to manage these steps could result in great losses and damages to the company. For the best results, companies should focus on implementing documented and repeatable processes that have been tested and well understood.
In order to resolve these issues, organizations should consider the following best practices.
The coordination of security data sources and security tools in a single seamless process is referred to as orchestration. Technology integrations are most often used to support the orchestration process. APIs, software development kits, or direct database connections are just a few of the numerous methods that can be used to integrate technologies such as endpoint detection and response, threat intelligence, network detection, and infrastructure, IT service and account management.
Orchestration and automation might be related, but their end goals are completely different. Orchestration aims to improve efficiency by increased coordination and decreased context switch among tools for a faster and better-informed decision-making, while automation aims to reduce the time these processes take and make them repeatable by applying machine learning to respective tasks. Ideally, automation increases the efficiency of orchestrated processes.
Strategic and Tactical Measurement
Information in favor of tactical decisions usually consists of incident data for analysts and managers, which might consist of indicators of compromise assets, process status, and threat intelligence. This information improves decision-making from incident triage and investigation, through containment and eradication.
On the other hand, strategic information is aimed at executives and managers, and it’s used for high-level decision making. This information might comprise statistics and incident trends, threat intelligence and incident correlation. Advanced security programs might also use strategic information to enable proactive threat hunting.
If these challenges sound familiar within your security operations team, find out how DFLabs’ Security Orchestration, Automation and Response solution can help to address these to improve your overall incident response.
Performing threat hunting and incident response on live hosts, collectively referred to here as live analysis, can be a complicated task. When performed properly, they can detect and preserve volatile artifacts, such as network connections, running processes, hooks and open files, which may be the only evidence of today’s advanced attacks. Live analysis may also be the only option when taking a host offline for traditional disk forensics is not an option, such as with business-critical application servers or domain controllers. However, if performed improperly, they can alert attackers to your presence, destroy critical information or render any evidence gathered inadmissible in legal proceedings.
Live forensics and live threat hunting
Live forensics and live threat hunting begin as two different processes. When performing live forensics, we typically start with a pivot point; something has already been detected as anomalous which has prompted us to examine the host. During live threat hunting, we are seeking that anomaly, that indicator of potential malicious activity, to use as a pivot point for further investigation. Once that initial indicator has been discovered, the traditional incident response process, often involving further live forensics begins.
Performing live analysis poses several unique challenges when compared to traditional offline disk forensics. Although any forensic process must be documented and repeatable, these attributes are especially important when performing live analysis. Unlike offline disk forensics, where the original evidence should theoretically remain static and unchanged, live evidence is constantly changing. In fact, we are changing the live evidence by performing live forensics. Although the live analysis process is repeatable, it cannot be repeated while achieving exactly the same results; processes start and end, network connections are terminated, and memory is re-allocated. This means that our live analysis processes must be able to stand up to increased scrutiny.
Because live analysis involves executing commands on a running host, it is crucial that the process is also performed in a secure manner. Only trusted tools should be executed. Each tool and the commands used to execute them should be tested prior to being executed during a live analysis to ensure that the results are known and only the intended actions occur. It is also important to ensure that the tools and commands you tested are the same ones being executed during each live analysis situation.
On Friday, September 7th, I will be speaking at the SANS Threat Hunting and IR Summit in New Orleans regarding some of the challenges and best practices when performing threat hunting and incident response on live hosts. I will also be demoing DFLabs free tool, the No-Script Automation Tool (NAT), which can be used to assist in the live data acquisition process. If you have not had a chance to see NAT, please check out our blog post here, and our demo video here.
Also, find out which top cyber security events DFLabs will attend this fall.
I hope to see you all at the SANS Threat Hunting and IR Summit soon. Safe travels and avoid the storm!
SANS recently released their 2018 SOC Survey and many of their findings were of no surprise to anyone who has been responsible for maintaining their organization’s security posture. Many respondents reported a continued breakdown in communication between NOC and SOC operations, lack of dynamic asset discovery procedures, and event correlation continues to be a manual process even though SOC staffing is being worn thin by the surmounting responsibilities they have to take on.
Why Measuring SOC-cess Matters?
Anyone who has been a part of a security team knows these issues are an everyday battle, but those “common” issues were not what caught me off guard. The most shocking statistic I gathered from this survey is that only 54% of respondents reported that they are actively using metrics to measure their SOC’s success! I was taken aback by this finding and couldn’t help but wonder if all the other reported SOC deficiencies could be directly related to this missing link?
I have been in the security industry for close to ten years, most of which was spent as a SOC analyst and SIEM engineer for a large MSSP. It was my responsibility to be an extension of my client’s security arm and those clients ranged from large Fortune 500 companies to small family owned businesses. Each client was unique, what one found to be important, another thought of as noise. The diversity between each of these clients taught me early on how important it is to understand what their definition of success was so that I may help them to not only achieve their security goals but to assist them in staying ahead of today’s rapidly expanding threat landscape.
This diversity also taught me another valuable lesson: not all security programs are created equally. Naturally, my larger clients had a more mature security posture, they knew what they wanted and what it would take to get them there, and they had the funding to back it up. Unfortunately, some of my smaller clients were not as lucky. They were severely understaffed, their IT department was the Security department, they lacked adequate funding to stay ahead of the ever-growing security curve, and in many cases, the measurement of success resembled a game of whack a mole.
Does this sound familiar? If the answer is yes, you can rest assured that you are not alone. Even the most secure, highly funded organizations have struggled with these obstacles. However, I believe one of the biggest differences between these organizations and the organizations striving to be like them isn’t directly due to the lack of funds, but instead the metrics they are using to show value in what they are trying to accomplish.
Don’t get me wrong, funding is and always will be an obstacle that organizations, large or small, will have to overcome when trying to build and maintain a security program. But the larger and more dangerous obstacle is the one we are creating for ourselves by not measuring and monitoring our security strengths and weaknesses through a strong security metrics program.
This type of security program will be as different as the organization it aims to define. To truly understand what success looks like for you there are a few recommended tasks, that when completed, will give you a greater understanding of your environment and a strong foundation for your security metrics program.
How to enhance your security program
- Conduct a risk assessment
A risk assessment is meant to help identify what an organization should be protecting and why. A successful assessment should highlight an organization’s valuable assets and showcase how they may be attacked and what would be at stake if an attack is successful. Armed with the results of this assessment, organizations can not only begin to address their deficiencies but now have a solid set of metrics that they can use to measure their success as they move forward.
- Perform vulnerability assessments
Vulnerability assessments are another vital security tool which is designed to detect as many vulnerabilities as possible in an environment, and aid security teams in prioritizing and remediating the issues as they are uncovered. All organizations regardless of maturity will benefit from these types of assessments, but organizations with a low to medium security posture may benefit the most. The result of these assessments will help give greater definition to what an organization’s metrics should consist of and what steps are necessary for continued success.
- Adopt a security framework
Even if you are not held to a compliance standard, adopt a security framework anyway. I understand that choosing a framework to model form does not guarantee an organization’s safety, but it is proven that those organizations who adopt a standard have a higher security maturity and are more likely to identify, contain, and recover from an incident faster than those who do not follow security program’s best practices. These frameworks, in conjunction with the security assessments mentioned above, were built to give organizations a blueprint of how to best protect their environment and measure their successes.
I sincerely believe in the value of a rich metrics program and have seen first hand what it can do for an organization. With the level of sophistication in today’s cyber attacks and the environments they target, we can no longer afford to leave our security up to chance. It is my hope that when SANS publish their SOC Survey for 2019, that we have taken the steps necessary to change this statistic because I know as an industry we can do better.
If you want to read more about KPIs and the metrics that we suggest should be set, monitored and measured for a more efficient and effective security program, read our white paper titled “Key Performance Indicators (KPIs) for Security Operations and Incident Response”.
Cyber Security Incidents: The Problem and Challenges
Cyber security incidents are complex, potentially involving numerous assets being monitored by a myriad of different prevention and detection technologies. Investigating a cyber security incident requires the involvement of many different people, processes and technologies, all of which must work together seamlessly for an effective and efficient response. Failure to properly orchestrate these many moving parts can lead to increased risk, exposure and losses.
During a cyber security incident, context is key. Without proper context, analysts and managers are unable to make informed decisions regarding potential risk, containment, and recovery. Providing this necessary context can be a manual, time-consuming tasks, wasting valuable time as attackers continue to move throughout the network unobstructed.
Therefore, it is critical for security programs to implement an overall solution that aims to solve three key challenges:
- How can I use my existing resources more effectively?
- How can I reduce the mean time to detection (MTTD)?
- How can I reduce the mean time to response (MTTR)?
Combine the Power of LogPoint SIEM with DFLabs SOAR to Enable Faster and More Efficient Cyber Security Incident Response
The DFLabs and LogPoint Solution
DFLabs IncMan Security Orchestration, Automation, and Response (SOAR) platform automates, orchestrates and measures security operations and incident response tasks including threat validation, triage and escalation, context enrichment and threat containment. IncMan uses machine learning and Rapid Response Runbooks (R3 Runbooks) as a force multiplier that has enabled security teams to reduce average incident resolution times and increase incident handling.
LogPoint’s SIEM system is designed from the ground up to be simple, flexible, and scalable, providing a streamlined design, deployment, and integration tools to open the use of SIEM tooling up to all businesses. This means that the architecture can be continuously extended with additional functionality without the need for a full major release, to continue to support your business’s growing and changing needs.
Each as their standalone solution has their merits but also have their limitations. SIEMs are traditionally more commonly used within security operations infrastructure, ingesting large volumes of data, providing real-time analytics while generating alerts, but not all of these alerts can realistically be handled manually by security analysts. Orchestration and automation are critical components in responding effectively and efficiently to a cyber security incident. DFLabs IncMan SOAR platform is layered on top of the SIEM to manage the incident response process to each alert. Combing the aggregation, storage and analytics power of LogPoint with the orchestration, automation and response power of IncMan drastically multiplies the impact of the existing security program by removing the analyst from the repetitive, mundane tasks, allowing analysts to focus their time and energy where they can have the greatest impact.
Together they can provide security programs with the ability to:
- Automate repeatable, mundane tasks.
- Orchestrate actions across multiple security tools.
- Enrich raw data, allowing for more informed, effective decisions.
- Reduce the mean time to detection and mean time to response, minimizing potential risk.
Use Case in Action
A proxy has observed an internal host communicating with an IP address which is known to be a command and control server used by malicious actors. The proxy generated an alert, which was forwarded to LogPoint. Using the IncMan app, Logpoint automatically forwarded the event to IncMan, which automatically generated an incident and began an automated response, including executing the R3 Runbook shown below.
The runbook begins by performing several basic Enrichment actions, such as performing a Whois query and an IP geolocation search. These Enrichment actions are followed by a Containment action, which is used to block the malicious IP address at the perimeter firewall.
Once the initial IP address is blocked, an additional Enrichment action is used query LogPoint for a list of all IP addresses the internal host has communicated within the past 30 minutes. Next, an Enrichment action is used to query each of these IP addresses against the organization’s threat reputation service of choice (for example, VirusTotal, Cisco Umbrella or McAfee ATD).
Any IP addresses which have a negative reputation will undergo a similar process to the initially identified malicious IP address; first utilizing several Enrichment actions to perform basic data enrichment, then being blocked at the perimeter firewall using a Containment action.
Once these IP addresses have been blocked to prevent any additional risk, LogPoint is again queried; this time for any other internal hosts which may have been communicating with these additional malicious IP addresses.
If any other internal hosts have been observed communicating with any of these additional malicious IP addresses, a final Enrichment action will be used to gather further information regarding each internal host from the IT asset inventory. This information will be automatically stored within the IncMan Incident and will be available for an analyst for review and follow up.
To ensure that each additionally potentially compromised internal host is further investigated by an analyst, a Notification action is used to immediately notify security team leaders about the identification of these additional potentially compromised hosts. If the organization were utilizing an IT ticketing system, an additional integration could be used to automatically generate an IT ticket to ensure additional accountability.
Minimizing the time from threat discovery to resolution from hours to seconds
The combination of a SIEM and a SOAR solution can provide real end-to-end visibility to neutralize potential cyber threats. By providing early detection and faster remediation of security incidents it can totally transform the security operations and incident response capability of any organization’s security program. Adopting this structure will inevitably minimize the time from threat discovery to resolution but can also have a positive impact on many other factors including improved operational performance, increased return on investment of existing security technologies, reduced risk resulting from security incidents while meeting legal and regulatory compliance.
I can remember sometime around late 2001 or early 2002, GREPing Snort logs for that needle in a haystack until I thought I was going to go blind. I further recall around the same time cheering the release of the Analysis Console for Intrusion Databases (ACID) tool which helped to organize the information into something that I could start using to correlate events by way of analysis of traffic patterns.
Skip ahead and the issues we faced while correlating data subtly changed from a one-off analysis to a lack of standardization for the alert formats that were available in the EDR marketplace. Each vendor was producing significant amounts of what was arguably critical information, but unfortunately all in their own proprietary format. This rendered log analysis and information tools constantly behind the 8-ball when trying to ingest all of these critical pieces of disparate event information.
We have since evolved to the point that log file information sharing can be easily facilitated through a number of industry standards, i.e., RFC 6872. Unfortunately, with the advent of the Internet of Things (IoT), we have also created new challenges that must be addressed in order to make the most effective use of data during event correlation. Specifically, how do we quickly correlate and review:
a. Large amounts of data;
b. Data delivered from a number of different resources (IoT);
c. Data which may be trickling in over an extended period of time and,
d. Data segments that, when evaluated separately, will not give insight into the “Big Picture”
How can we now ingest these large amounts of data from disparate devices and rapidly draw conclusions that allow us to make educated decisions during the incident response life cycle? I can envision success coming through the intersection of 4 coordinated activities, all facilitated through event automation:
1. Event filtering – This consists of discarding events that are deemed to be irrelevant by the event correlator. This is also important when we seek to avoid alarm fatigue due to a proliferation of nuisance alarms.
2. Event aggregation – This is a technique where a collection of many similar events (not necessarily identical) are combined into an aggregate that represents the underlying event data.
3. Event Masking – This consists of ignoring events pertaining to systems that are downstream of a failed system.
4. Root cause analysis – This is the last and quite possibly the most complex step of event correlation. Through root cause analysis, we can visualize data juxtapositions to identify similarities or matches between events to detect, determine whether some events can be explained by others, or identify causational factors between security events.
The results of these 4 event activities will promote the identification and correlation of similar cyber security incidents, events and epidemiologies.
According to psychology experts, up to 90% of information is transmitted to the human brain visually. Taking that into consideration, when we are seeking to construct an associational link between large amounts of data we, therefore, must be able to process the information utilizing a visual model. DFLabs IncMan™ provides a feature rich correlation engine that is able to extrapolate information from cyber incidents in order to present the analyst with a contextualized representation of current and historical cyber incident data.
As we can see from the correlation graph above, IncMan has helped simplify and speed up a comprehensive response to identifying the original infection point of entry into the network and then visual representing the network nodes that were subsequently affected, denoted by their associational links.
The ability to ingest large amounts of data and conduct associational link analysis and correlation, while critical, does not have to be overly complicated, provided of course that you have the right tools. If you’re interested in seeing additional capabilities available to simplify your cyber incident response processes, please contact us for a demo at [email protected]
Small businesses may not be the first thing that comes to people’s minds when talking about prime targets for cyber attackers. This is because government agencies, corporations, along with organizations and companies that are part of a country’s critical infrastructure are much more coveted targets, due to the high reward potential associated with them – both in terms of financial gains and retrieving confidential information. However, data breaches and other types of cyber incidents have recently become a common occurrence for many small businesses. Hackers are increasingly trying to gain access to the emails and acquire personal and other confidential information of their employees that are in charge of handling the companies’ finances.
One of the reasons why small businesses are seeing a rise in cyber attacks and data breaches is that cyber criminals have become increasingly aware of the fact that hacking into a small business’ computer network is fairly easy, in part due to the low cyber-security awareness of their employees. Additionally, the cyber defense programs and solutions that small businesses utilize are weak or even non-existent, thus making them easy prey despite not having a particularly high financial reward potential for cyber criminals. Lastly, small businesses have adapted to cloud services to conduct a large portion of their operations, and most cloud providers offer data encryption, making them extremely vulnerable to cyber threats.
What Criminals Are After
In most cases, the typical cyber attack on a small business’ computer network aims to retrieve a company’s financial information, employee records, customer records, as well as customer credit or debit card information, which they could later use to steal company funds, commit financial fraud, identity theft, or extortion.
The most common types of cyber security events faced by small businesses include phishing, SQL injections, malware, ransomware, DDoS attacks, and web-based attacks. The first line of defense against these attacks are a company’s employees. They need to go through cyber-security training to be able to recognize and detect a cyber threat – with statistics showing that a large part of data breaches are related to employee inattention.
Security Automation Is the Next Line of Defense
While cyber-security training for employees is something that every company needs to provide in this age of constant threat of cyber attacks, that alone is not enough to protect businesses against all potential cyber security incidents. Raising employee cyber-security awareness should be followed up by implementing appropriate solutions aimed at detecting, tracking, and eradicating cyber security incidents. In that regard, small businesses could use a security automation and orchestration platform, which can greatly reduce their reaction time following a cyber incident, and prepare them for more timely detection and prevention of future attacks.
Such a platform can help you protect customer and employee information, as well as valuable financial information, since it is capable of assessing the scope of the incident, identifying the affected device or devices, and containing the damage, by providing complete reports on the damages occurred, in addition to providing specialized rules and strategies that allow cyber-security professionals to react much more quickly and effectively to eradicate the incident. These types of platforms are the most straightforward and effective solution for small businesses’ concerns regarding cyber threats, which they are only going to see more of in the near future.
In March, the U.S. Office of Management and Budget (OMB) released a report on the cyber performance of federal agencies, revealing that a total of 30,899 cyber incidents were reported by them in fiscal 2016. The OMB states that this is an alarming figure and that it indicates that there are significant gaps in the cyber defenses of federal agencies across the country.
According to the report, federal agencies have made good progress in improving their cyber defenses last year, but are still quite vulnerable to cyber attacks and need to ramp up their efforts for protecting their networks and data. Of the almost 31,000 incidents in 2016, a total of 16 have been designated as major incidents, which means they had the potential to threaten national security, the economy, civil liberties, or relations with foreign countries. With this in mind, federal agencies need to keep stepping up their efforts for strengthening their defense against cyber attacks.
Detecting and Preventing Malware and Phishing Attacks
Given that the report states the vast majority of cyber incidents reported by federal agencies involved phishing attacks and malware infections, they are now advised to look into improving their capabilities to respond to these types of attacks and detect and prevent them in the future. There are a couple of ways this can be done. When talking about cyber incident response, one of the most cost-effective and efficient solutions is employing an automation-and-orchestration cyber incident response platform, capable of keeping cyber security events under control, mitigating risks and improving an organization’s ability to prevent future attacks.
These platforms have wide-ranging features that give Computer Security Incident Response Teams (CSIRTs) the opportunity to detect, track and predict cyber security breaches immediately. There are platforms that can help reduce reaction times when responding to an incident, through the employment of automated playbooks designed to accelerate the response to specific types of attacks – such as malware or phishing attacks, which are often faced by government agencies.
Integrated Knowledge Base to Guide You Through the Response Process
Through the use of those playbooks, as well as the available integrated knowledge base, cyber security professionals can quickly identify where an attack is coming from and determine the location of the infected or breached device or part of the network, and follow that up with the containment of the damage to prevent it from spreading.
What’s more, these types of platforms can create automatically generated reports on every incident, in addition to collecting digital evidence for forensic investigations, allowing for the quick notification of law enforcement and provide them with the necessary documentation, thus complying with data breach notification and reporting regulations.
This approach can increase cyber security teams’ ability to resolve incidents in a timely manner and prevent government agencies from losing valuable and sensitive data that could be used by attackers for ransomware or to damage the country’s critical infrastructure.