The terms security automation and security orchestration are often used almost interchangeably nowadays in the IT ecosystem. But it’s very important to note that these terms have completely different meanings and purposes. The aim of this blog is to discuss the core differences by explaining what these terms mean exactly, what their functions are and how they can be used within an IT context.
When automation emerged in the security field, it became a crucial asset for security teams that were already exhausted from time-consuming, repetitive, low-level tasks. Orchestration was the next step for better time and resource management for teams, as it helped professionals respond to issues faster, and prioritize important tasks with defined and consistent processes and workflows.
Security orchestration vs. security automation – the difference
When we speak about automation, it’s often wrongly assumed to mean automating an entire process, which is not always correct. The proper definition of security automation is setting a single security operations-related task to run on its own, without the need for human intervention (or a task could be semi-automated if some form of human decision is required).
On the other hand, orchestration, in essence, refers to making use of multiple automation tasks across one or more platforms. This means that automation tasks are part of the overall orchestration process, which covers larger, more complex scenarios and tasks. With this being said, we can say that orchestration means the automated coordination and management of systems, middleware, and services. Security orchestration uses multiple automated and semi-automated tasks to automatically execute a complex process or workflow, and these can consist of multiple automated tasks or systems.
Security Orchestration aims to streamline and optimize repeatable processes and ensure correct execution of tasks. Anytime a process becomes repeatable and tasks can be automated, orchestration can be used to optimize the process and eliminate redundancies.
Automation and orchestration can be best understood by differentiating between a single task and a complete process. Automation only handles a single task, while orchestration makes use of a more complex set of tasks and processes. When a task is automated, it speeds things up, especially when it comes to repeating basic tasks. But optimizing a process is not possible with simple automation, as it only handles a single task. A process is not limited to a single function, so optimization is only possible with orchestration. If done right, orchestration achieves the main goal of speeding up the entire process from start to finish.
By now, we believe you’re aware of the core difference of security automation vs security orchestration, but bare in mind that these two are not completely inseparable and are used in conjunction with each other. As we’ve been discussing so far, security orchestration is not possible without automation. Now let’s go through the main benefits of both orchestration and automation:
Automation makes many time-consuming tasks run smoothly without (or with little) human intervention, thus allowing organizations to take a more proactive approach in protecting their infrastructure from increasing volumes of security alerts and potential incidents, which would take far too many man-hours to be able to complete.
The primary goal of orchestration is to optimize a process. While security automation is limited to automating a particular task, orchestration goes way beyond this. With automation providing the necessary speed to the processes, orchestration, on the other hand, provides a streamlined approach and process optimization.
What happens when these two work together?
- Better utilization of assets, allowing the organization to be more efficient and effective
- Improved ROI on existing security tools and technologies
- Increased productivity – all tasks are automated and orchestrated between themselves
- Reduced security analyst fatigue from alert and task overload
- Processes remain consistent due to standardization of activities.
Orchestration and automation work together to empower security teams, allowing them to be more effective, and ultimately focus on incident analysis and important investigations, rather than on manual, time-consuming and repetitive tasks. Having all of the tools to hand within a centralized, single and intuitive orchestration platform can only benefit your security operations team. This ultimately means more time for analysts and incident respondents to focus on issues that require a level of human intervention for a higher level of investigation for mitigation and remediation.
Both of these concepts: security automation and security orchestration relate to each other, and it’s often very difficult to differentiate between them. As we discussed in detail regarding this confusion, one last piece of advice would be to look at these in their fundamental difference, which lies in their varying individual goals. Automation is all about codification and orchestration is all about systematization of processes. The adequate differentiation between these two principles will help you to achieve a streamlined and accurate execution of your incident response processes and tasks.
Attending face-to-face events does wonders for career networking and acquiring knowledge, plus it’s always incredibly helpful to see the latest advancements in technology first-hand, view a new tool in action, or simply get some answers to questions you have from industry experts.
This becomes even more important if your organization wants to stay up to date with the latest security trends and ahead of the ever-evolving cyber threats, especially with such a quickly evolving threat-landscape we are faced with today. If this is the case, then attending these top-notch cyber security conferences in the months ahead should be a priority for you and your security team, whether you are a C-level executive, a security operations manager or security analyst, there will be something there to benefit you.
There are a growing number of events taking place around the globe with cyber security as its main focus this fall. These gather tech enthusiasts, developers, pioneers, security experts, and many other masterminds, all at the same venue with a single goal in mind – to improve their cyber security ecosystem. Picking the conferences and summits a company should attend may be a real challenge as there are so many to choose from and this is exactly why we prepared a quick guide on some of the most exciting events to be at, large and small alike. It’s not too late to plan your travel!
So, here’s the lineup of our top-rated cyber security events where DFLabs will be present, that will give you the opportunity to chat with your peers, attend presentations and hear keynotes, engage in discussions about the dark web, cyber espionage, malware and more importantly, incident response and how to detect, respond to and remediate potential security incidents, as well as many other topics.
6-7 September 2018, New Orleans, US
This two-day in-depth summit is focused on the latest in threat hunting and incident response techniques that can be used to successfully identify, contain and eliminate adversaries targeting your networks. The summit will put special focus on the effectiveness of threat hunting in reducing the dwell time of adversaries, providing actionable threat hunting strategies, as well as tools, tactics, and techniques that can be used to improve the defense of companies’ organization. Our Senior Product Manager, John Moran, will also be speaking on the subject of “Threat Hunting Using Live Box Forensics”.
13-14 September, 2018, Warsaw, Poland
The SCS conference consists of presentations from leading world authorities in the cyber security realm. This conference gathers leading international companies with presentations focused on cyber security, as well as guests from all around the globe, while maintaining a large Polish presence. DFLabs, along with its Polish based partner, Orion Instruments Polska, will be engaging with the audience during live presentations, as well as on the exhibition floor during this 2-day event.
18-19 September, Copenhagen, Denmark
DFLabs is a proud sponsor of Think In 2018, LogPoint’s first ever customers and partners conference. With the recent integration of LogPoint’s SIEM with DFLabs’ SOAR solution, this conference will provide a unique opportunity to connect with both organizations in one place and enable you to ask important questions in relation to how this joint solution can support your business needs. See first-hand a comprehensive joint demonstration during the live briefing sessions regarding how to integrate an effective incident response program combining the power of SIEM and SOAR technology.
18-20 September, Singapore
GovWare is into its 27th year and is the cornerstone event for the Singapore International Cyber Week featuring the latest trends in all things cybersecurity, focused around the Government sector. DFLabs with its partner PCS Security will be showcasing its solutions to “Control Your Cloud”, where you can learn how to create a more efficient and effective response to cyber security incidents.
18-19 September, London, UK
SINET is dedicated to building a cohesive, worldwide cybersecurity community with the goal of accelerating innovation through collaboration. SINET is a catalyst that connects senior level private and government security professionals with solution providers, buyers, researchers and investors. DFLabs is delighted to be participating in and sponsoring this London event to share knowledge and broaden the awareness and adoption of innovative cybersecurity technologies.
9-11 October, Nuremberg, Germany
it-sa is Europe’s largest exhibition for IT security and one of the most important worldwide events where experts will be providing information on current issues, strategies and technical solutions. In partnership with Softshell, DFLabs will be showcasing its latest solution features to enable organizations to transform their security operations, acting as a force multiplier for their security team to decrease the time to detect and resolve incidents.
14-18 October, Dubai, UAE
If you’re talking technology within the Middle East, Africa and Asia, GITEX is the place to be. Right from world-famous industry names to Silicon Valley’s hottest startups, everyone heads to GITEX in anticipation of big business partnerships, future-ready gear and booming success. As the largest technology event in the Middle East, Africa and South Asia, see new technologies and innovation come alive. During GITEX Technology Week, DFLabs will be available with our partner RAS Infotech at booth G02.
If you are attending one or more of these events, or even if your aren’t able to attend and would like to learn more about our ever-evolving Security Orchestration, Automation and Response platform and to improve the performance of your security program, do make sure to get in touch, whether for an informal chat, a more formal discussion or to see a live demo.
We look forward to hearing from you and seeing you there!
Regardless of the number of cyber security events you attend, their specific focus, size or location, there are always several important items on the agenda and key takeaways for both security professionals and security vendors alike, which keeps us going back for more.
Cyber security professionals attend these events to gather with people who share the same interest and expertise as they do, to learn about new and upcoming things in the industry, to network and meet people, as well as seek out potential vendor solutions to solve their common day challenges and pain points.
On the flipside, cyber security vendors want to do pretty much the same in terms of hearing about the latest trends and advancements in technologies and solutions, while taking the opportunity to meet and network with like-minded people, as today we tend to largely focus our communications less formally over email and social networks, rather than by using the old-fashioned face to face method. If they can, they will, of course, want to showcase their solution first-hand, so the full benefits can be seen, which isn’t a bad thing, as face to face meetings are becoming somewhat few and far between.
There are literally hundreds happening daily, weekly, monthly on a global scale, too many to possibly count. Conferences and events DFLabs has recently participated in include probably the most renowned event, RSA Conference US in San Francisco, as well as last week’s GISEC event in Dubai, which were great successes, meeting with new prospects, existing customers, as well as channel and technology partners. If you didn’t get a chance to meet up with us then, feel free to drop us a line.
So how do you choose which ones to attend? This will depend on a number of deciding factors personal to you, including your agenda, the event program, what you want to achieve, size, location, cost of attending, as well as what fits in with juggling your busy schedule and availability. If Security Orchestration, Automation, and Response (SOAR) is a high priority on your list, these are some of the events to look out for and plan to attend in the next few months.
Upcoming Events: 5-7 June, London, UK
Coming into its 23rd year, Infosecurity Europe continues to be the main hub for cyber security professionals to gather and meet in the city once a year, featuring a comprehensive conference program with a large host of exhibitors. With nearly 20,000 expected visitors, it is a huge networking opportunity for most, so don’t forget to register here.
With only 4 weeks to go, contact me to schedule a date and time in your diary now to meet with one of the DFLabs team. If you don’t like the hustle and bustle of the expo floor, not a problem, we would be happy to meet in a quieter setting outside of the conference hall.
Upcoming Events: 26-28 June, Marina Bay Sands, Singapore
ConnectTechAsia consists of three events encompassing CommunicAsia, BroadcastAsia and its latest addition NXTAsia. Covering the entire spectrum of communication, broadcast, and enterprise technology and services it is where technology ideas and business converge.
Meet DFLabs at NXTAsia where you can visit us on stand #5H2-08 to learn more about how to leverage your existing security operations tools with Security Orchestration, Automation and Response (SOAR) technology. Also listen to our VP of Engineering, Andrea Fumagalli to hear more about the benefits of utilizing a SOAR solution in the NXTAsia Theatre on 28th June at 15:15. Save the date, register now and ensure you reach out to us to arrange to meet up.
The SANS Institute is one of the most trusted and largest sources for information security training and security certification in the world, with over 165,000 members. Established in 1989 as a cooperative research and education organization, it is now home to the largest collection of research documents about various aspects of information security. Hosting a number of summits, it educates delegates on a vast number of topics including Security Awareness, Cyber Threat Intelligence, and Security Operations to name a few.
DFLabs will be sponsoring the Security Operations Summit at the end of July, where you will be able to meet with us, as well as listen to our Lunch and Learn session hosted on Day 1. John Moran, Senior Product Manager from DFLabs will also be speaking at the Threat Hunting and Incident Response Summit in September on the topic “Threat Hunting Using Live Box Forensics”, so save the dates in your diaries. More information and event details are available here.
Upcoming Events: 4-9 August – Las Vegas, US & 3-6 December – London, UK
Black Hat is one of the most technical global information security event in the world, running for 20+ years. It provides attendees with the very latest research, development, and trends driven by the needs of the security community in the form of briefings and trainings. You can meet some of the friendliest hackers here!
DFLabs has a booth at both events and will be networking on the floor throughout. Visit us in Vegas at booth #2329 within the Innovation City, or in London later in the year at booth #1010. Learn more and arrange to meet us, whichever side of the pond you are on.
There will be many other upcoming opportunities to meet up with us throughout the year, but if you are attending one of these events this summer and would like to organize something ahead of time, please do get in touch to arrange a suitable time and a place. We look forward to meeting you. Or alternatively why wait? Arrange for an informal chat and a demo today.
The cyber security industry today offers a wide variety of solutions aiming to mitigate attacks that are becoming more common and more sophisticated, making it increasingly difficult to detect, manage and respond to breaches as effectively and as efficiently as possible. But, the fact alone that there is no shortage of potential solutions out there to choose from, doesn’t make the challenge of having to deal with the overwhelmingly frequent and complex attacks less grueling. In fact, it can make the task that much more daunting, with the vast pool of tools and platforms available making it difficult for CISOs to decide which solutions to adopt, considering that there is rarely one that addresses all the different security elements required, as well as the specific organizational needs, such as affordability and ease of implementation and management.
With that in mind, it’s safe to say that a solution capable of covering as many angles of the cybersecurity spectrum as possible would serve well to organizations being faced with data breaches on a regular basis. It’s exactly that ability to cover multiple aspects of an organization’s cybersecurity defense that makes DFLabs’ IncMan stand out from the crowd, and one of the factors that helped it to achieve two highly coveted awards at the latest edition of the prestigious GSN Homeland Security Awards.
Holistic Approach to Incident Management and Response
The two platinum awards received by DFLabs were in the Best Continuous Monitoring & Mitigation, and Best Cyber Operational Risk Intelligence Solution categories, respectively. This highlights IncMan’s versatility and ability to save valuable time when responding to an incident and when helping to detect and prevent future attacks.
Computer Security Incident Response Teams (CSIRTs) can benefit immensely from features such as automated collection of threat intelligence, triage, threat containment, as well as processes that help make threat hunting and investigation more efficient. With these types of functionalities, platforms like IncMan help cut incident resolution times drastically and improve the effectiveness of CSIRTs, significantly increasing their incident handling capacity.
The above capabilities that IncMan boasts are in large part a result of the background in law enforcement and intelligence of the people who were involved in creating the platform. These experiences have allowed them to better understand the challenges security teams face when trying to resolve an incident and address their needs in terms of dealing with continuously increasing number of alerts, underlining the necessity of automating certain tasks and adopting an orchestrated approach to incident response. As the nature of cyber security attacks continues to evolve over time, so does the sophistication and capabilities of the platform to ensure organizations always remain one step ahead.
According to Verizon’s Data Breach Investigations report 2017, social engineering was a factor in 43% of breaches, with Phishing accounting for 93% of social attacks.
Our premise is that an incident appears to be a Spear Phishing attempt has been forwarded to the SOC. The SOC team must qualify the incident and determine what needs to be done to mitigate the attack.
We begin our investigation with an incident observable, a fully qualified domain name (FQDN).
We will correlate the FQDN with several external threat intelligence services to assess whether this is truly an ongoing Phishing attempt or a benign false positive. We have used VirusTotal and Cisco Umbrella in this example, but other threat intelligence and malware services could be used instead.
We have 3 different potential outcomes and associated decision paths:
The R3 Runbook
1. The FQDN is automatically extracted from the incident alert and then sent to Cisco Umbrella Investigate for a classification.
2. Depending on the outcome – whether Cisco Umbrella Investigate classifies the FQDN as benign or malicious – we can take one of two different paths.
3. The FQDN will be rechecked with VirusTotal to verify the result. We do this whether the first classification was malicious or benign. At this point we do not know whether one of the two services is returning a false positive or a false negative, so we do a double check.
4. IF both external 3rd party queries confirm that the FQDN is malicious, we have a high degree of certainty that this is a harmful Phishing attempt and can step through automatically to containment. In our example, we automatically block the domain on a web gateway.
5. Alternatively, if only one of the two queries returns a malicious classification, we need to hand the runbook off to a security analyst to conduct a manual investigation. At this point, we cannot determine in an automated manner where the misclassification resides. It could be that one of the services has stale data, or doesn’t include the FQDN in its database. With the ambiguous result, we lack the degree of confidence in the detection to trust executing fully automated containment.
6. If both VirusTotal and Cisco Umbrella Investigate return a non-malicious classification, no further action will be necessary at this point. We will notify the relevant users that the incident has been resolved as a false positive and can close the case for now.
This R3 Phishing Runbook demonstrates the flexibility and efficiency of automating incident response . Incident Qualification is automated as much as is feasible but keeps a human in the loop when cognitive skills are required. It only automates containment when the degree of confidence is sufficient. It eliminates false positives without requiring human intervention.
The EU GDPR will be enforced from May 25th next year. GDPR mandates a wide variety of requirements on how data processors must manage customer and 3rd party data. Although it is not primarily focused on cybersecurity, it does contain vague requirements on security monitoring. This includes that data processors must establish a breach notification procedure, that include incident identification systems, and must be able to demonstrate that they have established an incident response plan.
Further, there is a requirement to be able to notify the supervisory authority of a data breach within 72 hours of becoming aware of a data breach or face a stiff financial penalty. This last requirement is of special interest beyond the impact on data processors. Because it means that for the first time, we will begin having reliable data on European breaches.
Historically, European companies have had no external requirement to be transparent about being affected by a breach. This has had the consequence that we have not had good data or an awareness of how well or badly European organizations are doing when it comes to preventing or responding to security breaches.
I am sure that if like myself, you have worked in forensics and incident response in Europe over the years, you are aware of far more breaches that are publicly disclosed. The only information available is when a breach is disclosed due to the press and law enforcement, or the impact is so great that it can’t be ignored. We also have some anonymized reports from some vendors and MSSP’s, but these are really no more than samples. While not without benefit, these also do not provide a reliable indicator, as the samples are not necessarily statistically representative This provides a false sense of how European organizations are faring compared to other regions and presents a skewed image of European security in general.
The true state of European security is an unknown and has been difficult to quantify. I have seen German articles for example that have claimed that German Security is better than the rest of the world because there are less known breaches. The absence of evidence is of course not evidence of absence. Something that has not been quantified cannot be said to be good or bad. More importantly, if you do not measure something, it cannot be improved.
It will be interesting to see whether GDPR will force European organizations to place more focus on Incident Detection and Response, and give us insight into the true state of European security.
Let me start by saying that total prevention is not attainable with today’s technology. Whether through negligence or ignorance, any data stored on a network is subject to unauthorized access by 3rd parties. Instead, we must combine Prevention with Detect and Respond. We know we are going to get breached, so we must focus on the how we deal with that.
One significant activity that can improve cyber incident response and enable the timely mitigation of threats is the transfer of knowledge after an incident as part of a formalized “Lessons Learned” phase of the incident response life cycle. Integrating successful processes and procedures from previously successful incident response activities can play a critical role in determining whether a business will suffer in terms of operational integrity, reputation and legal liability. A publicized security breach will lower customer confidence in the services offered by an organization as well as call into question the safety of their sensitive 3rd party information. This impacts a business credibility and translates directly into lost revenue.
In regulated industries, increased regulatory scrutiny is an additional consequence of a breach. This involves evaluating if the tools and procedures used in responding to security threats were sufficient. Integrating lessons learned into existing and future incident response playbooks ensures that the proper technologies and processes are deployed, and avoids accusations of gross negligence, expensive and time-consuming investigations and regulatory demands.
Procedural improvements can be incorporated into incident workflows via incident playbooks and ensure that all stages of the incident response process have been acknowledged and addressed. It also ensures that required security measures and procedures are documented and relevant stakeholders informed of their roles in case of an incident.
This process can be augmented through machine learning. Applying machine learning to this problem requires that all relevant data associated with incidents are analyzed and automatically applied to future incidents. DFLabs recently released DF-ARK machine learning capability to do precisely this. Our patent-pending Automated Responder Knowledge (DF-ARK) module applies machine learning to historical responses to threats and recommends relevant runbooks and paths of action to manage and mitigate them. DF-ARK requires sufficient training data – it begins with no knowledge, but learns from the experience and actions of your security team, becoming more effective over time. DF-ARK implements supervised case-based reasoning machine learning.
It also involves combining automated workflows and manual procedures to keep a human in the loop. This can be constantly improved by applying new observations and data, to fine tune existing methods and procedures identified in the lessons learned phase.
IncMan offers the R3 Rapid Response Runbook engine and Dual Mode playbooks to facilitate this. R3 Runbooks are created using a visual editor and support granular, stateful and conditional workflows to orchestrate and automate incident response activities such as incident triage, stakeholder notification, data and context enrichment and threat containment. Dual Mode Playbooks support manual, semi-automated and automated actions, meaning that users can automate the action without automating the decision.
Adding all of this together, here are 5 best practices for increasing the effectiveness of incident response via lessons learned:
- Encourage feedback from responders at every level. First, second and third line SOC operators and incident handlers each have a unique perspective that must be incorporated into future response playbooks.
- Review all relevant documentation to ensure compliance. This includes organizational policies or regulatory mandates to ensure any disparities are addressed in future playbooks.
- Chronicle any unanticipated or unusual events to extend procedures to mitigate similar occurrences in the future
- Annotate enhancements to existing processes that were identified during the incident response cycle.
- Designate a business unit or individual to be responsible for making necessary changes to existing playbooks, processes or procedures and to distribute these to stakeholders.
Capitalizing on lessons learned during incident response provides immediate and long-term benefits that contribute crucial time savings necessary to successfully mitigate future threats. Deploying a platform designed to facilitate the rapid inclusion of identified improvements to the incident workflow, such as DFLabs’ IncMan, can not only reduce the time it takes to fully investigate an incident but also reduces the overheads required to do so. If you want more information please contact us at DFLabs for a no obligation demonstration of exactly how we can improve your response time, workflows and remediation activities.
A collaborative environment between IT and security groups is critical. The number of cyber security incidents currently impacting networks and customers is increasing exponentially and mitigating security incidents and risks is more complex than ever before. Timely and effective communication are keys to improved collaboration between all parties involved in the cyber incident response process. One of the simplest and most effective methods to improve communication between all relevant IT and security groups is to deploy a common, shared platform where stakeholders can review and analyze incidents across the entire cyber landscape. A cross-departmental platform enables them to focus on correlating cyber incidents and risks with contextual information relevant to their role and responsibilities plays a significant part in organizational success in this regard.
Incorporating knowledge transfer between disparate business entities often separated both geographically and functionally is essential to facilitate a better understanding of the current IT and security challenges. The preferred method to provide this collaborative environment is via electronic based communication mediums and devices. To tie all of these channels together, an organization should consider deploying a cyber incident response platform, and the platform must be able to integrate these technologies, be it SMS, email or other messaging medium, to cover the broadest range of communication channels to transmit critical information to stake holders.
Another successful strategy that focuses on effectively communicating timely, critical information to relevant stakeholders is via the creation of an incident notification group. IncMan supports the creation of groups of Watchers that are appraised of incidents and activities automatically via SMS, email or an integrated communications system. A Watcher group can ensure that information is properly communicated to the appropriate stakeholder(s). This provides differing stakeholders with the capability of monitoring incidents that may impact business continuity. Additionally, IncMan has integrated communications capabilities comply with industry best practices which recommend having a separate, secure and hardened communications channel if email or other internal communication channels are compromised. This independent messaging capability also provides additional benefits such as asymmetric encryption capabilities.
Leveraging a dedicated solution that can orchestrate the communications to stakeholders standardizes the process of cyber incident response and mitigation and is the key to ensuring a more effective response. If you would like more information or a free no obligation demonstration of how IncMan from DFLabs can more effectively automate and orchestrate your incidents please contact us at [email protected]
The DNA sequence for each human is 99.5% similar to any other human. Yet when it comes to incident response and the manner in which individual analysts may interpret the details of a given scenario, our near-total similarity seems to all but vanish. Where one analyst might characterize an incident as the result of a successful social engineering attack, another may instead identify it as a generic malware infection. Similarly, a service outage may be labeled as a denial of service by some, while others will choose to attribute the root cause to an improper procedure carried out by a systems administrator. Root cause and impact, or incident outcome, are just a couple of the many considerations that, unless properly accounted for in a case management process, will otherwise play havoc on a security team’s reporting metrics.
Poor Key Performance Indicators can blind decision makers
What is the impact of poor KPI’s? All too often the end result leads to equally poor strategic decisions. Money and effort may be assigned to the wrong measures, for example into more ineffective prevention controls instead of improved response capability. In a worst case scenario, poor KPI’s can blind decision makers to the most pertinent security issues of their enterprise, and the necessary funding for additional security may be withheld altogether.
Three best practices are required to address this all too common problem of attaining accurate reporting:
- A coherent incident management process is necessary in order to properly categorize incident activity. Its definitions must be clear, taking into account outliers, clarifying how root causes and impacts are to be tracked, and providing a workflow to assist analysts in accurately and consistently determining incident categorization.
- The process must be enforced to guarantee uniform results in support of coherent KPI’s. Training, quality assurance, and reinforcement are all necessary to ensure total stakeholder buy-in.
- Security teams must have the technologies to support effective incident response and proper categorization of incidents.
There are several ways that the IncMan platform supports the three best practices:
First, IncMan provides a platform to act as the foundation for an incident management program. It provides customizable incident forms allowing for complete tailoring to an organization and the details it must collect in support of its unique reporting requirements. Custom fields specific to distinct incident types allow for detailed data collection and categorization. These custom fields can be coupled with common attributes to track specific data, thereby providing a high level of flexibility for security teams in maintaining absolute reporting consistency across the team’s individual members.
Next, playbooks can be associated with specific incident types, providing step-by-step instructions for specialized incident response activities. Playbooks enforce consistency and can further reinforce reporting requirements. However, playbooks are not completely static, and while they certainly provide structure, IncMan’s playbooks also offer the ability to improvise, add, remove or substitute actions on the fly.
The platform’s Knowledge Base offers a repository for reference material to further supplement playbook instructions. Information collection requirements defined within playbook steps can be linked to Knowledge Base references, arming analysts with added information, for example with standard operating procedures pertaining to individual enterprise security tools, or checklists for applicable industry reporting requirements.
IncMan also includes Automated Responder Knowledge (ARK), a machine learning driven approach that learns from past incidents and the response to them, to suggest suitable playbooks for new or related incident types. This is not only useful for helping to identify specific campaigns and otherwise connected incident activity but can also highlight historical cases that can serve as examples for new or novice analysts.
Finally, the platform’s API and KPI export capabilities enable the extraction of raw incident data, allowing for data mining of valuable reporting information using external analytics tools. This information can then be used to paint a much clearer picture of an enterprise’s security posture and allow for fully-informed strategic decision-making.
Collectively, the IncMan features detailed above empower an organization with the means to support consistency in incident categorization, response, and reporting. For more information, please visit us at https://www.dflabs.com
In incident response, protecting against a targeted attack is like slaying the hydra. For those not familiar with what a hydra is, it is a multi-headed serpent from Greek mythology, that grows two new heads for every head you chop off. A determined attacker will try again and again until they succeed, targeting different attack vectors and using a variety of tactics, techniques, and procedures.
The Snowden and Shadowbroker leaks really drove this home, giving partial insight into the toolkit of nation state actors. What really stuck out to me was the sheer variety of utilities, frameworks, and techniques to infiltrate and gain persistence in a target. Without the leak, would it be possible to reliably determine that all of those hacking tools belonged to a single entity? Would a large organization with thousands of alerts and hundreds of incidents every day be able to identify that these different attacks belonged to a single, concerted effort to breach their defenses, or would they come to the conclusion that these were all separate, unrelated attempts?
Our colleagues in the Threat Intelligence and Forensic analysis industries have a much better chance to correlate these tools and their footprint in the wild – they may discover that some of these tools share a command and control infrastructure for example. A few did have at least an outline of the threat actor, but judging by the spate of advisories and reports that were released after the leaks, not very many actually appear to have achieved this to a great degree. The majority were only able to piece the puzzle together once equipped with a concise list of Indicators of Compromise (IoC) and TTP’s to begin hunting with.
“How does this affect me? We are not important enough to attract the attention of a nation state actor”
Some readers may now be thinking, “How does this affect me? We are not important enough to attract the attention of a nation state actor”. I would urge caution in placing too much faith in that belief.
On the one hand, for businesses in some countries the risk of economic espionage by-nation state hacking has decreased. As I wrote on Securityweek in July, China has signed agreements with the USA, Canada, Australia, Germany and the UK limiting hacking for the purpose of stealing trade secrets and economic espionage. However, this does not affect hacking for national security purposes, and it will have little impact on privately conducted hacking. These are also bilateral agreements, and none exist in other nations, for example, Russia or North Korea. For militarily and economically weaker nation states, offensive cyber security is a cheap, asymmetric method of gaining a competitive or strategic advantage. As we have seen, offensive cyber activity can target civilian entities for political rather than economic reasons, and hackers are increasingly targeting the weakest link in the supply chain. This means that the potential probability of being targeted is today based more on your customer, partner, and supply chain network, and not just on what your organization does in detail. Security through obscurity has never been a true replacement for actual security, but it has lost its effectiveness as targeted attacks have moved beyond only focusing on the most prominent and obvious victims. It has become much easier to suffer from collateral damage.
Cyber criminals are becoming more organized and professional
On the other hand, cyber criminals are becoming more organized and professional, with individual threat actors selling their services to a wide customer base. A single small group of hackers like LulzSec may have a limited toolbox and selection of TTP’s, but professional cybercrime groups have access to numerous hackers, supporting services and purpose-built solutions. If they are targeting an organization directly and are persistent and not opportunistic, it will be as difficult to discern that a single concerted attack by one determined threat actor is taking place.
What this means in practical reality for any organization that may become the target of a sophisticated threat actor, is that you have to be on constant alert. Identifying, responding to and containing a threat is not a process to be stepped through with a final resolution step – instead, cyber security incident response is an ongoing, continuous and cyclical process. Advanced and persistent attacks unfold in stages and waves, and like a war consist of a series of skirmishes and battles that continue until one side loses the will to carry on the conflict or succeeds in their objectives. Like trying to slay the hydra, each incident that you resolve means that the attacker will change their approach and that the next attempt may be more difficult to spot. Two new heads have grown instead of one.
To tackle this requires that we cultivate a perpetual state of alertness in our SOC and CSIRT
To tackle this requires that we cultivate a perpetual state of alertness in our SOC and CSIRT – but we must do this without creating a perpetual state of alarm. The former means that your team of analysts is always aware and alert, looking at individual incidents as potentially just one hostile act of many that together could constitute a concerted effort to exfiltrate your most valuable data, disrupt your operational capacity, or abuse your organization to do this to your partners or customers. In the latter case, your analysts will suffer from alert fatigue, a lack of true visibility of threats, and a lack of energy and time to be able to see the bigger picture.
The hydra will have too many heads to defeat.
In the Greek legend of Heracles, the titular hero eventually defeats the Hydra by cauterizing each decapitated stump with fire to prevent any new heads from forming. Treating an incident in isolation is the Security Incident Response equivalent of chopping off the head of the hydra without burning the stump. Applied to our problem, burning the stump means that we have to conduct the response to each incident thoroughly and effectively, and continue the process well beyond containment.
We must invest more time in hunting and investigating, and we have to correlate and analyze the relationship between disparate incidents. We must use threat intelligence more strategically to derive situational awareness, and not just tactically as a machine-readable list of IoC’s. This also requires gathering sufficient forensic evidence and context data about an incident and related assets and entities during the incident response process, so that we can conduct post event analysis and continuous threat assessment after containment and mitigation have been carried out. This way we can better anticipate the level of threat that we are exposed to, and make more informed decisions about where to focus our resources, add mitigating controls and improve our defenses. In Incident Response “burning the stump” means making it more difficult for threat actors to succeed in the future by presenting them with a hardened attack surface, reducing their reside time in our infrastructure, and reducing the time we need to discover and contain them. To do this we need to learn from every incident we manage.