Using Incident Correlation to Reduce Cyber Threat Dwell Time

Attackers spend a considerable amount of time conducting reconnaissance on compromised networks to gain the information that they need to complete their objectives for criminal activity, including fraud and intellectual property theft. Dwell time, the amount of time an attacker is present in an enterprise is currently measured in the hundreds of days.

One of the most effective technologies available to incident response teams to help to reduce the threat actor dwell time and limit the loss of confidential data and damage, are Security Automation and Orchestration platforms. Security Automation and Orchestration technologies process alerts and correlates these with threat actors’ Tactics, Techniques, and Procedures. The ability to determine not only the initial ingress point of the attacker but any lateral movement inside the enterprise significantly reduces the time to deploy containment actions. In this scenario, the incident correlation engine is utilized not only as a mechanism for responding and orchestrating the response but also to proactively search for related IoC’s and artefacts. The synergy of response, automation and correlation provide organizations with a holistic approach to reducing cyber incident dwell time. In more mature organizations, these measures are leveraged frequently by IR responders to transition from being threat gatherers to threat hunters.

incman dwell time
Figure 1DFLabs IncMan Observables Hunter and Correlation Engine

When Incident correlation is available within the SAO platform, cyber threat dwell time is reduced through 3 separate but complementary capabilities:

  1. Category based correlation – Correlating incidents by type.
  2.  Asset based correlation – Contextualizing the criticality and function of an asset
  3. Temporal correlation -Providing insight into suspicious activity or anomalous access

Defense in Depth strategies is designed so that high-value targets, such as privileged accounts, are monitored for increased or suspicious activity (Marcu et al. 5). The incident correlation engine not only visualizes this but also provides information to help determine the source of an incident by identifying the points of entry into the affected infrastructure.

“Patient Zero” identification is accomplished through tracking the movement from a source to an end user, and assists responders in determining the epidemiology of the attack, and also possible intruder motives. The correlation engine can achieve this objective through correlating similar TTP amongst incidents and visualizing associational link analysis between hosts. This comparison produces a topology of the lateral movement and can easily identify and visualize the path of an intrusion and the nature of an attack. This permits incident responders to initiate containment actions in real time, as the intentions and objectives of hackers are readily determined.

Dwell time of cyber threats can be significantly reduced from the industry average length, currently measured in the 100s of days, to only a few hours by providing a system capable of identifying not only the magnitude of the attack but by providing a roadmap to successfully hunt the incident genesis point to prevent further proliferation.

A Weekend in Incident Response #35: The Most Common Cyber security Threats Today

Companies across different industries around the globe, along with government institutions, cite cyber attacks as one of the biggest security threats to their existence. As a matter of fact, in a recent Forbes survey of over 700 companies from 79 countries, 88 percent of respondents said that they are “extremely concerned” or “concerned” by the risk of getting attacked by hackers.

This fact is a clear indication that organizations have to ramp up efforts for enhancing their cyber resilience, but to do that successfully and in the most effective manner, they need to have a clear understanding of where the biggest cyber threats come from nowadays so that they can shape their cyber defenses accordingly. We take a look at the most common cybersecurity threats today, ranging from internal threats, cyber criminals looking for financial gains, and nation states.

Internal Threats

When talking about cyber security, some of the first things that usually come to mind are freelance hackers and state-sponsored attacks between hostile nations. But, many cyber security incidents actually come from within organizations, or to be more specific, from their own employees.

Pretty much all experts agree that employees are some of the weakest links in the cyber defense of every organization, in part due to low cyber security awareness, and sometimes due to criminal intent.

Employees often put their companies at risk of getting hacked without meaning to, by opening phishing emails or sharing confidential files through insecure channels, which is why organizations should make sure their staff knows the basics of cyber security and how to avoid the common cyber scams and protect data.

Connected Devices

With so many devices connected to the Internet nowadays, including video cameras, smart phones, tablets, sensors, POS terminals, medical devices, printers, scanners, among others, organizations are at an increased risk of falling victim of a data breach. The Internet of Things is a real and ever-increasing cyber threat to businesses and institutions, deteriorating their vulnerability to cyber attacks by adding more endpoints that hackers can use to gain access to networks, and by making it easier for hackers to spread malicious software throughout networks at a faster rate.

The Internet of Things is one of the factors that make DDoS attacks more possible and more easily conducted, and these types of attacks can have a significant and long-lasting impact on organizations, both in terms of financial losses and reputation damage.

Nation-State Attacks

Private entities and government institutions that are part of the critical infrastructure in their countries are under a constant threat of different types of attacks by hostile nations. As the number of channels and methods that stand at the disposal of hackers aiming to gain access to computer networks grows, organizations in the public and private sector are facing a growing risk of cyber attacks sponsored by nation-states that might have an interest in damaging the critical infrastructure of other countries, hurting their economies, obtaining top-secret information, or getting the upper hand in diplomatic disputes.

Most commonly, nation-state-sponsored cyber attacks use malware, such as ransomware and spyware, to access computer networks of organizations, as a means of gaining control over certain aspects of the critical infrastructure of another country.

No matter what types of attacks are common today, the number and level of sophistication of cyber threats to organizations are certainly going to grow in the future, which is why they have to constantly update and adjust their cyber defenses accordingly.

A Weekend in Incident Response #29: Doxing Incidents Emerging as an Increasingly Common Cyber Threat to Organizations

The WannaCry ransomware attack sent shockwaves through businesses and governments all around the globe by bringing day-to-day activities in hospitals, banks, telecommunication operators, and local and state agencies to a grinding halt. Undoubtedly, this attack put a big spotlight on ransomware, highlighting it as a powerful, dangerous, and potentially life-threatening attack methodology exploited by cyber criminals as a means for quickly making significant financial gain. Recently, however, another method has emerged as an increasingly common tool for cyber extortion, one that is expected to gain much more traction in the near future.

The emerging threat in question is doxing and involves attackers obtaining confidential, proprietary, sensitive, or private information via social media or hacking, and threatening to publicly share that information if ransom is not paid. There have been a few notable doxing events in recent years involving hacker attempts to extort large corporations, with Walt Disney Pictures emerging as the latest victim. In another high profile case involving cyber extortion, hackers are today threatening to release a stolen upcoming blockbuster film, in advance of its premiere, unless they receive a pirate-like ransom  of bitcoins in return. With doxing becoming a go-to modus operandi for an increasing number of cyber criminals, organizations seeking to safeguard their proprietary information need to become more aware of the threat doxing represents and implement solutions to protect against these extortion attacks.

Improve the Ability to Identify Doxing Attacks Quickly

Beyond implementing layered preventative and detective security controls, efforts for defending against doxing attacks should include devising a proper cyber incident response plan, preferably one established within the framework of a cyber-security automation and orchestration platform. Through the adoption of such a platform, organizations would address the first and most important part of the process for tackling doxing threats – being prepared to quickly and effectively respond to the attack.

A cyber incident response platform provides organizations with automation and orchestration capabilities through integration with existing security infrastructure and structured response playbooks. This level of preparedness vastly improves their ability to detect, track, and recover from doxing attacks. By providing a consistent and repeatable response strategy, a better prepared organization can reduce or even completely avoid the potentially substantial and damaging impact of a successful extortion attempt.

This platform allows cyber-security teams to detect, predict, and track breaches in their organizations’ computer systems, and to respond quickly and inline by leveraging integrations with existing security infrastructure. The inline response reduces overall reaction times and allows for quick containment and eradication of the threat.

The platform dramatically accelerates the incident triage and response process to improve efficiency, and can even integrate with an organization’s forensic systems, allowing for fast and efficient gathering of digital evidence to help identify attackers and support subsequent law enforcement efforts.

By leveraging the full capabilities of a cyber-security automation and orchestration platform, organizations would be able to more quickly determine the scope and impact of extortion attacks, respond accordingly, and provide authorities with the information necessary to accelerate their investigation. Collectively, leveraging these capabilities would ensure an increased chance for resolving and recovering from  the incident without succumbing to  ransom demands.

A Weekend in Incident Response #23: Lengthy Cyber Attack Recovery Periods Lead to Creation of “Mean Blind Spots”, Increasing Risk of Future Attacks on Organizations, Study Shows

The greatest challenge for every organization that deals with cyber security threats is how to reduce its reaction time when responding to an incident and recover as soon as possible in order to minimize the consequences and contain the damage.

A new study that was recently published by the University of Portsmouth states that the fact that it takes a long time for organizations to recover from an incident makes them that much more vulnerable to future attacks soon thereafter. The study was conducted by researchers with the University of Portsmouth’s School of Computing, who have found that many organizations across different industries are faced with a serious issue threatening their cyber security, caused by long recovery times from cyber attacks and data breaches they had already suffered. The researchers call the recovery time between two cyber attacks increases an organization’s susceptibility to more attacks, dubbing that period “mean blind spot”.

After analyzing the VERIS Community Database – a dataset of cyber incident reports collected through various information sharing initiatives, researchers found that organizations often take days to recover from an attack, rather than hours, which increases the risk of getting breached between attacks. This suggests that reducing reaction times when responding to an incident can play an important role in preventing future cyber attacks.

Available Solutions for Reducing Reaction Times

The results of the University of Portsmouth’s study unequivocally point to the need for organizations to adopt a solution that would allow them to recover from cyber attacks much faster than today’s current speeds. Considering that there are a lot of actions that should be taken simultaneously by cyber security teams after their organization is breached, as they try to resolve the incident, a solution that would take care of some of those actions for them would be of great help to them and would accelerate the recovery process.

There are various solutions that can provide this type of help, and automation-and-orchestration cyber incident response platforms are what cyber security professionals need in their efforts for resolving incidents quickly and effectively. Those types of platforms allow you to execute a previously devised incident response plan in the most effective manner and save precious time while working on recovery.

One capability that these platforms provide that can be crucial for the mitigation of the problem at hand, is the fact that they allow you to analyze and respond to incidents in real time. They can automatically perform time-consuming tasks such as analysis of the reasons and origin of an incident, allowing you to quickly figure out where an attack is originating from and understand the methods and channels that were used by the attackers. Through automated playbooks, an incident response platform helps cyber security teams to prioritize their response, providing them with the key risk indicators so that they will know the current status of an incident and react accordingly.

Also, these platforms have the capability to create automated incident reports, run predictive analysis, and collect digital evidence for forensics purposes, which reduces reaction times even further.

In summation, the “mean blind spot” issue pointed out by the University of Portsmouth study could be best addressed by organizations by employing an incident response platform that is capable of automating some of the key processes that are part of a typical incident response plan.