Add Context and Enrich Alert Information for a More Effective Response with DFLabs and ArcSight

Responding to a new security incident in the fastest possible time frame is critical for any security operations center (SOC) or computer security incident response team (CSIRT), but having the necessary information at your fingertips is key in order to help improve response times and appropriately deal with the threat at hand. In this blog post we’ll take a closer look at how security teams can increase the efficiency and effectiveness of their response by adding context and enrichment to the alert information directly from ArcSight, when utilizing DFLabs’ Security Orchestration, Automation and Response (SOAR) platform and its many other bidirectional integrations.

The Problem

Organizations are generating more log data than ever before and are increasingly turning to SIEM tools to help manage, correlate and alert on potential events from this large quantity of data. Once data is correlated and an alert is generated, enriching alert data is often a manual task which consumes a significant amount of analysts’ time. Pivoting from a single alert or from enriched information is often also a manual process, requiring many more custom written queries within the SIEM. Enriched and additional data must then be correlated manually by the analyst before it becomes actionable.

On a daily basis an analyst will face a number of challenges and is likely to be asking themselves the following questions:

  1. How can I use the SIEM logs to add context to a security event?
  2. How can I enrich information from the initial security alert?
  3. How can I pivot from the initial security alert to further my investigation?
The DFLabs and ArcSight Solution

DFLabs and MicroFocus ArcSight bring SOAR and SIEM together to allow rapid, informed responses to security incidents based on enriched, actionable information. DFLabs’ IncMan SOAR platform allows users to automatically query ArcSight to pivot from an initial alert to gather increase insight into the activity within the organization. IncMan also allows users to enrich information retrieved from ArcSight, such as IP addresses, hostnames and domains, using any number of IncMan’s other integrations.

About MicroFocus ArcSight

ArcSight is an industry-leading Security Information and Event Management (SIEM) solution from MicroFocus. ArcSight collects and analyzes events from across systems and security tools. It detects security threats in real time so that analysts respond quickly, and it scales to meet demanding security requirements. ArcSight’s advanced distributed correlation engine, helps security teams detect and respond to internal and external threats, reduces response time from hours or days to just minutes.

Use Case

To get a real understanding of how the two solutions work together, here is a simple use case in action.

A Web Application Firewall (WAF) has observed a potential attack against an application server in the organization’s DMZ. IncMan automatically responds by initiating an appropriate runbook for the alert. The runbook begins by performing basic enrichment on the source IP address of the malicious traffic. This basic enrichment is followed by a query for IP reputation information on the source IP address from the organization’s threat reputation service of choice.  

Following the threat reputation search, ArcSight is queried for any other events which have been recently generated by the source IP address. If ArcSight returns any other recent events generated by the source IP address, or the source IP address has a negative threat reputation, the severity of the incident is automatically upgraded to High. The analyst is then presented with a user choice decision to determine if the source IP address should be blocked at the perimeter firewall. If the analyst chooses to automatically block the source IP address, a ticket will be created in ArcSight Enterprise Security Manager (ESM) to notify the appropriate teams to follow up on the emergency change according to the organization’s policies.

These actions are followed by a second query to ArcSight, this time for any other recent events involving the web application server. If ArcSight returns any other recent events generated from the web application server, the severity of the incident is automatically upgraded to High (unless it has already previously been upgraded).  The runbook concludes by performing a query of the organization’s endpoint detection solution for all recent events from the web application server. This information will be retained for review by the analyst during the investigative process.

ArcSight

 

ArcSight Actions

In summary, here are the actions available to security analysts by using ArcSight.

Enrichment:

  • Get Active List Entries
  • Search Into Events

Containment:

  • Add Active List Entries
  • Clean Active List Entries

Notification:

  • Create Ticket
  • Get Ticket
  • Update Ticket

Integrating ArcSight with DFLabs’ IncMan SOAR allows organizations to efficiently triage the volume of alerts being generated by the SIEM, automatically prioritizing those alerts which may pose the greatest risk to the organization. By automating and orchestrating the SIEM with other security solutions, IncMan SOAR can automatically enrich the alert information, then pivot based on the enriched information as an analyst would do during a manual investigation. This ability to automatically enrich and pivot allows IncMan to more accurately prioritize incidents which may initially seem innocuous.  

Automatic Observable Harvesting With IncMan SOAR

As soon as the first indicator of compromise is located, the most common next step is to try to pivot from that indicator to find additional indicators or evidence on the network. While it is sometimes necessary to perform your own research to determine what additional additional indicators may be present, it is common to make use of previous research when looking for new indicators to hunt for.

This is especially true when dealing with an indicator of malicious software.  Perhaps you have found a host communicating with an IP address known to be associated with a particular malware variant; the logical next step would be to search for communication with other IPs, domains and URLs the malware may be associated with, along with looking for the host-based activity the malware is known to use.

For example, suppose an IDS alerted on the IP address 144.202.87[.]106.  A quick search on VirusTotal indicates that this IP address may be malicious, however, it does not provide much information which could be used to pivot to other indicators.  So where does every good analyst turn at this point? Google, of course! A quick Google search for the IP address returns several results, including a blog post from MalwareBytes on the Hidden Bee miner. 

Along with a detailed analysis of the Hidden Bee miner, the post also includes several other IP addresses and URLs which analysts observed in this attack.  Now we have some data to pivot and hunt with!

This entire analysis from the MalwareBytes team can easily be added into DFLabs’ IncMan SOAR platform by copying and pasting the blog into the Additional Info section of the incident.  In addition to allowing this information to be accessed by the working on this incident, adding this text to the Additional Info field has an additional advantage we have not yet discussed; Automatic Observable Harvesting.

When text is added to a field such as the Additional Info fields in IncMan, Automatic Observable Harvesting will automatically parse through the text and attempt to harvest observables from the unstructured text.

In the case of the Hidden Bee analysis from MalwareBytes, Automatic Observable Harvesting automatically harvested four IP addresses, a URL and a domain from the unstructured text and added them to the observables section.

While six observables may not take long to manually enter into the platform, it is not uncommon to find detailed malware analysis that contains dozens of IP addresses, hash values, domains, and other observables. Entering this many observables into IncMan manually in order to take advantage of IncMan’s automation and orchestration features on the new observables would be a time-consuming process. Automatic Observable Harvesting performs this task automatically.

Once these new observables are added into IncMan, analysts can take advantage of IncMan’s automation and orchestration features to begin performing additional enrichment on the observables, as well as searching across any internal data sources for evidence of the observables and blocking them if needed.

If you would like to see IncMan SOAR from DFLabs in action, including its Automatic Observable Harvesting functionality, get in touch to arrange and see one to one demo now.

9 Key Components of Incident and Forensics Management

Incident and Forensics Investigations Management

Security incidents and digital forensics investigations are complex events with many facets, all of which must be managed in parallel to ensure efficiency and effectiveness. When investigations are not managed and documented properly, processes fail, critical items are overlooked, inefficiencies develop, and key indicators are missed, all leading to increased potential risk and losses.

Investigation management can be broken down into a number of key components and it is important that an organization is able to carry out all of these elements collectively and seamlessly in order to properly handle and manage any incident they may potentially face.

This blog will briefly cover 9 key areas that I believe are the most important when it comes to incident and forensics management. Ensuring these are firmly in place within your security operations or CSIRT team will ensure more efficient and effective incident management when an incident does occur.

If you would like to learn more about each of the components in more detail and how DFLabs has incorporated them into its comprehensive and complete Security Orchestration, Automation and Response (SOAR) platform to enable organizations to improve their security program, you can download our in-depth white paper here.

Case Management

Every investigation must be organized into a logical container, commonly referred to as a case or incident. This is necessary for several reasons. Most obviously, this container is used to identify the investigation and contain information such as observables, tasks, evidence, notes and other information associated with the investigation, discussed in greater detail in the subsequent sections. Many investigations contain sensitive information which should only be accessible by those with a legitimate need to know. These containers also serve to enforce a level of access control.

Observables and Findings

Investigations generate a large volume of data, from simple observables such as IP addresses, domain names and hash values, to more complex observables such as malware and attacker TTPs, as well as findings such as those made from log analysis, forensic examination and malware analysis. All this information must be recorded and shared with all appropriate stakeholders to ensure the most effective response to a security incident.

Data gathered from previous incidents can be an invaluable tool in responding more effectively to future security incidents. As individual data points are associated with each other, this information is transformed from simple data into actionable threat intelligence which can inform future decisions and responses.

Phase, Expectation and Task Management

Investigations generally progress through a series of phases, each of which will contain a series of management expectations and a set of tasks required to meet those expectations. As the complexity of an investigation increases the tracking of these phases, expectations and tasks become both more critical and more difficult to manage. Failing to properly track and manage investigation phases, expectations and tasks can lead to duplicated efforts, overlooked items and other inefficiencies which lead to an increase in both cost and time to successfully complete an investigation.

Evidence and Chain of Custody

Documenting evidence and tracking chain of custody can be a complex process during an investigation of any size. Documentation using older paper-based or spreadsheet systems does not scale to larger investigations, is prone to error and is time-consuming. Failing to maintain a full list of evidence or maintain chain of custody can result in lost evidence, duplication of efforts and inability to use critical evidence during legal processes.

Forensic Tool Integration

Security operations use a multitude of tools and technologies on a daily basis with different ones being utilized for varying types of investigations. Logging into several platforms individually to collect data is often a manual process and can be tiresome and painful, as well as extremely time-consuming, and time is always of the essence. It is critical that security tools are connected and integrated to improve efficiencies and to fuse intelligence seamlessly together so that all data can be analyzed and documented in a single location and immediately shared with relevant stakeholders.

Reporting and Management

Reporting and the management of reports is a vital function during any investigation. Once information is documented, it must be able to be accessed easily and in multiple formats appropriate for a wide variety of audiences. As the scale of an investigation grows, so does the number of individual reports which will be generated. This can result in many complexities, including sharing logistics, proper access controls and managing different versions of reports. To reduce the impact of these complexities, a single report management platform should be used to act as the authoritative source for all reports.

Activity Tracking and Auditing

Tracking actions taken during an investigation is important to ensure a consistent response, identify areas where process improvements are needed, and to prove that the actions taken were appropriate. Not only must actions be documented, but it is also crucial to ensure that the integrity of this documentation cannot be called into question later. However, documenting activity during an investigation can be time-consuming, taking analysts attention away from the tasks at hand, and is often an afterthought.

Information Security

Investigative data can be extremely sensitive, and it is crucial that the confidentiality of such data be maintained at all times. Confidentiality must be maintained not only for those outside of the organization but also for those internal users who may not be authorized to access some or all of the incident information.

Asset Management

No matter the specific roles a team is tasked with, the team will require many different physical and logical internal assets to accomplish their tasks. This may include workstations, storage media, license dongles, software and other hardware. Regardless of the asset, an organization must be able to track that asset throughout its life, ensuring that they (and the money spent on them) do not go to waste.  As the team grows, managing the tracking of these assets, who they are issued, their expiration dates and more can become a full-time task.

Final Thoughts

These core components combined enable security teams to work more efficiently throughout the entire investigative lifecycle, reducing both cost and risk posed by the wide variety of events facing organizations today. Providing a holistic view of the security landscape and the organization’s broad infrastructure allows for better use of existing tools and technologies to minimize the time team members must spend on the administrative portions of investigations, allowing them to focus on the more important tasks that will ultimately impact the outcome of the response.

Learn more about the topic by downloading our latest Whitepaper titled “DFLabs IncMan SOAR: For Incident and Forensics Management“.

Sharing Critical Security Information Using DFLabs SOAR and McAfee OpenDXL

In security, information is power. Having actionable information available at the touch of a button can be the difference between stopping a threat in its tracks and becoming the victim of the next big breach. However, the many disparate security products deployed in most organizations make information sharing and integration difficult, if not impossible.

Lack of information sharing and integrations between security products leads to a time consuming and disjointed response to a security incident; an environment ripe for mistakes to be made.

Information sharing and security product integration and orchestration have always been at the core of the many values provided by DFLabs. By designing a solution that is OpenDXL compatible, DFLabs has provided joint DFLabs and McAfee customers with yet another way to streamline their security processes.

DFLabs IncMan SOAR and McAfee OpenDXL solve these specific challenges:
  • How can I share security information between my security products?
  • How can I quickly integrate my security products without the need for time-consuming custom integrations?

McAfee’s OpenDXL allows compatible security applications to seamlessly share security information without the need for complicated custom integrations. DFLabs IncMan OpenDXL implementation is now certified as McAfee compatible. All integrations between DFLabs IncMan platform and McAfee, including ePO, ATD and TIE, have been enhanced to include OpenDXL, significantly reducing the complexity gathering actionable enrichment information from these solutions.

OpenDXL lets developers join an adaptive system of interconnected services that communicate and share information to make real-time accurate security decisions. OpenDXL leverages the Data Exchange Layer (DXL), which many vendors and enterprises already utilize, and delivers a simple, open path for integrating security technologies regardless of vendor.

Together, this integration enables the ability to share information seamlessly between IncMan SOAR and McAfee products using OpenDXL, which leverages the power of OpenDXL for easy to use, feature rich integrations between products.

One of the most common and versatile use cases for OpenDXL within IncMan is integration with McAfee Threat Intelligence Exchange (TIE). McAfee TIE is a reputation broker which combines threat intelligence from imported global sources, such as McAfee Global Threat Intelligence (McAfee GTI) and third-party threat information (such as VirusTotal) with intelligence from local sources, including endpoints, gateways, and advanced analysis solutions. Using Data Exchange Layer (DXL), it instantly shares this collective intelligence across your security ecosystem, allowing security solutions to operate as one to enhance protection throughout the organization.

McAfee TIE makes it possible for administrators to easily tailor threat intelligence. Security administrators are empowered to assemble, override, augment, and tune the comprehensive intelligence information to customize protection for their environment and organization. This locally prioritized and tuned threat information provides instant response to any future encounters. Threat intelligence from McAfee TIE can be used to enrich indicators, such as file hashes, using IncMan’s R3 Rapid Response Runbooks to enable intelligent automated or manual decisions during the incident response process.

DFLabs IncMan also integrates with other McAfee tools. You can learn more about our integration with McAfee ATD and ePO in our previous blog posts.

Detect, Analyze and Respond to Advanced Malware with DFLabs SOAR Platform and McAfee ATD
Full Lifecycle Threat Management by Integrating DFLabs SOAR with McAfee ePO

Full Lifecycle Threat Management by Integrating DFLabs SOAR with McAfee ePO

The escalation in the cyber threat environment, a growing attack surface, increased regulatory cyber security requirements and a shortfall in skilled cyber security professionals have converged to create a nexus of forces that is challenging enterprises to manage their threat management and their overall security posture to succeed in business in the 21st century. Machine learning and security automation are key critical capabilities to surmount these challenges and will enable organizations to thrive amidst adversity.

Security operations teams struggle to gain visibility of threats and rapidly respond to incidents due to the sheer number of different security technologies they must maintain and manage and the resulting flood of cyber alerts. Challenges they face include but are not limited to:

  • How can I aggregate and correlate disparate security sources to increase my visibility of threats and effectively investigate alerts and incidents?
  • How can I prioritize my response to security incidents at volume and at scale across a growing attack surface?
  • How can I rapidly respond to security incidents with limited resources to contain the damage and limit legal exposure?
DFLabs and McAfee are key partners in delivering full lifecycle threat management.

McAfee ePolicy Orchestrator (McAfee ePO) is the most advanced, extensible, and scalable centralized security management software in the industry. Unifying security management through an open platform, McAfee ePO makes risk and compliance management simpler and more successful for organizations of all sizes. As the foundation of McAfee Security Management Platform, McAfee ePO enables customers to connect industry-leading security solutions to their enterprise infrastructure to increase visibility, gain efficiencies, and strengthen protection.

Aggregating these alerts into a single pane of glass to prioritize what is critical and needs immediate attention, requires a platform that can consolidate disparate technologies and alerts, and provides a cohesive and comprehensive capability set to orchestrate incident response efforts.

By integrating with McAfee ePO, DFLabs IncMan SOAR platform extends these capabilities to McAfee customers, enabling them to execute full lifecycle incident response management.

DFLabs IncMan R3 Rapid Response Runbooks automate and orchestrate end to end threat containment by integrating with McAfee ePO. Security Operations teams can enrich security incidents with asset context and quarantine compromised systems based conditional and logical decision paths that can be fully and semi-automated, acting as a force multiplier, reducing the time from threat discovery to containment, and increasing operational efficiency. DFLabs’ machine learning driven Automated Responder Knowledge guides security analysts in identifying the most effective course of action using McAfee ePO.

DFLabs SOAR and McAfee ePO Use Case in Action

An alert based on a malicious file detected by AV has automatically generated an Incident within IncMan. This alert is automatically categorized as a Malware incident within IncMan based on the organizations’ policies, which initiates the organization’s Malware Alert runbook, shown below.

threat management incman_1

 

IncMan automatically queries the hash value provided by the organization’s AV solution against VirusTotal. If VirusTotal indicates that five or more AV vendors have identified the hash value as malicious, IncMan will us an Enrichment action to automatically query McAfee ePO for the host information and send this information to the appropriate analysts.

Next, using a Containment action, IncMan will automatically tag the host which generated the AV alert with the tag “quarantine” in McAfee ePO. Finally, IncMan will notify the appropriate analysts that the host has been appropriately tagged in IncMan.

 

threat management incman_2

 

The automated workflow of IncMan’s R3 Runbooks means that an incident will have been automatically generated, and these enrichment and containment actions through the Quick Integration Connector with McAfee ePO will have already been committed before an analyst is even aware that an incident has occurred.

Harnessing the power of McAfee ePolicy Orchestrator, along with the additional Security Orchestration, Automation, and Response of DFLab’s IncMan SOAR platform, organizations can elevate their incident response process, leading to faster and more effective incident response and reduced risk across the entire organization.

Using Incident Correlation to Reduce Cyber Threat Dwell Time

Attackers spend a considerable amount of time conducting reconnaissance on compromised networks to gain the information that they need to complete their objectives for criminal activity, including fraud and intellectual property theft. Dwell time, the amount of time an attacker is present in an enterprise is currently measured in the hundreds of days.

One of the most effective technologies available to incident response teams to help to reduce the threat actor dwell time and limit the loss of confidential data and damage, are Security Automation and Orchestration platforms. Security Automation and Orchestration technologies process alerts and correlates these with threat actors’ Tactics, Techniques, and Procedures. The ability to determine not only the initial ingress point of the attacker but any lateral movement inside the enterprise significantly reduces the time to deploy containment actions. In this scenario, the incident correlation engine is utilized not only as a mechanism for responding and orchestrating the response but also to proactively search for related IoC’s and artefacts. The synergy of response, automation and correlation provide organizations with a holistic approach to reducing cyber incident dwell time. In more mature organizations, these measures are leveraged frequently by IR responders to transition from being threat gatherers to threat hunters.

incman dwell time
Figure 1DFLabs IncMan Observables Hunter and Correlation Engine

When Incident correlation is available within the SAO platform, cyber threat dwell time is reduced through 3 separate but complementary capabilities:

  1. Category based correlation – Correlating incidents by type.
  2.  Asset based correlation – Contextualizing the criticality and function of an asset
  3. Temporal correlation -Providing insight into suspicious activity or anomalous access

Defense in Depth strategies is designed so that high-value targets, such as privileged accounts, are monitored for increased or suspicious activity (Marcu et al. 5). The incident correlation engine not only visualizes this but also provides information to help determine the source of an incident by identifying the points of entry into the affected infrastructure.

“Patient Zero” identification is accomplished through tracking the movement from a source to an end user, and assists responders in determining the epidemiology of the attack, and also possible intruder motives. The correlation engine can achieve this objective through correlating similar TTP amongst incidents and visualizing associational link analysis between hosts. This comparison produces a topology of the lateral movement and can easily identify and visualize the path of an intrusion and the nature of an attack. This permits incident responders to initiate containment actions in real time, as the intentions and objectives of hackers are readily determined.

Dwell time of cyber threats can be significantly reduced from the industry average length, currently measured in the 100s of days, to only a few hours by providing a system capable of identifying not only the magnitude of the attack but by providing a roadmap to successfully hunt the incident genesis point to prevent further proliferation.

A Weekend in Incident Response #35: The Most Common Cyber security Threats Today

Companies across different industries around the globe, along with government institutions, cite cyber attacks as one of the biggest security threats to their existence. As a matter of fact, in a recent Forbes survey of over 700 companies from 79 countries, 88 percent of respondents said that they are “extremely concerned” or “concerned” by the risk of getting attacked by hackers.

This fact is a clear indication that organizations have to ramp up efforts for enhancing their cyber resilience, but to do that successfully and in the most effective manner, they need to have a clear understanding of where the biggest cyber threats come from nowadays so that they can shape their cyber defenses accordingly. We take a look at the most common cybersecurity threats today, ranging from internal threats, cyber criminals looking for financial gains, and nation states.

Internal Threats

When talking about cyber security, some of the first things that usually come to mind are freelance hackers and state-sponsored attacks between hostile nations. But, many cyber security incidents actually come from within organizations, or to be more specific, from their own employees.

Pretty much all experts agree that employees are some of the weakest links in the cyber defense of every organization, in part due to low cyber security awareness, and sometimes due to criminal intent.

Employees often put their companies at risk of getting hacked without meaning to, by opening phishing emails or sharing confidential files through insecure channels, which is why organizations should make sure their staff knows the basics of cyber security and how to avoid the common cyber scams and protect data.

Connected Devices

With so many devices connected to the Internet nowadays, including video cameras, smart phones, tablets, sensors, POS terminals, medical devices, printers, scanners, among others, organizations are at an increased risk of falling victim of a data breach. The Internet of Things is a real and ever-increasing cyber threat to businesses and institutions, deteriorating their vulnerability to cyber attacks by adding more endpoints that hackers can use to gain access to networks, and by making it easier for hackers to spread malicious software throughout networks at a faster rate.

The Internet of Things is one of the factors that make DDoS attacks more possible and more easily conducted, and these types of attacks can have a significant and long-lasting impact on organizations, both in terms of financial losses and reputation damage.

Nation-State Attacks

Private entities and government institutions that are part of the critical infrastructure in their countries are under a constant threat of different types of attacks by hostile nations. As the number of channels and methods that stand at the disposal of hackers aiming to gain access to computer networks grows, organizations in the public and private sector are facing a growing risk of cyber attacks sponsored by nation-states that might have an interest in damaging the critical infrastructure of other countries, hurting their economies, obtaining top-secret information, or getting the upper hand in diplomatic disputes.

Most commonly, nation-state-sponsored cyber attacks use malware, such as ransomware and spyware, to access computer networks of organizations, as a means of gaining control over certain aspects of the critical infrastructure of another country.

No matter what types of attacks are common today, the number and level of sophistication of cyber threats to organizations are certainly going to grow in the future, which is why they have to constantly update and adjust their cyber defenses accordingly.

A Weekend in Incident Response #29: Doxing Incidents Emerging as an Increasingly Common Cyber Threat to Organizations

The WannaCry ransomware attack sent shockwaves through businesses and governments all around the globe by bringing day-to-day activities in hospitals, banks, telecommunication operators, and local and state agencies to a grinding halt. Undoubtedly, this attack put a big spotlight on ransomware, highlighting it as a powerful, dangerous, and potentially life-threatening attack methodology exploited by cyber criminals as a means for quickly making significant financial gain. Recently, however, another method has emerged as an increasingly common tool for cyber extortion, one that is expected to gain much more traction in the near future.

The emerging threat in question is doxing and involves attackers obtaining confidential, proprietary, sensitive, or private information via social media or hacking, and threatening to publicly share that information if ransom is not paid. There have been a few notable doxing events in recent years involving hacker attempts to extort large corporations, with Walt Disney Pictures emerging as the latest victim. In another high profile case involving cyber extortion, hackers are today threatening to release a stolen upcoming blockbuster film, in advance of its premiere, unless they receive a pirate-like ransom  of bitcoins in return. With doxing becoming a go-to modus operandi for an increasing number of cyber criminals, organizations seeking to safeguard their proprietary information need to become more aware of the threat doxing represents and implement solutions to protect against these extortion attacks.

Improve the Ability to Identify Doxing Attacks Quickly

Beyond implementing layered preventative and detective security controls, efforts for defending against doxing attacks should include devising a proper cyber incident response plan, preferably one established within the framework of a cyber-security automation and orchestration platform. Through the adoption of such a platform, organizations would address the first and most important part of the process for tackling doxing threats – being prepared to quickly and effectively respond to the attack.

A cyber incident response platform provides organizations with automation and orchestration capabilities through integration with existing security infrastructure and structured response playbooks. This level of preparedness vastly improves their ability to detect, track, and recover from doxing attacks. By providing a consistent and repeatable response strategy, a better prepared organization can reduce or even completely avoid the potentially substantial and damaging impact of a successful extortion attempt.

This platform allows cyber-security teams to detect, predict, and track breaches in their organizations’ computer systems, and to respond quickly and inline by leveraging integrations with existing security infrastructure. The inline response reduces overall reaction times and allows for quick containment and eradication of the threat.

The platform dramatically accelerates the incident triage and response process to improve efficiency, and can even integrate with an organization’s forensic systems, allowing for fast and efficient gathering of digital evidence to help identify attackers and support subsequent law enforcement efforts.

By leveraging the full capabilities of a cyber-security automation and orchestration platform, organizations would be able to more quickly determine the scope and impact of extortion attacks, respond accordingly, and provide authorities with the information necessary to accelerate their investigation. Collectively, leveraging these capabilities would ensure an increased chance for resolving and recovering from  the incident without succumbing to  ransom demands.

A Weekend in Incident Response #23: Lengthy Cyber Attack Recovery Periods Lead to Creation of “Mean Blind Spots”, Increasing Risk of Future Attacks on Organizations, Study Shows

The greatest challenge for every organization that deals with cyber security threats is how to reduce its reaction time when responding to an incident and recover as soon as possible in order to minimize the consequences and contain the damage.

A new study that was recently published by the University of Portsmouth states that the fact that it takes a long time for organizations to recover from an incident makes them that much more vulnerable to future attacks soon thereafter. The study was conducted by researchers with the University of Portsmouth’s School of Computing, who have found that many organizations across different industries are faced with a serious issue threatening their cyber security, caused by long recovery times from cyber attacks and data breaches they had already suffered. The researchers call the recovery time between two cyber attacks increases an organization’s susceptibility to more attacks, dubbing that period “mean blind spot”.

After analyzing the VERIS Community Database – a dataset of cyber incident reports collected through various information sharing initiatives, researchers found that organizations often take days to recover from an attack, rather than hours, which increases the risk of getting breached between attacks. This suggests that reducing reaction times when responding to an incident can play an important role in preventing future cyber attacks.

Available Solutions for Reducing Reaction Times

The results of the University of Portsmouth’s study unequivocally point to the need for organizations to adopt a solution that would allow them to recover from cyber attacks much faster than today’s current speeds. Considering that there are a lot of actions that should be taken simultaneously by cyber security teams after their organization is breached, as they try to resolve the incident, a solution that would take care of some of those actions for them would be of great help to them and would accelerate the recovery process.

There are various solutions that can provide this type of help, and automation-and-orchestration cyber incident response platforms are what cyber security professionals need in their efforts for resolving incidents quickly and effectively. Those types of platforms allow you to execute a previously devised incident response plan in the most effective manner and save precious time while working on recovery.

One capability that these platforms provide that can be crucial for the mitigation of the problem at hand, is the fact that they allow you to analyze and respond to incidents in real time. They can automatically perform time-consuming tasks such as analysis of the reasons and origin of an incident, allowing you to quickly figure out where an attack is originating from and understand the methods and channels that were used by the attackers. Through automated playbooks, an incident response platform helps cyber security teams to prioritize their response, providing them with the key risk indicators so that they will know the current status of an incident and react accordingly.

Also, these platforms have the capability to create automated incident reports, run predictive analysis, and collect digital evidence for forensics purposes, which reduces reaction times even further.

In summation, the “mean blind spot” issue pointed out by the University of Portsmouth study could be best addressed by organizations by employing an incident response platform that is capable of automating some of the key processes that are part of a typical incident response plan.