It is no secret that today’s society relies heavily on their mobile devices. From tracking your calorie count and fitness progress to paying for your groceries with a swipe of your finger, our mobile devices have essentially become an extension of ourselves. In many ways, these devices bring a new age of simplicity to a complex world, but this simplicity can come at a high price. This blog will shed light on mobile cyber attacks, and ways to overcome them.
The movement towards a more mobile workforce has forced organizations to adapt their business practices to extend far beyond the safety and security of their networked environments. The evolution from company-issued Blackberrys to BYOD (Bring Your Own Device) has created an expansive attack surface for an organization’s security team to manage and protect.
Since an organization’s attack surface has grown to include networked space that is not under their control, how can they keep their users safe when on the go? As with everything in the security space, there is no “one-size-fits-all” solution. However, one of the most important actions an organization can take to combat this security risk is to create informed users.
Informed users are an organization’s first line of defense. The more informed their user-base is, the less likely they will become a victim of a mobile attack. Many organizations may already have or are working to create policies and procedures around BYOD to convey the rules and best practices to keep not only their users safe, but to keep the company data and integrity protected. Just like any policy or procedure implemented within an organization, these mobile device policies should be regularly reviewed and updated as new threats or features are introduced. Let’s take a look at some of the threats our users face, and ways to help them reduce their risk when they’re on the go.
It seems no matter who you are, CEO or a regular everyday user, you run the risk of falling victim to a phishing attack. In a phishing attack, attackers present themselves as a legitimate person or firm to try and trick unsuspecting users into handing over valuable data about themselves or their organization. Most times these unsolicited attempts will be presented over email, but this trend is now spreading to mobile and social media. It is human nature to want to trust in others, especially if the source seems like a legitimate request or offer, but how do we overcome this urge to trust?
- First things first: If the source is not trusted or it seems suspicious, DO NOT CLICK! This practice may seem simple, but people fall victim to this scheme more times than you would expect. So, when in doubt, exit out.
- If you suspect that the email may be legitimate, but because of your training you are still suspicious, perform some investigative work. Most phones will allow you to preview which site the link will direct you to by holding your finger over the link (without clicking it). Look for small spelling errors that may normally be overlooked. If you have never used this feature before, test it out by emailing a trusted link to yourself and practice using it before attempting it on a potentially malicious email.
- Research the sender’s email domain against their legitimate site. If there are any discrepancies, do not trust it.
- Legitimate companies will never ask you to provide your username, PIN or password, nor will they ask you to pay them via a prepaid credit card. If you receive an email asking you to verify these items or any other personal information, do not respond. Contact the institution in question to provide them with the details of the email received. By doing this, you can alert them to this scheme and they can provide their users with a warning against this attempt.
Unsecured Wireless “Hotspots”
Our need to be constantly connected can pose an unintended risk to our mobile safety. Many establishments try to fulfill this need by providing free WiFi access to their patrons. Everywhere from your local coffee shop to Disney World, WiFi access has become a common and necessary service for companies to provide to their customers. However, this service may provide you with more than a free way of staying connected.
- Never connect to an unsecured WiFi network. An unsecured WiFi network or hotspot is one to which a user can connect without providing a password. These networks are a prime target for attackers to snoop or spy on a user’s online activity. Attackers can steal information such as login credentials, credit card data, or personal data, which can leave the user vulnerable to identity theft or theft of proprietary information.
- Many mobile providers offer personal hotspots to their users for a small monthly fee. This service can provide a user a secure way of connecting on the go. As long as you have a mobile data connection, you have a secure communication path.
- However, if you are forced to connect to one of these unsecured networks, invest in a VPN service. Some organizations may have the ability to provide their mobile workforce with VPN connectivity, but for those who do not have access to this, it is a highly recommended investment. A VPN (Virtual Private Network) protects its users by encrypting their Internet connection, which prevents attackers or anyone else, including Internet Service Providers, from seeing the information sent over the network.
Malware continues to be a threat to organizations regardless of how their users connect. Long gone are the days when security teams only had to be concerned about their internal assets falling victim to these destructive tactics. Now, as organizations’ environments stretch across the nation and across the world, the need to extend their security programs is even greater.
This combination of business assets on personal devices has added an additional layer of complexity to protecting an organization’s network. To combat this issue, end users should be conditioned to follow a few simple guidelines when using their personal devices for business purposes:
- Utilize a security application to detect malware. An organization should research acceptable applications their end users can install on their devices to periodically scan for and detect malware.
- End users should be trained on application security. Educating users on how to determine if an app is legitimate will help to prevent them from inadvertently downloading an application that may contain malware.
- Some organizations may even opt to have stringent BYOD policies and procedures where certain applications cannot be downloaded onto personal devices if they are being used for business purposes.
- As simple as it sounds, educate end users on the dangers of clicking on suspicious links. Even links found on popular social media sites might lead to a malware infection. Following the same steps outlined for reducing phishing attacks will help prevent users from falling victim to a malware attack.
The actions outlined in this article are a few simple steps, which, if consistently followed, will reduce an organization’s risk when it comes to mobile devices in their environment. Although organizations today are taking many preventative measures, all it takes is one successful attack to lead to devastating consequences and a full-blown security incident. Security teams need to be able to detect and respond immediately to any and every security alert which they face, whether from a phishing attack, malware attack or other forms. With the increasing volume of alerts, the most effective and efficient way to do this is through automation and orchestration, to ensure no alert goes undetected or untouched. Contact DFLabs today to arrange a personalized demo of its Security Orchestration, Automation and Response platform, IncMan SOAR.
We’ve been witnessing the continual transformation of the cyber security ecosystem in the past few years. With cyber attacks becoming ever-more sophisticated, organizations have been forced to spend huge amounts of their budgets on improving their security programs in an attempt to protect their infrastructure, corporate assets, and their brand reputation from potential hackers.
Recent research, however, still shows that a large number of organizations are experiencing an alarming shortage of the cyber security skills and tools required to adequately detect and prevent the variety of attacks being faced by organizations. Protecting your organization today is a never-ending and complex process. I am sure, like me, you are regularly reading many cyber security articles and statistics detailing these alarming figures, which are becoming more of a daily reality.
Many organizations are now transitioning the majority of their efforts on implementing comprehensive incident response plans, processes and workflows to respond to potential incidents in the quickest and most efficient ways possible. But even with this new approach, many experts and organizations alike express concerns that we will still be faced with a shortage of skilled labor able to deal with these security incidents, with security teams struggling to fight back thousands of potential threats generated from incoming security alerts on a daily basis.
With so many mundane and repetitive tasks to complete, there’s little time for new strategies, planning, training, and knowledge transfer. To make things worse, security teams are spending far too much of their valuable time reacting to the increasing numbers of false positives, to threats that aren’t real. This results in spending hours, even days on analyzing and investigating false positives, which leaves little time for the team to focus on mitigating real, legitimate cyber threats, which could result in a serious and potentially damaging security incident. Essentially, we need to enable security operations teams to work smarter, not harder; but is this easier said than done?
How does security orchestration and automation help security teams?
With this in mind, organizations need to find new ways to combat these issues, while at the same time adding value to their existing security program and the tools and technologies being used, to improve their overall security operations performance. The answer is in the use of Security Orchestration, Automation and Response (SOAR) technology.
Security Orchestration, Automation, and Response (SOAR) solutions focus on the following core functions of security operations and incident response and help security operations centers (SOCs), computer security incident response teams (CSIRTs) and managed security service providers (MSSPs) work smarter and act faster:
- Orchestration – Enables security operations to connect and coordinate complex workflows, tools and technologies, with flexible SOAR solutions supporting a vast number of integrations and APIs.
- Automation – Speeds up the entire workflow by executing actions across infrastructures in seconds, instead of hours if tasks are performed manually.
- Collaboration – Promotes more efficient communication and knowledge transfer across security teams.
- Incident Management – Activities and information from a single incident are managed within a single, comprehensive platform, allowing tactical and strategic decision makers alike complete oversight of the incident management process.
- Dashboards and Reporting – Combines core information to provide a holistic view of the organization’s security infrastructure, while also providing detailed information for any incident, event or case when it is required by different levels of stakeholders.
Now let’s focus on the details of these core functions and see how they improve the overall performance.
Security Orchestration is the capacity to coordinate, formalize, and automate responsive actions upon measuring risk posture and the state of affairs in the environment; more precisely, it’s the fashion in which disparate security systems are connected together to deliver larger visibility and enable automated responses; it also coordinates volumes of alert data into workflows.
With automation, multiple tasks on partial or full elements of the security process can be executed without the need for human intervention. Security operations can create sophisticated processes with automation, which can improve accuracy. While the concepts behind security orchestration and automation are somewhat related, their aims are quite different. Automation aims to reduce the time processes take, making them more effective and efficient by automating repeatable processes and tasks. Some SOAR solutions also apply machine learning to recommend actions based on the responses to previous incidents. Automation also aims to reduce the number of mundane actions that must be completed manually by security analysts, allowing them to focus on higher-level, more important actions that require human intervention.
Incident Management and Collaboration
Incident management and collaboration consist of the following activities:
- Alert processing and triage
- Journaling and evidentiary support
- Analytics and incident investigation
- Threat intelligence management
- Case and event management, and workflow
Security orchestration and automation tools are designed to facilitate all of these processes, while at the same time making threat identification, investigation and management significantly easier for the entire security operations team.
Dashboards and Reporting
SOAR tools generate reports and dashboards for a range of stakeholders, from day-to-day analysts and SOC managers to other organization departments and even C-level executives. These dashboards and reports are not only used to provide security intelligence, but they can also be used to develop analyst skills.
Human Factor Still Paramount
Security orchestration and automation solutions create a more focused and streamlined approach and methodology for detection and response to cyber threats by integrating the company’s security capacity and resources with existing experts and processes in order to automate manual tasks, orchestrate processes and workflows, and create an overall faster and more effective incident response.
Whichever security orchestration and automation solution a company chooses, it is important to remember that no one single miracle solution guarantees full protection. Human skills remain the core of every future security undertaking and the use of security orchestration and automation should not be viewed as a total replacement of a security team. Rather, it should be considered a supplement that enables the security team by easing the workload, alleviating the repetitive, time-consuming tasks, formalizing processes and workflows, while supporting and empowering the existing security team to turn into proactive threat hunters as opposed to reactive incident investigators.
Humans and machines combined can work wonders for the overall performance of an organization’s security program and, in the long run, allow the experts in the team to customize and tailor their actions to suit the specific business needs of the company.
Finally, by investing in a SOAR solution for threat detection and incident response, organizations can increase their capacity to detect, respond to and remediate all security incidents and alerts they are faced with in the quickest possible time frames.
Security teams are inundated with a constant barrage of alerts. Depending on the severity of each alert, it is often minutes to hours before an analyst can properly triage and investigate the alert. The manual triage and investigation process adds additional time, as analysts must determine the validity of the alert and gather additional information. While these manual processes are occurring, the potential attacker has been hard at work, likely using scripted or automated processes to probe the network, pivot to other hosts and potentially begin exfiltrating data. By the time the security team has verified the threat and begun blocking the attacker, the damage is often already done.
So, how can security operations temporarily contain a possible threat and/or permanently block a known threat? This blog will explain how by utilizing the IncMan SOAR technology from DFLabs with its integration with McAfee Web Gateway, including a use case example in action.
DFLabs and McAfee Web Gateway Integration
McAfee Web Gateway delivers comprehensive security for all aspects of web traffic in one high-performance appliance software architecture. For user-initiated web requests, McAfee Web Gateway first enforces an organization’s internet use policy. For all allowed traffic, it then uses local and global techniques to analyze the nature and intent of all content and active code, providing immediate protection. McAfee Web Gateway can examine the secure sockets layer (SSL) traffic to provide in-depth protection against malicious code or control applications.
Attackers are scripting and automating their attacks, meaning that additional infections and data exfiltration can occur in mere seconds. Security teams must find new ways to keep pace with attackers in order to minimize the impact from even a moderately skilled threat. Utilizing DFLabs IncMan’s integration with McAfee Web Gateway, IncMan’s R3 Rapid Response Runbooks automate and orchestrate the response to newly detected threats on the network, enabling organizations to immediately take containment actions on verified malicious IPs and ports, as well as temporarily preventing additional damage while further investigation is performed on suspicious IP addresses and ports.
Use Case in Action
McAfee Web Gateway has generated an alert based on potentially malicious traffic originating from a host inside the network to an unknown host on the Internet. Based on a predefined Incident Template, IncMan has automatically generated an Incident and notified the Security Operations Team. As part of the Incident Template, the following R3 Runbook has been automatically added to the Incident and executed.
Data exfiltration can occur in mere seconds. By the time a security team has validated the threat and blocked the malicious traffic, it is often too late. DFLabs integration with McAfee Web Gateway allows organizations to automatically contain the threat and stop the bleeding until further action can be taken.
The Runbook begins by performing several basic Enrichment actions, such as gathering WHOIS and reverse DNS information on the destination IP address. Following these basic Enrichment actions, the Runbook continues by querying two separate threat reputation services for the destination IP address. If either threat reputation service returns threat data above a certain user-defined threshold the Runbook will continue along a path which takes additional action. Otherwise, the Runbook will record all previously gathered data, then end.
If either threat reputation service has deemed the destination IP address to be potentially malicious, the Runbook will continue by using an additional Enrichment action to query the organization’s IT asset inventory. Although this information will not be utilized by the automated Runbook, it will play an important role in the process shortly.
Next, the Runbook will query a database of known-good hosts for the destination IP address. In this use case, it is assumed that this external database has been preconfigured by the organization and contains a list of all known-good, whitelisted, external hosts by IP address, hostname and domain. If the destination IP address does not exist in the known-good hosts database, the security analyst will be prompted with a User Choice decision. This optional special condition within IncMan will pause the automatic execution of the Runbook, allow the security analyst to review the previously gathered Enrichment information and allow the security analyst to make a conditional flow decision. In this case, the User Choice decision asks the security analyst if they wish to block the destination IP address. If the analyst chooses to block the destination IP address, a Containment action will utilize McAfee Web Gateway to block the IP until further investigation and remediation can be conducted.
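The Runbook path described in the preceding three paragraphs, as an added example that is not part of the original post and not IncMan’s or McAfee Web Gateway’s code: the enrichment sources, the two reputation services, the asset inventory, the known-good database and the gateway are constructed in-memory stand-ins, and the analyst’s User Choice is modelled as a callback so the pause-and-decide step can be exercised without a UI.

```python
"""Model of the R3 Runbook flow: enrich -> reputation check -> asset lookup
-> known-good check -> User Choice -> Containment.  All data below is
constructed sample data (RFC 5737 documentation addresses), not real IoCs."""
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional, Set

# Constructed enrichment sources (assumptions standing in for WHOIS / reverse DNS).
WHOIS: Dict[str, str] = {"198.51.100.23": "TEST-NET-2 (RFC 5737)", "192.0.2.44": "TEST-NET-1 (RFC 5737)"}
REVERSE_DNS: Dict[str, str] = {"192.0.2.44": "edge3.cdn.example.net"}

# Two constructed reputation services returning a 0-100 threat score.
REPUTATION_SERVICES: Dict[str, Dict[str, int]] = {
    "service_a": {"198.51.100.23": 85, "203.0.113.7": 10, "192.0.2.44": 70},
    "service_b": {"198.51.100.23": 40, "203.0.113.7": 5, "192.0.2.44": 20},
}

# Constructed known-good database: IPs, hostnames and domains, as the post describes.
KNOWN_GOOD_HOSTS: Set[str] = {"203.0.113.7", "cdn.example.net", "example.org"}

# Constructed IT asset inventory, keyed by internal source IP.
ASSET_INVENTORY: Dict[str, str] = {"10.0.0.5": "finance-laptop-12"}


@dataclass
class FakeWebGateway:
    """Stand-in Containment target; records blocks instead of calling the real gateway."""
    blocked: Set[str] = field(default_factory=set)

    def block_ip(self, ip: str) -> None:
        self.blocked.add(ip)


@dataclass
class RunbookResult:
    path: List[str] = field(default_factory=list)      # nodes visited, in order
    enrichment: Dict[str, object] = field(default_factory=dict)
    blocked: bool = False


def in_known_good(ip: str, hostname: Optional[str]) -> bool:
    """True if the IP, the hostname, or any parent domain of it is whitelisted."""
    if ip in KNOWN_GOOD_HOSTS:
        return True
    if not hostname:
        return False
    labels = hostname.split(".")
    # Check "edge3.cdn.example.net", "cdn.example.net", "example.net", ...
    return any(".".join(labels[i:]) in KNOWN_GOOD_HOSTS for i in range(len(labels)))


def run_runbook(source_ip: str, dest_ip: str, threshold: int,
                decide: Callable[[Dict[str, object]], bool],
                gateway: FakeWebGateway) -> RunbookResult:
    r = RunbookResult()

    # Basic Enrichment: WHOIS and reverse DNS on the destination.
    r.enrichment["whois"] = WHOIS.get(dest_ip, "unknown")
    r.enrichment["reverse_dns"] = REVERSE_DNS.get(dest_ip)
    r.path.append("enrich")

    # Query both reputation services; either one above the threshold continues.
    scores = {name: svc.get(dest_ip, 0) for name, svc in REPUTATION_SERVICES.items()}
    r.enrichment["reputation"] = scores
    if max(scores.values()) <= threshold:
        r.path.append("record_and_end")   # record gathered data, then stop
        return r
    r.path.append("reputation_hit")

    # Asset inventory lookup: recorded for the analyst, not used by the automation.
    r.enrichment["asset"] = ASSET_INVENTORY.get(source_ip, "unknown asset")
    r.path.append("asset_lookup")

    # Known-good database check by IP, hostname and domain.
    if in_known_good(dest_ip, r.enrichment["reverse_dns"]):
        r.path.append("known_good_end")
        return r

    # User Choice: execution pauses and the analyst reviews the enrichment.
    r.path.append("user_choice")
    if decide(r.enrichment):
        gateway.block_ip(dest_ip)         # Containment action
        r.blocked = True
        r.path.append("contain")
    else:
        r.path.append("analyst_declined")
    return r
```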
If you want to learn more about how to contain threats, block malicious traffic and halt data exfiltration utilizing Security Orchestration, Automation and Response (SOAR) technology, get in touch with one of the team today to request your live one to one demo.
Nowadays, businesses face the fact that cyber attacks are part of the overall picture, and will happen at any given moment. Nobody is in doubt about this, and the question has shifted from ‘if they happen’, to ‘when they happen’. Along with this, cybercriminals have become much more sophisticated, raising the costs of fighting back on all industry levels.
Managing cyber security issues can pose a real challenge within a company. The new and complex networks, business requirements for innovation and new ways of delivery of services require new methods and approaches to the way security is handled. Traditional security management methods no longer work. Today, cyber security management should aim towards efficiency when it comes to possible future threats.
Serious data breaches can cost a company hundreds of millions of dollars. Often, what makes a breach serious is the effectiveness and speed of the incident response process.
This being said, creating an incident response program is of utmost importance. It has to excel in the following areas: visibility, incident management, workflows, threat intelligence, and collaboration/information-sharing. Below we’ll take a closer look at each of these areas and discover their importance from a systems level perspective.
Bearing in mind the number of security products in an average company, visibility should be the core of any incident response system; this means aggregating data feeds from commercial and open-source products. When setting up an incident response system, specialists should consider platforms that offer support for security products out of the box. Although not all of them support everything by default, the one you choose should be flexible enough to add bi-directional integrations with security products not supported by default. But even though bi-directional integrations are important for the support of full automation and orchestration, they are not always necessary for each technology. For example, with simple detection and alerting technologies, a unidirectional event-forwarding integration will do the work. Just check that common methods of event forwarding and data transfer (such as syslog, database connections, APIs, email and online forms) are supported.
A well-structured incident response program should enable orchestration and automation of the security products that the organization uses. Above everything else, it should include the ability to manage the entire incident response process, starting from the basics, such as tracking cases, recording actions during the incident, as well as reporting on critical metrics and KPIs.
Furthermore, a more advanced incident response system should provide the following:
- Phase and objective tracking
- Detailed task tracking, including assignment, time spent and status
- Asset management — tracking all physical and virtual assets involved in the incident
- Evidence and chain of custody management
- Indicator and sample tracking, correlation and sharing
- Document and report management
- Time and monetary effort tracking
One of the key capabilities that should be part of the incident response system is automation and orchestration workflows. The result is more efficient processes and a large reduction in repetitive tasks for analysts.
There are two core methods for codifying process workflows: linear-style playbooks, and flow-controlled workflows or runbooks.
Both methods have advantages and disadvantages, and as each is suitable for different use cases, they both should be supported by the incident response system. In both cases, workflows should be flexible and support almost any process, and should support the use of built-in and custom integrations, and creating manual tasks that should be completed by an analyst.
The capability of incorporating threat intelligence feeds is one of the most basic requirements for an incident response system. Moreover, with the ability to correlate threat intelligence, it’s easier to discover attack patterns, vulnerabilities, and other current risks without manual analysis. Adding the automated correlation also helps identify whether an ongoing incident shares common factors with any previous incidents. But even though automated correlation is crucial for analysts to make decisions, visual correlation is also important. Visualizations of threat intelligence and correlated events are particularly useful for threat hunting and detecting attacks/patterns that could not have been detected using other methods.
Collaboration and Information-Sharing
Incident response is never a one-person show. Generally, it requires the participation of many people, and often of multiple teams. To be highly effective in such an environment, an incident response system should support seamless collaboration and information-sharing between all stakeholders and team members.
This means that authorized staff members should have access to the status of the incident and other generated information, including team members’ actions. Also, all staff members should communicate in a secure fashion, using an out-of-band communications mechanism.
Furthermore, information-sharing and cooperation should be a regular practice with external entities, especially with law-enforcement agencies. Information-sharing, such as threat intelligence reports, is vital in the fight against cybercrime.
Most companies will experience a data breach sooner or later, and how they respond will affect the future of the business. These essential components will help ensure that an organization’s incident response program can detect, contain and mitigate a breach before it becomes more serious.
Forensic incidents can be complex and difficult to manage. Large-scale forensic investigations involve dozens or even hundreds of assets, and this information must be recorded, managed and correlated to be effective. DFLabs and OpenText are key partners in delivering these capabilities. This blog post will outline some of the key challenges that security operations are tackling when it comes to effective forensics management, how they can be resolved and briefly present a use case of the integration in action.
Acquiring forensic data from dozens, even hundreds of potentially impacted hosts across an enterprise can pose a real challenge. This is especially true when these hosts span across continents. Once this data is acquired, it must be organized, enriched and correlated before effective analysis can begin. This results in potentially hundreds of analyst hours lost performing these repetitive tasks before any actual investigative work can take place, during which time, potential attackers could be continuing to further compromise the network or exfiltrate data.
DFLabs’ integration with EnCase via its IncMan SOAR platform allows users to more quickly gather critical asset data, manage this data and further enrich it using IncMan’s orchestration and automation capabilities. It helps to solve these specific security operations challenges often faced by analysts on a daily basis:
- How can I quickly gather host information from endpoints across my infrastructure?
- How can I correlate and enrich data collected from across the different hosts in my infrastructure?
- How can I track my evidence, including acquisition information, location and chain of custody?
- How can I manage all the findings from my forensic examination in one location, correlate and enrich them?
Complete Forensic and Evidence Management
EnCase from OpenText is the premier digital investigation platform for both law enforcement and private industry. EnCase allows acquisition of data from the greatest variety of devices, including over 25 types of mobile devices such as smartphones, tablets, and GPS devices. EnCase enables a comprehensive, forensically sound investigation and produces extensive reports on findings while maintaining the evidence integrity. EnCase Enterprise, built specifically for large enterprise clients, allows forensic analysts to reach across the enterprise network, gathering critical forensic data from hosts across a campus or across the world.
By integrating with OpenText EnCase, DFLabs IncMan SOAR can harness the power of EnCase Enterprise Snapshots, making gathering critical forensic artifacts from hosts around the globe a seamless task. Once this information has been collected by EnCase, IncMan automatically organizes this data by host, performs correlation, and allows a user to harness the power of IncMan’s other integrations to further enrich this information.
In addition to Snapshot information, IncMan is also able to ingest EnCase bookmarks, correlating forensic tools and findings between EnCase cases, as well as acquisition information, making the tracking of forensic clones easier than ever before.
Use Case in Action
An IDS alert for suspicious activity on a host has automatically generated an Incident within IncMan, triggering an investigation. Utilizing IncMan’s EnCase Snapshot EnScript, an analyst performs a snapshot of the host in question, gathering critical process, network and handle information.
Using IncMan’s enrichment capabilities on the newly acquired snapshot information, a suspicious process and several suspicious network connections have been identified, prompting the need for a more detailed forensic investigation.
Utilizing several of IncMan’s containment integrations, traffic from the suspicious IP addresses has been temporarily blocked and the process’s hash value has been banned from running across the environment.
A forensic clone of the host is created to permit a more detailed forensics and root cause analysis. Once the forensic clone is created, IncMan’s Bookmarks and Clones EnScript is used to transfer information regarding the clone from EnCase to IncMan, making tracking the clone’s location and verification simple and easy.
Based on the forensic analysis of the host, a suspicious executable and configuration files have been identified and bookmarked for further analysis. Utilizing IncMan’s Bookmarks and Clones EnScript, these EnCase bookmarks are imported into IncMan to permit improved tracking and information sharing between analysts.
Making use of one of IncMan’s several integrations with various sandboxing technologies, the executable bookmarked in EnCase is identified as a variant of known malware. Further research on this known malware variant leads to a remediation strategy for the infection of this host.
If you currently use EnCase from OpenText and would like to learn more, request a bespoke one to one demonstration of the integration with DFLabs’ SOAR platform. See for yourself how we can help you to free up valuable analyst time and improve the overall performance of your security program by automating host data acquisitions, tracking and managing important information, while storing all forensic artifacts in a single location for easier use and correlation.
Also for further reading, check out our white paper titled “DFLabs IncMan SOAR: For Incident and Forensics Management”.
Attending face-to-face events does wonders for career networking and acquiring knowledge, plus it’s always incredibly helpful to see the latest advancements in technology first-hand, view a new tool in action, or simply get some answers to questions you have from industry experts.
This becomes even more important if your organization wants to stay up to date with the latest security trends and ahead of the ever-evolving cyber threats, especially with such a quickly evolving threat-landscape we are faced with today. If this is the case, then attending these top-notch cyber security conferences in the months ahead should be a priority for you and your security team, whether you are a C-level executive, a security operations manager or security analyst, there will be something there to benefit you.
There are a growing number of events taking place around the globe this fall with cyber security as their main focus. These gather tech enthusiasts, developers, pioneers, security experts, and many other masterminds, all at the same venue with a single goal in mind: to improve their cyber security ecosystem. Picking the conferences and summits a company should attend can be a real challenge, as there are so many to choose from, and this is exactly why we prepared a quick guide to some of the most exciting events to be at, large and small alike. It’s not too late to plan your travel!
So, here is the lineup of our top-rated cyber security events where DFLabs will be present. They will give you the opportunity to chat with your peers, attend presentations and keynotes, and engage in discussions about the dark web, cyber espionage, malware and, more importantly, incident response: how to detect, respond to and remediate potential security incidents, as well as many other topics.
6-7 September 2018, New Orleans, US
This two-day in-depth summit is focused on the latest threat hunting and incident response techniques that can be used to successfully identify, contain and eliminate adversaries targeting your networks. The summit will put special focus on the effectiveness of threat hunting in reducing the dwell time of adversaries, providing actionable threat hunting strategies, as well as tools, tactics, and techniques that can be used to improve the defenses of their organizations. Our Senior Product Manager, John Moran, will also be speaking on the subject of “Threat Hunting Using Live Box Forensics”.
13-14 September, 2018, Warsaw, Poland
The SCS conference consists of presentations from leading world authorities in the cyber security realm. This conference gathers leading international companies with presentations focused on cyber security, as well as guests from all around the globe, while maintaining a large Polish presence. DFLabs, along with its Polish-based partner, Orion Instruments Polska, will be engaging with the audience during live presentations, as well as on the exhibition floor during this two-day event.
18-19 September, Copenhagen, Denmark
DFLabs is a proud sponsor of Think In 2018, LogPoint’s first-ever customer and partner conference. With the recent integration of LogPoint’s SIEM with DFLabs’ SOAR solution, this conference will provide a unique opportunity to connect with both organizations in one place and enable you to ask important questions about how this joint solution can support your business needs. See first-hand a comprehensive joint demonstration during the live briefing sessions on how to build an effective incident response program combining the power of SIEM and SOAR technology.
18-20 September, Singapore
GovWare is into its 27th year and is the cornerstone event for the Singapore International Cyber Week featuring the latest trends in all things cybersecurity, focused around the Government sector. DFLabs with its partner PCS Security will be showcasing its solutions to “Control Your Cloud”, where you can learn how to create a more efficient and effective response to cyber security incidents.
18-19 September, London, UK
SINET is dedicated to building a cohesive, worldwide cybersecurity community with the goal of accelerating innovation through collaboration. SINET is a catalyst that connects senior level private and government security professionals with solution providers, buyers, researchers and investors. DFLabs is delighted to be participating in and sponsoring this London event to share knowledge and broaden the awareness and adoption of innovative cybersecurity technologies.
9-11 October, Nuremberg, Germany
it-sa is Europe’s largest exhibition for IT security and one of the most important worldwide events where experts will be providing information on current issues, strategies and technical solutions. In partnership with Softshell, DFLabs will be showcasing its latest solution features to enable organizations to transform their security operations, acting as a force multiplier for their security team to decrease the time to detect and resolve incidents.
14-18 October, Dubai, UAE
If you’re talking technology within the Middle East, Africa and Asia, GITEX is the place to be. Right from world-famous industry names to Silicon Valley’s hottest startups, everyone heads to GITEX in anticipation of big business partnerships, future-ready gear and booming success. As the largest technology event in the Middle East, Africa and South Asia, see new technologies and innovation come alive. During GITEX Technology Week, DFLabs will be available with our partner RAS Infotech at booth G02.
If you are attending one or more of these events, or even if you aren’t able to attend and would like to learn more about our ever-evolving Security Orchestration, Automation and Response platform and how it can improve the performance of your security program, do make sure to get in touch, whether for an informal chat, a more formal discussion or to see a live demo.
We look forward to hearing from you and seeing you there!
Incident and Forensics Investigations Management
Security incidents and digital forensics investigations are complex events with many facets, all of which must be managed in parallel to ensure efficiency and effectiveness. When investigations are not managed and documented properly, processes fail, critical items are overlooked, inefficiencies develop, and key indicators are missed, all leading to increased potential risk and losses.
Investigation management can be broken down into a number of key components and it is important that an organization is able to carry out all of these elements collectively and seamlessly in order to properly handle and manage any incident they may potentially face.
This blog will briefly cover 9 key areas that I believe are the most important when it comes to incident and forensics management. Ensuring these are firmly in place within your security operations or CSIRT team will ensure more efficient and effective incident management when an incident does occur.
If you would like to learn more about each of the components in more detail and how DFLabs has incorporated them into its comprehensive and complete Security Orchestration, Automation and Response (SOAR) platform to enable organizations to improve their security program, you can download our in-depth white paper here.
Every investigation must be organized into a logical container, commonly referred to as a case or incident. This is necessary for several reasons. Most obviously, this container is used to identify the investigation and contain information such as observables, tasks, evidence, notes and other information associated with the investigation, discussed in greater detail in the subsequent sections. Many investigations contain sensitive information which should only be accessible by those with a legitimate need to know. These containers also serve to enforce a level of access control.
Observables and Findings
Investigations generate a large volume of data, from simple observables such as IP addresses, domain names and hash values, to more complex observables such as malware and attacker TTPs, as well as findings such as those made from log analysis, forensic examination and malware analysis. All this information must be recorded and shared with all appropriate stakeholders to ensure the most effective response to a security incident.
Data gathered from previous incidents can be an invaluable tool in responding more effectively to future security incidents. As individual data points are associated with each other, this information is transformed from simple data into actionable threat intelligence which can inform future decisions and responses.
Phase, Expectation and Task Management
Investigations generally progress through a series of phases, each of which will contain a series of management expectations and a set of tasks required to meet those expectations. As the complexity of an investigation increases the tracking of these phases, expectations and tasks become both more critical and more difficult to manage. Failing to properly track and manage investigation phases, expectations and tasks can lead to duplicated efforts, overlooked items and other inefficiencies which lead to an increase in both cost and time to successfully complete an investigation.
Evidence and Chain of Custody
Documenting evidence and tracking chain of custody can be a complex process during an investigation of any size. Documentation using older paper-based or spreadsheet systems does not scale to larger investigations, is prone to error and is time-consuming. Failing to maintain a full list of evidence or maintain chain of custody can result in lost evidence, duplication of efforts and inability to use critical evidence during legal processes.
Forensic Tool Integration
Security operations use a multitude of tools and technologies on a daily basis with different ones being utilized for varying types of investigations. Logging into several platforms individually to collect data is often a manual process and can be tiresome and painful, as well as extremely time-consuming, and time is always of the essence. It is critical that security tools are connected and integrated to improve efficiencies and to fuse intelligence seamlessly together so that all data can be analyzed and documented in a single location and immediately shared with relevant stakeholders.
Reporting and Management
Reporting and the management of reports is a vital function during any investigation. Once information is documented, it must be able to be accessed easily and in multiple formats appropriate for a wide variety of audiences. As the scale of an investigation grows, so does the number of individual reports which will be generated. This can result in many complexities, including sharing logistics, proper access controls and managing different versions of reports. To reduce the impact of these complexities, a single report management platform should be used to act as the authoritative source for all reports.
Activity Tracking and Auditing
Tracking actions taken during an investigation is important to ensure a consistent response, identify areas where process improvements are needed, and prove that the actions taken were appropriate. Not only must actions be documented, but it is also crucial to ensure that the integrity of this documentation cannot be called into question later. However, documenting activity during an investigation can be time-consuming, taking analysts’ attention away from the tasks at hand, and is often an afterthought.
Investigative data can be extremely sensitive, and it is crucial that the confidentiality of such data be maintained at all times. Confidentiality must be maintained not only for those outside of the organization but also for those internal users who may not be authorized to access some or all of the incident information.
No matter the specific roles a team is tasked with, the team will require many different physical and logical internal assets to accomplish their tasks. These may include workstations, storage media, license dongles, software and other hardware. Regardless of the asset, an organization must be able to track it throughout its life, ensuring that assets (and the money spent on them) do not go to waste. As the team grows, tracking these assets, to whom they are issued, their expiration dates and more can become a full-time task.
These core components combined enable security teams to work more efficiently throughout the entire investigative lifecycle, reducing both cost and risk posed by the wide variety of events facing organizations today. Providing a holistic view of the security landscape and the organization’s broad infrastructure allows for better use of existing tools and technologies to minimize the time team members must spend on the administrative portions of investigations, allowing them to focus on the more important tasks that will ultimately impact the outcome of the response.
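Two of the components above, evidence and chain-of-custody tracking and tamper-evident activity logging, can be illustrated together. The following is an added example written for this page, not IncMan code or any DFLabs API: each evidence item stores the SHA-256 hash taken at acquisition, every custody event (acquisition, transfer, verification) is appended to a hash chain where each entry commits to the previous entry, and `audit_intact()` recomputes the chain so that any later edit to the record is detectable. The sample image bytes, item id and analyst names are constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, field

GENESIS = "0" * 64  # previous-hash value for the first custody entry

# Constructed stand-in for an acquired disk image or file (not real evidence).
SAMPLE_IMAGE = b"constructed sample image bytes for the example"


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class CustodyEvent:
    seq: int          # 1-based position in the chain
    actor: str        # who performed the action
    action: str       # "acquired", "transferred", "verified", "mismatch"
    detail: str
    prev_hash: str    # entry_hash of the previous event (GENESIS for the first)
    entry_hash: str = ""


def _event_digest(ev: CustodyEvent) -> str:
    # The digest commits to every field except entry_hash itself, including
    # prev_hash, so changing any earlier entry breaks every later link.
    payload = json.dumps([ev.seq, ev.actor, ev.action, ev.detail, ev.prev_hash]).encode()
    return sha256_hex(payload)


@dataclass
class EvidenceItem:
    item_id: str
    description: str
    acquisition_hash: str            # SHA-256 of the data at acquisition time
    custody: list = field(default_factory=list)

    def record(self, actor: str, action: str, detail: str) -> CustodyEvent:
        prev = self.custody[-1].entry_hash if self.custody else GENESIS
        ev = CustodyEvent(len(self.custody) + 1, actor, action, detail, prev)
        ev.entry_hash = _event_digest(ev)
        self.custody.append(ev)
        return ev

    def transfer(self, from_actor: str, to_actor: str) -> CustodyEvent:
        return self.record(from_actor, "transferred", f"custody passed to {to_actor}")

    def verify_copy(self, actor: str, data: bytes) -> bool:
        # A working copy is only trustworthy if it still matches the acquisition hash;
        # the outcome is itself logged so a mismatch cannot go unrecorded.
        digest = sha256_hex(data)
        ok = digest == self.acquisition_hash
        self.record(actor, "verified" if ok else "mismatch", f"sha256={digest}")
        return ok

    def audit_intact(self) -> bool:
        # Walk the chain from the genesis value and recompute every digest.
        prev = GENESIS
        for i, ev in enumerate(self.custody, start=1):
            if ev.seq != i or ev.prev_hash != prev or _event_digest(ev) != ev.entry_hash:
                return False
            prev = ev.entry_hash
        return True


def acquire(item_id: str, description: str, data: bytes, actor: str) -> EvidenceItem:
    """Register new evidence: hash it once, then open its custody chain."""
    item = EvidenceItem(item_id, description, sha256_hex(data))
    item.record(actor, "acquired", f"sha256={item.acquisition_hash}")
    return item


if __name__ == "__main__":
    item = acquire("EV-001", "constructed workstation image", SAMPLE_IMAGE, "analyst-a")
    item.transfer("analyst-a", "analyst-b")
    print("copy verified:", item.verify_copy("analyst-b", SAMPLE_IMAGE))
    print("chain intact:", item.audit_intact())
```

The hash chain only makes tampering detectable; to make it provable to a third party the chain head would additionally be signed or written to an append-only store, which is outside this example.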
Learn more about the topic by downloading our latest white paper titled “DFLabs IncMan SOAR: For Incident and Forensics Management”.
Enterprise networks are complex environments, with numerous components often under the control of teams outside the security team. During an incident, it is critical that respondents understand the network topology and have the most current network policy and device information available to them. Network documentation is often incomplete and out-of-date; security teams need a way to quickly and efficiently gather actionable network intelligence to effectively respond to a security incident.
This blog will cover some of the current challenges faced by security operations teams and how they can harness the vast amounts of network intelligence available, such as device, policy and path information, using Tufin as a case study. By integrating with Tufin Orchestration Suite, DFLabs’ IncMan SOAR platform can utilize its R3 Rapid Response Runbooks to enable the collection of actionable network intelligence, along with its automation, orchestration, and measurement power, to respond faster and more efficiently to security incidents.
There are three specific challenges that are common within any security operations center, and analysts need an effective and efficient way to solve them and obtain the information they need as quickly as possible.
- How can I get a current list of network devices?
- How can I get a current list of rules and policies?
- How can I determine the network path from source to destination?
The DFLabs and Tufin Solution
Tufin Orchestration Suite takes a policy-centric approach to security to provide visibility across heterogeneous and hybrid IT environments, enable end-to-end change automation for network and application connectivity and orchestrate a unified policy baseline across the next generation network. The result is that organizations can make changes in minutes, reduce the attack surface and provide continuous compliance with internal and external/industry regulations. The ultimate effect is greater business continuity, improved agility and reduced exposure to cyber security risk and non-compliance.
Tufin Orchestration Suite together with DFLabs IncMan SOAR platform provides joint customers with an automated means to gather actionable network intelligence, a task which would otherwise need to be performed manually, taking up valuable analyst time when every minute counts. This results in an overall decrease in the mean time to respond (MTTR) to a computer security incident, saving the organization both time and potential financial and reputation loss.
It provides a list of current network devices based on any number of criteria, a list of current rules and policies for any number of devices and is able to simulate network traffic from source to destination, including path and associated rules. Here is a use case in action to see exactly how!
Network traffic between a workstation and a domain controller has been identified as potentially malicious by the organization’s UBA platform. The UBA platform generated an alert which was forwarded to IncMan SOAR, causing an incident to be automatically generated. Based on the IncMan Incident Template, the following R3 Runbook was automatically assigned and executed to gather additional network intelligence.
The information gathering begins by simulating the network path between the source address and destination address of the potentially malicious network traffic. This information is gathered by two separate Enrichment actions, one which will display this information in a table format, and another which will display the same information in a graphic network path which can be exported and shared or added to reports.
As with information from any other IncMan Enrichment action, each network device on the path between the source address and the destination address is stored within an array which can be used by subsequent actions.
After the path information has been retrieved, an additional Enrichment action is used to retrieve information about each device along the path. This includes information such as device vendor, model, name and IP addresses.
Following the acquisition of the device information, two additional Enrichment actions are utilized to gather additional network intelligence. The first action will retrieve all rules for each network device along the path. Detailed information on each matching rule will be displayed for the analyst, allowing the analyst to assess why the traffic was permitted or denied, what additional traffic may be permitted from the source to the destination, and what rule changes may be appropriate. The second action will retrieve all policies for each network device along the path. Similar to the previous rule information, this information will allow the analyst to assess the configured network policies and determine what, if any, policy changes should be made to contain the potential threat.
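The runbook described in this use case can be reproduced in miniature. The following is an added example written for this page; it is not IncMan, Tufin or any of their APIs, and the device inventory, networks and rule bases are constructed for the example. It performs the same chain of enrichment steps: simulate the path from source to destination (devices that share a network are adjacent), collect vendor, model and IP for each device on the path, then evaluate each device's ordered rule base (first match wins, implicit deny) so the analyst can see where and why the traffic was permitted or denied.

```python
import ipaddress
from collections import deque

# Constructed device inventory: each device lists the networks it is attached to.
DEVICES = {
    "fw-edge": {"vendor": "ExampleVendor", "model": "X1", "ip": "10.0.0.1",
                "networks": ["10.10.0.0/16", "10.0.0.0/24"]},
    "fw-core": {"vendor": "ExampleVendor", "model": "X2", "ip": "10.0.0.2",
                "networks": ["10.0.0.0/24", "10.20.0.0/16"]},
    "fw-dc":   {"vendor": "ExampleVendor", "model": "X3", "ip": "10.0.0.3",
                "networks": ["10.20.0.0/16", "10.30.0.0/24"]},
}

# Constructed ordered rule bases: first matching rule decides, otherwise implicit deny.
RULES = {
    "fw-edge": [
        {"id": 1, "src": "10.10.0.0/16", "dst": "10.30.0.0/24", "port": 445, "action": "allow"},
        {"id": 2, "src": "10.10.0.0/16", "dst": "10.30.0.0/24", "port": 389, "action": "allow"},
    ],
    "fw-core": [
        {"id": 10, "src": "any", "dst": "10.30.0.0/24", "port": 445, "action": "deny"},
        {"id": 11, "src": "10.10.0.0/16", "dst": "10.30.0.0/24", "port": 389, "action": "allow"},
    ],
    "fw-dc": [
        {"id": 20, "src": "10.10.0.0/16", "dst": "10.30.0.0/24", "port": 389, "action": "allow"},
        {"id": 21, "src": "10.10.0.0/16", "dst": "10.30.0.0/24", "port": 445, "action": "allow"},
    ],
}


def _contains(net: str, ip: str) -> bool:
    return net == "any" or ipaddress.ip_address(ip) in ipaddress.ip_network(net)


def devices_for(ip: str) -> list:
    """Devices directly attached to the network holding this address."""
    return [name for name, dev in DEVICES.items()
            if any(_contains(net, ip) for net in dev["networks"])]


def simulate_path(src: str, dst: str) -> list:
    """Breadth-first search over devices; two devices are adjacent if they share a network."""
    targets = set(devices_for(dst))
    start = devices_for(src)
    queue = deque([[d] for d in start])
    seen = set(start)
    while queue:
        path = queue.popleft()
        if path[-1] in targets:
            return path
        here = set(DEVICES[path[-1]]["networks"])
        for other, info in DEVICES.items():
            if other not in seen and here & set(info["networks"]):
                seen.add(other)
                queue.append(path + [other])
    return []  # no route between the two addresses in this inventory


def first_match(device: str, src: str, dst: str, port: int):
    for rule in RULES.get(device, []):
        if (_contains(rule["src"], src) and _contains(rule["dst"], dst)
                and rule["port"] in (port, "any")):
            return rule
    return None


def enrich(src: str, dst: str, port: int) -> dict:
    """Run the path, device and rule enrichment steps and summarise the verdict."""
    path = simulate_path(src, dst)
    hops = []
    for dev in path:
        rule = first_match(dev, src, dst, port)
        hops.append({
            "device": dev,
            "vendor": DEVICES[dev]["vendor"],
            "model": DEVICES[dev]["model"],
            "ip": DEVICES[dev]["ip"],
            "rule": rule["id"] if rule else None,
            "verdict": rule["action"] if rule else "deny",   # no match => implicit deny
        })
    # Traffic only flows if every device on the path permits it.
    blocked_at = next((h["device"] for h in hops if h["verdict"] != "allow"), None)
    verdict = "allowed" if path and blocked_at is None else "denied"
    return {"path": path, "hops": hops, "verdict": verdict, "blocked_at": blocked_at}


if __name__ == "__main__":
    for port in (445, 389):
        result = enrich("10.10.5.20", "10.30.0.10", port)
        print(port, result["verdict"], "blocked at:", result["blocked_at"])
        for hop in result["hops"]:
            print("  ", hop["device"], hop["model"], "rule", hop["rule"], hop["verdict"])
```

In the constructed data, SMB (445) from the workstation subnet is allowed at the edge and at the data-centre firewall but denied by rule 10 on the core firewall, while LDAP (389) is allowed end to end; the per-hop output is what lets an analyst judge whether the observed traffic could actually have reached the domain controller and which rule base would need changing to contain it.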
Harnessing the power of Tufin Orchestration Suite, along with the additional orchestration, automation and response features of DFLabs’ IncMan SOAR platform, organizations can elevate their incident response process, leading to faster and more effective response and reduced risk across the entire organization.
To see the integration in action, request a demo of our IncMan SOAR platform today.
Within any organization’s security operations center (SOC), regardless of the level of role undertaken (security analyst, engineer or manager), when it comes to the security program at hand, the overall high level goal is to ensure that potential security risks from the alerts generated are dealt with in the most efficient and effective way possible, keeping the threat and potential incident under control, resulting in minimal impact to the day to day operations of the business.
As more and more security alerts are being triggered, potentially with increasing veracity as hackers get more sophisticated, the mean time to detection and the mean time to resolution (MTTR) are vital. This is when it becomes critical to make sure your security operations center and incident response teams are fully utilizing the tools and resources available to them to detect, orchestrate, automate and measure their security operations and incident response processes and tasks.
With security incidents becoming more costly, organizations must find new ways to further reduce the mean time to detection and the mean time to resolution. At the same time, they face pressure from being heavily monitored against a number of security program KPIs that accurately measure (and improve) performance, which will inevitably be reported back to varying levels of stakeholders, including security management, C-level executives, and even the board. (For more information about KPIs for security operations and incident response, download our recent whitepaper here.) While some members of the SOC team, such as the analysts, will be focused solely on the incidents at hand, KPIs and questions surrounding service level agreements (SLAs), mean time to resolution (MTTR) and the overall return on investment (ROI) of security tools and technologies are bound to be at the forefront of the agenda of the SOC manager and, in particular, the CISO.
In this blog we will briefly discuss how a SOC can enhance its security operations program SLAs, MTTR and ROI, by investing in a Security Orchestration, Automation and Response tool, such as the IncMan SOAR platform from DFLabs and we will run through a basic scenario of what happens when a security alert is detected and triggered using IncMan SOAR.
Many large organizations already use a number of third-party solutions, including security information and event management (SIEM) and endpoint detection and response (EDR) tools, but the question is: is all of the information generated by these tools and technologies being utilized and fused together to provide meaningful aggregated, correlated and analyzed security intelligence? The answer is most probably no, and the likelihood is that the SOC team is being overwhelmed by the number of alerts and the amount of information it receives, and is therefore unable to easily identify which alerts are high-level versus low-level threats, or to know exactly which process should be followed first to put a playbook or runbook into action to contain the specific threat at hand.
How IncMan Tackles an Alert with Security Orchestration and Automation
An incident was automatically triggered in IncMan SOAR when the organization’s vulnerability management systems found that one of the critical servers reported non-compliance due to missing patches. The security analyst on duty assessed that the problem needed an immediate remediation. An incident management record was created to assign the correction of the problem to the system administrator in charge of the server. Automated actions triggered email notifications to the system administrator and to the security architecture and governance team, who manage the organization’s compliance.
Earlier in the year, the CISO mandated that changes within the large organization were monitored end to end through the system development lifecycle (SDLC). This would try to ensure that there were no security gaps in the infrastructure, as non-compliance within servers can create a security gap that can easily be exploited and misused by a hacker.
This is just one example of an alert that an organization could receive, and in this case it is quite a simple one. Imagine hundreds of alerts coming in per day related to suspected phishing attempts, malware injections, ransomware attacks and data breaches, to name a few, many of them more complex. Analysts often get overwhelmed with the number of alerts they receive but need to be able to respond quickly to all of them, while also prioritizing them at the same time. The key is to transform the resource-intensive manual tasks into an effective and efficient automated and orchestrated process, where automated and manual actions can occur side by side as needed. Automating the process with a tool such as the IncMan SOAR platform cuts down the time spent gathering data manually and the number of resources needed to complete the several stages of the process.
IncMan SOAR provided this customer with a real-time alert that was responded to and remediated almost immediately. Automated processes were followed, reducing the amount of manual human interaction required for data collection, enrichment, containment and remediation, all in a more efficient, standardized and timely manner. IncMan SOAR facilitated the enrichment of information via integrations with the tools the security team was already using, which provided additional intelligence to the investigation that the original security alert triggered, helping to validate its severity.
With a vast amount of information being generated, the ability to present it in an easy-to-use and understandable format facilitated communication among different IT team members and departments, allowing them to share the visualized information via dashboards and detailed reports that standardize the information-sharing process.
Utilizing Playbooks and Runbooks
So how does a SOAR solution like IncMan know which actions to automate when a security alert is triggered? A security operations center can maximize its incident response process by utilizing a range of predefined automation and orchestration processes, via playbooks and runbooks, that expedite activities based on the type of security alert. You could have specific ones for ransomware or for a phishing attack, for example, that have been written, trialed and tested over and over again to ensure the correct actions are taken.
IncMan SOAR’s powerful engine provides an assortment of automated actions that, within seconds of being triggered, gather diverse information from different data sources and can enrich, contain, remediate and notify stakeholders faster than a human being can react. The process is flexible and can run fully automated or in hybrid mode, with human interaction to approve certain actions, for example blocking an IP address or quarantining a compromised asset.
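The two ideas in this section, selecting a playbook by alert type and gating containment steps behind human approval in hybrid mode, are shown in the following added example. It is written for this page and is not IncMan code or the product's playbook format; the alert, the reputation list and the step functions are constructed for the example. Enrichment runs unconditionally, a containment step runs automatically only in fully automated mode or when an approver callback accepts it, and a step left pending is recorded rather than silently dropped.

```python
from dataclasses import dataclass
from typing import Callable, Optional

# Constructed stand-in for a threat-intelligence lookup (not a real feed).
KNOWN_BAD_SENDER_DOMAINS = {"phish.example.test"}


@dataclass(frozen=True)
class Step:
    name: str
    category: str                          # "enrich", "contain" or "notify"
    run: Callable[[dict, dict], str]       # (alert, context) -> result string


def lookup_sender(alert: dict, ctx: dict) -> str:
    # Enrichment: annotate the shared context so later steps (and approvers) can use it.
    domain = alert["sender"].rsplit("@", 1)[-1].lower()
    ctx["sender_known_bad"] = domain in KNOWN_BAD_SENDER_DOMAINS
    return "known-bad" if ctx["sender_known_bad"] else "unknown"


def block_sender(alert: dict, ctx: dict) -> str:
    # Containment: in a real deployment this would call the mail gateway; here it only records intent.
    ctx.setdefault("blocked", []).append(alert["sender"])
    return "blocked"


def notify_soc(alert: dict, ctx: dict) -> str:
    return f"notified SOC about {alert['id']}"


# Playbooks keyed by alert type; steps run in order.
PLAYBOOKS = {
    "phishing": [
        Step("lookup sender reputation", "enrich", lookup_sender),
        Step("block sender at gateway", "contain", block_sender),
        Step("notify SOC", "notify", notify_soc),
    ],
}

Approver = Callable[[Step, dict, dict], bool]


def run_playbook(alert: dict, mode: str = "hybrid", approver: Optional[Approver] = None) -> dict:
    """Execute the playbook for alert['type'].

    mode="automated": every step runs without human involvement.
    mode="hybrid":    containment steps run only if the approver callback returns True;
                      otherwise they are logged as pending-approval and the rest continues.
    """
    if mode not in ("automated", "hybrid"):
        raise ValueError(f"unknown mode {mode!r}")
    steps = PLAYBOOKS.get(alert["type"])
    if steps is None:
        return {"status": "no-playbook", "log": [], "context": {}}

    ctx: dict = {}
    log = []
    for step in steps:
        needs_approval = step.category == "contain" and mode == "hybrid"
        if needs_approval and not (approver and approver(step, alert, ctx)):
            log.append((step.name, "pending-approval"))
            continue
        log.append((step.name, step.run(alert, ctx)))
    return {"status": "completed", "log": log, "context": ctx}


if __name__ == "__main__":
    alert = {"id": "INC-1001", "type": "phishing", "sender": "billing@phish.example.test"}
    # Approve containment automatically only when enrichment already flagged the sender.
    auto_if_known_bad = lambda step, a, ctx: ctx.get("sender_known_bad", False)
    for entry in run_playbook(alert, "hybrid", auto_if_known_bad)["log"]:
        print(entry)
```

The approver callback is where a policy such as "auto-approve blocking when the sender is already on a bad list, otherwise wait for an analyst" lives; keeping it outside the step functions means the same playbook serves both fully automated and supervised operation.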
In summary, the above example would have been a mundane and manual process without the use of orchestration and automation, depending on human resources collecting information from different data sources, carrying out a number of activities and writing a manual report.
The power of the correlation engine in IncMan SOAR cuts down the time by facilitating the collection of threat information via the integrated third-party vendors’ data sources. With the help of playbooks and automated runbooks, meaningful threat intelligence can be easily gathered, enriched and correlated to produce a visualization of the incidents that can be displayed in an automated standard report. The information is quickly available and easily shared with all teams as necessary, without having to wait for the project teams to supply additional information about the incident.
IncMan SOAR maximizes the SLAs for security availability and MTTR by delivering key details expeditiously, computed from multiple data sources, in a visual or readable detailed report format to multiple stakeholders, the leadership team or anyone else who needs them. The data can subsequently be kept, helping to identify historical trends, patterns and attack types, among others, which in turn informs the automated actions taken on future alerts and creates a better security defense.
Overall, the benefits of using a Security Orchestration, Automation and Response platform outweigh the negatives. Such a solution can increase the efficiency of your security operations center, enabling it to become more effective, focused on incident response management and proactive threat hunting while minimizing cybersecurity vulnerabilities, as opposed to carrying out the multitude of mundane, repetitive and time-consuming basic tasks.
Automation and orchestration reduce the MTTR, as well as aiding the organization’s management team with standard visualizations and focused, detailed written reports, which help to better meet compliance obligations such as breach notification requirements, while meeting the organization’s mission to operate a secure infrastructure in an efficient manner, by increasing cybersecurity governance SLAs and ROI and ultimately maximizing company resources by doing more with less.
Instead of a technical topic, this week I wanted to discuss an interaction I had with another Information Security professional recently because I believe it exemplifies how we as professionals can interact and share ideas in a way that furthers the security industry.
A couple of weeks ago, DFLabs released a whitepaper titled: “Increasing the Effectiveness of Incident Management“, which I authored discussing how the Incident Command System utilized for decades by emergency services in the US and across the world could be applied to streamline security incident management in the enterprise. Weeks later, Adam (whose last name I will not use since I did not ask his permission) reached out to me to express a problem with one of the premises of that whitepaper. What I want to highlight here is not that someone disagreed with me on a point (it happens often), or who is right (I don’t think there is any right or wrong in this case), but how the interaction itself occurred because I think it exemplifies how we can work together to further ideas in our industry.
First, I would like to thank Adam for reaching out at all. As an author of papers such as this, it lets me know that people are actually reading the content and taking the time to give it some thought. Many of us in the security industry (and I am guilty of this as well) are great consumers of information, but often do not take the time to contribute our own thoughts. You don’t need to write blogs, whitepapers or speak at conferences to contribute. Providing meaningful feedback and collaboration is what turns good ideas into great ideas that can revolutionize the security industry.
It is common to receive positive feedback regarding a certain point or the content as a whole. While positive feedback is beneficial in letting you know you are on the right track, I would argue that constructive criticism is equally, if not more important. Perhaps it is a resistance to what we might perceive as confrontation, or just not taking the time to put our thoughts to words to share with others, but I would also argue that constructive criticism is often even more beneficial than positive feedback.
Notice that I said constructive criticism and not negative feedback. I think there is an important differentiation here. If you have a Twitter account, you know what I mean by negative feedback. Negative feedback is very seldom the spark for new ideas and creates more divides than bridges. What I really appreciated about Adam’s feedback was the way in which he provided it. Adam was not negative; he was not attempting to poke holes in my premise or tell me why I was wrong. Instead, Adam provided an alternate view in a professional and constructive manner. This led to additional dialogue which broadened my understanding of the topic and allowed me to consider a viewpoint that I had not previously considered.
Based on my conversation with Adam, I now have a better understanding of a different viewpoint, and the topic as a whole, which will help me continue to evolve my ideas and apply them to a wider array of situations. We are all very busy, but taking 10 minutes from your day to share your thoughts and constructive criticism with someone else is a tremendous way to contribute to the community. Please, be like Adam!
If you are interested in reading the whitepaper “Increasing the Effectiveness of Incident Management”, it is still available to download.