How To Expedite DDoS Attack Response With SOAR Technology

Worldwide infrastructure outages caused by DDoS attacks are continuing to be a growing threat to today’s organizations as attackers find new ways to bypass existing mitigation technologies. According to a recent report by Kaspersky, DDoS attacks in Q1 2018 were at an all-time high in terms of both volume and duration. In addition to these growing numbers of attacks, organizations are experiencing a shortage of experienced cybersecurity professionals, making it more difficult to effectively defend their infrastructure and quickly remediate such attacks.

How SOAR Tools Can Help Expedite DDoS Incident Response

Manual data collection is time-consuming and requires an individual to manually access each tool to get the specific information they require, then export the data and manually perform data correlation. Depending on the organization’s workflow, the information may also need to be added to the incident management ticketing system in order to be shared with other teams within the organization. This process requires a skillful analyst to spend a significant amount of time performing mundane and repetitive tasks which can easily be automated, greatly reducing their value to the organization.

A security orchestration, automation, and response (SOAR) platform, properly integrated into the security program, can help maximize the value of these skilled analysts. The IncMan SOAR platform from DFLabs allows security program administrators to create automated, conditional workflows to respond to incidents such as a DDoS attack through IncMan’s R3 Rapid Response Runbooks. These runbooks allow the automation of mundane, repetitive tasks, while IncMan’s Dual Mode Orchestration technology allows security program administrators to ensure that human intervention, oversight or approval is required when necessary. This allows security analysts to focus solely on the tasks which require human input, allowing organizations to maximize the efficiency of their security teams, as well as speed up the mean time to detection (MTTD) and mean time to resolution (MTTR).

IncMan SOAR is able to collect data from sources such as email, syslogs, database queries, as well as custom scripts and an assortment of bi-directional integrations with third-party solutions. With the right SOAR solution in place, it is possible to expedite data collection, collect threat intelligence and acquire forensic information from automatically triggered actions, notify the appropriate stakeholders and conduct supervised containment actions when appropriate. The use of the platform will heavily reduce the number of manual and mundane tasks that the analyst needs to perform, freeing up their time to complete more in-depth analysis and incident mitigation.
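The following Python sketch is an added illustration of the runbook shape described above: automated collection and enrichment run unattended, while the containment step is either executed or parked for analyst approval depending on traffic volume and threat-intel confidence. It is not IncMan or DFLabs code; the syslog lines, addresses, intel table and thresholds are all constructed for the example.

```python
"""Toy SOAR runbook for a DDoS alert, added here as an illustration.

Not IncMan/DFLabs code. Automated steps (parse, enrich, ticket, notify) always
run; the containment step runs unattended only when both traffic volume and
intel confidence clear a policy threshold, otherwise it waits for a human.
All alert lines, addresses and intel entries are constructed sample data.
"""
import re
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed syslog-style alerts in the shape an edge device might emit (not real data).
SAMPLE_SYSLOG = """\
<134>Jun 12 10:01:05 edge-fw-1 ddosd[2211]: SYN flood suspected dst=203.0.113.10 src=198.51.100.7 pps=48000
<134>Jun 12 10:01:06 edge-fw-1 ddosd[2211]: SYN flood suspected dst=203.0.113.10 src=198.51.100.9 pps=1200
<134>Jun 12 10:01:07 edge-fw-1 ddosd[2211]: UDP flood suspected dst=203.0.113.10 src=192.0.2.44 pps=91000
"""

# Constructed threat-intel lookup: source address -> (tag, confidence 0-100).
INTEL: Dict[str, Tuple[str, int]] = {
    "198.51.100.7": ("known-botnet-node", 90),
    "192.0.2.44": ("recent-scanner", 40),
}

ALERT_RE = re.compile(
    r"(?P<kind>SYN|UDP) flood suspected dst=(?P<dst>\S+) src=(?P<src>\S+) pps=(?P<pps>\d+)"
)

# Hypothetical policy thresholds: containment is considered only above AUTO_PPS,
# and runs without a human only when intel confidence is also high.
AUTO_PPS = 30_000
AUTO_CONFIDENCE = 80


@dataclass
class Alert:
    kind: str
    dst: str
    src: str
    pps: int
    intel: Optional[Tuple[str, int]] = None


@dataclass
class RunbookResult:
    ticket_lines: List[str] = field(default_factory=list)      # goes into the IR ticket
    notifications: List[str] = field(default_factory=list)     # who gets paged, and why
    auto_actions: List[str] = field(default_factory=list)      # containment executed unattended
    pending_approval: List[str] = field(default_factory=list)  # containment waiting on an analyst


def parse_alerts(syslog_text: str) -> List[Alert]:
    """Step 1 (automated): pull structured fields out of raw syslog lines."""
    alerts = []
    for line in syslog_text.splitlines():
        m = ALERT_RE.search(line)
        if m:
            alerts.append(Alert(m["kind"], m["dst"], m["src"], int(m["pps"])))
    return alerts


def enrich(alert: Alert) -> Alert:
    """Step 2 (automated): attach threat intel for the source address, if any."""
    alert.intel = INTEL.get(alert.src)
    return alert


def run_runbook(syslog_text: str) -> RunbookResult:
    """Steps 3-5: ticket every alert, then decide per alert how containment proceeds."""
    result = RunbookResult()
    for alert in map(enrich, parse_alerts(syslog_text)):
        tag, confidence = alert.intel or ("no-intel", 0)
        result.ticket_lines.append(
            f"{alert.kind} flood {alert.src} -> {alert.dst} at {alert.pps} pps; intel={tag}/{confidence}"
        )
        if alert.pps < AUTO_PPS:
            continue  # below the containment threshold: record only
        action = f"rate-limit {alert.src} at upstream"
        if confidence >= AUTO_CONFIDENCE:
            result.auto_actions.append(action)      # high volume + trusted intel: act now
        else:
            result.pending_approval.append(action)  # high volume, weak intel: human decides
            result.notifications.append(f"approval needed: {action}")
    return result


if __name__ == "__main__":
    outcome = run_runbook(SAMPLE_SYSLOG)
    for section, lines in vars(outcome).items():
        print(section, lines)
```

The split between `auto_actions` and `pending_approval` is the point: the same runbook serves both modes, and the approval gate is a policy decision expressed in data (thresholds) rather than a separate manual procedure.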

How Can Threat Intelligence Prevent DDoS Attacks?

A vast amount of threat data is being generated from a number of security tools and other data sources on an ongoing basis. It is critical that this information is accurately collected, stored and applied in order for the intelligence to be actionable and provide benefit to the organization.

Using the analogy of cooking, there is little value in having all of the ingredients for a recipe without the proper context regarding how each ingredient is used. Simply throwing all of the ingredients into a single pot will not create a culinary masterpiece and will not produce the desired results. The same concept applies to threat intelligence data. The vast amount of threat data is of little value to a security team without the proper context. The right SOAR platform should assist the security team in correlating this threat data, turning a list of ingredients into a proper dish, or threat data into actionable threat intelligence.

Accurately correlated threat intelligence can provide critical insight to inform decisions as well as to contain and mitigate present and future attacks. Intelligence data should be made available in multiple forms, including visualizations, to assist security analysts in correctly understanding the full context of the information. Correlation graphs and search capabilities can also be utilized to enable threat hunting, allowing security analysts to proactively seek out threats which may be looming or have gone undetected by automated detection technologies.

The Best Approach to Prevent DDoS Attacks

A layered approach of defense is the best method to prevent, or at the very least minimize the impact of a DDoS attack, while eliminating any single points of failure. Maintaining network baseline information, monitoring the network for any anomalies and ensuring all systems remain patched are all critical components of DDoS mitigation.

For critical systems which cannot tolerate any downtime, it is important to have a documented DDoS mitigation strategy in place. Mitigation strategies vary with the type of network being protected and the maximum tolerable downtime, but may include high-availability or redundant systems, backup connections, or DDoS scrubbing services.
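The baseline-and-anomaly monitoring called for above can be made concrete with a small detector. The Python below is an added example, not code from the page or from any product it mentions: it derives a mean and standard deviation from constructed per-minute inbound packet-rate samples, then flags live samples whose z-score exceeds a threshold, and only raises an alert when the excess is sustained over several consecutive samples so a single burst does not page anyone. The sample values and thresholds are constructed.

```python
"""Baseline-driven volumetric anomaly detector, added as an illustration.

Not code from the article or any vendor. A quiet-period baseline is summarised
as mean and population standard deviation of inbound packets/sec; live samples
are scored as z-scores and an alert requires `min_consecutive` samples in a row
above `threshold`. All sample values below are constructed.
"""
import statistics
from typing import List, Sequence, Tuple

# Constructed baseline: inbound packets/sec sampled once per minute over a quiet hour.
BASELINE_PPS = [1200, 1350, 1100, 1280, 1420, 1190, 1310, 1250, 1330, 1210, 1270, 1390]

# Constructed live samples: the last three minutes carry a volumetric spike.
LIVE_PPS = [1260, 1340, 1180, 41000, 56000, 60500]


def build_baseline(samples: Sequence[float]) -> Tuple[float, float]:
    """Summarise a quiet-period sample set as (mean, population stdev)."""
    if len(samples) < 2:
        raise ValueError("need at least two baseline samples")
    return statistics.mean(samples), statistics.pstdev(samples)


def zscore(value: float, mean: float, stdev: float) -> float:
    """Standard deviations above/below the baseline mean.

    A perfectly flat baseline (stdev 0) would divide by zero; treat any
    departure from it as infinitely anomalous rather than crashing.
    """
    if stdev == 0:
        return 0.0 if value == mean else float("inf")
    return (value - mean) / stdev


def detect_anomalies(
    live: Sequence[float],
    baseline: Tuple[float, float],
    threshold: float = 3.0,
    min_consecutive: int = 2,
) -> List[int]:
    """Return indices of live samples that belong to a sustained high-side excursion.

    Only the high side is flagged: a drop in traffic is a different failure
    mode (outage, upstream blackhole) and deserves its own check.
    """
    mean, stdev = baseline
    over = [zscore(v, mean, stdev) > threshold for v in live]
    flagged: List[int] = []
    run: List[int] = []
    for i, hit in enumerate(over + [False]):  # trailing sentinel flushes the last run
        if hit:
            run.append(i)
            continue
        if len(run) >= min_consecutive:
            flagged.extend(run)
        run = []
    return flagged


if __name__ == "__main__":
    base = build_baseline(BASELINE_PPS)
    print("baseline mean=%.1f stdev=%.1f" % base)
    for idx in detect_anomalies(LIVE_PPS, base):
        print(f"minute {idx}: {LIVE_PPS[idx]} pps, z={zscore(LIVE_PPS[idx], *base):.1f}")
```

In practice the baseline would be rebuilt per interface and per time-of-day window, since a rate that is normal at noon may be anomalous at 03:00; the `min_consecutive` guard trades a minute or two of detection latency for far fewer false pages.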

In Summary

DDoS attacks represent a dominant threat and often target organizations that provide a service to a wide customer base, area or network in order to have the largest impact. DDoS attacks are also continuing to become more complex and larger in size, as recently seen in the attack on GitHub in early March which generated 1.3 Tbps of traffic, followed two weeks later by another attack of 1.7 Tbps.

Some organizations are now experiencing over 10,000 threat events weekly; an overwhelming number of events to be manually investigated and mitigated by incident responders. A SOAR solution will act as a force multiplier, enabling security teams to do more with fewer resources, and will help reduce the MTTD and MTTR, proactively helping to respond to future alerts and even preventing incidents from occurring in the first instance. Historical event and data correlation is critical and can be used to identify security gaps, harden networks and allow for early detection of potential security incidents, further increasing the ROI of a SOAR platform.

A Weekend in Incident Response #35: The Most Common Cybersecurity Threats Today

Companies across different industries around the globe, along with government institutions, cite cyber attacks as one of the biggest security threats to their existence. As a matter of fact, in a recent Forbes survey of over 700 companies from 79 countries, 88 percent of respondents said that they are “extremely concerned” or “concerned” by the risk of getting attacked by hackers.

This is a clear indication that organizations have to ramp up their efforts to enhance their cyber resilience, but to do so successfully and effectively, they need a clear understanding of where today’s biggest cyber threats come from so that they can shape their defenses accordingly. We take a look at the most common cybersecurity threats today, ranging from internal threats and cyber criminals seeking financial gain to nation states.

Internal Threats

When talking about cyber security, some of the first things that usually come to mind are freelance hackers and state-sponsored attacks between hostile nations. But, many cyber security incidents actually come from within organizations, or to be more specific, from their own employees.

Pretty much all experts agree that employees are some of the weakest links in the cyber defense of every organization, in part due to low cyber security awareness, and sometimes due to criminal intent.

Employees often put their companies at risk of getting hacked without meaning to, by opening phishing emails or sharing confidential files through insecure channels, which is why organizations should make sure their staff knows the basics of cyber security and how to avoid the common cyber scams and protect data.

Connected Devices

With so many devices connected to the Internet nowadays, including video cameras, smartphones, tablets, sensors, POS terminals, medical devices, printers and scanners, among others, organizations are at an increased risk of falling victim to a data breach. The Internet of Things is a real and ever-increasing cyber threat to businesses and institutions, increasing their exposure to cyber attacks by adding more endpoints that hackers can use to gain access to networks, and by making it easier for hackers to spread malicious software throughout networks at a faster rate.

The Internet of Things is also one of the factors that makes DDoS attacks easier to mount, and these attacks can have a significant and long-lasting impact on organizations, both in terms of financial losses and reputational damage.

Nation-State Attacks

Private entities and government institutions that are part of the critical infrastructure in their countries are under constant threat of attack by hostile nations. As the number of channels and methods available to attackers seeking access to computer networks grows, organizations in the public and private sectors face a growing risk of nation-state-sponsored cyber attacks, whether the aim is to damage another country’s critical infrastructure, hurt its economy, obtain top-secret information, or gain the upper hand in diplomatic disputes.

Most commonly, nation-state-sponsored cyber attacks use malware, such as ransomware and spyware, to access computer networks of organizations, as a means of gaining control over certain aspects of the critical infrastructure of another country.

No matter what types of attacks are common today, the number and level of sophistication of cyber threats to organizations are certainly going to grow in the future, which is why they have to constantly update and adjust their cyber defenses accordingly.