As soon as the first indicator of compromise is located, the most common next step is to try to pivot from that indicator to find additional indicators or evidence on the network. While it is sometimes necessary to perform your own research to determine what additional indicators may be present, it is common to make use of previous research when looking for new indicators to hunt for.
This is especially true when dealing with an indicator of malicious software. Perhaps you have found a host communicating with an IP address known to be associated with a particular malware variant; the logical next step would be to search for communication with other IPs, domains and URLs the malware may be associated with, along with looking for the host-based activity the malware is known to use.
For example, suppose an IDS alerted on the IP address 144.202.87[.]106. A quick search on VirusTotal indicates that this IP address may be malicious, however, it does not provide much information which could be used to pivot to other indicators. So where does every good analyst turn at this point? Google, of course! A quick Google search for the IP address returns several results, including a blog post from MalwareBytes on the Hidden Bee miner.
Along with a detailed analysis of the Hidden Bee miner, the post also includes several other IP addresses and URLs which analysts observed in this attack. Now we have some data to pivot and hunt with!
This entire analysis from the MalwareBytes team can easily be added into DFLabs’ IncMan SOAR platform by copying and pasting the blog into the Additional Info section of the incident. In addition to allowing this information to be accessed by the working on this incident, adding this text to the Additional Info field has an additional advantage we have not yet discussed; Automatic Observable Harvesting.
When text is added to a field such as the Additional Info fields in IncMan, Automatic Observable Harvesting will automatically parse through the text and attempt to harvest observables from the unstructured text.
In the case of the Hidden Bee analysis from MalwareBytes, Automatic Observable Harvesting automatically harvested four IP addresses, a URL and a domain from the unstructured text and added them to the observables section.
While six observables may not take long to manually enter into the platform, it is not uncommon to find detailed malware analysis that contains dozens of IP addresses, hash values, domains, and other observables. Entering this many observables into IncMan manually in order to take advantage of IncMan’s automation and orchestration features on the new observables would be a time-consuming process. Automatic Observable Harvesting performs this task automatically.
Once these new observables are added into IncMan, analysts can take advantage of IncMan’s automation and orchestration features to begin performing additional enrichment on the observables, as well as searching across any internal data sources for evidence of the observables and blocking them if needed.
As malware attacks continue, attackers are going to great lengths to obfuscate both the intent and capabilities of their malicious payloads to evade detection and analysis. In addition, the rate at which new malware is being developed has reached staggering new levels. Zero-day malware is increasingly common in all environments and signature analysis is becoming less effective.
As a result, malware has become increasingly difficult to detect using more traditional detection mechanisms. Once detection occurs, it is often difficult to successfully analyze the malicious file to determine the potential impact and extract indicators. To successfully respond to a potential malware incident and minimize the impact, early detection and analysis are critical.
In this blog, we will briefly discuss how a security operations team can detect, analyze and respond to advanced, evasive malware by utilizing McAfee Advanced Threat Defense (ATD) with DFLabs IncMan SOAR platform, and present a simple use case example.
Utilizing McAfee ATD with DFLabs IncMan SOAR Platform
Early detection, analysis, and extraction of indicators are critical in successfully responding to and remediating a security incident involving malware. McAfee ATD enables organizations to detect advanced, evasive malware and convert threat information into immediate action and protection. Unlike traditional sandboxes, it includes additional inspection capabilities that broaden detection and expose evasive threats. Tight integration between security solutions enables instant sharing of threat information across the environment, enhancing protection and investigation.
DFLabs IncMan and McAfee ATD together solve two specific challenges including; 1) How can I reliably detect malicious files? and 2) How can I determine capabilities and extract indicators from malicious files? Utilizing DFLabs IncMan’s integration with McAfee ATD and with the use of IncMan’s R3 Rapid Response Runbooks, organizations can automate and orchestrate the detection and analysis of suspected advanced and evasive malware, allowing faster and more effective response to malware incidents. In addition, ATD also provides users with critical insights into the capabilities of suspicious files, as well as indicators which may be further enriched through additional automated actions.
Use Case in Action
A potentially malicious file has been detected on a workstation, causing the security operations team to initiate the incident response process. The malicious file has been extracted from the workstation and included in the IncMan Incident as an Artifact. Next, the R3 Runbook predetermined for malware alerts and incidents will be used to scan the file, perform additional enrichment, then block the infected host, if necessary.
To begin, McAfee ATD is used to detonate the potentially malicious file. Once detonation has completed McAfee ATD will return information about the executable, including the determined severity level. Next, a condition is set to determine if the severity returned by McAfee ATD is greater than 0, indicating that the file is likely malicious.
If it is determined by McAfee ATD that the file is likely malicious, an additional enrichment action is utilized to gather additional information from McAfee ePolicy Orchestrator (ePO) regarding the host that the malicious file was detected on. Following this, McAfee ePO is also used to tag the host with the appropriate tags indicating that it may be infected with malware.
Following the additional enrichment actions, a user choice decision point is reached. This user choice decision will prompt the analyst to make a manual decision regarding whether or not the workstation which generated the malware alert should be temporarily blocked from communicating outside the network. All of the enrichment information from the previous actions, including the information from McAfee ATD and ePO will be available to the analyst to assist in the decision-making process.
If the analyst chooses to block this workstation at the perimeter, a containment action will utilize McAfee Web Gateway to block the IP of the workstation until further investigation and remediation can be conducted.
By harnessing the power of McAfee ATD, along with the additional orchestration, automation and response features of DFLabs’ IncMan SOAR platform, organizations can elevate their incident response process, leading to faster and more effective response and reduced risk across the entire organization. With malware continuing to be one of the top cyber attacks, it is critical that security operations have a streamlined process in place in order to be able to detect and respond to such security alerts.
If you would like to see a more in-depth demo of this use case in action, or other use cases within IncMan, please get in touch.
Companies across different industries around the globe, along with government institutions, cite cyber attacks as one of the biggest security threats to their existence. As a matter of fact, in a recent Forbes survey of over 700 companies from 79 countries, 88 percent of respondents said that they are “extremely concerned” or “concerned” by the risk of getting attacked by hackers.
This fact is a clear indication that organizations have to ramp up efforts for enhancing their cyber resilience, but to do that successfully and in the most effective manner, they need to have a clear understanding of where the biggest cyber threats come from nowadays so that they can shape their cyber defenses accordingly. We take a look at the most common cybersecurity threats today, ranging from internal threats, cyber criminals looking for financial gains, and nation states.
When talking about cyber security, some of the first things that usually come to mind are freelance hackers and state-sponsored attacks between hostile nations. But, many cyber security incidents actually come from within organizations, or to be more specific, from their own employees.
Pretty much all experts agree that employees are some of the weakest links in the cyber defense of every organization, in part due to low cyber security awareness, and sometimes due to criminal intent.
Employees often put their companies at risk of getting hacked without meaning to, by opening phishing emails or sharing confidential files through insecure channels, which is why organizations should make sure their staff knows the basics of cyber security and how to avoid the common cyber scams and protect data.
With so many devices connected to the Internet nowadays, including video cameras, smart phones, tablets, sensors, POS terminals, medical devices, printers, scanners, among others, organizations are at an increased risk of falling victim of a data breach. The Internet of Things is a real and ever-increasing cyber threat to businesses and institutions, deteriorating their vulnerability to cyber attacks by adding more endpoints that hackers can use to gain access to networks, and by making it easier for hackers to spread malicious software throughout networks at a faster rate.
The Internet of Things is one of the factors that make DDoS attacks more possible and more easily conducted, and these types of attacks can have a significant and long-lasting impact on organizations, both in terms of financial losses and reputation damage.
Private entities and government institutions that are part of the critical infrastructure in their countries are under a constant threat of different types of attacks by hostile nations. As the number of channels and methods that stand at the disposal of hackers aiming to gain access to computer networks grows, organizations in the public and private sector are facing a growing risk of cyber attacks sponsored by nation-states that might have an interest in damaging the critical infrastructure of other countries, hurting their economies, obtaining top-secret information, or getting the upper hand in diplomatic disputes.
Most commonly, nation-state-sponsored cyber attacks use malware, such as ransomware and spyware, to access computer networks of organizations, as a means of gaining control over certain aspects of the critical infrastructure of another country.
No matter what types of attacks are common today, the number and level of sophistication of cyber threats to organizations are certainly going to grow in the future, which is why they have to constantly update and adjust their cyber defenses accordingly.
We have recently experienced a devastating wave of ransomware attacks such as Wannacry or ‘WannCrypt’ which spread to more than 200 countries across the globe. While Russia was hit hard, Spain and the United Kingdom saw significant damage to their National Health Services. Hospitals were forced to unplug their computers to stop the malware from spreading even further. This is just one of the security threats posed by special malware that encrypts computer files, network file shares, and even databases thereby preventing user access (Green 18-19). It happens in spite of heavy investments in a wide array of security automation and orchestration solutions and staff required to triage, investigate and resolve threats.
The primary problem is that organizations seem to be losing the battle against cyber attackers (Radichel, 2). The security administrators are overburdened and compelled to manually perform time-consuming and repetitive tasks to identify, track, and resolve security concerns across various security platforms. Notwithstanding the time and effort, it is difficult to analyze and adequately prioritize the security events and alerts necessary to protect their networks. Still, the inadequate visibility into the present activities of the security teams, metrics and performance leave security managers struggling to justify additional resources. It has long been accepted that the organizational efficiency depends heavily on the ability of the security system to reduce false positives so that analysts can focus on the critical events along with indicators of compromise.
Security event automation and orchestration ensures that an organization detects a compromise in real time. A rapid incident response ensures a quick containment of the threat. Through the automation of common investigation enrichment and response actions, as well as the use of a centralized workflow for performing incident response, it is possible to minimize response times and thus make the organization more secure. Security events automation and orchestration expedites workflows across the threat life-cycle in various phases. However, for the security team to deploy security automation and orchestration of event-driven security, there must be access to data concerning events occurring in the environment that warrant a response. To effectively employ event-driven security, automation should be embedded into processes that could introduce new threats to the environment (Goutam, Kamal and Ingle, 431). The approach requires that there be a way to audit the environment securely and trigger event based on data patterns that indicate security threat or intrusion. Of particular importance, continuous fine tuning of processes is required to make certain the events automation and orchestration being deployed is not merely automating the process, but providing long-term value in the form of machine learning and automated application of incident response workflows that have previously resolved incidents successfully.
At a time of increased cybersecurity threats, a structured approach can expedite the entire response management process from event notification to remediation and closure through automated orchestration and workflow. An automatic gathering of key information, the building of decision cases and the execution of critical actions to prevent and/or remediate cyber threats based on logical incident response processes are enabled. With security orchestration and event automation, various benefits are realized such as cost effectiveness, mitigation of security incidents and improved speed and effectiveness of the response. Hence, security event automation and orchestration is the real deal in containing security threats before real damage takes place.
With all the damage done by the WannaCry and the Petya (also known as GoldenEye) ransomware attacks over the course of the last two months in mind, it is safe to assume that organizations that are a potential target of cyber criminals should move to enhance resilience to these types of attacks. There are various actions that businesses and government institutions can take to escape unscathed from this global ransomware epidemics.
Aside from using sophisticated tools that are designed to detect and remove ransomware, employees themselves are an important piece of the puzzle when it comes to defending against targeted cyber-attacks. Raising employee awareness on cybersecurity can go a long way towards improving the ability of organizations to avoid damages caused by cyber incidents because the staff is often cited as one of the weakest links in cyber defenses.
Employees, the First Line of Defense Against Ransomware
One of the reasons why organizations need to raise cybersecurity awareness within their staff is that ransomware usually finds a way into IT systems through phishing emails opened by an employee. The main risk is a result of the fact that most employees are not very well-versed in distinguishing between legitimate emails and fake ones that aim to install malicious software onto their computers, which is done in one of two ways. One way is to include a call-to-action prompting recipients to download an attachment that contains a malware. Once that file is installed onto the computer, the malware basically disables the computer, preventing the user from accessing it, or from opening certain essential files.
The other way involves emails providing a URL that recipients are supposed to click, with the URL being created in such a manner that resembles a popular and well-known website. That way, recipients do not suspect that there is something wrong with the website they are prompted to visit by the email message, but once they click the malicious URL and go to that website, malware is instantly installed onto their computer.
After a piece of malware is installed on a computer, it has the ability to spread across other computers that it is connected to, thus infecting and blocking access to the entire network.
Tackle Social Engineering Through Education
Organizations can reduce the risk of getting hit by a ransomware attack by educating employees about the methods utilized in these scams, which involve a great deal of social engineering, taking advantage of certain psychological weaknesses. By making employees more aware of the most common ransomware schemes, as well as the fact that they have one of the key roles in the cyber defense of their organization, chances of preventing attacks can be greatly increased.
Cyber security professionals need to train all employees on how to detect ransomware scams, by pointing out to them that they need to pay extra attention to details when receiving emails from an unknown sender or containing suspicious content. The most important details that employees should pay attention to include the display name of emails, the salutation, and whether an email contains an attachment that they are not expecting.
Employee education is paramount when it comes to defending against ransomware attacks, and organizations need to invest more time and resources into this increasingly important aspect of cybersecurity.
Small businesses may not be the first thing that comes to people’s minds when talking about prime targets for cyber attackers. This is because government agencies, corporations, along with organizations and companies that are part of a country’s critical infrastructure are much more coveted targets, due to the high reward potential associated with them – both in terms of financial gains and retrieving confidential information. However, data breaches and other types of cyber incidents have recently become a common occurrence for many small businesses. Hackers are increasingly trying to gain access to the emails and acquire personal and other confidential information of their employees that are in charge of handling the companies’ finances.
One of the reasons why small businesses are seeing a rise in cyber attacks and data breaches is that cyber criminals have become increasingly aware of the fact that hacking into a small business’ computer network is fairly easy, in part due to the low cyber-security awareness of their employees. Additionally, the cyber defense programs and solutions that small businesses utilize are weak or even non-existent, thus making them easy prey despite not having a particularly high financial reward potential for cyber criminals. Lastly, small businesses have adapted to cloud services to conduct a large portion of their operations, and most cloud providers offer data encryption, making them extremely vulnerable to cyber threats.
What Criminals Are After
In most cases, the typical cyber attack on a small business’ computer network aims to retrieve a company’s financial information, employee records, customer records, as well as customer credit or debit card information, which they could later use to steal company funds, commit financial fraud, identity theft, or extortion.
The most common types of cyber security events faced by small businesses include phishing, SQL injections, malware, ransomware, DDoS attacks, and web-based attacks. The first line of defense against these attacks are a company’s employees. They need to go through cyber-security training to be able to recognize and detect a cyber threat – with statistics showing that a large part of data breaches are related to employee inattention.
Security Automation Is the Next Line of Defense
While cyber-security training for employees is something that every company needs to provide in this age of constant threat of cyber attacks, that alone is not enough to protect businesses against all potential cyber security incidents. Raising employee cyber-security awareness should be followed up by implementing appropriate solutions aimed at detecting, tracking, and eradicating cyber security incidents. In that regard, small businesses could use a security automation and orchestration platform, which can greatly reduce their reaction time following a cyber incident, and prepare them for more timely detection and prevention of future attacks.
Such a platform can help you protect customer and employee information, as well as valuable financial information, since it is capable of assessing the scope of the incident, identifying the affected device or devices, and containing the damage, by providing complete reports on the damages occurred, in addition to providing specialized rules and strategies that allow cyber-security professionals to react much more quickly and effectively to eradicate the incident. These types of platforms are the most straightforward and effective solution for small businesses’ concerns regarding cyber threats, which they are only going to see more of in the near future.
In March, the U.S. Office of Management and Budget (OMB) released a report on the cyber performance of federal agencies, revealing that a total of 30,899 cyber incidents were reported by them in fiscal 2016. The OMB states that this is an alarming figure and that it indicates that there are significant gaps in the cyber defenses of federal agencies across the country.
According to the report, federal agencies have made good progress in improving their cyber defenses last year, but are still quite vulnerable to cyber attacks and need to ramp up their efforts for protecting their networks and data. Of the almost 31,000 incidents in 2016, a total of 16 have been designated as major incidents, which means they had the potential to threaten national security, the economy, civil liberties, or relations with foreign countries. With this in mind, federal agencies need to keep stepping up their efforts for strengthening their defense against cyber attacks.
Detecting and Preventing Malware and Phishing Attacks
Given that the report states the vast majority of cyber incidents reported by federal agencies involved phishing attacks and malware infections, they are now advised to look into improving their capabilities to respond to these types of attacks and detect and prevent them in the future. There are a couple of ways this can be done. When talking about cyber incident response, one of the most cost-effective and efficient solutions is employing an automation-and-orchestration cyber incident response platform, capable of keeping cyber security events under control, mitigating risks and improving an organization’s ability to prevent future attacks.
These platforms have wide-ranging features that give Computer Security Incident Response Teams (CSIRTs) the opportunity to detect, track and predict cyber security breaches immediately. There are platforms that can help reduce reaction times when responding to an incident, through the employment of automated playbooks designed to accelerate the response to specific types of attacks – such as malware or phishing attacks, which are often faced by government agencies.
Integrated Knowledge Base to Guide You Through the Response Process
Through the use of those playbooks, as well as the available integrated knowledge base, cyber security professionals can quickly identify where an attack is coming from and determine the location of the infected or breached device or part of the network, and follow that up with the containment of the damage to prevent it from spreading.
What’s more, these types of platforms can create automatically generated reports on every incident, in addition to collecting digital evidence for forensic investigations, allowing for the quick notification of law enforcement and provide them with the necessary documentation, thus complying with data breach notification and reporting regulations.
This approach can increase cyber security teams’ ability to resolve incidents in a timely manner and prevent government agencies from losing valuable and sensitive data that could be used by attackers for ransomware or to damage the country’s critical infrastructure.
Health care institutions are facing an increasing risk of cyber attacks. There are a few reasons why organizations providing health-care services are under such a high cyber security risks, with the increase utilization of IoT devices singled out by security experts as the leading one over the last couple of years. The fact that many hospitals around the world keep adopting BYOD policies only raises the risk of cyber attacks in the health care sector.
Considering that there is more than enough statistics showing that the most common cyber attacks on health-care organizations include phishing incidents and malware attacks, it is safe to say that IoT devices and BYOD policies are exposing this sector to an ever higher and constant cyber security threat, requiring increased efforts for raising cyber security awareness among employees and implementing advanced incident response measures.
Developing an Effective Incident Response Plan
Incident response plans are one of the essential elements of any organization’s efforts for mitigating cyber security risks. Having a comprehensive and constantly updated incident response plan helps organizations be prepared for any type of cyber attack in case their cyber defense is breached, and odds for that to occur are extremely high at any given moment. While establishing an effective incident response plans, health-care organizations are advised to start by acquiring a cyber incident response platform that provides an automated and orchestrated response to all sorts of cyber attacks.
Health-care institutions could use such a platform to contain the damage and prevent the loss of confidential and sensitive patient data in the aftermath of a breach. A cyber incident response platform can provide them with automated playbooks that allow cyber incident response teams to react to different types of attacks quickly and effectively.
Phishing and Malware Incident Playbooks
There are platforms providing playbooks for phishing attacks and ransomware attacks, which health-care institutions are often facing. Those playbooks will tell cyber security teams exactly what to do when their information systems and computer networks are attacked through one of the above-mentioned methods. Playbooks help CSIRTs prepare their systems for potential phishing attacks, identify them as soon as they occur, contain the damage, and recover from any incident in a timely manner. When it comes to ransomware attacks, playbooks help you reduce the time it takes you to establish a precise diagnosis, identify the kind of malware and the infection target, and assess the range of infection. Also, they help you determine the level of impact of an attack, suggesting taking specific actions that are appropriate for any given level of impact.
With that in mind, automation and orchestration platforms with automated playbooks are one of the best solution for any health-care organization that is under a threat of getting attacked by cyber criminals.