Threat actors are increasingly adopting security automation and machine learning – security teams will have to follow suit, or risk falling behind.
Many organizations still conduct incident response based on manual processes. Many playbooks that we have seen in our customer base, for example, hand off to other stakeholders within the organization to wait for additional forensic data, and to execute remediation and containment actions.
While this may seem like good practice to avoid inadvertent negative consequences such as accidentally shutting down critical systems or locking out innocent users, it also means that many attacks are not contained in a sufficiently short time to avoid the worst of their consequences.
Manual Processes Cannot Compete with Automation
Reports are mounting about threat actors and hackers leveraging security automation and machine learning to increase the scale and volume, as well as the velocity of attacks. The implications for organizations should be cause for concern, considering that we have been challenged to effectively respond to less sophisticated attacks in the past.
Ransomware is a case in point. In its most simple form, a ransomware attack does not require the full cyber kill chain to be successful. A user receives an email attachment, executes it, the data is encrypted and the damage is done. At that point, incident response turns into disaster recovery.
Automated attacks have been with us for a long time. Worms and Autorooters have been around since the beginning of hacking, with WannaCry and its worming capability only the most recent example. But these have only automated some aspects of the attack, still permitting timely and successful threat containment further along the kill chain.
Threat actors have also leveraged automated command and control infrastructure for many years. DDoS Zombie Botnets, for example, are almost fully automated. To sum it up, the bad guys have automated, the defenders have not. Manual processes cannot compete with automation.
With the increase in the adoption of automation and machine learning by cyber criminals, enterprises will find that they will have to automate as well. The future mantra will be “Automate or Die”.
Making the Cure More Palatable Than the Disease
But automating containment actions is still a challenging topic. Here at DFLabs we still encounter a lot of resistance to the idea by our customers. Security teams understand that the escalating sophistication and velocity of cyber-attacks means that they must become more agile to rapidly respond to cyber incidents. But the risk of detrimentally impacting operations means that they are reluctant to do so, and rarely have the political backing and clout even if they want to.
Security teams will find themselves having to rationalize the automation of incident response to other stakeholders in their organization more and more in the future. This will require being able to build a business case to justify the risk of automating containment. They will have to explain why the cure is not worse than the disease.
There are three questions that are decisive in evaluating whether to automate containment actions:
- How reliable are the detection and identification?
- What is the potential detrimental impact if the automation goes wrong?
- What is the potential risk if this is not automated?
Our approach at DFLabs to this is to carefully evaluate what to automate, and how to do this safely. We support organizations in selectively applying automation through our R3 Rapid Response Runbooks. Incident Responders can apply dual-mode actions that combine manual, semi-automated and fully automated steps to provide granular control over what is automated. R3 Runbooks can also include conditional statements that apply full automation when it is safe to do so but request that a human vet’s the decision in critical environments or where it may have a detrimental impact on operational integrity.
While many institutions and businesses from various industries were still reeling from the WannaCry attack that took the world by storm back in May, cyber criminals launched another crippling ransomware attack earlier this week, catching a lot of cyber security professionals across 60 countries by surprise and bringing essential business operations to a halt.This latest high-profile attack, called Petya ransomware, bears many of the hallmarks of WannaCry, in that it is a typical ransomware scheme, paralyzing computers and spreading through internal networks after infecting one machine.
Another important similarity is that just like WannaCry, Petya exploited the same Microsoft Windows vulnerability – Eternal Blue, to spread within networks. On the other hand, there is one significant difference between the two attacks – Petya, unlike WannaCry, was not aimed at extorting money, but rather incurring serious damage to computer networks, with researchers saying that Petya was just disguised as ransomware, but its main goal was to spread throughout networks as fast as possible and cause the biggest infrastructural damages possible.
Containing the Damage
Petya ransomware was primarily designed to infect computers in order to prevent organizations from continuing their day-to-day operations, rather than gaining financial benefit, and the attack did affect business operations of many companies, inflicting severe financial and reputation damage upon them. Ransomware attacks are extremely difficult to prevent, and the best thing organizations can do to avoid serious long-term consequences in case they get hit by one, is to make sure they have the tools to respond to it and contain the damage as fast as possible.
That can be best done with the help of an incident response platform with automation and orchestration capabilities. These types of platforms can help security teams reduce their reaction time when responding to an incident, which is crucial when attacks such as Petya occur. With a set of playbook actions specific to ransomware attacks, an incident response platform will allow your team to detect and analyze the attack faster, and it will suggest a specific list of actions that can help contain the damage in the most effective way possible. When it comes to ransomware attacks, recommended containment actions include isolating compromised machines, blocking communication over ports, and disconnecting shared drives, among other things.
Once you have taken the suggested containment actions, the platform will help you accelerate the recovery and remediation processes, and perform the appropriate post-incident procedure. The post-incident reactions are particularly important when dealing with ransomware attacks, as they play a major role in ensuring compliance with breach notification rules covering these types of cybersecurity incidents, such as the HIPAA Breach Notification Rule in the US.
To conclude, even though preventing ransomware attacks is a major challenge and there is not much that organizations can do in that regard, there are a lot of things they can do to reduce the impact of such incidents and avoid long-lasting consequences, which are usually associated with these types of cybersecurity events.