DFLabs integration with Recorded Future enables automated information gathering from one of the industry’s leading intelligence solutions to provide investigators with crucial details and context surrounding a potential incident. By automating the information gathering stage, investigators will be able to better utilize their time investigating an incident rather than focusing this valuable time and effort performing manual information gathering and the data correlation necessary to prioritize an event. The cooperation between Recorded Future and DFLabs now enables simplified intelligence gathering.
Cyber security attacks continue to evolve and the security community has taken great strides to provide investigators with valuable information about their adversaries. However, this valuable information is often times scattered across many tools with varying degrees of confidence and little to no context. This leaves investigators without a full understanding of the risk posed to their organization which prevents confident decision making at the most critical time in an investigation.
Three of the most commons problems faced by security teams are as follows:
- Actionable threat intelligence is critical to efficient and effective response
- Information gathering is a time-consuming process
- Threat intelligence must be orchestrated into the rest of the response process
The DFLabs and Recorded Future Solution
Recorded Future is an industry leading Threat Intelligence solution which aims to empower its customers with contextualized threat intelligence in real time, enabling organizations to defend against threats at the speed and scale of the Internet.
With billions of indexed facts, and more added every day, Recorded Future’s Threat Intelligence Machine makes use of machine learning and natural language processing (NLP), to continuously analyze threat data from a massive range of sources to deliver contextualized intelligence to organizations in real-time.
According to recent research conducted by Recorded Future, more than a third of security incidents take weeks to detect and even months to remediate. The majority of the cost associated with a breach can be drastically reduced by improving the speed and efficiency with which an organization responds to a threat.
DFLabs’ partnership with Recorded Future combines this industry leading threat intelligence data with the orchestration and automation capability necessary to quickly identify and remediate potential incidents before they can become a breach.
A WAF alert for a suspicious redirect is received and automatically triggers a new incident inside of IncMan. Utilizing IncMan’s integration with Recorded Future, the R3 Runbook begins to gather all the important information surrounding the redirected traffic. The domain reputation is checked against Recorded Future’s extensive threat database while also being evaluated against its Threat Intelligence search capability. This capability allows for the domain to be simultaneously checked across multiple threat intelligence platforms such as STIX and MISP.
While the domain is being evaluated the R3 Runbook also issues an IP reputation check to gather further information on our suspicious actor. Once all three of these reputation checks have been completed, the R3 Runbook encounters its first conditional action where the results of the information gathered can be evaluated together providing a broader picture of the malicious nature of this communication.
If any of the reputation checks report a threat score of 50 or above, the R3 Runbook will automatically change the priority of the incident to critical and will proceed to block the IP/Domain at the firewall and gather system information from the affected host. The system information is then checked against an EDR solution for any additional events which may have been observed involving that host over a predefined amount of time. If the affected host has been observed within any additional alerts, the R3 Runbook will pull all running processes on the host and will automatically quarantine it from the network. In the event the host must be quarantined, an email notification is sent out to the responsible team to indicate further action is necessary.
If the host has not been observed within any prior events, the R3 Runbook will issue a User Choice condition. This condition will temporarily pause the R3 Runbook and allow for an investigator to analyze the information gathered and determine whether the host should be quarantined or segmented for further observation.
Recorded Future enables five key data enrichment actions:
- Threat Intelligence Search
- IP Reputation
- URL Reputation
- Domain Reputation
- File Reputation
Combined with IncMan SOAR from DFLabs, security analysts are able to collate important threat intelligence provided by Recorded Future, simplifying the information gathering process and automate data enrichment actions, identifying and responding to threats, while remediating potential incidents before they can become a breach.
If you would like to see IncMan SOAR and Recorded Future in action, we will be holding a joint webinar called “Utilizing Recorded Future Threat Intelligence within DFLabs SOAR Solution” on 14th November at 1pm PST / 4pm EST. Register here.
What Organizations Need to Know and How to Utilize Vital Information Sharing to Reduce an Environment’s ATT&CK Surface
What is MITRE?
The MITRE Corporation is a non-profit organization which operates multiple federally funded research and development centers across the United States. Their mission is to help overcome problems which challenge the nation’s security and its overall stability. For the last 60 years, MITRE has helped to provide solutions to the complex problems faced by key government sectors such as the Department of Homeland Security and Cyber Counterintelligence. Their work in the cyber security sector has provided countless innovative solutions which stretch far beyond its government application.
What is the ATT&CK Matrix?
One of these innovative solutions is MITRE’s ATT&CK Matrix. The ATT&CK Matrix (Adversarial Tactics, Techniques, and Common Knowledge) is a carefully comprised knowledge base used to describe how adversaries penetrate networks and move laterally across them by escalating privileges, and often evade an organization’s defenses for extended periods of time.
The ATT&CK Matrix looks at these actions from the perspective of an adversary, the goals they may look to achieve, and the methods they may use to achieve them. These methods are broken down by techniques, tactics, and procedures (TTPs) observed during MITRE’s research as well as penetration testing and red team engagements. The information gathered during these engagements provides a model for network defenders to use to better categorize and understand post-exploitation activities.
The organization of the TTPs found within the ATT&CK Matrix may be familiar to most as they coincide with the later stages of the Lockheed Martin Cyber Kill Chain.
Why is the ATT&CK Matrix Important?
Cybersecurity is a “game of inches” and every inch covered has proved to be no small feat for network defenders. As adversaries evolve their tactics and techniques, the security community works tirelessly to evolve their detection and remediation methods to bring their organizations and the community one step closer to closing the gap faced when battling these elusive actors.
One of the detection and remediation methods that has gained a lot of momentum is Cyber Threat Intelligence (CTI). Since its conception, some of the mysticism surrounding its definition and applicable use has begun to reveal itself. However, as with any new school of thought, there is still a lot of knowledge to be gained and work to be done.
The traditional approach to CTI has proven to be a cumbersome process. The ways and means of collecting threat intelligence data is oftentimes delivered through thorough reporting efforts which can leave analysts scrambling to extract meaningful information, and in turn, they must also be able to apply this information in a manner that proves to be an effective means of defense.
Other unforeseen obstacles organizations face are the overwhelming number of indicators these reports produce. These indicators, more times than not, provide a little context and must be vetted before they can be consumed. This can be a daunting process which if not done correctly, can contaminate an organization’s intelligence data causing an even greater increase of false positives than are already being observed. To make matters worse, even if the above-mentioned obstacles are overcome, these indicators are constantly evolving creating stale data in their wake which must be continuously reviewed and re-prioritized.
Now that we have stated some of the obvious issues, what can be done about it? That is where the ATT&CK Matrix comes in. ATT&CK provides structure to this chaos by allowing analysts and network defenders to gather greater context around adversary groups, how they compare to other groups, and what TTPs they are using. This invaluable information will help organizations begin to gain value from their threat intelligence while remaining sane in the process.
How to Utilize the ATT&CK Matrix
While researching how to best utilize ATT&CK, I came across a beautifully written article by Katie Nickles, a lead cybersecurity engineer with MITRE Corporation. In her two-part article she describes the best methods of utilization of the ATT&CK Matrix, how it came about, and who contributes to its success. She also referenced an ideology from David Bianco, called the Pyramid of Pain. The original article was published in 2013, but still stands true today. In the article David outlines the value and priority of the different threat indicators organizations will encounter. He describes how these different indicators can be used to disrupt or completely dismantle an adversaries TTPs, finally giving security teams and network defenders the upper hand.
If you are one of many network defenders who are struggling to make your threat intelligence data work for you, or if you are not familiar with ATT&CK and the incredible work they are providing to the community, I highly recommend spending some time reading Katie’s article and exploring how ATT&CK can help close the gap and reduce your ATT&CK surface.
The integration between DFLabs’ IncMan R3 Rapid Response Runbooks and Carbon Black Defense’s next-generation antivirus and EDR solution allows companies to automate evidence gathering and threat containment efforts, and cut dwell times down to a manageable level.
Equipped with strong evidence data gathered from Carbon Black Defense, analysts and security teams can quickly disposition and act to remediate an incident. Carbon Black Defense uses their award-winning Streaming Prevention technology to take a holistic approach to an organization’s critical infrastructure.
Sophisticated attacks that organizations have been experiencing cause traditional antivirus to become ineffective. Signature-based detection mechanisms can still detect known threats, but the new generation of non-malware attacks are going undetected in our networks and lying dormant for extended periods of time, enabling attackers to use our environments as their own personal playground.
To manage these deficiencies, Security Operation Centers are employing a wider range of tools to close the gap created by their antivirus solution. Evidence gathering across these tools have added to an analyst’s investigational times, which are allowing our adversaries ample time to secure their foothold in our networks.
Three common problems include:
- Attack vectors have morphed from file to file-less tactics which have caused traditional, signature-based antivirus to no longer be an effective detection mechanism
- Dwell time is being measured in days which have exceeded triple-digit figures
- Manual evidence gathering costs Security Operations teams valuable time when investigating possible incidents
DFLabs and Carbon Black Solution
An incident can turn into a breach in a few minutes, and this makes early detection and remediation a crucial aspect of an organization’s security program. Utilizing IncMan’s integration with Carbon Black Defense allows organizations to automate evidence gathering at their endpoints and present their analysts with critical information such as running processes, system information, and historical event detail to accelerate their decision-making ability to quickly remediate an issue.
These remediation tasks range from terminating processes on a victim machine to completely removing it from the network to allow for hands-on investigation and recovery.
About Carbon Black Defense
Carbon Black Defense is a next-generation antivirus and endpoint detection and remediation solution which utilizes Carbon Black’s proprietary Streaming Prevention technology to protect organizations from the full spectrum of malware and non-malware attacks.
By leveraging event stream processing, Streaming Prevention in Carbon Black Defense continuously updates risk profiles made from endpoint activity and when multiple potentially malicious events are observed, Carbon Black Defense will take action to block the would-be attack. This next-generation antivirus solution is proving why Carbon Black Defense will be the industry’s de facto standard in the following years.
An IDS alert is received and triggers an incident in IncMan. Through an R3 Rapid Response Runbook, enrichment actions are initiated by first querying IP reputation services for the source of the suspicious activity. A second IP reputation service is then queried to verify the results of the first query. Once the reputation checks have been completed, the priority of the incident is set according to the results of the reputation checks and a ticket is opened in the organization’s ticket management system.
IncMan continues to process the runbook by gathering additional enrichment data for the incident handler. User account information is pulled from Active Directory and Carbon Black Defense is queried to collect system information, including all running processes on the victim machine. In addition to system information, IncMan also queries Carbon Black Defense events from the victim machine observed in the last 30 days.
Once the enrichment information is gathered, the incident handler will receive notification of the incident. The incident handler will be prompted with a User Choice decision to determine if containment actions may be appropriate. The incident handler can review the information gathered up to this point to determine if automated containment actions should be performed at this point. If the incident handler determines the activity is malicious and automated containment actions are appropriate, the machine will be quarantined from the network and the source address will be blocked at the firewall.
Carbon Black Defense Actions
- Directory Listing
- Download File
- Event Details
- List Processes
- Memory Dump
- Policies List
- Search Into Events
- Search Process
- System Info
- Change Device Status
- Delete File
- Terminate Process
Carbon Black Defense is an extremely powerful endpoint solution, capable of detecting advanced threats, supporting detail data enrichment, and enabling rapid incident response. Orchestrating actions between Carbon Black Defense and other third-party solutions through IncMan integrations allows organizations to harness the power of Carbon Black Defense at any stage of the incident response process, providing a more efficient and effective response process.
The latest ransomware attack that broke out last Friday, affecting more than 200,000 computers across 150 countries by Sunday, once again highlighted the need for improved preparedness to respond to large-scale cyber incidents by implementing advanced security automation and orchestration solutions capable of containing the damage from such events. In this case, the attackers exploited a vulnerability in Windows Server Message Block (SMB) protocol, which had been discovered and kept quiet for exclusive use by the National Security Agency (NSA).
WannaCry, as the virus is called, is delivered via an email attachment and when executed, paralyzes computers running vulnerable Windows operating systems by encrypting their files. Once it encrypts a computer’s hard disk, WannaCry then spreads to vulnerable computers connected to the same network, and also beyond, via the Internet. This is in many ways a typical ransomware attack, infecting computers with a virus that has the ability to spread quickly to other vulnerable systems; however, the infection in this instance, and the speed at which it spread, was more intense than any other such attack in recent memory. The consensus among cyber security experts around the world is that the damage from this attack could have been reduced to a minimum, and more serious consequences could have been avoided, if organizations had been better prepared and had more effective cyber incident response plans and solutions in place.
Early Detection and Damage Containment via Automation and Orchestration
When affected by an attack such as WannaCry, after an organization’s computer system has been breached, the best thing that the organization can do is try to keep the incident under control by preventing the infection from spreading. There are various security solutions designed to achieve this end, but an automation and orchestration platform is arguably the best suited for the task. When an infected computer is detected, this platform can quickly isolate it in the early stages of an attack, blocking traffic to and from it to contain its spread, and thus reduce the business impact to a minimum.
Recovery and Remediation
Once containment is achieved, the platform provides organizations with the ability to quickly remediate the incident by guiding cybersecurity professionals through the entire process, using pre-defined playbook actions for a faster and more effective execution. The playbook actions can suggest the best remediation and recovery methods, and how to enforce them in the most effective manner. For instance, how to restore files and update the appropriate firewall rules.
All of the above is only a fraction of the capabilities of a typical automation and orchestration platform, a security tool that has become critical for any organization seeking to avoid the immense cost and long-lasting consequences of cyber-attacks such as WannaCry.
Cyber-attacks such as this one are only expected to become more common and more sophisticated in the future, and for this reason WannaCry should serve as an example of why now is the time for organizations serious about cyber security to focus on improving preparedness and containment capabilities through investment in advanced security automation and orchestration.
According to an October 2016 Fortune Tech article by Jonathan Vanian, entitled Here’s How Much Businesses Worldwide Will Spend on Cybersecurity by 2020, organizations will be spending approximately $73.3 billion in 2016 on network security with a projected 36% increase totaling $101.6 billion in 2020. Stake holders know all too well that the pennies you save today may equate to dollars in lost revenue and fines tomorrow following a significant breach or personal information leak. Finding the balance between risk and ROI is the type of thing that keeps CISO’s and CTO’s sleepless at nights.
This becomes even more critical for multinational corporations as we approach the May 25, 2018 General Data Protection Regulation (GDPR) implementation date. Post GDPR implementation, failing to protect the data of EU citizens could result not only in lost reputation and accompanying revenue, but hefty fines totaling more than some information security budgets.
This brings into sharp focus the need to make the best use of the resources we have while ensuring that we invest in the strategies that provide us the best return. Striking a balance between technology and personnel allows us to leverage each one in a coordinated effort that makes each one a force multiplier for the other.
One of the true pleasures I get here at DFLabs is speaking to our customers, listening to their pain points and discussing how they are dealing with them both on a strategic and tactical level. It never ceases to amaze me how creative the solutions are and I’ve been blown away more than once by some truly outside of the box thinking on their part.
ESG Research recently published a whitepaper entitled Next Generation Cyber Security Analytics and Operations Survey where in one of the (many) takeaways is that the top 5 challenges for security analytics and operations consist of:
- Total cost of operations
- Volume of alerts don’t allow time for strategy and process improvement
- Time to remediate incidents
- Lack of tools and processes to operationalize threat intelligence
- Lack of staff and/or skill set to properly address each task associated with an alert
These 5 pain points come as no surprise and while there is certainly no “silver bullet” there are some steps we can take to lessen the severity and improve our cyber incident response position significantly.
Total Cost of Operations
Addressing the total cost of operations can be the biggest factor in building a solid security analytics and operations capability. The key here is to leverage the resources you currently possess to their maximum potential, be it personnel, processes or technological solutions. Automation and incident orchestration allows the blending of human to machine or machine to machine activities in a real-time incident response. This not only makes the best use of existing resources, but provides you the much-needed insight to determine where your funds are best spent going forward.
Volume of alerts don’t allow time for strategy and process improvement
In the whitepaper entitled Automation as a Force Multiplier in Cyber Incident Response I address the alert fatigue phenomenon and discuss ways to address it within your organization. The strategy discussed, including automatically addressing lesser priority or “nuisance” alerts will provide your operations team with additional time for strategizing and process evaluation.
Time to Remediate Incidents
We are certainly familiar with the term dwell time as it applies to InfoSec. One of the 5 focus areas outlined in Joshua Douglas’ paper entitled Cyber Dwell Time and Lateral Movement is granulated visibility and correlated intelligence. This requires a centralized orchestration platform for incident review and processing that provides not only automated response, but the ability to leverage intelligence feeds to orchestrate that response. Given this capability, that single pane of glass now becomes a fully functional orchestration and automation platform. Now we can see correlated data across multiple systems incidents providing us the capability to locate, contain and remediate incidents faster than we thought possible and reduce dwell time exponentially.
Lack of tools and processes to operationalize threat intelligence
The ability to integrate threat intelligence feeds into existing incidents to enrich the data or alternately to create incidents based on threat intelligence to proactively seek out these threats is integral to your security analytics and operations capabilities. This could be a centralized mechanism in your strategic response and an integral part of your orchestration and automation platform. The ability to coordinate this activity is referred to as Supervised Active Intelligence (SAI)™ and provides the ability to scale the response using the most appropriate methods based on fact-based and intelligence driven data. This coordination should enhance your existing infrastructure making use of your current (and future) security tools.
Lack of staff and/or skillset to properly address each task associated with an alert
Of all the pain points in security analytics and operations, this is the one I hear about most frequently. The ability to leverage the knowledge veterans possess to help grow less experienced team members is an age-old issue. Fortunately, this may be the easiest to solve given the capabilities and amount of data we have available and the process by which we can communicate these practices. Orchestration and automation platforms must include not only a Knowledge Base capable of educating new team members of the latest in IR techniques, but incident workflows (commonly called “Playbooks”) that provide the incident responder on his first day the same structured response utilized by the organizations veterans. This workflow doesn’t require the veteran to be present as the tactics, techniques and procedures have already been laid out to guide less experienced employees.
We’ve seen that there are some significant pain points when developing a structured security analytics and operations capability. However I hope you’ve also seen that each of those points can be addressed via orchestration and automation directed toward prioritizing the improvement of your existing resources, with an eye toward the future.
Cyber-attackers never stop inventing new and more creative methods and techniques that are supposed to be more difficult to prevent. One of the most common types of attacks nowadays are the DDoS attacks (Distributed Denial of Service attacks) , which are on the rise recently, unlike data breaches, according to the 2017 Cyber Incident & Breach Response Guide issued by the Online Trust Alliance.
Mitigating DDoS attacks is complicated and time-consuming. They often last several days and even weeks, bringing an organization’s operations to a complete halt for prolonged periods of time. It takes a coordinated effort from an organization’s CSIRT, C-level and its Internet Service Provider (ISP). Since it can take a lot of time to recover from a DDoS attack, it’s essential to have a response plan in place that is specifically designed to respond to these types of cybersecurity incidents. This will help reduce the team’s response time, contain the damage, and resume operations as soon as possible.
DDoS Attack Playbooks
In order to prepare for a future DDoS attack, it’s recommended that organizations utilize a cyber incident response platform, which has the ability todetect, predict and respond to various types of cybersecurity incidents. These platforms provide specialized automated playbooks for the different types of incident, allowing organizations to automate the immediate response to a cybersecurity event and give their SOC and CSIRT the time to focus on recovery and making the organization’s systems fully functional as soon as possible.
Effective Containment and Recovery
A typical DDoS attack playbook includes the key aspects of a cyber incident response, such as analysis, containment, remediation, recovery, and post-incident actions. By employing such a playbook, the organization can quickly determine the specific part of the infrastructure that has been affected by the attack, so that the team can know the necessary actions required to take in order to resolve the incident. A pre-defined playbook will help organizations contain the damage by notifying the SOC and CSIRT on how to block the DDoS attack based on the analysis performed by the incident response platform.
After you have taken the proposed actions to contain the incident, the playbook will guide you through the remediation process. It will involve contacting your ISP and notifying law enforcement, which is where a cyber incident response platform’s capability to create automated incident reports comes in handy, too.
Finally, if you are utilizing a cyber incident response platform, you will have the possibility to enhance your preparedness for future cybersecurity events, by creating statistical reports that contain all the necessary metrics, which you can use to adjust your response to different types of attacks.