A Weekend in Incident Response #33: Security Awareness Training Can Help Protect Organizations Against Ransomware Attacks

With all the damage done by the WannaCry and Petya (also known as GoldenEye) ransomware attacks over the course of the last two months in mind, it is safe to assume that organizations that are a potential target of cyber criminals should move to enhance their resilience to these types of attacks. There are various actions that businesses and government institutions can take to escape unscathed from this global ransomware epidemic.

Aside from using sophisticated tools that are designed to detect and remove ransomware, employees themselves are an important piece of the puzzle when it comes to defending against targeted cyber-attacks. Raising employee awareness of cybersecurity can go a long way towards improving the ability of organizations to avoid damage caused by cyber incidents, because staff are often cited as one of the weakest links in cyber defenses.

Employees, the First Line of Defense Against Ransomware

One of the reasons why organizations need to raise cybersecurity awareness among their staff is that ransomware usually finds a way into IT systems through phishing emails opened by an employee. The main risk stems from the fact that most employees are not well-versed in distinguishing between legitimate emails and fake ones that aim to install malicious software onto their computers, which is done in one of two ways. One way is to include a call-to-action prompting recipients to download an attachment that contains malware. Once that file is opened and the malware is installed on the computer, the malware effectively disables the computer, preventing the user from accessing it or from opening certain essential files.

The other way involves emails providing a URL that recipients are supposed to click, with the URL crafted to resemble a popular and well-known website. That way, recipients do not suspect that there is something wrong with the website the email prompts them to visit, but once they click the malicious URL and reach that website, malware is instantly installed onto their computer.

After a piece of malware is installed on a computer, it has the ability to spread to the other computers that machine is connected to, thus infecting and blocking access to the entire network.

Tackle Social Engineering Through Education

Organizations can reduce the risk of getting hit by a ransomware attack by educating employees about the methods utilized in these scams, which involve a great deal of social engineering, taking advantage of certain psychological weaknesses. By making employees more aware of the most common ransomware schemes, as well as the fact that they have one of the key roles in the cyber defense of their organization, chances of preventing attacks can be greatly increased.

Cyber security professionals need to train all employees on how to detect ransomware scams by pointing out to them that they need to pay extra attention to details when receiving emails from an unknown sender or containing suspicious content. The most important details that employees should pay attention to include the sender's display name, the salutation, and whether an email contains an attachment that they are not expecting.
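The same three checks the training asks employees to make can also be applied automatically at mail-triage time. The following is an added example, not code from the original post or from DFLabs: the message, organization name and domains are constructed placeholders, and the "trusted domains" set is assumed to be maintained by the organization.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message (not from the article); domains are placeholders.
SAMPLE_PHISH = """\
From: "Acme Payroll Team" <payroll-notice@acme-payrol1.example>
To: jane.doe@acme.example
Subject: Action required: updated invoice
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Dear Customer,
Please open the attached invoice and confirm your details today.
--b1
Content-Type: application/octet-stream; name="invoice.js"
Content-Disposition: attachment; filename="invoice.js"

dmFyIHg9MTs=
--b1--
"""

# A salutation with no personal name, e.g. "Dear Customer," or "Hello,".
GENERIC_SALUTATION = re.compile(
    r"^(dear|hi|hello)\b\s*(customer|user|sir|madam|valued|friend|colleague)?\s*[,!]?$", re.I)

def triage(raw, org_name, trusted_domains, expecting_attachment=False):
    """Return the findings the article's three checks produce for one message."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    # 1. Display name: does it claim the organisation while the address does not belong to it?
    display_name, address = parseaddr(str(msg["From"]))
    domain = address.rpartition("@")[2].lower()
    if org_name.lower() in display_name.lower() and domain not in trusted_domains:
        findings.append(f"display name '{display_name}' but sender domain '{domain}'")
    # 2. Salutation: a generic greeting where a known sender would use the recipient's name.
    body = msg.get_body(preferencelist=("plain",)).get_content()
    first_line = next((ln.strip() for ln in body.splitlines() if ln.strip()), "")
    if GENERIC_SALUTATION.match(first_line):
        findings.append(f"generic salutation '{first_line}'")
    # 3. Attachment: anything attached that the recipient was not expecting.
    if not expecting_attachment:
        for part in msg.iter_attachments():
            findings.append(f"unexpected attachment '{part.get_filename()}'")
    return findings
```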

Employee education is paramount when it comes to defending against ransomware attacks, and organizations need to invest more time and resources into this increasingly important aspect of cybersecurity.

Visual Event Correlation Is Critical in Cyber Incident Associational Analysis

I can remember sometime around late 2001 or early 2002, GREPing Snort logs for that needle in a haystack until I thought I was going to go blind. I further recall around the same time cheering the release of the Analysis Console for Intrusion Databases (ACID) tool which helped to organize the information into something that I could start using to correlate events by way of analysis of traffic patterns.

Skip ahead and the issues we faced while correlating data subtly changed from a one-off analysis to a lack of standardization for the alert formats that were available in the EDR marketplace. Each vendor was producing significant amounts of what was arguably critical information, but unfortunately all in their own proprietary format. This rendered log analysis and information tools constantly behind the 8-ball when trying to ingest all of these critical pieces of disparate event information.

We have since evolved to the point that log file information sharing can be easily facilitated through a number of industry standards, e.g., RFC 6872. Unfortunately, with the advent of the Internet of Things (IoT), we have also created new challenges that must be addressed in order to make the most effective use of data during event correlation. Specifically, how do we quickly correlate and review:

a. Large amounts of data;

b. Data delivered from a number of different resources (IoT);

c. Data which may be trickling in over an extended period of time; and

d. Data segments that, when evaluated separately, will not give insight into the “Big Picture”.

How can we now ingest these large amounts of data from disparate devices and rapidly draw conclusions that allow us to make educated decisions during the incident response life cycle? I can envision success coming through the intersection of 4 coordinated activities, all facilitated through event automation:

1. Event filtering – This consists of discarding events that are deemed to be irrelevant by the event correlator. This is also important when we seek to avoid alarm fatigue due to a proliferation of nuisance alarms.

2. Event aggregation – This is a technique where a collection of many similar events (not necessarily identical) are combined into an aggregate that represents the underlying event data.

3. Event masking – This consists of ignoring events pertaining to systems that are downstream of a failed system.

4. Root cause analysis – This is the last and quite possibly the most complex step of event correlation. Through root cause analysis, we can visualize data juxtapositions to identify similarities or matches between events, determine whether some events can be explained by others, or identify causal factors between security events.

The results of these 4 event activities will promote the identification and correlation of similar cyber security incidents, events and epidemiologies.
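The four activities above, run in sequence over a small constructed event stream, as an added example that is not code from the original article or from IncMan. The events, device names, hostnames and the downstream-dependency map are all placeholders; the root-cause step follows lateral-movement links back to the host that is never a destination, which is one simple way to recover the point of entry.

```python
from collections import Counter

# Constructed sample events (not from the original article). "t" is minutes
# since the first alert, "dev" the reporting device; lateral-movement events
# also carry the destination host. Host names are placeholders.
EVENTS = [
    {"t": 0, "dev": "mail-gw", "type": "phish_click", "host": "ws-17"},
    {"t": 1, "dev": "edr", "type": "malware_exec", "host": "ws-17"},
    {"t": 2, "dev": "edr", "type": "malware_exec", "host": "ws-17"},
    {"t": 3, "dev": "fw", "type": "lateral_move", "host": "ws-17", "dst": "fs-01"},
    {"t": 4, "dev": "edr", "type": "malware_exec", "host": "fs-01"},
    {"t": 5, "dev": "fw", "type": "lateral_move", "host": "fs-01", "dst": "db-02"},
    {"t": 5, "dev": "nms", "type": "host_down", "host": "core-sw"},
    {"t": 6, "dev": "nms", "type": "unreachable", "host": "printer-3"},
    {"t": 6, "dev": "ids", "type": "heartbeat", "host": "ids-01"},
]
NUISANCE = {"heartbeat"}                          # event types the correlator discards
DOWNSTREAM = {"core-sw": {"printer-3", "cam-1"}}  # systems that depend on another

def filter_events(events):
    """1. Event filtering: drop nuisance types before they cause alarm fatigue."""
    return [e for e in events if e["type"] not in NUISANCE]

def aggregate(events):
    """2. Event aggregation: collapse similar events into (host, type) -> count."""
    return Counter((e["host"], e["type"]) for e in events)

def mask(events):
    """3. Event masking: hide events from hosts downstream of a failed system,
    from the moment of that failure onward."""
    failures = {e["host"]: e["t"] for e in events if e["type"] == "host_down"}
    def shadowed(e):
        return any(e["host"] in DOWNSTREAM.get(f, ()) and e["t"] >= t
                   for f, t in failures.items())
    return [e for e in events if not shadowed(e)]

def root_cause(events):
    """4. Root cause analysis: chain lateral-movement links into an infection
    graph; the host that is never a destination is the point of entry."""
    links = [(e["host"], e["dst"]) for e in events if e["type"] == "lateral_move"]
    affected = {h for link in links for h in link}
    entry = sorted(affected - {dst for _, dst in links})
    return entry, links

def correlate(events):
    kept = mask(filter_events(sorted(events, key=lambda e: e["t"])))
    entry, links = root_cause(kept)
    return {"kept": len(kept), "counts": aggregate(kept), "entry": entry, "links": links}
```

The `links` list is the edge set a correlation graph would draw: entry host first, then each node it subsequently reached.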

According to psychology experts, up to 90% of information is transmitted to the human brain visually. Taking that into consideration, when we are seeking to construct an associational link between large amounts of data we must therefore be able to process the information using a visual model. DFLabs IncMan™ provides a feature-rich correlation engine that is able to extrapolate information from cyber incidents in order to present the analyst with a contextualized representation of current and historical cyber incident data.

As we can see from the correlation graph above, IncMan has helped simplify and speed up a comprehensive response by identifying the original point of entry of the infection into the network and then visually representing the network nodes that were subsequently affected, denoted by their associational links.

The ability to ingest large amounts of data and conduct associational link analysis and correlation, while critical, does not have to be overly complicated, provided of course that you have the right tools. If you’re interested in seeing additional capabilities available to simplify your cyber incident response processes, please contact us for a demo at [email protected]

Improving the Alignment between Cyber Security and IT Service Management Processes

I frequently marvel at the solutions our customers implement in order to walk the fine line where security operations and IT governance converge. The capability to simultaneously engage the needs of IT service management and cyber security requirements frequently requires a creative approach to effectively align business objectives, priorities and a variety of risk postures. One common denominator I have observed is that the most effective cyber security plans address these 4 points of effective security and IT management policy:

1. Create the right policy
This involves a collaborative approach that leverages the stakeholders from not only the IT and Security Operations groups but Legal, HR and Operations as well, to ensure that their needs are also being addressed. Policies are only as good as our ability to monitor and enforce them. A policy that detrimentally affects the ability of any one organization to perform its duties will quickly be discarded, opening the door to a domino effect of security issues. Additionally, this collaboration should address organizational dynamics including core services, internal customers and, when applicable, external or business partners that may require access.

2. Perform a risk assessment and analysis
Industry requirements aside, performing a cyber security risk assessment and analysis is critical to building processes that address our most vulnerable systems and processes. We can subsequently formulate a corrective action plan that addresses not only current needs but anticipates future requirements. As part of a greater Business Continuity Planning program, a risk assessment provides the insight to avoid security and governance concerns before they truly become “issues”. An example of this is the development of your Disaster Recovery Plan. Determining the critical systems and the need for warm and cold site requirements as the result of a detailed risk analysis will save your teams hours of work when trying to rebuild critical system data.

3. Define appropriate procedures
If actionable processes and procedures are the lifeblood of effective security operations and governance alignment, then a platform that ensures these policies are available to the appropriate stakeholders in the form of actions that are vetted, repeatable and defensible should be considered the heart. Security orchestration and automation products, while typically focusing on security operations, can provide this needed heart to IT governance requirements as well. DFLabs IncMan™ provides our customers with over 100 Playbooks that outline the appropriate procedures for a broad range of incidents, delivered in a format that can be easily followed or edited as requirements change and evolve. This gives the user maximum flexibility to ensure the needs of all stakeholders are addressed consistently and with minimum delay during incident response activities, when time is often of the essence.

4. Focus on staffing
Staffing is a common issue on several fronts. Locating and retaining experienced staff is only part of the problem. Facilitating a knowledge transfer between experienced and inexperienced staff is also problematic and frequently results in a small group of individuals handling the majority of the demanding cases. The good news is that more evolved organizations have recognized the value of utilizing the previously mentioned Playbooks. IncMan Playbooks provide a roadmap designed by the experienced staff members to guide the inexperienced members during the response process. This effectively provides these organizations with a force multiplier by not only reducing incident dwell time but providing the necessary knowledge transfer as well.

If you want more information about how DFLabs IncMan can help align your security and IT service management processes, please contact us at [email protected] for a no-obligation demonstration.