Threat hunting is defined as an iterative and focused approach to searching, understanding and identifying internal adversaries that are found in the defender’s network. It’s been shown that incident response automation tools can provide Security Operations Center (SOC) team members with additional time that can be leveraged in a more focused, threat hunting role within the SOC environment.
The SOC staff members should have some understanding of how they can use this additional time provided by incident response automation to enable them to hunt for threats, rather than spending valuable time and resources gathering threat information which could otherwise be done in an automated fashion. It’s long been established as we make the migration from threat prevention to threat discovery that malicious actors and processes are frequently well-hidden within the organizations infrastructure and in order to effectively locate and investigate them we must start by asking the 5 W’s, who, what where, when, why and perhaps most importantly, how.
SOC team members must first understand what threat hunting is to be truly effective. The staff members should channel their question on the three tenets that make up the threat triangle; capability, intent, and the opportunity. By focusing on these three tenets, threat hunters can leverage orchestration to accomplish not only the system monitoring but the automated data gathering to support this expanded role without adding additional infrastructure. Additionally, team members must understand that the threats can be human and not just, for example, malware that is directed at them. This, coupled with an understanding of the affected systems function, will help provide the insight into possible contributing factors to the incident.
As the level of automation scales upward, we’ve seen a corresponding scaling of the transition from simple incident data gatherers to data hunters. Additional time and resources will become available to teams that leverage incident automation, permitting them to forego the traditional gatherer role and begin to embrace a more proactive hunter role. The good news is both of these roles can be supported within the SOC and also within the same Security Orchestration, Automation and Response (SOAR) platform. IncMan SOAR from DFLabs provides the necessary combination of force multiplication and machine learning to ensure that not only are incidents capable of being prioritized automatically, but the necessary actions for successful resolution are available at incident inception.
If you would like to see how a SOAR platform can give your incident response team the necessary tools to make the migration from simple data gatherers to threat hunters, reach out to us for a free, no obligation demo.
Not so long ago we used to hear about a cyber-attack or a new form of vulnerability in the news perhaps on a quarterly or monthly basis. Today, they are becoming increasingly more frequent and I don’t think a day goes by that we don’t read in the headlines about the consequences an organization is having to face, due to another attack. McAfee recently reported a staggering eight new cyber threats a second in Q4 2017.
With the sophistication of attacks also continuously evolving, the modern CISO is now facing up to the fact and preparing for a “when it will happen” scenario as opposed to “if it will happen”, as cyber incidents become more inevitable. Based on this, their cybersecurity strategy is being turned on its head and instead of focusing more on how to prevent an incident from occurring in the first place, they are now heavily investing in technologies and solutions to help identify, manage and contain an incident, in order to minimize the impact to the organization when it does occur.
In larger enterprises today, it is common to have a Security Operations Center (SOC) and/or a Computer Security Incident Response Team (CSIRT) to monitor, manage and respond to incoming security alerts, but with this, there are numerous challenges that are continuously being faced. Our recent blog “How to Implement Incident Response Automation the Right Way” specifically addressed the challenge of increasing volumes of alerts, resulting in an exponential volume of mundane tasks and discussed how utilizing automation should be implemented to overcome this. In reality, the number of challenges is probably many more than what we will cover in this blog, but here are our top five, which we believe are currently having the biggest effect on SOCs and CSIRTs today.
Top 5 Challenges Faced by Security Operations Centers
1. Increasing Volumes of Security Alerts
With the snowballing number of security alerts being received, valuable analyst time is being consumed sorting through a plethora of security alerts. Most commonly, time is wasted performing a multitude of mundane tasks to triage and determine the veracity of the alerts, often resulting in alerts being missed or those of more damaging consequences slipping through the net as they are overlooked. As you can probably imagine, analysts time would be better spent working on the more sophisticated alerts that need human intervention, as well as proactively threat hunting, in order to minimize the time from breach discovery to resolution.
2. Management of Numerous Security Tools
As a wider range of security suites are being adopted by SOCs and CSIRTs, it is becoming ever more difficult to effectively monitor all of the data being generated from the multiplying number of data points and sources. A typical security operations center may use a combination of 20 or more technologies, which understandably can be difficult to monitor and manage individually. It is therefore important to be able to have a central source and single platform to summarize all of the information as it is being generated and to be able to have a helicopter view of your overall security environment to manage, monitor, and measure security operations and incident response processes effectively.
3. Competition for Skilled Analysts and Lack of Knowledge Transfer Between Analysts
With the global cybersecurity talent shortage to hit 1.2m by 2020 and to increase to 1.8m by 2022, the pool of suitable analysts will only continue to diminish over time, with the level of competition becoming more fierce for analysts that have the required skill set. As with most companies and industries, workforce comes and goes, but knowledge transfer is particularly important within a security operations center and incident response teams, in order to ensure the correct response and process takes place within the minimal amount of time, reducing the time to incident detection and time to incident resolution. This lack of knowledge transfer can inevitably lead to increased response times and wasted resources.
4. Budget Constraints with Security Incidents Becoming More Costly
As within most organizations large or small alike, budgets are always restricted in some way, shape or form. In order to authorize spending, a clear positive ROI usually needs to be forecast and/or proven. Security operations and incident response are notoriously difficult to measure, monitor and manage, (why not read our recent whitepaper entitled “KPIs for Security Operations and Incident Response” to learn more), so justifying spend is always difficult. With the increasing number of cyber-attacks, organizations are increasing the level of investment in cyber security tools, but what level of spending is necessary and what amount outweighs the benefits it will achieve? Can you put a price on the consequences of a potential incident such as a data breach, knowing you will likely face a hefty fine, as well as brand and reputation damage?
5. Legal and Regulatory Compliance
Meeting a growing number of legal and regulatory compliance such as NIST, PCI, GLBA, FISMA, HITECH (HIPPA) and GDPR to name a few, as well as industry best practices, will inherently have an impact on any organization, but can have a heavy bearing depending on the specific industry or geographical location. Using the example of the upcoming Global Data Protection Regulation, taking effect on May 25, 2018, it is even more important for security operations centers to have mandatory processes and procedures clearly in place which are conducted in a legally and policy-compliant manner. Providing sufficient incident reporting and breach notification within the required parameters (in the case of GDPR to notify the supervisory authority within 72 hrs of a breach) is going to be key, or the legal, financial and reputational impact and repercussions could be significant.
Based on these five challenges alone, enterprise SOCs and CSIRTs are struggling to remain efficient and effective and are increasingly being forced to do more with less, while striving to keep up with the current threat landscape and a plethora of security alerts.
With security incidents becoming more costly, enterprises need to find new ways to further reduce the mean time to detection and resolution. As a result, security and risk management leaders will see the business need to invest in Security Orchestration, Automation and Response (SOAR) technology and tools, such as the IncMan SOAR platform from DFLabs, to help improve their security operations proficiency, efficacy, and quality, in order to keep their cyber incident under control.
If you are interested in reading more about how SOAR technology can help to address these challenges in more detail, look out for our future blog on the topic coming soon.
At the heart of incident response, and by extension of Security Automation and Orchestration technologies, resides the Cyber Incident. A typical definition of a cyber security incident is “Any malicious act or suspicious event that compromises or attempts to compromise, or disrupts or tries to disrupt, a critical cyber asset”. Almost everything we do in a SOC or a CSIRT is based on incidents, and there are a variety of potential incident sources, for example:
- Alerts from cyber security detection technologies such as Endpoint Detection & Response or User Entity Behavior Analytics tools
- Alerts from Security Information & Event Management Systems (SIEM)
- Emails from ITSM or case management systems
- Website submissions from internal stakeholders and whistle-blowers
- Phone calls from internal users and external 3rd parties
This diversity of incident sources means that a solid SAO solution must offer a variety of different methods to create incidents. Regulatory frameworks also frequently mandate being able to originate incidents from different sources. DFLabs IncMan offers a rich set of incident creation options.
There are three primary ways to create incidents in IncMan, offering flexibility to accommodate a variety of incident response process requirements and approaches.
Option 1: Automated Incident Creation
We will feature automated incident creation in a more detail in a future post. In the meantime, I will show you the location of this feature.
Select settings menu, then head to the external sources:
You will see that under the external sources option there are 3 options available to use as sources to automate incident creation:
- Incoming events automation, for CEF/Syslog
- Incoming Mail automation, for a monitored email account
- Integrations, for all QIC integration components.
Automating incident creation supports a variety of filters to support a rules-based approach. In addition, it is also possible to create incidents using our SOAP API. Certified 3rd party applications use this mechanism to create incidents within IncMan, for example, Splunk.
Option 2: Manual Incident Creation
Click the incidents menu option, then click the + symbol selecting the incidents screen
Fill out all mandatory fields (these can be defined in the custom fields screen) then step through and complete the incident wizard to create the incident:
Once all relevant fields have been completed, click save and this incident will then appear in the incident view and apart of the queue you assigned in the details screen.
Option 3: Incident creation from source
Select an incident source for the incident you want to create, for example, a Syslog or CEF message, an Email, or a Threat intelligence source (STIX/TAXI, ThreatConnect):
In this screen, you can then convert this source item to an incident, or link the source to an existing incident.
Today, we will talk about our dashboards in IncMan. We will see how to add, delete and generally organize the dashboard widgets. IncMan widgets can display charts, graphs and tables to display and track Key Performance Indicators. IncMan supports role-based dashboards. This is a key requirement for any SOC, facilitating that the right information is available to the right person based on their role, duties, and needs. Which information is required for any individual or team will differ from organization to organization, so we support customization to create unique and dedicated dashboards for every persona.
How to use IncMan Dashboards and Widgets
This default screen displays a number of out of the box charts to get you started. But you will want to customize the dashboard with the widgets you need for your role.
1. To begin creating your unique dashboard, select “Customize” to open the menu.
2. The dashboard screen is split into 4 distinct parts: top, left, right and bottom. By selecting the “+” symbol, you can add an additional widget from a number of pre-defined templates. For this example, let’s add the “Incident Overview” widget:
3. You can change the name of the widget in the configuration screen, for example, “GDPR” or “Urgent Incidents”. You can also specify the applicable timeframe for the widget, and the refresh rate, to determine how often the widget will be updated.
4. Next, we will configure the widget filters to determine the data that the widget displays.
We can apply search filters to narrow down the displayed incidents. You can filter by a variety of attributes, including tags, incident priority, the Incident Response process stage, and any custom fields you have defined. Every filter that is selected will also need a corresponding value assigned to it in the values tab.
5. Once you’ve selected the values you want to add into the table, the final step allows you to define which columns will be displayed in the widget.
In incident response, protecting against a targeted attack is like slaying the hydra. For those not familiar with what a hydra is, it is a multi-headed serpent from Greek mythology, that grows two new heads for every head you chop off. A determined attacker will try again and again until they succeed, targeting different attack vectors and using a variety of tactics, techniques, and procedures.
The Snowden and Shadowbroker leaks really drove this home, giving partial insight into the toolkit of nation state actors. What really stuck out to me was the sheer variety of utilities, frameworks, and techniques to infiltrate and gain persistence in a target. Without the leak, would it be possible to reliably determine that all of those hacking tools belonged to a single entity? Would a large organization with thousands of alerts and hundreds of incidents every day be able to identify that these different attacks belonged to a single, concerted effort to breach their defenses, or would they come to the conclusion that these were all separate, unrelated attempts?
Our colleagues in the Threat Intelligence and Forensic analysis industries have a much better chance to correlate these tools and their footprint in the wild – they may discover that some of these tools share a command and control infrastructure for example. A few did have at least an outline of the threat actor, but judging by the spate of advisories and reports that were released after the leaks, not very many actually appear to have achieved this to a great degree. The majority were only able to piece the puzzle together once equipped with a concise list of Indicators of Compromise (IoC) and TTP’s to begin hunting with.
“How does this affect me? We are not important enough to attract the attention of a nation state actor”
Some readers may now be thinking, “How does this affect me? We are not important enough to attract the attention of a nation state actor”. I would urge caution in placing too much faith in that belief.
On the one hand, for businesses in some countries the risk of economic espionage by-nation state hacking has decreased. As I wrote on Securityweek in July, China has signed agreements with the USA, Canada, Australia, Germany and the UK limiting hacking for the purpose of stealing trade secrets and economic espionage. However, this does not affect hacking for national security purposes, and it will have little impact on privately conducted hacking. These are also bilateral agreements, and none exist in other nations, for example, Russia or North Korea. For militarily and economically weaker nation states, offensive cyber security is a cheap, asymmetric method of gaining a competitive or strategic advantage. As we have seen, offensive cyber activity can target civilian entities for political rather than economic reasons, and hackers are increasingly targeting the weakest link in the supply chain. This means that the potential probability of being targeted is today based more on your customer, partner, and supply chain network, and not just on what your organization does in detail. Security through obscurity has never been a true replacement for actual security, but it has lost its effectiveness as targeted attacks have moved beyond only focusing on the most prominent and obvious victims. It has become much easier to suffer from collateral damage.
Cyber criminals are becoming more organized and professional
On the other hand, cyber criminals are becoming more organized and professional, with individual threat actors selling their services to a wide customer base. A single small group of hackers like LulzSec may have a limited toolbox and selection of TTP’s, but professional cybercrime groups have access to numerous hackers, supporting services and purpose-built solutions. If they are targeting an organization directly and are persistent and not opportunistic, it will be as difficult to discern that a single concerted attack by one determined threat actor is taking place.
What this means in practical reality for any organization that may become the target of a sophisticated threat actor, is that you have to be on constant alert. Identifying, responding to and containing a threat is not a process to be stepped through with a final resolution step – instead, cyber security incident response is an ongoing, continuous and cyclical process. Advanced and persistent attacks unfold in stages and waves, and like a war consist of a series of skirmishes and battles that continue until one side loses the will to carry on the conflict or succeeds in their objectives. Like trying to slay the hydra, each incident that you resolve means that the attacker will change their approach and that the next attempt may be more difficult to spot. Two new heads have grown instead of one.
To tackle this requires that we cultivate a perpetual state of alertness in our SOC and CSIRT
To tackle this requires that we cultivate a perpetual state of alertness in our SOC and CSIRT – but we must do this without creating a perpetual state of alarm. The former means that your team of analysts is always aware and alert, looking at individual incidents as potentially just one hostile act of many that together could constitute a concerted effort to exfiltrate your most valuable data, disrupt your operational capacity, or abuse your organization to do this to your partners or customers. In the latter case, your analysts will suffer from alert fatigue, a lack of true visibility of threats, and a lack of energy and time to be able to see the bigger picture.
The hydra will have too many heads to defeat.
In the Greek legend of Heracles, the titular hero eventually defeats the Hydra by cauterizing each decapitated stump with fire to prevent any new heads from forming. Treating an incident in isolation is the Security Incident Response equivalent of chopping off the head of the hydra without burning the stump. Applied to our problem, burning the stump means that we have to conduct the response to each incident thoroughly and effectively, and continue the process well beyond containment.
We must invest more time in hunting and investigating, and we have to correlate and analyze the relationship between disparate incidents. We must use threat intelligence more strategically to derive situational awareness, and not just tactically as a machine-readable list of IoC’s. This also requires gathering sufficient forensic evidence and context data about an incident and related assets and entities during the incident response process, so that we can conduct post event analysis and continuous threat assessment after containment and mitigation have been carried out. This way we can better anticipate the level of threat that we are exposed to, and make more informed decisions about where to focus our resources, add mitigating controls and improve our defenses. In Incident Response “burning the stump” means making it more difficult for threat actors to succeed in the future by presenting them with a hardened attack surface, reducing their reside time in our infrastructure, and reducing the time we need to discover and contain them. To do this we need to learn from every incident we manage.
I have often talked about the benefits of employing flexible playbooks to deal with evolving cyber incidents and unique threat scenarios, and in these series of blogs, I am going to explore some of the points of emphasis when creating a new playbook.
The advantage to Security Orchestration, Automation and Response (SOAR) platforms, and in particular our IncMan platform, is the ability it provides to tailor playbooks or runbooks to deal with all manner of cyber incidents. These Playbooks are defined by three key factors:
1.Phases: Determine the number of phases for the response process based on the incident scenario. The phases are really a placeholder for what you are trying to achieve in your response.
2.Automation: How much automation will benefit the given scenario without hindering or otherwise adversely impacting your business.
3.Actions: What actions apply to each phase and what is the benefit to each action.
Wash, Rinse, Re-playbook.
Play books, or runbooks, should never be static and hard-coded for a fixed set of events. Ultimately, incidents will differ and you should always remain in control, ready to adapt and adjust the response workflow. This flexibility is vital should a Plan B need to be executed. The approach of IncMan to security playbooks & runbooks support both mature and emerging SOC teams by providing multi-flow advanced runbooks to the former, and for the less mature, a simplified playbook containing a dual mode where automation and manual actions can co-exist.
In talking with CSIRT/SOC managers, I have learned that they have typically aligned themselves with a particular standard. Most organizations follow the likes of ISO for Incident Response, NIST
800-62 or alternatives along the lines of CREST or NISA. Structured incident handling processes based on these standards are a great baseline, but how about also having actions and reactions pre-prepared and ready to respond immediately according to the threat you face? Can you see the instant advantage in having smaller, simpler playbooks and runbooks specific to an adversary or threat scenario?
Dealing with incidents with tailored playbooks will ultimately provide better threat coverage as each has enrichment and containment actions that are concentrated on the tasks specific to a given scenario. Additionally, allowing your SOAR product to tie the dots to bring enrichment to the observables and the indicators encountered in incidents will bring measurable value to the increased speed of the incident response process. Allowing analysts dynamic interaction at all phases of the workflow will help also help your reactions become more efficient. This mix of structured playbooks and dynamic response capability can also help push the CSIRT teams into a more pro-active mindset, allowing system and network-level security policy and infrastructure configuration changes to be handled on the fly while leveraging current and accurate information, and all from a single response console.
“Noise” is a prevalent term in the cyber security industry. DFLabs consistently receives feedback from vendor partners and clients that one of the major issues they face daily is the ability to sift through noise in order to understand and differentiate an actual critical problem from a wild goose chase.
Noise is vast amount of information passed from security products that can have little or no meaning to the person receiving this information. Typically, lots of products are not tuned or adapted for certain environments and therefore would present more information than needed or required.
Noise is a problem to all of us in the security industry, as there are meanings within these messages that are many times simply ignored or passed over for higher priorities. For example, having policies and procedures that are incorrectly identified or adapted or the product is not properly aligned within the network topology.
There is no one security product that can deal with every attack vector that businesses experience today. What’s more disturbing about this paradigm is that the products do not talk to each other natively, yet all these products have intelligence data that can overlay to enrich security and incident response teams.
Cyber incident investigative teams spending a vast number of hours doing simple administration that can be relieved by introducing an effective case management system. Given the sheer volume we can see from SIEM products on a day to day basis we can execute all of the human to machine actions and follow best practice per type of incident and company guidelines through automated playbooks.
Re-thinking about what information is being presented and how we deal with it is the biggest question. There are several ways to manage this:
• Fully automating the noise worthy tasks. If these are consistently coming into your Security Operations Center (SOC) causing you to spend more time on administration than investigation, it may be prudent to schedule the tasks in this manner.
• Semi-Automation of tasks can give your SOC teams more control of how to deal with huge numbers. Automating 95% of the task and then giving this last sign off a manual look over can heavily reduce time if your organisation is against completely automating the process.
• Leverage all your existing products to provide better insight into the incident. For example, leverage an existing active directory to lock out or suspend a user account if they log in outside of normal business hours. Additionally it’s possible to sandbox and snapshot that machine to understand what is happening. A key consideration here is to make sure not to disrupt work at every opportunity. It really is a balancing act, however depending on their privilege you may want to act faster for some users than others.
In 2017, the readiness and capability to respond to a variety of cyber incidents will continue to be at the top of every C-level agenda.
By leveraging the orchestration and automation capabilities afforded by IncMan™, stake holders can provide 360-degree visibility during each stage of the incident response life cycle. This provides not only consistency across investigations for personnel, but encourages the implementation of Supervised Active Intelligence™ across the entire incident response spectrum.
At DFLabs we showcase our capacity to reduce investigative time, incident dwell time all while increasing incident handling consistency and reducing liability. Arming your SOC teams with information prior to the start of their incident investigation will help to drive focus purely on the incidents that need attention rather than the noise.
If you’re interested in seeing how we can work together to grow your incident response capabilities, visit us at https://www.DFLabs.com and schedule a demonstration of how we can utilize what you already have and make it better.
In my role as VP of Services at DFLabs, I get the opportunity to speak to stakeholders at every level pertaining to concerns they have about their current cyber incident response processes and how they are currently dealing with the challenges. From the analyst who deals with an ever-increasing number of alerts to the CISO who is constantly evaluating how best to apply limited funds and personnel, they all have one overwhelming concern; how best to build what they have into what is needed to successfully handle the evolving threats to data security.
Organizations typically will leverage the resources they currently possess. Spreadsheets become incident trackers. Ticketing and project management applications become investigation coordination repositories. Governance, risk and compliance software becomes the reporting platform. While the ROI for leveraging existing resources can’t be understated, the issue quickly becomes one of scalability. These systems comprised of patchwork applications that are unable to work together symbiotically are quickly outgrown.
We can all agree that no single solution is the magic bullet that will solve all incident response challenges. Any progress will begin with a centralized incident response orchestration platform that acts as a force multiplier for your existing personnel and resources. You wouldn’t use a spoon to dig a 6-foot hole when there are tools designed to dig the hole that are more efficient and effective. This platform should include at a minimum:
- A solid platform of cyber incident management –A cost-effective incident management platform designed for each stage of the incident response life cycle is the foundation for immediate and long-term success and organizational expansion. A successful platform will be able to incorporate your existing infrastructure and personnel and increase their capabilities. It should not require hiring new personnel or expensive professional services to be effective.
- Actionable intelligence – Intelligence feeds such as TAXII or other feeds that support STIX can add additional information that promotes informed decision making during each stage of the incident response life cycle.
- Seamless integration with existing and future technologies – To expand with customer and infrastructure needs, an orchestration platform must be able to not only leverage existing technologies but offer the capability to expand for future integrations as needed.
- True incident orchestration – Provides the ability to utilize Supervised Active Intelligence™ (SAI), to make informed decisions at each stage of the incident response life cycle while providing a 360-degree view of the incident. This includes critical incident enrichment data with a choice of Human to Machine and/or Machine to Machine actions with consistent, defendable, results across a variety of incident response scenarios.
At DFLabs we have integrated these features and more to give stakeholders the tools they require, built on a platform that gives them the confidence they need. DFLabs’ IncMan® is ranked as one of the most innovated incident response orchestration platform that provides the same unparalleled value to the incident responder as it does to the CISO. Our advanced technology empowers our customers to receive, respond and remediate cyber incidents at a total cost of ownership unavailable elsewhere.
If you’re interested in seeing how we can work together to grow your incident response capabilities while keeping an eye on the ROI bottom line, visit us at https://www.DFLabs.com and schedule a demonstration of how we can utilize what you already have and make it better.
Considering that we live and work in an increasingly connected world, it can be said that nowadays there is no organization that is immune to cyber attacks and data breaches. No matter how sophisticated your cyber defense is, you always need to be prepared for all eventualities that might arise from potential vulnerabilities within your computer networks or systems. That is why having a proper cyber incident response plan in place is crucial to the security of every organization since it enables you to detect and respond to cyber security breaches as quickly and efficiently as possible. For a cyber incident response plan to be successful, it should rely on automated incident response playbooks that can provide an automated response to any cyber attack, reducing the time it takes to solve an incident and allowing your organization to resume operations as soon as possible.
Automated Computer Forensics and Remediation
By using a platform that incorporates automated playbooks, organizations streamline their cybersecurity. As the playbooks provide automated digital forensics and remediation of the target, in addition to prioritized workflows that help when responding to all threats in the most effective manner.
To put it briefly, automated cyber incident response playbooks replace several time-consuming and often very costly processes and tasks that need to be completed following an advanced cyber attack. Tasks like tracking and gathering evidence that usually takes a lot of time to complete which only prevents investigators from spending more time trying to solve the problem. With a platform that offers automated playbooks, your cyber security team can focus on analyzing an incident, instead of collecting information.
Quick Response to Every Specific Incident
Security incident response playbooks help cyber security teams select the workflow that’s best suited for a specific threat. This allows them to prioritize their response, as well as choose the right tools that are required to solve a problem. These kinds of playbooks are a paramount part of an automated and orchestrated incident response, which is a key requirement for every SOC and CSIRT.
In conclusion, businesses and organizations are searching for a solution that enables a quick recovery from cyber attacks and helps prevent future potential threats. Investing in a complete platform that includes automated playbooks is one of the wisest investments they can make to protect proprietary and critically valuable information.