A Weekend in Incident Response #26: Tackling Advanced Persistent Threats Through Email Parsing Rules and Information Sharing

Advanced persistent threats (APTs) have become a particularly common type of cyber attack used by cyber criminals and state-sponsored actors looking to gain continuous access to government and private organizations’ networks. These attacks are extremely difficult to defend against, because their sophistication and precise targeting help them circumvent cyber defenses and maintain access to an organization’s network undetected for prolonged periods of time.

The severity of the damage caused by advanced persistent threats, and the costs associated with it, will continue to rise exponentially. Organizations would be wise to invest more financial and human resources into detecting, preventing, and eradicating those attacks.

Incoming Email Automation

A fast reaction time and the ability to diagnose a cyber threat correctly as quickly as possible are key to resolving cyber incidents and containing the potential damage that can arise from them. To that end, organizations need to automate their cyber incident response processes, in order to accelerate the reaction of their cyber-security professionals and enable them to identify every threat and resolve every incident in a timely manner. An automation-and-orchestration cyber incident response platform is arguably the ideal solution for organizations that are potential targets of advanced persistent threats.

These platforms offer a wide spectrum of features aimed at tackling advanced persistent threats, with incoming email automation among the most effective. Email parsing rules within cyber incident response platforms allow your cyber-security team to detect intrusion attempts and block potentially hazardous emails. Once such rules have been created, the platform analyses each incoming email and inspects specific fields, including the subject, the body, and the sender address, to filter out messages with malicious content, helping to stop advanced persistent threat actors from gaining access to your network through phishing email messages.
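To make the idea of email parsing rules concrete, here is an added example (not code from this blog or from any vendor's platform) of a small rule engine built on Python's standard `email` library. It parses a raw message, pulls out the sender address, subject, body, link hosts and attachment names, and runs four defensive rules over them: a lookalike sender domain, urgency language, links to untrusted hosts, and executable attachments. The trusted domain `example.com`, the keyword lists, the quarantine threshold and both sample messages are constructed for the example.

```python
"""Email parsing rules for an incident-response pipeline.

Added example, not code from the blog or from any vendor's platform.
The trusted domain, rule thresholds and both messages are constructed.
"""
import email
import re
from email import policy
from email.utils import parseaddr

TRUSTED_DOMAINS = {"example.com"}            # assumed: the organization's own domain
URGENCY_WORDS = ("urgent", "verify now", "suspended", "password reset")
DANGEROUS_EXTENSIONS = (".exe", ".scr", ".js", ".vbs", ".bat")
URL_HOST_RE = re.compile(r"https?://([^/\s]+)", re.IGNORECASE)

# Constructed sample 1: lookalike sender domain, urgency language, an external
# link and a double-extension attachment (the base64 payload is filler bytes).
PHISH_RAW = """\
From: "IT Helpdesk" <helpdesk@example-corp-support.com>
To: alice@example.com
Subject: URGENT: Password reset required
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Your account will be suspended. Verify now at http://example-corp-support.com/login
--b1
Content-Type: application/octet-stream; name="invoice.pdf.exe"
Content-Disposition: attachment; filename="invoice.pdf.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AALgAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
--b1--
"""

# Constructed sample 2: ordinary internal mail with an intranet link.
BENIGN_RAW = """\
From: "Bob Smith" <bob@example.com>
To: alice@example.com
Subject: Lunch tomorrow?
Content-Type: text/plain; charset="utf-8"

Are you free at noon? See the menu at https://intranet.example.com/menu
"""


def extract_fields(raw):
    """Parse a raw RFC 5322 message into the fields the rules inspect."""
    msg = email.message_from_string(raw, policy=policy.default)
    _, sender = parseaddr(str(msg.get("From", "")))
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    return {
        "sender": sender.lower(),
        "sender_domain": sender.rpartition("@")[2].lower(),
        "subject": str(msg.get("Subject", "")),
        "body": body,
        "link_hosts": [h.lower() for h in URL_HOST_RE.findall(body)],
        "attachments": [a.get_filename() or "" for a in msg.iter_attachments()],
    }


def _is_trusted_host(host):
    return any(host == d or host.endswith("." + d) for d in TRUSTED_DOMAINS)


def rule_lookalike_sender(f):
    """Untrusted sender domain that borrows a trusted domain's first label."""
    if f["sender_domain"] and not _is_trusted_host(f["sender_domain"]):
        for d in TRUSTED_DOMAINS:
            if d.split(".")[0] in f["sender_domain"]:
                return "sender domain %s imitates %s" % (f["sender_domain"], d)
    return None


def rule_urgency_language(f):
    """Two or more pressure phrases across subject and body."""
    text = (f["subject"] + " " + f["body"]).lower()
    hits = [w for w in URGENCY_WORDS if w in text]
    return "urgency language: " + ", ".join(hits) if len(hits) >= 2 else None


def rule_untrusted_links(f):
    bad = sorted({h for h in f["link_hosts"] if not _is_trusted_host(h)})
    return "links to untrusted hosts: " + ", ".join(bad) if bad else None


def rule_dangerous_attachment(f):
    bad = [a for a in f["attachments"] if a.lower().endswith(DANGEROUS_EXTENSIONS)]
    return "executable attachment: " + ", ".join(bad) if bad else None


RULES = (rule_lookalike_sender, rule_urgency_language,
         rule_untrusted_links, rule_dangerous_attachment)


def evaluate(raw):
    """Run every rule; quarantine on an executable attachment or two or more hits."""
    fields = extract_fields(raw)
    reasons = [r for r in (rule(fields) for rule in RULES) if r]
    hard_block = any(r.startswith("executable attachment") for r in reasons)
    verdict = "quarantine" if hard_block or len(reasons) >= 2 else "deliver"
    return {"verdict": verdict, "reasons": reasons, "sender": fields["sender"]}


if __name__ == "__main__":
    for name, raw in (("phish", PHISH_RAW), ("benign", BENIGN_RAW)):
        print(name, evaluate(raw))
```

Each rule returns a human-readable reason rather than a bare boolean, so the verdict the platform records also tells the analyst why a message was held; the two-hit threshold keeps a single external link from quarantining ordinary mail, while an executable attachment is a hard block on its own.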

Information Sharing Capabilities Also Key

Another essential feature of some cyber incident response platforms is the ability to share incident information with law enforcement and with cyber threat intelligence platforms, which improves an organization’s capability to defend against advanced persistent threats. For instance, if a platform supports a threat intelligence exchange standard such as STIX, you will be able to share and receive key information about current and past cyber security events, allowing you to adjust your cyber defense program as the methods, tactics and channels used by advanced persistent threat attackers change.

In short, staving off advanced persistent threats requires a comprehensive approach by cyber security professionals. It should be centered around the use of a cyber incident response platform capable of threat intelligence sharing and incoming email automation, two of the most effective tools for battling these types of sophisticated cyber attacks.

A Weekend in Incident Response #18: Sharing Threat Intelligence as One of the Crucial Components of a Strong Cyber Defense

In many respects, cyber crimes are similar to other, more traditional types of crime. Forensic investigation and analysis of the evidence recovered at the crime scene are among the aspects that cyber attacks have in common with other crimes. These are key components of a fast and effective resolution of a crime of any type, but they are especially important when it comes to cyber attacks. Being able to gather evidence and other data related to a cyber security event is crucial for detecting and preventing future incidents. Considering that government agencies, organizations, and businesses across many industries around the world are facing a growing threat of cyber attacks, sharing threat intelligence is becoming an increasingly important part of the global effort to tackle cyber crime.

Incident Response Platforms with Threat Intelligence Sharing Capabilities

Threat intelligence sharing is a major part of the broader cyber-security incident response process, and organizations are advised to pay special attention to it. Among other things, this means that when they start shopping around for a cyber incident response platform, it’s recommended that they look for a platform that can provide this capability, because trying to share cyber threat intelligence through other means can add an unwanted burden to their cyber-security teams and incur substantial costs.

Many cyber-incident response platforms support threat intelligence sharing tools and mechanisms, including TAXII, STIX, Splunk, QRadar, and ThreatConnect, providing a fast and simple method for sharing threat information among organizations.

These platforms allow you to notify other organizations, cyber threat analysts, threat sharing communities, and everyone else involved in cyber defense of every cyber security incident, sharing with them key information such as where a given attack came from, the attack patterns used, and possibly the identity of the attackers.
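The STIX exchange mentioned in the #26 post and the sharing mechanisms listed above both come down to producing and consuming a machine-readable bundle. The following added example (not code from this blog or from any of the named products, standard library only) shows both sides of that exchange in STIX 2.1 terms: the producer turns observables recovered during an incident into `indicator` objects wrapped in a `bundle`, and the consumer reads such a bundle back into a block list it can feed to its own controls. The email address, domain and URL are constructed for the example, not real indicators of compromise, and the helper names are this example's own.

```python
"""Producing and consuming STIX 2.1 indicators for threat intelligence sharing.

Added example, not the blog's or any platform's code; uses only the standard
library. The observable values below are constructed, not real IoCs.
"""
import json
import re
import uuid
from datetime import datetime, timezone

# STIX 2.1 equality pattern for the three observable types this example shares.
PATTERN_RE = re.compile(r"\[(email-addr|domain-name|url):value\s*=\s*'((?:\\'|[^'])*)'\]")

# Constructed timestamp used when a caller wants a reproducible bundle.
EXAMPLE_TIME = datetime(2024, 1, 2, 3, 4, 5, 678000, tzinfo=timezone.utc)


def stix_timestamp(dt):
    """STIX requires UTC, a 'Z' suffix and at most millisecond precision."""
    dt = dt.astimezone(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + "%03dZ" % (dt.microsecond // 1000)


def pattern_for(obs_type, value):
    """Build a STIX comparison pattern; backslashes and quotes in the value are escaped."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return "[%s:value = '%s']" % (obs_type, escaped)


def make_indicator(obs_type, value, name, created, confidence=None):
    """One STIX 2.1 Indicator SDO with the required common properties."""
    ind = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": "indicator--%s" % uuid.uuid4(),
        "created": created,
        "modified": created,
        "name": name,
        "indicator_types": ["malicious-activity"],
        "pattern": pattern_for(obs_type, value),
        "pattern_type": "stix",
        "valid_from": created,
    }
    if confidence is not None:
        ind["confidence"] = confidence  # 0-100, STIX 2.1 common property
    return ind


def make_bundle(objects):
    return {"type": "bundle", "id": "bundle--%s" % uuid.uuid4(), "objects": objects}


def share_from_incident(observables, when=None):
    """Producer side: turn (type, value) pairs from an incident into a bundle dict."""
    created = stix_timestamp(when or datetime.now(timezone.utc))
    objects = [make_indicator(t, v, "Phishing campaign: %s %s" % (t, v), created, 80)
               for t, v in observables]
    return make_bundle(objects)


def blocklist_from_bundle(bundle):
    """Consumer side: pull simple equality indicators out of a received bundle.

    Accepts either the JSON text received over the wire or an already-parsed dict.
    """
    if isinstance(bundle, str):
        bundle = json.loads(bundle)
    out = {"email-addr": [], "domain-name": [], "url": []}
    for obj in bundle.get("objects", []):
        if obj.get("type") != "indicator" or obj.get("pattern_type") != "stix":
            continue
        m = PATTERN_RE.fullmatch(obj.get("pattern", ""))
        if m:
            out[m.group(1)].append(re.sub(r"\\(.)", r"\1", m.group(2)))
    return out


# Constructed observables from a hypothetical phishing incident.
INCIDENT_OBSERVABLES = [
    ("email-addr", "helpdesk@example-corp-support.com"),
    ("domain-name", "example-corp-support.com"),
    ("url", "http://example-corp-support.com/login"),
]

if __name__ == "__main__":
    shared = json.dumps(share_from_incident(INCIDENT_OBSERVABLES), indent=2)
    print(shared)
    print(blocklist_from_bundle(shared))
```

The consumer deliberately ignores anything that is not a plain equality pattern it understands, which is the safe default when a received bundle may carry richer patterns or object types than your tooling can act on.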

Sharing Threat Intelligence Increases Response Plan Effectiveness

Sharing intelligence often proves to be crucial to resolving cyber incidents as fast as possible and containing the damage after an incident occurs. It can also help predict and detect future incidents, allowing organizations to prepare and adjust their cyber defense accordingly and take appropriate actions to mitigate the potential risks.

Ultimately, sharing threat intelligence can help lead to the development of more advanced incident response platforms and the creation of more effective response plans, further deterring cyber attackers and preventing breaches.

A Weekend in Incident Response #17: Enhancing Your Cyber Security Efforts Through a Layered Approach

People working in cyber security nowadays face numerous challenges on a regular basis, from dealing with advanced threats and managing third-party risk to ensuring regulatory compliance, which is becoming increasingly difficult in light of the growing number of regulations and mandates introduced by governments across the globe. With so many aspects to consider, cyber security professionals sometimes have trouble focusing on cyber incident response and recovery. That is why organizations should consider enhancing their cyber security efforts through a layered approach, which would allow them to detect incidents, manage risks, and quickly respond to different types of cyber security events.

Involvement of C-Level Managers, System Administrators, and Cybersecurity Teams

In order to be effective, the layered cyber security approach needs to include an organization’s C-level management, system administrators, and cyber security teams. For starters, the users of your computer networks and systems should alert your company’s system administrators to any technical problems and suspicious behavior within your systems as soon as they detect them. To that end, all members of your organization who use your information systems should go through some form of cyber security awareness training, so that they can recognize when something is wrong and notify your cyber security incident response team in a timely manner.

The next layer of defense is centered around the duties and activities of an organization’s cyber security incident response team. They need to be able to recover from any cyber security event and gather threat intelligence to prevent future incidents.

On top of that, cyber security teams need to take actions to ensure regulatory compliance, and that puts them under additional strain and might take their focus away from incident response and recovery.

Combining Human Resources and Automation for a Deeper Defense

Keeping in mind that cyber security teams have a lot on their plates, as they are tasked with so many duties, they could use an automated cyber incident response platform to make their lives easier. More specifically, they need a platform that combines human resources and automation in order to implement the layered security approach successfully. These types of platforms allow organizations to utilize both the expertise of cyber security professionals and the accuracy and efficiency of incident response software.

By using a platform with automation and orchestration capabilities, cyber security teams will have the intelligence they need to resolve an incident and take the necessary measures to prevent future incidents. Such platforms help reduce a CSIRT’s reaction time by conducting the forensic investigation and tracking digital evidence during an incident. They provide essential information, along with pre-defined workflows, to help organizations work out how to resolve an incident as quickly and as effectively as possible and protect their most valuable assets.