Threats are constantly evolving, and new threats emerge daily. Minimizing risk and the cost associated with security incidents means making rapid decisions based on up-to-date and accurate information. Actionable threat intelligence can play a critical role in a proactive security program, as well as in conducting efficient and effective incident response. Making incident response decisions based on incomplete or inaccurate intelligence can result in an incomplete or delayed response, residual risk and increased loss due to downtime, response cost, and fines.
Many security programs today experience challenges around gaining actionable and accurate threat intelligence and are looking for solutions to overcome these two key problems:
- How can I enrich incident indicators with actionable threat intelligence to make more informed decisions during the incident response process?
- How can I proactively gather threat intelligence data to ensure that my security team stays up to date on the latest threats and ongoing trends?
In this blog, we will briefly discuss how a security program can automate the collection of actionable threat intelligence from IBM experts by using IBM X-Force Exchange through its integration with DFLabs IncMan.
The DFLabs and IBM X-Force Exchange Solution
IBM X-Force Exchange is a cloud-based threat intelligence platform that allows security teams to consume, share and act on threat intelligence. It enables analysts to rapidly research the latest global security threats, aggregate actionable intelligence, consult with experts and collaborate with peers. IBM X-Force Exchange, supported by human- and machine-generated intelligence, leverages the scale of IBM X-Force to help users stay ahead of emerging threats.
DFLabs IncMan SOAR platform and IBM X-Force Exchange bring actionable threat intelligence sourced from the experts at IBM as well as industry peers, together with the automation and orchestration power of IncMan to deliver industry-leading incident response capabilities. Together, these solutions allow joint customers to make better, more informed automated and manual decisions, reducing the risk posed by security incidents.
Enriching incident indicators with actionable threat intelligence enables enterprises to reduce incident resolution times, maximize security analyst efficiency, and increase the number of incidents handled.
Use Case in Action
An alert based on an internal host communicating with a potentially malicious URL has automatically generated an Incident within IncMan. This alert is automatically categorized as a Malicious Communication incident within IncMan based on the organization’s policies, which initiates the organization’s Malicious Communication runbook, shown below:
This runbook begins by utilizing several IBM X-Force Exchange integration actions to enrich the alert information, in this case, the potentially malicious domain. First, a WHOIS lookup of the domain is performed using IBM X-Force Exchange. Next, any threat intelligence regarding this URL is retrieved from IBM X-Force Exchange using the URL Reputation action.
After gathering intelligence on the initially reported URL, the runbook pivots outward and performs a DNS record search through IBM X-Force Exchange. For each DNS record returned, the runbook performs a WHOIS lookup on the IP address, followed by a threat intelligence search on the IP address through IBM X-Force Exchange.
Once all available threat intelligence has been retrieved from IBM X-Force Exchange, the runbook reaches an automated decision point. In this case, the runbook examines the threat intelligence for any threat score meeting a certain threshold. If this threshold is met, IncMan will automatically send a notification to the security team, then automatically update the incident type to that of a confirmed security incident. Following this notification and incident update, the security analyst will be prompted to determine whether or not automated containment actions are appropriate.
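The enrichment steps and the automated decision point described above, written out as an added example (not DFLabs IncMan or IBM code). The IBM X-Force Exchange actions (WHOIS, URL Reputation, DNS records, IP reputation) are replaced by an in-memory lookup table so the logic runs offline; the scores, hostnames and addresses are constructed, and the 1-10 score scale and threshold of 7 are assumptions, not values stated on the page.

```python
"""Added example: enrichment pipeline and threshold decision of a
Malicious Communication runbook, with threat-intel lookups stubbed
by a constructed in-memory table (not IncMan or X-Force code)."""
from dataclasses import dataclass, field

# Constructed sample intel standing in for X-Force Exchange responses.
# Scores are assumed to be on a 1-10 risk scale (an assumption); the
# hostnames and addresses are documentation/test-reserved values.
SAMPLE_INTEL = {
    "whois": {
        "bad.example.test": {"registrar": "Example Registrar", "created": "2024-01-03"},
        "203.0.113.10": {"org": "Example Hosting"},
        "203.0.113.11": {"org": "Example Hosting"},
    },
    "url_reputation": {"bad.example.test": {"score": 4, "cats": ["Phishing"]}},
    "dns": {"bad.example.test": ["203.0.113.10", "203.0.113.11"]},
    "ip_reputation": {
        "203.0.113.10": {"score": 8, "cats": ["Malware"]},
        "203.0.113.11": {"score": 2, "cats": []},
    },
}


@dataclass
class Enrichment:
    """Everything the runbook gathered about one reported domain."""
    domain: str
    whois: dict = field(default_factory=dict)
    url_reputation: dict = field(default_factory=dict)
    resolved_ips: list = field(default_factory=list)
    ip_whois: dict = field(default_factory=dict)
    ip_reputation: dict = field(default_factory=dict)

    def threat_scores(self):
        """All threat scores gathered, keyed by the indicator they belong to."""
        scores = {}
        if "score" in self.url_reputation:
            scores[self.domain] = self.url_reputation["score"]
        for ip, rep in self.ip_reputation.items():
            if "score" in rep:
                scores[ip] = rep["score"]
        return scores


def enrich_domain(domain, intel):
    """Runbook steps: WHOIS and reputation of the domain, then pivot to each
    resolved IP address for its own WHOIS and reputation lookups."""
    e = Enrichment(domain=domain)
    e.whois = intel["whois"].get(domain, {})
    e.url_reputation = intel["url_reputation"].get(domain, {})
    e.resolved_ips = intel["dns"].get(domain, [])
    for ip in e.resolved_ips:
        e.ip_whois[ip] = intel["whois"].get(ip, {})
        e.ip_reputation[ip] = intel["ip_reputation"].get(ip, {})
    return e


def decide(enrichment, threshold):
    """Automated decision point: if any gathered score meets the threshold,
    notify the team, reclassify the incident and hand containment to the analyst."""
    hits = {k: v for k, v in enrichment.threat_scores().items() if v >= threshold}
    if not hits:
        return {"escalate": False, "matched_indicators": [], "actions": []}
    return {
        "escalate": True,
        "matched_indicators": sorted(hits),
        "actions": [
            "notify_security_team",
            "set_incident_type:Confirmed Security Incident",
            "prompt_analyst:containment",
        ],
    }


def run_runbook(domain, intel, threshold=7):
    """Run enrichment followed by the decision; threshold is an assumed policy value."""
    return decide(enrich_domain(domain, intel), threshold)


if __name__ == "__main__":
    print(run_runbook("bad.example.test", SAMPLE_INTEL))
```

Note that the decision looks at every score the pivot produced, not only the originally reported URL: here the domain itself scores below the threshold while one of its resolved addresses is what triggers escalation, which is the value of the outward pivot the text describes.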
By using DFLabs IncMan R3 Rapid Response Runbooks to automate the collection of actionable threat intelligence from the experts at IBM, as well as from industry peers through IBM X-Force Exchange, security teams can enrich indicators and gather additional intelligence to make faster, more informed decisions when time is of the essence.
If you would like to see a more in-depth demo of this use case in action, or other use cases within IncMan, please get in touch.
Faced with a growing threat landscape, a shortage of skilled cyber security professionals, and non-technical employees who lack awareness of cyber security best practices, to name a few, CISOs are continuously confronted with a number of existing and new challenges. To mitigate some of these challenges by eliminating security threats and minimizing security gaps, they must make some critical strategic decisions within their organizations.
Even though we are only at the beginning of April, 2018 is already proving to be a year of increasing cyber incidents, with security threats spanning a range of industry sectors and impacting the private and public sectors alike. We have seen many data breaches, including Uber, Facebook and Experian, that have made it clear that no organization, not even the corporate giants, is safe from these cyber threats and attacks. We are now also seeing newly evolving threats affecting the latest popular smart devices, including products such as Alexa and Google Home. New technology that has not been fully tested, or security vulnerabilities from IoT devices being brought into the workplace, now bring additional concerns for CISOs and their security teams as they try to proactively defend and protect their corporate networks.
The problem seems simple to identify: corporate policies are not being updated fast enough to keep up with dynamic changes and advancements in technology, or to cope with the increasing sophistication of threats. Managing the problem is considerably harder. It leaves CISOs having to enforce policies that still need to be written, while conquering internal corporate bureaucracy to get them created, modified or updated. This is just one challenge. Let’s now discuss a few more, and some suggested actions to manage them.
How CISOs Can Overcome Their Challenges
CISOs in international corporations need to focus on global compliance and regulations to comply with a range of privacy laws, including the upcoming European Union General Data Protection Regulation (GDPR). This new regulation, due to come into force on May 25th, 2018, has set the stage for the protection of consumer data privacy, and in time we expect to see other regulations closely follow suit. International companies that hold EU personally identifiable information inside or outside of the EU will need to abide by the regulation and establish a formalized incident response procedure, implement an internal breach notification process, communicate a personal data breach to the data subject without delay, and notify the Supervisory Authority within 72 hours, regardless of where the breach occurred. Organizations need to report all breaches and inform their affected customers, or face fines of up to 20 million Euros or four percent of annual turnover (whichever is higher). A new law called the Data Security and Breach Notification Act is also being worked on presently by the U.S. Senate to promote this protection for affected customers. This new legislation will impose up to a five-year prison sentence on any individual who conceals a new data breach without notifying the customers that have been impacted.
So how can CISOs proactively stay ahead of the growing number of cyber security threats, notify affected customers as soon as possible and respond within 72 hours of a breach? The key is to carry out security risk assessments, implement the necessary procedures, and utilize tools that can help facilitate Security Orchestration, Automation and Response (SOAR), such as the IncMan SOAR platform from DFLabs. IncMan can automate and prioritize incident response and the related enrichment and containment tasks, distribute appropriate notifications and implement an incident response plan in case of a potential data breach. IncMan handles different stages of the incident response and breach notification process, including advanced reporting capabilities with appropriate metrics and the ability to gather or share intelligence with third parties. This timely collection of enriched threat intelligence helps expedite incident response and contributes to better management of the corporate landscape.
The Need to Harden New Technology Policies
Endpoint protection has also become a heightened concern for security departments in recent months, with an increasing number of organizations facing multiple ransomware and zero-day attacks. New technologies used by employees within the organization but not covered by corporate policies, such as Bring Your Own Device (BYOD) and the Internet of Things (IoT), have brought new challenges to the CISO’s threat landscape. One example, as mentioned earlier, is gadgets such as Alexa or Google Home, which users bring into the office and connect to the corporate Wi-Fi or network without prior approval. Once connected to the network, they can immediately introduce vulnerabilities and access gaps that can be easily exploited by attackers.
Devices that are not managed under corporate policies need to be restricted to a guest network from which vulnerabilities cannot be exploited, and should not be allowed to use the Wi-Fi Protected Access (WPA) corporate network. CISOs need to ensure that stricter corporate policies are implemented to restrict and manage new technologies, and should utilize tools such as an Endpoint Protection Platform (EPP) or Next-Generation Anti-Virus (NGAV) solution to help prevent malware from executing when it is found on a user machine. NGAV tools can learn the behaviors of endpoint devices and query a signature database of vaccines for exploits and other malware in real time, helping to expedite containment and remediation and minimize threats.
Maximizing Resources With Technology as a Solution
With the significant increase in the number and sophistication of potential cyber security threats and security alerts, combined with a shortage of cyber security staff with the required skill set and knowledge, CISOs are under even more pressure to protect their organizations and ask themselves questions such as: How do I effectively investigate incidents coming in from so many data points? How can I quickly prioritize the incidents that present the greatest threat to my organization? How can I reduce the time necessary to resolve an incident and give staff more time for hunting emerging threats?
They will need to assess their current organizational security landscape and available resources, while assessing their skill level and maturity. Depending on the company size it may even make business sense to outsource some aspects, for example by hiring a Managed Security Service Provider (MSSP) to manage alert monitoring, threat detection and incident response. CISOs should also evaluate the range of tools available to them and decide whether they can benefit from utilizing Security Orchestration, Automation and Response (SOAR) technology to increase the efficiency and effectiveness of their security program within their current structure.
Security Infrastructure and Employee Training Are Paramount
In summary, CISOs will be faced with increasingly advanced challenges and growing threats, and these are only set to continue over the coming months. They should ensure that their security infrastructures follow established frameworks such as NIST, ISO, SANS and PCI DSS, as well as best practices for application security, cloud computing and encryption.
They should prepare to resource their security teams with adequate technology and tools to respond to threats and alerts and to minimize their impact as far as feasibly possible, with set policies and procedures in place. To enforce security best practices across all departments of the company, it is important that security decisions are fully understood and supported by the leadership team as well as human resources, with a range of corporate policies to meet the challenges of ever-changing technologies.
CISOs need to promote security best practices, corporate policies, industry laws, regulations and compliance by educating and training relevant stakeholders, starting with employees. The use of workshops, seminars, websites, banners, posters and training in all areas of the company will heighten people’s awareness of threats and exploits and increase their knowledge, while also teaching them the best way to respond, or to raise the alarm, if there is a potential threat. The initial investment in education and training may be a burden on time and resources, but in the long run it will prove beneficial and could prevent the company from experiencing a serious threat or a penalty for non-compliance.
Completing a full analysis of current resources, skill sets, and security tools and platforms will all play a part in deciding whether in-house or outsourced security operations is the best approach. Whichever is chosen, the benefits of using SOAR technology should not be overlooked: it leverages existing security products to dramatically reduce the response and remediation gap caused by limited resources and the increasing volume of threats and incidents, and it assists with important breach notification requirements.
The cyber security industry today offers a wide variety of solutions aiming to mitigate attacks that are becoming more common and more sophisticated, making it increasingly difficult to detect, manage and respond to breaches as effectively and efficiently as possible. But the fact that there is no shortage of potential solutions to choose from doesn’t make the challenge of dealing with overwhelmingly frequent and complex attacks any less grueling. In fact, it can make the task that much more daunting: the vast pool of tools and platforms available makes it difficult for CISOs to decide which solutions to adopt, considering that there is rarely one that addresses all the different security elements required as well as specific organizational needs such as affordability and ease of implementation and management.
With that in mind, it’s safe to say that a solution capable of covering as many angles of the cybersecurity spectrum as possible would serve organizations facing data breaches on a regular basis well. It’s exactly that ability to cover multiple aspects of an organization’s cybersecurity defense that makes DFLabs’ IncMan stand out from the crowd, and one of the factors that helped it achieve two highly coveted awards at the latest edition of the prestigious GSN Homeland Security Awards.
Holistic Approach to Incident Management and Response
The two platinum awards received by DFLabs were in the Best Continuous Monitoring & Mitigation, and Best Cyber Operational Risk Intelligence Solution categories, respectively. This highlights IncMan’s versatility and ability to save valuable time when responding to an incident and when helping to detect and prevent future attacks.
Computer Security Incident Response Teams (CSIRTs) can benefit immensely from features such as automated collection of threat intelligence, triage, threat containment, as well as processes that help make threat hunting and investigation more efficient. With these types of functionalities, platforms like IncMan help cut incident resolution times drastically and improve the effectiveness of CSIRTs, significantly increasing their incident handling capacity.
The capabilities IncMan boasts are in large part a result of the law enforcement and intelligence background of the people involved in creating the platform. These experiences have allowed them to better understand the challenges security teams face when trying to resolve an incident, and to address their needs in dealing with a continuously increasing number of alerts, underlining the necessity of automating certain tasks and adopting an orchestrated approach to incident response. As the nature of cyber security attacks continues to evolve, so do the sophistication and capabilities of the platform, to ensure organizations always remain one step ahead.
Advanced persistent threats (APTs) have become a particularly common type of cyber attack used by cyber criminals and state-sponsored actors looking to gain continuous access to government and private organizations’ networks. These attacks are extremely difficult to defend against, due to their sophistication and precise targeting which helps successfully circumvent cyber defenses and maintain access to an organization’s network undetected for prolonged periods of time.
The severity of the damage caused by advanced persistent threats, and the costs associated with them, will continue to rise. Organizations would be wise to invest more financial and human resources in detecting, preventing, and eradicating these attacks.
Incoming Email Automation
A fast reaction time and the ability to diagnose a cyber threat correctly as quickly as possible is key to resolving cyber incidents and containing the potential damage that can arise from them. To that end, organizations need to automate their cyber incident response processes, in order to accelerate the reaction of their cyber-security professionals and enable them to identify every threat and resolve every incident in a timely manner. An automation-and-orchestration cyber incident response platform is arguably the ideal solution for organizations that are potential targets of advanced persistent threats.
These platforms have a wide spectrum of features aimed at tackling advanced persistent threats, with incoming email automation being among the most effective. Email parsing rules within cyber incident response platforms allow your cyber security team to detect intrusions and block potentially hazardous emails. Once such rules have been created, the platform can analyse incoming emails and scan specific parameters, including the subject, the body, and the sender address, to filter out those with malicious content, helping to prevent advanced persistent threat actors from gaining access to your network through phishing email messages.
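As an added example of the kind of email parsing rules the paragraph describes (this is illustrative code, not DFLabs IncMan rule syntax or code), the script below parses a raw message with the standard library, applies weighted rules to the sender address, subject and body, and returns a verdict together with the rules that fired. The rules, weights, block threshold, trusted domain `corp.example` and both sample messages are constructed for the example.

```python
"""Added example: rule-based triage of an incoming email on sender,
subject and body, returning a verdict and the rules that fired.
Not IncMan code; rules and samples are constructed."""
import email
import re
from email import policy
from email.utils import parseaddr
from urllib.parse import urlparse

TRUSTED_SENDER_DOMAIN = "corp.example"  # constructed organisation domain

URL_RE = re.compile(r"https?://[^\s<>\"']+")
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


def extract_urls(text):
    """Return every http(s) URL found in free text."""
    return URL_RE.findall(text)


def links_to_raw_ip(body):
    """True if any URL in the body uses a bare IPv4 address as its host."""
    return any(IPV4_RE.fullmatch(urlparse(u).hostname or "") for u in extract_urls(body))


# Constructed rules: (name, field, weight, predicate). Weights add up to a score.
RULES = [
    ("sender_not_trusted_domain", "from", 1,
     lambda addr: not addr.lower().endswith("@" + TRUSTED_SENDER_DOMAIN)),
    ("subject_urgency_lure", "subject", 1,
     lambda s: re.search(r"\b(urgent|verify your account|password expir)", s, re.I) is not None),
    ("body_link_to_raw_ip", "body", 2, links_to_raw_ip),
]


def parse_fields(raw_message):
    """Pull the three fields the rules inspect out of an RFC 5322 message."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    body_part = msg.get_body(preferencelist=("plain", "html"))
    body = body_part.get_content() if body_part is not None else ""
    return {
        "from": parseaddr(str(msg["From"] or ""))[1],
        "subject": str(msg["Subject"] or ""),
        "body": body,
    }


def evaluate(raw_message, rules=RULES, block_at=3):
    """Apply every rule; block at or above block_at, review if anything fired."""
    fields = parse_fields(raw_message)
    fired = [name for name, field, _, pred in rules if pred(fields[field])]
    score = sum(w for name, _, w, _ in rules if name in fired)
    verdict = "block" if score >= block_at else ("review" if fired else "allow")
    return {"verdict": verdict, "score": score, "fired": fired, "sender": fields["from"]}


# Constructed sample messages (test-reserved names and addresses).
PHISH_SAMPLE = """\
From: "IT Support" <helpdesk@corp-example-login.test>
To: alice@corp.example
Subject: URGENT: verify your account within 24 hours
Content-Type: text/plain; charset="utf-8"

Your mailbox will be disabled. Sign in now at http://203.0.113.55/owa/login to keep access.
"""

BENIGN_SAMPLE = """\
From: bob@corp.example
To: alice@corp.example
Subject: Lunch on Thursday
Content-Type: text/plain; charset="utf-8"

See you at noon in the usual place.
"""

if __name__ == "__main__":
    for sample in (PHISH_SAMPLE, BENIGN_SAMPLE):
        print(evaluate(sample))
```

The weights make the design point: a single weak signal (an external sender) only marks the message for review, while the combination of a lure in the subject and a link to a bare IP address is enough to block it, so the rule set expresses the organisation's policy rather than a fixed keyword list.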
Information Sharing Capabilities Also Key
Another essential feature of some cyber incident response platforms is the ability to share incident information with law enforcement and with cyber threat intelligence platforms, improving an organization’s capability to defend against advanced persistent threats. For instance, if a platform supports threat intelligence exchange standards such as STIX, you will be able to share and receive key information related to current and past cyber security events, allowing you to adjust your cyber defense program based on the changing methods, tactics and channels used by advanced persistent threat attackers.
In short, staving off advanced persistent threats requires a comprehensive approach by cyber security professionals. It should be centered around the use of a cyber incident response platform capable of threat intelligence sharing and incoming email automation, which are among the most effective tools for battling these types of sophisticated cyber attacks.
In many respects, cyber crimes are similar to other, more traditional types of crime. Forensic investigation and analysis of the evidence recovered at the crime scene are among the aspects cyber attacks have in common with other crimes. These are key components of a fast and effective resolution of a crime of any type, but they are especially important when it comes to cyber attacks. Being able to gather evidence and related data about a cyber security event is crucial for detecting and preventing future incidents. Considering that government agencies, organizations, and businesses across many industries around the world are facing a growing threat of cyber attacks, sharing threat intelligence is becoming an increasingly important part of the global effort to tackle cyber crime.
Incident Response Platforms with Threat Intelligence Sharing Capabilities
Threat intelligence sharing is a major part of the broader cyber security incident response process, and organizations are advised to pay special attention to it. Among other things, this means that when they start shopping around for a cyber incident response platform, they should look for one that provides this capability, because trying to share cyber threat intelligence through other means can add an unwanted burden to their cyber security teams and incur substantial costs.
There are a lot of cyber-incident response platforms that support various threat intelligence sharing tools and mechanisms, including TAXII, STIX, Splunk, QRadar, and ThreatConnect, presenting a fast and simple method for sharing threat information among organizations.
These types of platforms allow you to notify other organizations, cyber threat analysts, threat sharing communities, and everyone involved in cyber defense of every cyber security incident, sharing with them very important information such as where a given attack came from, attack patterns, and possibly the identity of the attackers.
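STIX is named above and in the earlier post as the format for exchanging this kind of incident information. As an added example (not DFLabs IncMan code, and not using any particular platform's API), the script below packages the indicators of a resolved incident as a STIX 2.1 bundle using only the Python standard library: an identity object for the sharing organisation, one indicator object per observable, and the bundle that carries them. The organisation name, indicator values and confidence levels are constructed; the observable-to-pattern mapping follows the STIX 2.1 patterning grammar.

```python
"""Added example: build a STIX 2.1 bundle of indicators for sharing.
Stdlib only; not IncMan code. Sharing identity and indicator values are
constructed (test-reserved names and addresses)."""
import json
import uuid
from datetime import datetime, timezone

# STIX cyber-observable property used in the pattern for each indicator kind.
PATTERN_PROPERTY = {
    "ipv4": "ipv4-addr:value",
    "domain": "domain-name:value",
    "url": "url:value",
    "sha256": "file:hashes.'SHA-256'",
}


def stix_id(obj_type):
    """STIX identifiers are '<type>--<UUID>'."""
    return f"{obj_type}--{uuid.uuid4()}"


def now_timestamp():
    """RFC 3339 UTC timestamp with millisecond precision and a 'Z' suffix."""
    return datetime.now(timezone.utc).isoformat(timespec="milliseconds").replace("+00:00", "Z")


def build_pattern(ioc_type, value):
    """Comparison expression for one observable; quotes and backslashes are
    escaped as STIX patterning requires."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return f"[{PATTERN_PROPERTY[ioc_type]} = '{escaped}']"


def make_identity(name):
    ts = now_timestamp()
    return {
        "type": "identity", "spec_version": "2.1", "id": stix_id("identity"),
        "created": ts, "modified": ts, "name": name, "identity_class": "organization",
    }


def make_indicator(ioc_type, value, created_by_ref, description, confidence):
    """One indicator SDO; valid_from is required by the spec, indicator_types
    is the open vocabulary value for observed malicious activity."""
    ts = now_timestamp()
    return {
        "type": "indicator", "spec_version": "2.1", "id": stix_id("indicator"),
        "created": ts, "modified": ts, "created_by_ref": created_by_ref,
        "name": f"{ioc_type}: {value}", "description": description,
        "indicator_types": ["malicious-activity"],
        "pattern": build_pattern(ioc_type, value), "pattern_type": "stix",
        "valid_from": ts, "confidence": confidence,
    }


def build_bundle(identity, indicators):
    """A bundle has no spec_version of its own; each object carries one."""
    return {"type": "bundle", "id": stix_id("bundle"), "objects": [identity, *indicators]}


def build_sample_bundle():
    """Package the constructed indicators of a hypothetical resolved incident."""
    org = make_identity("Example Corp CSIRT")  # constructed sharing identity
    observed = [  # constructed observables, not real IoCs
        ("domain", "bad.example.test", "Phishing landing page domain", 85),
        ("ipv4", "203.0.113.10", "Hosting address of the phishing page", 70),
        ("url", "http://bad.example.test/owa/login", "Credential-harvesting URL", 90),
    ]
    indicators = [make_indicator(t, v, org["id"], d, c) for t, v, d, c in observed]
    return build_bundle(org, indicators)


if __name__ == "__main__":
    print(json.dumps(build_sample_bundle(), indent=2))
```

Emitting the bundle as JSON is the step that makes it consumable by any STIX-aware recipient, whether a TAXII server, a threat intelligence platform or a partner CSIRT; the `created_by_ref` on each indicator is what lets recipients attribute the information back to the sharing organisation rather than to an anonymous feed.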
Sharing Threat Intelligence Increases Response Plan Effectiveness
Sharing intelligence often proves to be crucial to resolving cyber incidents as fast as possible and containing the damage after an incident occurs. It can also help predict and detect future incidents, allowing organizations to prepare and adjust their cyber defense accordingly and take appropriate actions to mitigate the potential risks.
Ultimately, sharing threat intelligence can help lead to the development of more advanced incident response platforms and the creation of more effective response plans, further deterring cyber attackers and preventing breaches.
People working in cyber security nowadays face numerous challenges on a regular basis, from dealing with advanced threats, through managing third-party risk, to ensuring regulatory compliance, which is becoming an increasingly difficult challenge in light of the growing regulations and mandates introduced by governments across the globe. With so many aspects to consider, cyber security professionals sometimes have trouble focusing on cyber incident response and recovery. That is why organizations should consider enhancing their cyber security efforts through a layered approach, which would allow them to detect incidents, manage risks, and quickly respond to different types of cyber security events.
Involvement of C-Level Managers, System Administrators, and Cybersecurity Teams
In order to be effective, the layered cyber security approach needs to include an organization’s C-level management, system administrators, and cyber security teams. For starters, the users of your computer networks and systems should alert your company’s system administrators to any technical problems and suspicious behaviors within your systems as soon as they detect them. To that end, all members of your organization who use your information systems should go through some form of cyber security awareness training, so that they can recognize when something is wrong and notify your cyber security incident response team in a timely manner.
The next layer of defense is centered around the duties and activities of an organization’s cyber security incident response team. They need to be able to recover from any cyber security event and gather threat intelligence to prevent future incidents.
On top of that, cyber security teams need to take actions to ensure regulatory compliance, and that puts them under additional strain and might take their focus away from incident response and recovery.
Combining Human Resources and Automation for a Deeper Defense
Keeping in mind that cyber security teams have a lot on their plates, as they are tasked with so many duties, they could use an automated cyber incident response platform to make their lives easier. More specifically, they need a platform that combines human resources and automation in order to implement the layered security approach successfully. These types of platforms allow organizations to utilize both the expertise of cyber security professionals and the accuracy and efficiency of incident response software.
By using a platform with automation and orchestration capabilities, cyber security teams will have the intelligence that helps them resolve an incident and take the necessary measures to prevent future incidents. Such platforms help reduce CSIRTs’ reaction time by conducting the forensic investigation and tracking digital evidence during an incident, providing essential information, along with pre-defined workflows, to help organizations work out how to resolve an incident as quickly and effectively as possible and protect their most valuable assets.