Slaying the Hydra – Incident Response and Advanced Targeted Attacks

In incident response, protecting against a targeted attack is like slaying the hydra. For those not familiar with what a hydra is, it is a multi-headed serpent from Greek mythology, that grows two new heads for every head you chop off. A determined attacker will try again and again until they succeed, targeting different attack vectors and using a variety of tactics, techniques, and procedures.

The Snowden and Shadow Brokers leaks really drove this home, giving partial insight into the toolkit of nation state actors. What really stuck out to me was the sheer variety of utilities, frameworks, and techniques used to infiltrate and gain persistence in a target. Without the leak, would it have been possible to reliably determine that all of those hacking tools belonged to a single entity? Would a large organization with thousands of alerts and hundreds of incidents every day be able to identify that these different attacks belonged to a single, concerted effort to breach its defenses, or would it conclude that they were all separate, unrelated attempts?

Our colleagues in the Threat Intelligence and Forensic analysis industries have a much better chance of correlating these tools and their footprint in the wild – they may discover, for example, that some of these tools share command and control infrastructure. A few did have at least an outline of the threat actor, but judging by the spate of advisories and reports released after the leaks, not very many appear to have achieved this to any great degree. The majority were only able to piece the puzzle together once equipped with a concise list of Indicators of Compromise (IoCs) and TTPs to begin hunting with.


Some readers may now be thinking, “How does this affect me? We are not important enough to attract the attention of a nation state actor”. I would urge caution in placing too much faith in that belief.

On the one hand, for businesses in some countries the risk of economic espionage by nation state hacking has decreased. As I wrote on Securityweek in July, China has signed agreements with the USA, Canada, Australia, Germany and the UK limiting hacking for the purpose of stealing trade secrets and economic espionage. However, this does not affect hacking for national security purposes, and it will have little impact on privately conducted hacking. These are also bilateral agreements, and none exist with other nations, for example Russia or North Korea. For militarily and economically weaker nation states, offensive cyber security is a cheap, asymmetric method of gaining a competitive or strategic advantage. As we have seen, offensive cyber activity can target civilian entities for political rather than economic reasons, and hackers are increasingly targeting the weakest link in the supply chain. This means that the probability of being targeted today depends more on your customer, partner, and supply chain network than on what your organization itself does. Security through obscurity has never been a true replacement for actual security, but it has lost its effectiveness as targeted attacks have moved beyond only the most prominent and obvious victims. It has become much easier to suffer collateral damage.

Cyber criminals are becoming more organized and professional

On the other hand, cyber criminals are becoming more organized and professional, with individual threat actors selling their services to a wide customer base. A single small group of hackers like LulzSec may have a limited toolbox and selection of TTPs, but professional cybercrime groups have access to numerous hackers, supporting services and purpose-built solutions. If they are targeting an organization directly, and are persistent rather than opportunistic, it will be just as difficult to discern that a single concerted attack by one determined threat actor is taking place.

What this means in practice for any organization that may become the target of a sophisticated threat actor is that you have to be on constant alert. Identifying, responding to and containing a threat is not a process to be stepped through to a final resolution step – instead, cyber security incident response is an ongoing, continuous and cyclical process. Advanced and persistent attacks unfold in stages and waves and, like a war, consist of a series of skirmishes and battles that continue until one side loses the will to carry on the conflict or succeeds in its objectives. Like trying to slay the hydra, each incident that you resolve means that the attacker will change their approach and that the next attempt may be more difficult to spot. Two new heads have grown instead of one.


To tackle this requires that we cultivate a perpetual state of alertness in our SOC and CSIRT – but we must do this without creating a perpetual state of alarm. The former means that your team of analysts is always aware and alert, looking at individual incidents as potentially just one hostile act of many that together could constitute a concerted effort to exfiltrate your most valuable data, disrupt your operational capacity, or abuse your organization to do this to your partners or customers. In the latter case, your analysts will suffer from alert fatigue, a lack of true visibility of threats, and a lack of energy and time to be able to see the bigger picture. The hydra will have too many heads to defeat.

In the Greek legend of Heracles, the titular hero eventually defeats the Hydra by cauterizing each decapitated stump with fire to prevent any new heads from forming. Treating an incident in isolation is the Security Incident Response equivalent of chopping off the head of the hydra without burning the stump. Applied to our problem, burning the stump means that we have to conduct the response to each incident thoroughly and effectively, and continue the process well beyond containment.

We must invest more time in hunting and investigating, and we have to correlate and analyze the relationships between disparate incidents. We must use threat intelligence more strategically to derive situational awareness, and not just tactically as a machine-readable list of IoCs. This also requires gathering sufficient forensic evidence and context data about an incident and the related assets and entities during the incident response process, so that we can conduct post-event analysis and continuous threat assessment after containment and mitigation have been carried out. This way we can better anticipate the level of threat that we are exposed to, and make more informed decisions about where to focus our resources, add mitigating controls and improve our defenses. In Incident Response, “burning the stump” means making it more difficult for threat actors to succeed in the future by presenting them with a hardened attack surface, reducing their dwell time in our infrastructure, and reducing the time we need to discover and contain them. To do this we need to learn from every incident we manage.
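The correlation step described above, as an added example that is not part of the original article: a small campaign-linking routine that groups closed incidents into candidate campaigns when they share strong indicators (C2 domain or IP, file hash) or at least two ATT&CK-style techniques, and then summarizes each campaign's span and mean time to contain. The incident records, indicator values and dates are constructed for illustration; the thresholds and the choice of "strong" indicator types are assumptions, not a standard.

```python
"""Link disparate incidents into candidate campaigns (constructed sample data)."""
from dataclasses import dataclass
from datetime import datetime
from typing import Dict, List, Optional, Set

# Indicator types where one shared value is enough to link two incidents (assumption).
STRONG_TYPES = {"c2_domain", "c2_ip", "sha256"}
# Technique overlap is weak evidence; require at least this many shared techniques (assumption).
MIN_SHARED_TTPS = 2


@dataclass
class Incident:
    incident_id: str
    opened: datetime
    contained: datetime
    indicators: Dict[str, Set[str]]  # indicator type -> values observed
    ttps: Set[str]                   # ATT&CK technique ids observed


# Constructed incidents: .invalid domains, a documentation-range IP and a dummy hash.
FAKE_HASH = "deadbeef" * 8
SAMPLE_INCIDENTS = [
    Incident("INC-1", datetime(2024, 1, 3), datetime(2024, 1, 5),
             {"c2_domain": {"update-cdn.invalid"}, "sha256": {FAKE_HASH}},
             {"T1566.001", "T1059.001"}),
    Incident("INC-2", datetime(2024, 1, 20), datetime(2024, 1, 22),
             {"c2_ip": {"203.0.113.7"}}, {"T1059.001", "T1547.001"}),
    Incident("INC-3", datetime(2024, 2, 2), datetime(2024, 2, 3),
             {"sha256": {FAKE_HASH}, "c2_ip": {"203.0.113.7"}}, {"T1547.001"}),
    Incident("INC-4", datetime(2024, 2, 10), datetime(2024, 2, 11),
             {"c2_domain": {"static-assets.invalid"}}, {"T1078"}),
    Incident("INC-5", datetime(2024, 2, 20), datetime(2024, 2, 24),
             {"c2_domain": {"mail-relay.invalid"}}, {"T1566.001", "T1059.001"}),
]


def link_reason(a: Incident, b: Incident) -> Optional[str]:
    """Return a human-readable reason to link two incidents, or None."""
    for itype in sorted(STRONG_TYPES):
        shared = a.indicators.get(itype, set()) & b.indicators.get(itype, set())
        if shared:
            return f"shared {itype}: {sorted(shared)}"
    shared_ttps = a.ttps & b.ttps
    if len(shared_ttps) >= MIN_SHARED_TTPS:
        return f"shared TTPs: {sorted(shared_ttps)}"
    return None


def cluster_incidents(incidents: List[Incident]) -> List[List[str]]:
    """Union-find over pairwise links; transitive links (A-B, B-C) join one campaign."""
    parent = {inc.incident_id: inc.incident_id for inc in incidents}

    def find(x: str) -> str:
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path compression
            x = parent[x]
        return x

    for i, a in enumerate(incidents):
        for b in incidents[i + 1:]:
            if link_reason(a, b):
                parent[find(a.incident_id)] = find(b.incident_id)
    groups: Dict[str, List[str]] = {}
    for inc in incidents:
        groups.setdefault(find(inc.incident_id), []).append(inc.incident_id)
    return sorted((sorted(g) for g in groups.values()), key=lambda g: g[0])


def campaign_summary(incidents: List[Incident], ids: List[str]) -> dict:
    """Span, mean time to contain and combined technique set for one campaign."""
    members = [i for i in incidents if i.incident_id in ids]
    first, last = min(i.opened for i in members), max(i.contained for i in members)
    return {
        "incidents": sorted(ids),
        "first_seen": first.date().isoformat(),
        "last_contained": last.date().isoformat(),
        "span_days": (last - first).days,
        "mean_time_to_contain_days": sum((i.contained - i.opened).days for i in members) / len(members),
        "ttps": sorted(set().union(*(i.ttps for i in members))),
    }


if __name__ == "__main__":
    for group in cluster_incidents(SAMPLE_INCIDENTS):
        print(campaign_summary(SAMPLE_INCIDENTS, group))
```

In the sample, INC-1 and INC-2 share only one technique and would look unrelated on their own; INC-3 bridges them through a hash and a C2 address, and INC-5 joins through technique overlap, so four of the five tickets fall into one campaign spanning 52 days. Tuning MIN_SHARED_TTPS is the trade-off between alertness and alarm: too low and everything becomes one campaign, too high and the bridge is lost.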


A Weekend in Incident Response #29: Doxing Incidents Emerging as an Increasingly Common Cyber Threat to Organizations

The WannaCry ransomware attack sent shockwaves through businesses and governments all around the globe by bringing day-to-day activities in hospitals, banks, telecommunication operators, and local and state agencies to a grinding halt. Undoubtedly, this attack put a big spotlight on ransomware, highlighting it as a powerful, dangerous, and potentially life-threatening attack methodology exploited by cyber criminals as a means for quickly making significant financial gain. Recently, however, another method has emerged as an increasingly common tool for cyber extortion, one that is expected to gain much more traction in the near future.

The emerging threat in question is doxing and involves attackers obtaining confidential, proprietary, sensitive, or private information via social media or hacking, and threatening to publicly share that information if ransom is not paid. There have been a few notable doxing events in recent years involving hacker attempts to extort large corporations, with Walt Disney Pictures emerging as the latest victim. In another high profile case involving cyber extortion, hackers are today threatening to release a stolen upcoming blockbuster film, in advance of its premiere, unless they receive a pirate-like ransom of bitcoins in return. With doxing becoming a go-to modus operandi for an increasing number of cyber criminals, organizations seeking to safeguard their proprietary information need to become more aware of the threat doxing represents and implement solutions to protect against these extortion attacks.

Improve the Ability to Identify Doxing Attacks Quickly

Beyond implementing layered preventative and detective security controls, efforts for defending against doxing attacks should include devising a proper cyber incident response plan, preferably one established within the framework of a cyber-security automation and orchestration platform. Through the adoption of such a platform, organizations would address the first and most important part of the process for tackling doxing threats – being prepared to quickly and effectively respond to the attack.

A cyber incident response platform provides organizations with automation and orchestration capabilities through integration with existing security infrastructure and structured response playbooks. This level of preparedness vastly improves their ability to detect, track, and recover from doxing attacks. By providing a consistent and repeatable response strategy, a better prepared organization can reduce or even completely avoid the potentially substantial and damaging impact of a successful extortion attempt.

This platform allows cyber-security teams to detect, predict, and track breaches in their organizations’ computer systems, and to respond quickly and inline by leveraging integrations with existing security infrastructure. The inline response reduces overall reaction times and allows for quick containment and eradication of the threat.

The platform dramatically accelerates the incident triage and response process to improve efficiency, and can even integrate with an organization’s forensic systems, allowing for fast and efficient gathering of digital evidence to help identify attackers and support subsequent law enforcement efforts.

By leveraging the full capabilities of a cyber-security automation and orchestration platform, organizations would be able to more quickly determine the scope and impact of extortion attacks, respond accordingly, and provide authorities with the information necessary to accelerate their investigation. Collectively, leveraging these capabilities would ensure an increased chance of resolving and recovering from the incident without succumbing to ransom demands.

A Weekend In Incident Response #4: How to Reduce the Noise of Cyber Threat Intelligence

Is Cyber Threat Intelligence Still Useful?

Information is invaluable to business in today’s world. But, in some cases, having large amounts of information coming your way can actually hurt your business. This holds true particularly for organizations that are constantly dealing with the risk of cyber attacks, for whom every piece of information that could help prevent those attacks can be of great use. This is where cyber threat intelligence comes in, as one of the crucial aspects of developing an effective cyber defense strategy.

But, with so many feeds from various sources at their disposal, determining which information is relevant and credible and distinguishing it from the data that is not essential in regard to a potential cyber threat has become a major challenge for many cyber security professionals. As a result, being able to reduce the noise coming from the flurry of threat intelligence is now key to creating successful security operations.

Overwhelming Amount of Cyber Threat Information

A new study recently conducted by Ponemon Institute LLC, and sponsored by Anomali, reveals that the amount of threat intelligence that cyber security professionals deal with is overwhelming, preventing them from tackling incidents more efficiently.

The study, titled The Value of Threat Intelligence: A Study of North American and United Kingdom Companies, surveyed more than 1,000 professionals from the cyber security industry, with 70 percent of them saying that threat intelligence is often “too voluminous and/or complex to provide actionable intelligence”. This is a figure that should raise a concern, considering that almost half of the respondents (46%) said that incident responders rely on threat data during the incident response process. Furthermore, according to the study, there is too much data to really make sense of if enterprises have a limited resource staff of security operations center analysts or threat analysts.

SIEM Integration Vs IR Orchestration

Cyber security experts agree that in order to use cyber threat intelligence data in an effective and productive way, there must be a SIEM integration in place. However, while 62% of those surveyed said they were aware of this necessity, as many as 64% of them stated that putting such an integration in place takes a lot of time and resources, making it a tough feat.

In my corporate experience, the companies that actually integrate SIEM with CTI are a minority. The main consequence of this lack of integration is that TI feeds cannot be put to use during an incident. But there is a new technology trend that addresses this exact problem. There are platforms capable of sitting on top of the SIEM and integrating multiple tools from different vendors, which is one of the biggest challenges that threat analysts face. This approach is usually taken during the incident triage phase; it is not intended as a SIEM replacement, but it can help SOCs and CSIRTs reduce reaction time and the related noise. Such platforms fit the Incident Response and SOC Orchestration space, featuring multiple integrations that are easy to use and configure, and are nowadays probably the only way to achieve near-real-time, cost-saving incident response, filling the gap that is created when data sources originate from different vendors. Such platforms support SIEM integration and could represent a great solution for all entities trying to build a successful and affordable cyber defense, by effectively reducing the noise of threat intelligence.
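The noise-reduction step that the "How to Reduce the Noise" section and the triage-time SIEM enrichment above both describe, as an added example that is neither the article's nor any vendor platform's code: several feeds of differing reliability are merged into one de-duplicated indicator set, each indicator is normalized (defanging removed, URLs reduced to their host), stale and self-referencing entries are dropped, corroboration across sources raises the score, and only events in the SIEM that touch an indicator above a threshold are raised for triage. Feed entries, reliability weights, the 30-day staleness window, the allowlist and the proxy log lines are all constructed for illustration.

```python
"""Merge, de-duplicate and score threat intelligence feeds, then match SIEM events (constructed data)."""
import ipaddress
from datetime import datetime
from typing import Dict, List, Tuple
from urllib.parse import urlparse

# Assumed per-source reliability (0..1); in practice derived from past true/false positive rates.
SOURCE_RELIABILITY = {"vendor_a": 0.9, "osint_blog": 0.5, "community_list": 0.3}
ALLOWLIST_DOMAINS = {"corp.example"}          # the organization's own domains (constructed)
MAX_AGE_DAYS = 30                             # sightings older than this are stale (assumption)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
NOW = datetime(2024, 3, 1)

# Constructed feed entries: (source, indicator as published, last-seen date).
# Defanged forms ("[.]", "hxxp") and a stale entry are included on purpose.
FEED_ENTRIES: List[Tuple[str, str, datetime]] = [
    ("vendor_a",       "198.51.100.23",                  datetime(2024, 2, 25)),
    ("community_list", "198[.]51[.]100[.]23",            datetime(2024, 2, 28)),
    ("osint_blog",     "hxxp://bad-cdn.invalid/payload", datetime(2024, 2, 20)),
    ("community_list", "corp.example",                   datetime(2024, 2, 28)),
    ("vendor_a",       "10.0.0.5",                       datetime(2024, 2, 29)),
    ("osint_blog",     "old-c2.invalid",                 datetime(2024, 1, 1)),
    ("community_list", "login-update.invalid",           datetime(2024, 2, 27)),
]

# Constructed proxy log lines in key=value form, as a SIEM might forward them.
PROXY_EVENTS = [
    "2024-03-01T09:12:03Z src=10.0.0.5 dst=198.51.100.23 host=-",
    "2024-03-01T09:15:41Z src=10.0.0.9 dst=192.0.2.10 host=bad-cdn.invalid",
    "2024-03-01T09:20:00Z src=10.0.0.9 dst=192.0.2.11 host=login-update.invalid",
    "2024-03-01T09:25:30Z src=10.0.0.5 dst=192.0.2.12 host=corp.example",
]


def normalize(raw: str) -> str:
    """Refang and reduce an indicator to a comparable host name or IP string."""
    value = raw.strip().lower().replace("[.]", ".").replace("(.)", ".")
    if value.startswith("hxxp"):
        value = "http" + value[4:]
    if value.startswith(("http://", "https://")):
        value = urlparse(value).hostname or value
    return value


def is_noise(value: str) -> bool:
    """Drop indicators that can only ever produce false positives in this environment."""
    if value in ALLOWLIST_DOMAINS or any(value.endswith("." + d) for d in ALLOWLIST_DOMAINS):
        return True
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    return any(ip in net for net in INTERNAL_NETS)


def score_feeds(entries: List[Tuple[str, str, datetime]], now: datetime = NOW) -> Dict[str, float]:
    """One scored entry per distinct indicator.

    Each sighting contributes p = reliability * recency (recency decays linearly to 0 at
    MAX_AGE_DAYS).  Independent sightings corroborate each other with a noisy-OR:
    score = 1 - prod(1 - p_i), so two weak sources together outrank either alone."""
    miss: Dict[str, float] = {}
    for source, raw, last_seen in entries:
        age = (now - last_seen).days
        value = normalize(raw)
        if age > MAX_AGE_DAYS or is_noise(value):
            continue
        p = SOURCE_RELIABILITY.get(source, 0.1) * (1 - age / MAX_AGE_DAYS)
        miss[value] = miss.get(value, 1.0) * (1 - p)
    return {value: round(1 - m, 3) for value, m in miss.items()}


def triage(events: List[str], scores: Dict[str, float], threshold: float = 0.3) -> List[Tuple[str, str, float]]:
    """Return (event, indicator, score) for events whose dst or host is a scored indicator above threshold."""
    hits = []
    for line in events:
        fields = dict(token.split("=", 1) for token in line.split()[1:])
        for key in ("dst", "host"):
            value = fields.get(key, "-")
            if scores.get(value, 0.0) >= threshold:
                hits.append((line, value, scores[value]))
    return hits


if __name__ == "__main__":
    scored = score_feeds(FEED_ENTRIES)
    print(scored)
    for event, indicator, score in triage(PROXY_EVENTS, scored):
        print(f"{score:.2f} {indicator}  <- {event}")
```

Of seven feed entries, three survive: the allowlisted corporate domain, the RFC 1918 address and the 60-day-old C2 domain are discarded before they can match anything, and the two defanged and plain spellings of the same address collapse into one corroborated indicator. Only two of the four proxy events then reach an analyst; the single-source, low-reliability domain sits below the threshold but remains in the set for hunting.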

In one of my next columns, I will introduce this paradigm, along with its main potentials in the world of Security Operations and Incident Response. In the meanwhile, you can follow me on our LinkedIn Page, by clicking here.