Bot Vs Bot (Attack Vs Defend)
CyberSecurity measures are protecting your digital assets. These days, nearly all data is stored digitally; data as small as your schedule to information, to your banking details are all found digitally. As the technical means of digital penatration are ever increaing, mere protection is not sufficient. It has now become apparent that a strong process must be established to swiftly check data breaches so that remediation can be performed efficiently and effectively, and minimize any potential adverse effects. The following is a framework that covers the broad-level process steps of effective incident response remediation:
Detection and Analysis - Detecting anomalies and malicious activity within the network; gathering the necessary information to analyze the malicious activity.
Correlation - Correlating the events, data, assets, and network- to discern the overall scope of the malicious activity.
Remediation - Remediating the incident by removing the malicious files from the network and blocking the source.
The need for automation is apparent since any possible breach applies to large data sets and therefore requires countless hours to gather data, correlate, and make a decision, if these processes need to be done manually.Automation helps in automatically gathering large sets of data and correlating them within a short span of time and then presenting the data for a manual decision. Once a decision is made, automation works to efficiently manage the remediation efforts as certain breaches require vast amounts cleanup activities.
Why the Need?
Let’s evaluate the need for automation with real-life examples of cybersecurity attacks listed below.
WannaCry is a ransomware worm that affects Windows computers and encrypts files on the hard drive, then demands ransom payment for decryption.
How is it dropped into the network - WannaCry appears in an infected computer as a dropper. It is not known about the initial vector that was used to infect the system, but speculations are it was done through a phishing campaign. Which makes us wonder if phishing issues are properly and timely addressed within an organization, WannaCry incident could have been contained very effectively without the huge outbreak.
How does it infect a computer - It attempts to make a connection to the domain and if the connection is successful, it exits. If no connection is made then it encrypts the files on the hard drive of the computer.
How does it propagate - The programme uses EternalBlue, which exploits a vulnerability in the SMB protocol, allowing the malware to spread on unpatched windows machines that have the protocol enabled. The vulnerability allows remote code execution over SMB, so the WannaCry programme works by establishing a custom SMB session request with hardcoded values of the target system. After the first packet is sent to the initial IP address, it sends the packet to two more IP address within the network and so on.
“Of Course if the vulnerabilities are patched timely with automated vulnerability management WannaCry would have never happened -- Automation again.
Automated Vulnerability Management is not in the scope of this document.”
Check IDS/IPS for MS17-010, EternalBlue, and WannaCry Hash alert.
Identify all the systems missing MS17-010 and have SMB enabled.
Check the web content filter for traffic to kill-switch URL.
Correlate the Alerts and all the assets that are affected or vulnerable to infection.
Disable SMB on vulnerable systems.
Deploy MS17-010 on vulnerable systems.
Isolate the affected systems from the network.
Eradicate the infection with anti-malware and recover the backup.
Block WannaCry hash in endpoint security tools to prevent binary execution.
How Automation speeds up the above Process?
While the SOC is busy with analyzing and remediating few initial systems, automation gathers information on all the affected and vulnerable systems. After all the information is gathered and analyzed all that remains to be done is replicating the remediation.
Automation reduces the manual work of scanning numerous machines and gathering the necessary information to make a decision.
Automation helps with providing a score for making a decision.
Automation helps with segregating affected system vs vulnerable systems.
Automation helps with patching the vulnerable systems and reducing time by removing the need to patch individual systems manually.
Graphical Representation of a WannaCry Playbook
Let’s assume a Security Operations Center (SOC) team receives an Alert in their SIEM tool of a potential phishing email. As part of the remediation process, an alert has to be manually created in an Incident Response Tool so that the team can collaborate and document on the particular alert. Following is a high-level description of the phases of remediating a potential phishing attack:.
Gather information from the email content, such as the subject, sender, and content for analysis.
Detonate the file or URL contained within the email. Store the results and the score.
Find the IP, GeoLocation, and Domain Reputation of the sender.
Make a decision if remediation is required..
Find the assets to which the email was submitted.
Scan the assets and check for the bad binary and clean the assets.
Block the IP in the firewall.
How Automation enriches the above Process?
There is a lot of manual work to analyze a potential phishing attack as demonstrated in the previous steps. Now, multiply it with the number of assets in a large organization with 100K employees and with the number of concurrent phishing emails.
Automation would programmatically gather email content, parse the information and present it to nalyst, so that the actual work is spent on analysis rather data gathering and correlation.
Automation would also automatically correlate all the affected assets and provide the analyst with scores for give a score on the attachments, URLs, Source IP information etc.
Automation would automatically triage remediation for scanning endpoints, blocking IP addresses in the firewall, deleting emails etc.
Time - Automation Vs Manual
According to research “you've got one minute and 20 seconds to save your company from being hacked. It's the median time it takes for an employee to open a phsihing email that lands on company's network and in their inbox, setting in motion a race to prevent data from leaking. That's according to the new Verizon Breach Investigations Report.
In 37 percent of the breaches examined, defenders were able to contain the attack within hours. And in an additional 30 percent of cases, they were able to contain the adversaries within days. The problem, however, lies in the fact that while organizations may be quick to respond when they discover an attack, it still takes them a long time to uncover a breach.
"Unfortunately, the proportion of breaches discovered within days still falls well below that of time to compromise," Verizon notes in the report.”
With the right kind of tools and process automation within the ‘One minute and 20 seconds’, SOC teams can make progress and secure the data leak as follows:-
Automation has already gathered the information contained in the email.
A decision has been made whether the email is harmful or not.
Recipient assets are scanned and any malicious file quarantined.
Email is deleted from all the recipient’s mailbox.
Source IP is blocked in the firewall policy.
Details of the Source IP like geo location etc, are provided automatically and immediately, to start further hunt of the Adversary.
Even if some users might have got affected by the malicious code within the email, using automation SOC teams can immediately contain the damage and reduce the time from “within hours” to “within minutes”, thus reducing the impact of any data leak.
Graphical Representation of a Phishing Playbook
Brute forceBrute force is a trial and error method used by application programs to decode encrypted data such as passwords through exhaustive attempts. A brute force attempt could be done in two ways by physically breaking in or by deploying a script that attempts to decrypt password combinations. Old methods like ‘limiting the number of times a user can unsuccessfully attempt’ or ‘temporarily locking out the user’ will not be beneficial as adversaries can easily get around by restricting their attempts.
Following is a high-level description of the phases of remediating a potential brute force attack:
Alert raised from SIEM based upon the policy set (say 3 unsuccessful login attempts).
Determine if it’s a brute force attack by gathering anomalies as follows:
Access to system outside business hours or outside of the resources’ shift timings.
Multiple Login Failure to a system.
Login to multiple systems with the same credentials.
Unexplained activity from the system.
Unexplained physical access.
Conduct scans to check for known malicious files
Identify the systems affected.
Identify User Credentials compromised.
Eradicate the bad binary in question.
Block the IP in the firewall.
Communication with the resource to comply with Security policies.
Patch the system.
How Automation enriches the above Process?
There is a lot of manual and time-consuming work to gather information about the anomalies.
Automation would automatically gather information about the anomalies and correlate event patterns and present this information for analyzes..
Automation would automatically correlate all the affected systems and impacted user credentials.
Automation would automatically eradicate the bad binary, send appropriate communication, and block the IP in the firewall.
Graphical Representation of a Brute Force Playbook
Summarizing Importance of Automation
Automation helps SOC team to gather information, analyze the information and manage the remediation in short span of time.
Automation helps SOC team to focus on actual analysis instead of the tedious process of gathering information that takes up a lot of their time..
Automation helps in minimizing human error by automating remediation steps such as blocking IP addresses on the firewall, or patching vulnerable systems..
Automation helps with reducing the time of compromise and remediation, thus minimizing the impact of a breach.
Advantages of Automation
Empower Team - with enriched data for better decision making.
Save Time - by automated information gathering and correlation.
Better Efficiency - by automating defined processes.
Fast - because of the computation power.
Less Errors - because of automation and human checkpoints.
Less Training - because the processes are defined, documented and automated.
Machine Learning - Will help automate responses to different kind of cyber threats, based upon previous actions/learnings.
Predictive Analysis - Will help analyze the trend of attacks and create defence policies accordingly.
Automated Playbooks - Will help trigger the right kind of playbook for the specific threat and switch as required.