Cyber Intelligence Leads to Resiliency

By Ryan Lawrence, Senior Security Consultant, Revolutionary Security

Security by Compliance

Within this blur of a technology-driven society, time and time again we see companies that have designed a security operations center to meet their compliance needs, and yet still appear on the evening news as the victim of a cyber attack. Security’s goal, protecting the digital assets of an organization from attacks, differs from that of compliance, which is ensuring that the organization meets regulatory requirements. For examples of how an organization may be compliant with cyber security frameworks such as NIST and ISO, but still be breached, one need only look at the rapid growth in funds lost to Business Email Compromise (BEC). According to the FBI’s website: https://www.ic3.gov/media/2018/180712.aspx:

  • Between October 2013 and May 2018, over $12.5 billion in domestic and international dollars were lost;
  • Over 78,000 domestic and international incidents were reported; and
  • Fraudulent transfers have been identified to over 115 countries.

The common vector for BEC is utilizing social engineering via e-mail, phone calls, or attacker-operated clones of target websites. As such, identifying these initial attempts to establish a relationship prior to the fraudulent activity is vital in preventing this theft. Incorporating Cyber Intelligence into the incident workflow is a key task in improving the efficiency and accuracy of your prevention efforts.

Moving Away from Compliance-Centric Security toward Cyber Intelligence

Effective cyber defense is driven by innovation, creativity, and thinking outside the box. Moving away from the compliance checklist approach and finding the right balance of cyber intelligence and “Checkbox Security” to ensure an effective defense can challenge both organizations and individuals. While ‘Checkbox’ and ‘Checklist’ may carry a negative connotation, it is still important for your incident responders, threat hunters, and threat intelligence teams to have checklists for their internal processes. As outlined in the two scenarios below, each team and the alert system should be able to produce and consume valuable information with the other teams and alert systems, rather than being restricted or siloed.

First, as seen by a SOC following typical Compliance-Centric Security

  1. An email is sent to a director in Accounts Payable that appears to be from the Chief Financial Officer (CFO). The body of the email states that a wire transfer needs to be made to a vendor to meet a contractual deadline.
  2. The company has a commonly used email security product that looks for SPAM and assigns the email a higher risk score than a normal email, but does not block it.
  3. The system alerts a threat monitoring analyst, who responds to the alert and determines immediately that this is a phishing attempt to steal credentials.
  4. The analyst determines that the end user clicked the link in the email. Upon examining the network traffic, it was observed that the victim’s password was transmitted externally in clear text.
  5. The analyst does not force a password reset but asks the end user to do it, and there is no follow-up to ensure that the reset was completed.
  6. The analyst considers this contained and mitigated and closes the investigation.
  7. The end user forgets to reset the password and, due to password reuse, the attacker can log in to the end user’s corporate OWA account with the stolen credentials.
  8. The attacker sends out an email with an infected PDF attachment from the end user to others in the company.
  9. As the email appears to be legitimate, multiple end users are impacted by the infection, and the attacker exfiltrates data containing highly valuable and sensitive intellectual property from multiple systems.
  10. The attacker sells the stolen data to a rival company, and the rival company beats the other company to launching a product and corners the market on this new product.

Second, as seen by a Cyber Intelligence Center

  1. An email is sent to a director in Accounts Payable that appears to be from the Chief Financial Officer (CFO). The body of the email states that a wire transfer needs to be made to a vendor to meet a contract deadline.
  2. The company has a commonly used email security product that looks for SPAM and assigns the email a higher risk score than a normal email, but does not block it.
  3. The system alerts a threat monitoring analyst, who responds to the alert and determines immediately that this is a phishing attempt to steal credentials.
  4. The analyst determines that the end user clicked the link in the email. Upon examining the network traffic, it was observed that the victim’s password was transmitted externally in clear text.
  5. The analyst observes through the Security Information and Event Management (SIEM) tool that there was one other “Clicker”.
  6. The analyst temporarily disables the victims’ accounts until the victims’ network passwords have been reset.
  7. The analyst follows the handoff procedures to the Security Awareness team, so that the victim may receive additional training for detecting phishing attempts.
  8. The Analyst:
    • Notifies all other recipients of the email that it was phishing.
    • Blocks the links and domains used in the attack.
    • Searches for other domains used by the same registrant.
    • Hands off the case to the threat intelligence (TI) team, as the email was specifically targeting finance managers and directors within a certain business group.
  9. The TI team acknowledges the handoff and harvests and grows the indicators of compromise (IOCs) from the email. Cross-referencing the data against various threat intel feeds, they find that the attacker was part of a known campaign targeting financial departments in the company’s industry, and they send the support operations team a detailed report including attribution and the Tactics, Techniques & Procedures (TTPs) of the attacker’s group.
  10. The support operations team creates multiple new blocking rules and alerts from the IOCs from the report and deprecates an older alert rule that is no longer valid.
  11. The ticket is automatically updated with the following:
    • Date and time the end user has completed Security Awareness training (if required).
    • The security awareness, support operations, and TI team tasks were acknowledged and completed.
    • A text file appended to the ticket with the rule changes and rule deprecations the support operations team made.
    • A copy of the TI report.
  12. During the investigation, the analysts notice that the system also has some out-of-date patches and alert IT to fix and resolve them. IT responds when the patches have been applied, and the analysts manually update the ticket with the actions taken, summarize all the activities in their incident ticket, and close the case.
  13. A few weeks later the attacker tries again, but this time the email is blocked as it was sent from a domain that was registered by the same email registrant in the first attack. The support operations team was successful in adding other security controls to block future attacks.
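The following script is an added illustration of steps 5, 8 and 13 of the Cyber Intelligence Center scenario; it is not code from the original post or from Revolutionary Security. It runs over constructed email-gateway and proxy log lines, finds every recipient of the phishing email, finds the “Clickers” (users who posted credentials to the attack domain), pivots on the registrant to find sibling domains, and then shows why a later email from a domain registered by the same registrant is blocked. All users, domains and registrant addresses are made up, and the registrant lookup stands in for a WHOIS/RDAP feed.

```python
import re

# Constructed sample logs (every user, domain and registrant below is made up).
EMAIL_LOG = [
    "2019-02-04T09:12 from=cfo@corp-payment-portal.example to=ap.director@example.com url=http://corp-payment-portal.example/login",
    "2019-02-04T09:12 from=cfo@corp-payment-portal.example to=ap.manager@example.com url=http://corp-payment-portal.example/login",
    "2019-02-04T09:13 from=cfo@corp-payment-portal.example to=fin.director@example.com url=http://corp-payment-portal.example/login",
    "2019-02-04T10:40 from=news@vendor.example to=ap.director@example.com url=http://vendor.example/catalog",
]
PROXY_LOG = [
    "2019-02-04T09:15 user=ap.director dst=corp-payment-portal.example method=POST path=/login",
    "2019-02-04T09:20 user=ap.manager dst=corp-payment-portal.example method=GET path=/login",
    "2019-02-04T09:21 user=ap.manager dst=corp-payment-portal.example method=POST path=/login",
    "2019-02-04T11:02 user=fin.director dst=vendor.example method=GET path=/catalog",
]
# Constructed registrant lookup standing in for a WHOIS/RDAP feed (hypothetical values).
REGISTRANT = {
    "corp-payment-portal.example": "reg-4471@mailbox.example",
    "corp-payments-secure.example": "reg-4471@mailbox.example",
    "vendor.example": "hostmaster@vendor.example",
}
KV = re.compile(r"(\w+)=(\S+)")
parse = lambda line: dict(KV.findall(line))  # key=value log line -> dict

def recipients_of(domain):
    """Step 8: everyone who received an email linking to the attack domain."""
    return {e["to"] for e in map(parse, EMAIL_LOG) if domain in e["url"]}

def clickers_of(domain):
    """Step 5: users whose proxy logs show a POST (credential submission) to the domain."""
    return {p["user"] for p in map(parse, PROXY_LOG)
            if p["dst"] == domain and p["method"] == "POST"}

def related_domains(domain):
    """Step 8: other domains registered by the same registrant."""
    owner = REGISTRANT.get(domain)
    return {d for d, r in REGISTRANT.items() if r == owner} - {domain} if owner else set()

def build_incident(domain):
    """Assemble the response actions: notify, disable until reset, block domains and registrant."""
    return {"notify": recipients_of(domain),
            "disable_until_reset": clickers_of(domain),
            "block_domains": {domain} | related_domains(domain),
            "block_registrants": {REGISTRANT[domain]} if domain in REGISTRANT else set()}

def is_blocked(sender_domain, incident):
    """Step 13: block a later email if its domain, or the domain's registrant, is on the block list."""
    return (sender_domain in incident["block_domains"]
            or REGISTRANT.get(sender_domain) in incident["block_registrants"])
```

The registrant check is what catches the second attempt: a domain registered after the incident is not on the domain block list, but its registrant is.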

Because this organization had a cyber security team that effectively utilized threat intelligence, they were able to thwart the attack before the stolen credentials were used. The team was able to improve its security controls, block a future attack, and attribute the attempt to a specific threat actor. If they had only designed their security operations team to be compliant, they would have been compromised multiple times, and actual payments could have been made to attackers. The inflexibility of compliance-driven or ‘check box’ security would not have allowed for the analytic freedom the analysts used to:

  • Identify potential future domains used in a second attack and block them.
  • Find all the recipients within the first phishing campaign.
  • Mature IOCs and write a threat report containing attribution and TTPs of the attack.
  • Allow for the support operations team to create new rules and alerts and deprecate the old rules.
  • Have the security awareness team instruct the end user to take additional training.

Revolutionary Security is passionate about helping our clients through the rigorous struggles of building a Cyber Intelligence based security team. We take our years of experience in assessing, designing, and transforming security centers to tailor solutions that convert reactionary security teams into proactive cyber intelligence organizations. If you would like more information on how to transform your SOC from a compliance check box security team to a robust Cyber Intelligence organization, please visit the “Contact Us” section of our website: https://www.rev-sec.com/contact-us/ and we will dive deeper into how we can assist.

About the Author

Ryan Lawrence
Senior Security Consultant
Revolutionary Security

Ryan Lawrence is a Senior Security Consultant for Revolutionary Security LLC and has over 15 years of Fortune 100 IT and Cyber Security experience. Ryan is a subject matter expert in incident response, developing Cyber Security playbooks, Threat Intelligence, and Threat Hunting.

Prior to joining Revolutionary Security LLC, Ryan served as a Senior Security Analyst for a Fortune 100 company’s Computer Incident Response Team (CIRT), where he trained and mentored other analysts. He supported transitioning the company into a robust Cyber Fusion Center. Ryan developed several Incident Response Plans, and most recently was the principal designer of the Incident Response Strategy for the enterprise’s cloud solutions.

He holds GIAC GCIH, GIAC GCFE, CompTIA Network+, and CompTIA A+ certifications. Ryan is also a member of InfraGard, an FBI-sponsored partnership between the FBI and members of the private sector designed to protect Critical Infrastructure.