Incident Response failures during Cyber Attack
Noorul Ameen
Cyber Security Leader | SOC, IR & IAM - CISCO | Masters in Cyber Security - Incident Management & Business Continuity
Abstract
Hacking has become a ubiquitous phenomenon on the Internet. Considering that such fortune 500 prominent companies as Evernote are being hacked, it is not difficult to imagine that you, an individual, can also be hacked. This experience is quite common, although this does not necessarily make it any less sad. You are left confused, having no idea what you should do immediately after the sad act.
Introduction and background
Technological solutions are crucial for businesses to thrive in today's highly competitive environment. Companies use confidential and personal information about customers to implement data-driven business models.
At the same time, hackers continue to attack enterprises to break into critical systems, steal data and gain monetary benefits. Currently, attacks on financial organizations have increased by 238% since the outbreak of the coronavirus. In addition, 80% of companies reported an increase in the number of cyber-attacks. Ransomware attacks have increased by 600% as of March 2020. Reputable companies, such as Marriott and Nintendo hotel chains, became victims of cyber-attacks in 2020. The attacks on the first of them affected more than 5 million customers, while at least 300,000 Nintendo user accounts were hacked. Understanding emergency actions after a hack can reduce or prevent adverse consequences.
Problem statement
When an incident or compromise or hacking attempt happen in the organization, the organization show interest or preference to proceed with an incident?response plan immediately, but there are some ample amount of mistakes or errors that would happen on incident response planning due to non-mindful precautionary measures which not been taken by the incident respond planner or the cyber security expert in the organization here the below topic discuss about where the incident response goes wrong, and it will define detail about how it can be resolved
Where incident response goes wrong.
In the unpredictable and rapidly evolving fight against cyber-attacks, well-trained incident response teams are a powerful weapon in the organization's arsenal. Responsible for evaluating security systems and responding to security threats, incident response teams play an important role in solving problems and controlling damage from system violations, malware infections and other security events.
Addressing the ten common incident response errors can help organizations determine whether their incident response teams can solve, rather than aggravate security problems.
Failure??# 1: The plans are not designed specifically for the Organization Many organizations implement standard incident response plans that list in detail all the steps that need to be taken to investigate a potential incident. While this may seem thorough and encouraging, it can often overcomplicate response procedures and slow or hinder investigations. Ready-made plans are often outdated and ineffective against developing threats and changing technologies
Organizations should develop policies, processes and procedures that are appropriate for their culture, environment, response personnel and, most importantly, business goals. The documentation should be concise and constantly developed to meet both federal trends and changes in business goals.
Failure??# 2: Plans are used only in real incidents.
In the field of information security, planning goes so far. Organizations create comprehensive
incident response plans, but sometimes they do not check them to the real the event happens only to discover that they fail in the first step. In addition, many organizations consider the creation
of an incident response plan as a one-time event, rather than as an ongoing process. As a result, the plans contain incorrect information about tools and people, or detailed steps that do not work or do not work.
Organization need to regularly put their plans into action before a real incident occurs-similar to how fire-fighting exercises are conducted. The lack of an incident response plan may This can lead to increased response time, confusion and, worst of all, to an exploit.
Failure??# 3: Teams can't communicate correctly with the right people. Since many organizations dealing with IT security are characterized by segmented functions, such as vulnerability scanning, error correction and system administration, search, coordination, and interaction with key parties
involved in responding to an incident can be a major challenge.
A centralized communication dashboard where the incident response team can publishing detailed information about the ongoing investigation and retrieving information as needed can help limit the failures of constant email messaging, which can overload email mailboxes and lead to missed messages or conflicting information. In addition, this monitoring system can be configured to restrict access or add people as needed without sending duplicate emails.
Failure??# 4: Teams lack skills, are the wrong size, or are poorly managed. All organization, regardless of size, face challenges when it comes to choosing the right personnel to staff an incident response team. With limited security budgets, small organization can assign incident response responsibilities to system and network administrators who have technical knowledge and historical understanding of how systems work, but no experience in making decisions that affect business in a crisis or disruption. On the other hand, large organization are struggling to allocate the most efficient amount of resources for an incident response team, if more personnel equal more capacity. This can lead to duplication of effort.
Organizations should carefully assess the need for additional training or internal assistance in recruiting staff to help increase the appropriate level of experience in the incident response team. In addition, strong leaders who lead the team should clearly define roles and responsibilities, promote closer cooperation co-operation, and improve communication with the team and beyond.
Failure??# 5: The actions of the support service can destroy important evidence. From strange computer behavior to frequent account locks and numerous antivirus warnings about computer problems that can signal infection with malicious code, often first, it is reported to the support service. If the support staff is not well enough versed in the needs of incident response services, their work to fix user problems can lead to destruction key evidence. For example, installing software, running antivirus programs, or cleaning tools, or configuring system settings can overwrite information that can be invaluable for incident response services.
It may not be possible to piece together a chain of events, especially if the initial actions were not documented. Organization that use subcontractors as their IT support service should make sure that their support staff is aware of the indicators that they require the participation of an incident response team.
If they suspect that a problem with the user may be caused by malicious code, support staff should write the system image to memory before making any other changes. Support staff should also be trained to document their activities in case their actions become part of the investigation.
Failure??#6: Incident response tools are inadequate, unmanageable, untested, or underused.
Organizations may experience unexpected delays in incident investigation and troubleshooting processes, or even stop if tool teams rely on getting information about affected systems, and people are mismanaged or misused. Even the latest and greatest technological solution may not provide stable and reliable performance without proper planning, investment, and maintenance.
Organization should keep centralized records of instruments and establish processes that will help ensure timely license renewal and updating of functional components. In addition, team members should receive training on the entire set of tools on an ongoing basis. Finally, tools should be regularly evaluated to determine whether they can withstand the most modern threats.
Failure??# 7: The data related to the incident is not easily accessible. When information containing relevant information about an attack is missing or unavailable, a cascade effect occurs throughout the entire incident response process. Ultimately, the incident response team struggles to assess the impact, localize the damage, and report to management.
Solving this problem requires organizations to understand what data sources they have, what data they can create and how they manage their data. Attracting technology owners and evaluating the asset management system are both good ways to uncover the full range of potential data sources. In addition, the incident response team must identify signal events (for example, authentication failure, deletion of logs, interactive login, etc.), which could provide contextual information about the incident, and establish processes for aggregating, storing and understanding this data.
Failure?#8: There is no “intelligence “in the threat intelligence provided to incident response services.
Threat Information (TI) is a topic worthy of attention in the field of IT security; and threat analysis products are taking off the shelves, but many organizations believe that buying all available threat channels do not lead to full detection threats. Often, incident responders are overwhelmed with hashes, file names, IP addresses, and other indicators, but they have almost no idea how these indicators can affect their organization.
Organizations should integrate threat information into incident response and actively cooperate with their TI provider to assess whether this information is useful and useful for their organization.
Failure?# 9: The Incident Response Team lacks credibility and visibility in the organization.
Political disputes can counteract the efforts of the incident response team, hinder the response process
and prevent the timely resolution of incidents. It is rare for incident response teams to act with the highest authority to make changes to the business to ensure the security of the organization. Rather, they should bring the problems to the management to get the necessary support,
sometimes as the incidents worsen
Management should fully support the incident Response team, its mission and its
activities during the investigation. Incident response it should be reported and marketed as a service that maintains the integrity of the organization, not as a group that creates more work. In addition,
the incident response team should involve other groups to appoint a primary contact person to facilitate participation in the incident response process.
Failure??# 10: Users are not aware of their role in ensuring the security of the organization. Using users is one of the most common and easiest ways that criminals compromise organizations. Finding a vulnerability that gives an attacker full access to the network can be a lot of work, but creating
an email message that convinces the user to run malicious PO, is a child's game. Unfortunately, informing users about threats goes so far.
The Organization’s Security Management Team it should constantly inform users not only about general working methods, but also about the role of information security in the organization. By doing so, users can be active participants in ensuring security.
They will know where to turn and trust the process, rather than trying to solve security problems on their own, installing unreliable tools and potentially creating big problems throughout the network
Emergency Actions
How to act in case of a cyber incident
managers and organizations should take preventive measures to avoid the risk of a violation. After spending time on planning, spending money and training employees, does someone still manage to overcome the security measures of the organization? What are you doing now?! Once a violation has been detected, the organization must immediately take the following steps to limit the violation.
Step 1: Inspect the damage
After the violation is detected, the designated members of the information security group an internal investigation is needed to determine the impact on critical business functions. This in-depth investigation will allow the company to identify the attacker, detect unknown
security vulnerabilities and determine what improvements need to be made to the company's computer systems
Step 2: Try to limit the extra damage
The organization must take steps to prevent the spread of the attack. Some preventive strategies include:
Inspect the damage – Incident damage can be assessed by keeping the network sensor at exit note with known actors’ indicator to detect the if any data is exfiltrated through unusual ports. Also deploying the EDR solution at endpoint would able to detect the unusual process of APT ?
Step 3: Write down the details
The Information Security Team should keep a written log of what actions were taken to respond to the violation. The information to be collected includes:
·???????Affected systems
·???????Compromised accounts
·???????Service failures
·???????Data and network affected by the incident
·???????The amount and type of damage caused to the systems
Step 4: Involve law enforcement agencies
A serious violation should always be reported to law enforcement agencies. Law enforcement agencies with which State and local law enforcement agencies
Many companies wait until a security breach occurs before contacting law enforcement, but ideally the response team should meet with law enforcement before an incident occurs. Preliminary discussions will help the organization learn when to report an incident, how to report an incident, what evidence to collect and how to collect it. As soon as the incident is reported, law enforcement agencies can contact the media and ensure that confidential information is not disclosed.
Step 5: Notify the affected
If a violation puts an individual's information at risk, they must be notified. Such a quick reaction can help them take immediate steps to protect themselves. However, if law enforcement agencies are involved, they should indicate to the company whether delay the notification to make sure that the investigation is not compromised, ?
Individuals are usually notified by mail, phone, email, or in person.
To avoid further unauthorized disclosure, the notification should not include unnecessary personal information.
Step 6: Learn from the problem
As cybersecurity breaches become a way of life, it is important to develop organizational processes to learn from violations. This allows you to better handle incidents if the company encounters a violation in the future. Some
learning challenges include:
The above responses to the event should not be a surprise. These reactions should be the rehearsed components of the organization
A Cyber Incident Response Plan. Keep the plan up to date. Without a plan, there is confusion and, most likely, costly mistakes will be made. Developing a plan will show law enforcement agencies and the public that your intentions are good and will most likely reduce the consequences.
Make sure that the key assets are specified in the plan. Have these resources at the ready. Identify the tools and processes that will be used and followed. Knowledge of your industry and what is valuable for your organization (or what is valuable for those who want to use your resources), will allow you to understand the intentions of the attacker and allow you to correctly assess the threat and execute a proper plan. Plan of action after the attack to ensure effective sorting after the event. Use this plan to prioritize your efforts, necessary for recovery after a cyberattack, understanding the extent of damage and minimizing further damage. Eliminate the gaps in the environment and develop a plan in such a way that it does not cause more harm. Once again, document everything. Thorough documentation increases the credibility of your organization, prevents the repetition of mistakes, and provides confidence throughout the organization. ?
Methodology adopted
Initiate incident response measures
The first course of action is to respond to hacking cases as soon as they are detected. Companies should use incident response procedures to prevent an attack and prevent further damage. The incident response plan allows you to evaluate faulty systems, stolen or damaged data and identify the root causes. Some of the measures that should be considered include disconnecting from the Internet and the corporate network, isolating the affected platform/service, and revoking access to all resources until the problem is resolved.
Understand the motives behind what happened Many factors can encourage hackers to target businesses. This can be financial gain, access to important information such as intellectual property, revenge, or threats from insiders. While figuring out the reasons can be a daunting task during a busy hacking scenario, they report on appropriate measures to stop and prevent the attack. In addition, it allows the affected organization to embark on the path of recovery.
Credential Reset
Resetting credentials such as usernames, passwords, and recovery accounts should be a priority after a hacking event. Passwords provide the first line of defense, and cases of hacktivism mean that cybercriminals can compromise them. Reset the passwords of all services, even if only one platform was compromised. It is extremely important to create new secure passwords, because the reuse of old passwords exposes the company to repeated attacks. Make sure that all devices and account users log out after the reset so that the new passwords take effect immediately.
Communication
Establishing the real intentions of a cyberattack can be a difficult task. Therefore, it is advisable to inform all parties about this as soon as a hacking incident is detected. These include law enforcement and legal authorities, supply chain partners, customers, friends, and others. Attackers can use a compromised network or account to spread malicious intentions among other organizations or individuals. Alerting them allows them to detect and report suspicious events indicating hacking attempts.
Strengthening cyber defense
Many victims often want to move on quickly after hacking cases stop and do not take measures to improve security. After identifying the root causes of a data leak, it is important to implement reliable controls to avoid a repeat in the future. In addition, victims should strengthen the security of unaffected services, using industry-standard methods to improve information security.
Measure the incident response effectiveness
In a world where cybercriminals are constantly improving their methods of combating threats, most security experts believe that the question is no longer whether an event related to data security will "happen" in the organization, but " when” it will happen. As you work to improve the protection of your IT stack, you need to make sure that you have developed a reliable incident response plan that provides quantitative data. As you strive to increase your resilience to cybersecurity, understanding these seven incident response metrics and how to use them can help you reduce risk and respond more effectively to incidents.
?
1. Average Detection Time (MTTD)
MTTD is defined as the average time it takes for your team to detect a security incident. To measure MTTD, you add up the total amount of time it takes your team to detect incidents during a certain period and divide this by the number of incidents. You can use this to compare performance between teams or use it to measure the current monitoring of controls.
For example, if Team A reports 10 incidents per month, and it takes 1000 minutes to detect them, then this is how you calculate their MTTD:
1000/10 = 100 minutes for detection
Meanwhile, Team B can report 8 incidents per month, but it takes 1500 minutes to detect them, their MTTD looks like this:
1500/8= 187.5 minutes for detection
Based on MTTD, Team B takes 87.5 minutes longer to detect a security incident than Team A. Using this indicator, you can find ways to reduce MTTD so that attackers spend less time on your systems.
2. Average Time to Confirm (MTTA)
MTTA measures the time interval between the system generating the alert and the employee of your IT department responding to the alert. While MTTD focuses on how long it takes to detect or report an incident, MTTA focuses on how long it takes to notice the problem and start working on it.
The higher the MTTA, the longer it takes your IT staff to confirm the incident report. You can use this metric to track how well your security service prioritizes alerts. If your team cannot prioritize high-risk warnings, then it may take them longer to start working to eliminate this risk. A lower MTTA means that your team responds quickly to security warnings, showing that they are prioritizing correctly.
3. Average Time to Restore (MTTR)
MTTR is the amount of time it takes your employees to restore and start a damaged system. MTTR gives you an idea of how quickly your incident response team can get you and any affected customers back to normal.
To calculate MTTR, take the amount of downtime for a certain period and divide it by the number of incidents. For example, if you had a total of 20 minutes of downtime caused by 2 different events over two days, your MTTR looks like this:
20/2= 10 minutes
Now, if the downtime was a total of 40 minutes for 2 incidents, your MTTR looks like this:
40/2 = 20 minutes
Since the second MTTR is larger, you can say that you have a problem with incident response processes. You can't tell what the problem is, but at least you know where to focus further investigation.
4. Average Time for Containment (MTTC)
MTTC combines MTTD, MTTA, and MTTR for a more holistic view of how well your organization responds to incidents. MTTC focuses on how long it takes for your incident response team to detect an incident, confirm the incident, and effectively prevent a cybercriminal from causing more harm.
To calculate the MTTC, take the sum of the hours spent on detecting, confirming, and resolving the alert, and divide it by the number of incidents.
For example, if there were 2 incidents in your organization, each of which took 3 hours to detect, 2 hours to confirm and 5 hours to eliminate, your MTTC will look like this:
(2+2+3+3+2+2)/2 = 14/2 = 7 hours
领英推荐
Many consider MTTC to be one of the most important indicators of incident response, because a low MTTC gives a holistic view of how your team works together. If the MTTC is high, then you want to start detailing in which area-detection, confirmation or recovery-is the weakest link.
5. System Availability
Your interconnected IT ecosystem also includes vendors whose incident response programs need to be monitored. Since you are not working " on the ground” with your suppliers, you need to find ways to measure third-party processes.
The availability of the system gives you an idea of how well your cloud services manage their products. This metric focuses less on how well your organization manages incidents, and more on how your suppliers manage incidents.
Often, a security incident, such as a distributed Denial of Service attack (DDoS), takes cloud services offline. The system availability indicator allows you to assess the reliability of your service provider, as well as to assess how quickly they eliminate incidents. The higher the system availability indicator, the more reliable the service is. For example, a service with 90% system availability is more reliable than a service with 80% availability.
6. Compliance with the Service Level Agreement (SLA)
Another indicator for measuring the maturity of responding to third-party incidents is to compare the provisions of your service level agreements with the reality of the services provided. Your service level agreement may include service levels and expected responses. As part of a service level agreement, you can measure availability and recovery time. Then you can compare the actual availability of services and the actual MTTR with those listed in the service level agreement. If a supplier does not meet the requirements or has availability problems that exceed the maximum allowable rate, or it takes a long time to resolve the incident, you may need to start looking for another supplier.
7. Average time between failures (operating time per failure)
Time to failure measures the time between system failures during normal operation. You can measure the time to failure by taking the total number of hours of operation of the systems for a specified period, and then dividing this number by the number of failures that occurred during the same period.
For example, if your database runs for 5000 hours for a month and experiences 3 failures, your time to failure is:
5000/3= 1667 hours between failures
Another application running for the same 5000 hours has 8 crashes over the same period. For this application, your time to failure is:
5000/8 = 625 hours
Since the time to failure is lower for the second system, you can see that it causes more failures during the same period as the first system. The lower the time to failure, the more maintenance the system requires.
Although the time to failure is often used when comparing the expected service life of a technology before purchase, you can use the time to failure after purchasing a product as an indicator of the end of service life. The older the system, the more often it can fail.
Applying this to cybersecurity and incident response, you can consider MBTF as an indicator of an end-of-life system that may be at higher risk of being the weakest link in the IT stack. This can help you find a starting point when conducting forensic research.
The Security Scorecard card allows organizations to evaluate the effectiveness of responding to incidents
The Security Scorecard security rating platform continuously monitors your IT ecosystem, providing easy-to-read A-F security ratings. Our platform considers ten categories of risk factors, including IP reputation, DNS health, endpoint security, network security, patch frequency, web application security, social engineering, hacker chatter and information leakage.
Our continuous monitoring tool provides real-time alerts about new risks affecting your ecosystem, prioritizes warnings depending on the level of risk and suggests measures to eliminate them. With our platform, you can respond more effectively to security incidents or potential incidents and support your strategies with traditional incident response metrics.
Incident Response management stages and steps.
Different organizations use different terms and stages related to incident response processes. The NIST Computer Security Incident Management Guide divides the incident response lifecycle into the following four stages:
the described stages are further separated. The following eight steps are further subdivisions of the four NIST points:
Preparation
Preparation can also be called the pre-incident phase. This includes steps that are taken before an incident occurs. In other words, this is the time during which the team prepares for any incident. This may include training, defining policies and procedures, collecting tools and necessary software, purchasing the necessary hardware, etc. This stage should include everything that can help in resolving the incident more quickly. At this stage, an incident handling checklist is also compiled.
Detection
This is the main and most important step in the incident response process. Detection, sometimes also called the identification phase, is the phase in which events are analyzed to determine whether a security breach is an incident. The Organization will not be able to respond to a security incident in a timely manner without a proper and effective detection and analysis mechanism. This mechanism should include an automated and regulated operation to extract system events/logs and bring them into the organizational context. The context in the analysis is important because it can prevent the omission of an event that may be important, but not immediately obvious. The most important aspect of this stage is the rapid and decisive resolution of the situation, regardless of whether the incident is happening now or occurred in the past.
Response
The response phase is also called the containment phase. As the name suggests, this stage concerns the actual interaction of the response team with the affected system. The goal is to try to contain further damage from occurring and affecting more systems. The answers depend on the scenario, but common answers may include disconnecting the system from the network, disconnecting the system power, isolating traffic, and other related tasks. This phase usually begins with a forensic backup of the system involved in the incident. This stage also captures and resets volatile memory before shutting down the system.
Disabling systems can have a negative impact on the organization, so in this case it is most important to get permission from management to act, as well as inform them about the severity of the incident. Stopping the spread of an incident is more important than treating it in the first place where it was detected.
?
Mitigation
Liquidation is another name for the mitigation stage. This includes analyzing the incident, including understanding the root cause. This understanding can then help in reliably cleaning systems and can also help in implementing security measures against future incidents. The system can then be returned to a stable state after the cause is known, preferably without the risk of a repeat. At this stage, it should be noted that the obvious removal of malware is not enough until the cause is known and understood.
After the reason is known, the system returns to a working state. This recovery may include rebuilding the system from scratch or restoring to a known backup. Root cause analysis plays an important and significant role in finding a reliable known backup image. A timeline of events generated by root cause analysis can help determine which backup iteration is the safest.
The final important part of this stage is to prevent the consequences of such incidents in the future. Patching and stronger firewall configurations can be effective steps taken for future warnings.
?
Report
Reporting is a stage that begins with the beginning of the incident and continues until its completion. Reporting should begin immediately after the incident is detected. The reporting stage can be divided into two categories
The Incident Response Team is responsible for reporting the technical details of the incident. It is also extremely important that they inform the management about serious incidents. Non-technical stakeholders should be updated as the incident handling process progresses. This is an important step in reporting, and it should not be ignored. Official reporting will begin as the process reaches its recovery phase. The Incident Management Team will prepare and send official reports to technical and non-technical management personnel as the systems are restored and returned to production.
?
Recovery
As the name implies, this phase includes the processes associated with restoring the system to working condition. As a normal procedure, the unit responsible for the system will decide when the system will return to operational mode. Caution should also be exercised since there is a possibility that an infection or attack could persist during the mitigation phase. Careful monitoring of the system is necessary after it has been restored to working condition. Off-peak production hours are the best time to restore work. This will greatly simplify the monitoring of system security.
?
Remediation
Steps to correct the situation are taken at the mitigation stage, when the vulnerabilities discovered during the root cause analysis are eliminated. Recovery begins immediately after mitigation, and then its scope expands. To manage a security incident, you need to perform a root cause analysis. Root cause analysis helps to identify vulnerabilities that can lead to such an incident. Without an analysis of the root causes, the restored system may still have a certain weakness that may affect other systems or even lead to a repeat of this incident in the future. For example, if a previous backup is selected that is not sufficiently deleted, the restored version may also have this vulnerability, which will cause the entire cycle to be restarted.
?
Lessons Learned
"Lessons learned “is the stage after the incident, and, unfortunately, it is also the most ignored stage. The learning phase can be the most effective; if done correctly, it can lead to positive changes in the overall security of the organization. The purpose of this stage is to prepare a final report on the incident and transmit it to management along with the proposed improvements to avoid similar incidents in the future.
Important considerations may include an indication of ways in which identification can be made faster, how to respond as quickly as possible, a description of organizational shortcomings that could contribute to the incident, and any potential improvements in the system. Feedback from this stage directly affects ongoing training, and lessons learned can help improve preparation for future incidents.
Proactive mere to mitigate the cyber attack
We have all witnessed how ruthless 2020 was for a wide range of organizations. Even the most powerful, most prestigious companies and enterprises are not free from the deadly grip of sophisticated cyber-attacks.
For security professionals, this means that they should take an active, not a reactive position.
But how do you anticipate the unknown? Many security professionals would ask this question.
This starts with gaining additional visibility throughout your organization and launching proactive threat detection procedures.
Why SoCs should not wait for a warning to start searching for violations
Modern complex networks are excellent hiding places for cybercriminals who can hide around the corner, silently extracting valuable information and causing irreparable damage.
The sad reality is that most organizations are too slow to detect cyber threats. This was the case with the Marriott International data breach in 2018, which led to a 4-year data breach before the perpetrators were discovered, eventually revealing the data of a record 339 million guests. And, in addition, if we take into account the fact that hackers are now using more hidden means of penetrating networks, it is high time for organizations to take proactive precautions and act in a proactive, rather than reactive manner.
It is obvious that cybercriminals can enter systems without being detected, so in 2021 it is necessary to increase awareness of threats, paying special attention to the proactive search for threats.
Adding additional visibility levels is key
To anticipate the unknown and stay one step ahead of cybercriminals, SOC teams must be wary of every potential vulnerability in their system. And, as organizations become increasingly interconnected due to the introduction of various IoT devices, security professionals must bring their game if they want to prevent attacks.
In addition, due to the COVID-19 pandemic, which causes the need for remote work, more and more employees are using their unprotected personal networks instead of significantly more secure networks in the workplace.
Unfortunately, as networks become more and more complex, this means that SOC teams have less visibility, allowing hackers to sneak in undetected and infiltrate systems.
Therefore, it is extremely important to use visibility-enhancing technologies that instantly provide much-needed security visibility at all endpoints to ensure maximum security. Increasing visibility in your network means accurate knowledge:
Who has access to your network?
Who should have access to your network?
What applications are used
What data is being accessed
All of this means that cybercriminals will be looking for more opportunities to exploit, and SOC teams should consider every second of their threat hunt.
General Forecast
Every security specialist is aware that at the current rate of development of cyber threats, every organization needs to buckle up and significantly invest in strengthening its position in the field of cybersecurity.
Now our forecasts are based on reasonable assumptions, but we have seen how the COVID-19 pandemic has reset all the best forecasts of security specialists for 2020. Therefore, we advise you to treat these carefully analyzed forecasts with a degree of skepticism:
More false positives
More targeted ransomware attacks
Financial and medical institutions are still the main targets
More sophisticated cyber attacks
Data leakage is among the most frequent attacks
Increased focus on mobile devices
Cybersecurity awareness will be increased among all employees
Attackers will continue to use the COVID-19 pandemic
The COVID-19 pandemic has largely contributed to the inevitable increase in cyber-attacks. Naturally, it was expected that cybercriminals would take advantage of the increase in the number of remote workers who rely on their own personal networks, which are much less secure than the networks of their workplaces. That is why only those organizations that can adapt to serious changes caused by unforeseen events are considered able to properly respond to such harsh conditions.
The cybersecurity landscape is evolving every day and keeping up with the most complex cyber threats means using the most modern technologies to combat these threats.
How SOAR Helps to Increase the Level of Your Threat Hunting
SOAR is a term coined by Gartner and means Security Organization, Automation and Response. In practice, SOAR is a highly developed security solution that instantly affects the capabilities of your SOC for faster and more efficient execution of SECOP operations.
The biggest advantages of SOAR are related to the fact that this technology is based on progressive automation and orchestration, which means that SOAR uses machine learning to optimize your normal workflows.
What SOAR can do for the efficiency of a single SOC is truly amazing, since many important aspects of SOC performance are improved with SOAR. For example, the track record of Cloud SOAR shows an irreplaceable impact on SOC performance:
Improved response time by 80% thanks to the automatic processing of more than 150 incidents per day
More than 500 alerts are sorted per day in 55 seconds before turning into full-fledged incidents
The number of false positives has been reduced
performance of 10 times per second
Increases the number of resolved incidents by 300%
Increases incident response time by 80%
What distinguishes SOAR from any other security technology is that SOAR directly affects your workflows using progressive automation. This means that SOAR learns from experience with certain types of warnings, distinguishes between false warnings and applies the recommended set of actions when a similar warning is detected in the system.
In addition, by offering a single dashboard, SOAR allows SOC teams to have much greater visibility across all endpoints, allowing analysts and threat hunters to expand their threat detection capabilities and detect cyber threats on the go.
And, given that thousands of alerts are currently being sent to the SOC, every SOC team is in dire need of a solution that would almost double the incident response time and triple the number of incidents resolved.
Only with SOAR will your analysts have the time and freedom to use the potential of their threat detection skills and successfully respond to every warning received in real time.
Learn more about how SOAR can improve threat detection and overall SOC performance by reading this detailed guide.
?
Conclusion
It is, of course, disorienting, and frustrating when you are hacked. However, it is better to keep your cool and take the necessary steps to reduce the damage and remove hackers from your organization.
There are no 100% security promises by any vendor or organization,
But we can limit the damage by strategizing the suitable security investments and mature and reviewing the incident process, which may help us take the right emergency action after hacking.
?
Reference ?
10 Common cyber incident response mistakes. https://assets.kpmg/content/dam/kpmg/pdf/2016/04/cyber-incident-response.pdf
WHAT TO DO BEFORE AND AFTER A CYBERSECURITY BREACH .... https://followcybersecurity.com/2021/01/13/what-to-do-before-and-after-a-cybersecurity-breach/
7 Incident Response Metrics and How to Use Them. https://securityscorecard.com/blog/how-to-use-incident-response-metrics
Responding to Computer Security Incidents - BH Consulting. https://bhconsulting.ie/responding-to-computer-security-incidents/
Why proactive threat hunting will be a necessity in 2021 .... https://www.sumologic.com/blog/why-proactive-threat-hunting-is-a-necessity-in-2021/
Enterprise Account Manager at ImmersiveLabs
2 年100% ! Great article Noorul ??