Cybercriminals and their tactics are becoming increasingly sophisticated. Given the rash of widespread, devastating attacks thus far in 2017, this trend shows no signs of slowing down.

It’s no longer enough to simply implement incident response solutions. Today’s threats require a dedicated team of security experts to maximize these tools with dynamic, continuously updated threat intelligence.

Advice From an Incident Response Expert

At the recent Black Hat event, Mike Oppenheim, global research lead for IBM X-Force Incident Response and Intelligence Services (IRIS), took the time to share his thoughts on some of the major threats that have wreaked havoc so far in 2017. He also discussed the successes of X-Force IRIS and revealed why combining incident response and intelligence into a single team is so crucial to the fight against cybercrime.

Question: We’re now more than halfway through 2017, and the year has already seen some serious and far-reaching cyberattacks. Where do you think the industry stands today, and what are the major lessons we can draw from attacks such as WannaCry and Petya?

Oppenheim: This year, we’ve seen some huge global events utilize destructive malware to take down customers’ environments. These types of attacks are truly impactful to people’s businesses and people’s lives.

I think what we’ve seen so far really highlights the need for visibility within networks and underscores the need for companies to have a good incident response plan so that they know how to respond in the face of these huge global incidents.

At the end of the day, it comes down to having visibility within your network as well as the speed at which you’re able to respond. These are two lessons the industry has learned from recent events, especially those that were as widespread as WannaCry and Petya/NotPetya.

Question: Let’s talk a bit now about X-Force IRIS. Your team combines incident response and threat intelligence. Why do you think putting these two services together is such a good fit?

Oppenheim: IRIS is indeed two different practices within one. And the combination of incident response and intel really does prove beneficial. I am the global lead for research on the IRIS Intel team, and we learn a lot from incident response incidents. We’re on the ground when attackers are most likely active in an environment, so we’re able to collect a lot of data and understand how the attacks and attackers are actually operating. But we’ve also been through a lot of cases and do a lot of external research so that once we start dealing with a particular threat actor or a particular technique or methodology, we very likely already know what it is. And then we, of course, try to determine how to respond appropriately to the given threat.

By having the incident response team on the ground and the intel team helping support them not only with collection of data, but also providing operational and tactical data to the team on the front line, we can provide a really good response service to try to figure out root cause analysis and also stop attackers from actually accomplishing their goals.

Question: What do you consider some of the IRIS team’s major successes this year?

Oppenheim: As I just said, we do a combination of intelligence work and incident response work for our customers. Earlier this year, we responded to a couple of Shamoon incidents. Shamoon is another piece of destructive malware, one that is more targeted than, say, WannaCry.

But we ended up focusing not on Shamoon directly, because a lot of people already knew what Shamoon was doing, which was destroying networks. So instead, we tried to focus on the other parts of the attack life cycle, like how did these attackers who were using Shamoon actually get within victim environments? How did they escalate privileges and then move the Shamoon malware throughout the network to take it down?

We were actually able to do a lot of research to try to figure out how this particular set of actors who were responsible for Shamoon ended up getting within victim environments. What we ended up finding is that they were using spear phishing emails with an attachment, utilizing a malicious Word document that utilized a macro that invoked PowerShell.

While most people were just focusing on the end results of these attacks, we were striving to understand how the attackers went about their attack and what they did to accomplish their mission once they were in. I consider this one of our biggest successes because, ultimately, we were able to provide our data and analyses and intelligence to our customers so that they could defend themselves and, getting back to the importance of speed, also respond much more quickly in the future to prevent an attack like Shamoon.
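The intrusion step Oppenheim describes above, a Word macro invoking PowerShell, is something a defender can look for in endpoint telemetry. The following is an added example, not code from the interview or from X-Force IRIS: it scores constructed Sysmon-style process-creation events (the field names, the sample values and the scoring weights are assumptions) and alerts when an Office application spawns a script host, weighting the alert further by command-line flags that hide, encode or bypass.

```python
import json

# Constructed sample process-creation events in a Sysmon Event ID 1 style
# (assumed field names, not real telemetry); lines 3 and 4 are benign controls.
SAMPLE_EVENTS = r"""
{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"powershell.exe -nop -w hidden -enc SQBFAFgAIAAo","User":"CORP\\jdoe"}
{"Image":"C:\\Windows\\System32\\cmd.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\EXCEL.EXE","CommandLine":"cmd.exe /c powershell -ExecutionPolicy Bypass -File C:\\Users\\Public\\x.ps1","User":"CORP\\asmith"}
{"Image":"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe","ParentImage":"C:\\Windows\\explorer.exe","CommandLine":"powershell.exe -File C:\\scripts\\backup.ps1","User":"CORP\\admin"}
{"Image":"C:\\Windows\\splwow64.exe","ParentImage":"C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE","CommandLine":"splwow64.exe 12288","User":"CORP\\jdoe"}
"""

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}
# Flags that hide the window, skip the profile, encode the payload or bypass
# execution policy; each one present adds a point to the score.
SUSPICIOUS_FLAGS = ("-enc", "-w hidden", "-windowstyle hidden",
                    "-nop", "-noprofile", "bypass")

def basename(path):
    """Lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def score_event(event):
    """Score one event: 2 points for an Office app spawning a script host,
    plus 1 per suspicious command-line flag. Returns (score, reasons)."""
    score, reasons = 0, []
    parent = basename(event.get("ParentImage", ""))
    child = basename(event.get("Image", ""))
    cmdline = event.get("CommandLine", "").lower()
    if parent in OFFICE_PARENTS and child in SCRIPT_HOSTS:
        score += 2
        reasons.append(f"office app {parent} spawned script host {child}")
    for flag in SUSPICIOUS_FLAGS:
        if flag in cmdline:
            score += 1
            reasons.append(f"suspicious flag {flag!r}")
    return score, reasons

def detect(log_text, threshold=2):
    """Parse JSON-lines events; return alerts scoring at or above threshold."""
    alerts = []
    for line in log_text.strip().splitlines():
        event = json.loads(line)
        score, reasons = score_event(event)
        if score >= threshold:
            alerts.append({"user": event.get("User"), "score": score,
                           "child": basename(event.get("Image", "")),
                           "reasons": reasons})
    return alerts
```

On the sample above, the two Office-spawned script hosts alert and the admin's scheduled script and Word's print helper do not; in production the parent list and flag set would be tuned to the environment's known-good activity.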

Question: It definitely sounds like IRIS is doing important work to help customers, but how does the work you do impact the overall IBM Security organization?

Oppenheim: On the intel side, what IRIS is trying to do is focus on all the different threat actors and track as much of their activity as we can. Again, we want to spot them across the entire attack life cycle, not just looking at the final goal of what they’re trying to accomplish, but understanding how they get to that point. Just as in the case of Shamoon, we’re continually asking: How do these threat actors first get into the network? How do they escalate privileges? How do they move laterally? What types of tools and infrastructure are they using?

By tracking these types of activities, we can improve not only IBM Security Services such as our incident response practice, but also IBM products. If we’re able to track all the different malware and techniques that threat actors are using, we can build it into detection and into our response plans on the services side and also in our IBM products.
