Cybercriminals and their tactics are becoming increasingly sophisticated. Given the rash of widespread, devastating attacks thus far in 2017, this trend shows no signs of slowing down.

It’s no longer enough to simply implement incident response solutions. Today’s threats require a dedicated team of security experts to maximize these tools with dynamic, continuously updated threat intelligence.

Advice From an Incident Response Expert

At the recent Black Hat event, Mike Oppenheim, global research lead for IBM X-Force Incident Response and Intelligence Services (IRIS), took the time to share his thoughts on some of the major threats that have wreaked havoc so far in 2017. He also discussed the successes of X-Force IRIS and revealed why combining incident response and intelligence into a single team is so crucial to the fight against cybercrime.

Question: We’re now more than halfway through 2017, and the year has already seen some serious and far-reaching cyberattacks. Where do you think the industry stands today, and what are the major lessons we can draw from attacks such as WannaCry and Petya?

Oppenheim: This year, we’ve seen some huge global events utilize destructive malware to take down customers’ environments. These types of attacks are truly impactful to people’s businesses and people’s lives.

I think what we’ve seen so far really highlights the need for visibility within networks and underscores the need for companies to have a good incident response plan so that they know how to respond in the face of these huge global incidents.

At the end of the day, it comes down to having visibility within your network as well as the speed at which you’re able to respond. These are two lessons the industry has learned from recent events, especially those that were as widespread as WannaCry and Petya/NotPetya.

Question: Let’s talk a bit now about X-Force IRIS. Your team combines incident response and threat intelligence. Why do you think putting these two services together is such a good fit?

Oppenheim: IRIS is indeed two different practices within one. And the combination of incident response and intel really does prove beneficial. I am the global lead for research on the IRIS Intel team, and we learn a lot from incident response incidents. We’re on the ground when attackers are most likely active in an environment, so we’re able to collect a lot of data and understand how the attacks and attackers are actually operating. But we’ve also been through a lot of cases and do a lot of external research so that once we start dealing with a particular threat actor or a particular technique or methodology, we very likely already know what it is. And then we, of course, try to determine how to respond appropriately to the given threat.

By having the incident response team on the ground and the intel team helping support them not only with collection of data, but also providing operational and tactical data to the team on the front line, we can provide a really good response service to try to figure out root cause analysis and also stop attackers from actually accomplishing their goals.

Question: What do you consider some of the IRIS team’s major successes this year?

Oppenheim: As I just said, we do a combination of intelligence work and incident response work for our customers. Earlier this year, we responded to a couple of Shamoon incidents. Shamoon is another piece of destructive malware, one that is more targeted than, say, WannaCry.

But we ended up focusing not on Shamoon directly, because a lot of people already knew what Shamoon was doing, which was destroying networks. So instead, we tried to focus on the other parts of the attack life cycle, like how did these attackers who were using Shamoon actually get within victim environments? How did they escalate privileges and then move the Shamoon malware throughout the network to take it down?

We were actually able to do a lot of research to try to figure out how this particular set of actors who were responsible for Shamoon ended up getting within victim environments. What we ended up finding is that they were using spear phishing emails with an attachment, utilizing a malicious Word document that utilized a macro that invoked PowerShell.

While most people were just focusing on the end results of these attacks, we were striving to understand how the attackers went about their attack and what they did to accomplish their mission once they were in. I consider this one of our biggest successes because, ultimately, we were able to provide our data and analyses and intelligence to our customers so that they could defend themselves and, getting back to the importance of speed, also respond much more quickly in the future to prevent an attack like Shamoon.
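The initial-access chain Oppenheim describes above (a macro-enabled Word attachment whose macro launches PowerShell) is visible to defenders as a parent/child process relationship: an Office application spawning a script host. The following is an added example, not code from the article or from IBM X-Force, of the detection logic a team might run over process-creation telemetry. It generalizes slightly beyond the Word-to-PowerShell case in the text by treating any common Office application as a suspicious parent and any common script host (including cmd.exe, since a macro may go through a shell first) as a suspicious child, and it raises the severity when the command line carries flags typical of hidden or encoded execution. The log format (pipe-separated parent image, child image, command line), the field names and all sample events are constructed for the example and are not a real product's schema.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample process-creation events (hypothetical Sysmon-style data):
# parent image | child image | child command line, one event per line.
# The -enc payload "AAAA" is a placeholder, not a real encoded command.
SAMPLE_EVENTS = r"""
C:\Windows\explorer.exe|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" invoice.docm
C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe -nop -w hidden -enc AAAA
C:\Windows\System32\cmd.exe|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|powershell.exe Get-Process
C:\Program Files\Microsoft Office\root\Office16\EXCEL.EXE|C:\Windows\System32\cmd.exe|cmd.exe /c powershell -ep bypass -File C:\Users\Public\x.ps1
C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"WINWORD.EXE" /n
"""

# Office applications that should essentially never spawn a script host.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}

# Script hosts and shells commonly launched by a malicious macro.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe",
                "cscript.exe", "mshta.exe"}

# Command-line flags associated with hidden / encoded / policy-bypassing execution.
SUSPICIOUS_FLAGS = re.compile(
    r"(?i)(-enc(odedcommand)?\b|-nop\b|-w(indowstyle)?\s+hidden|-e(xecutionpolicy|p)\s+bypass)"
)


@dataclass
class ProcessEvent:
    parent_image: str
    image: str
    command_line: str


def parse_events(text: str) -> List[ProcessEvent]:
    """Parse the constructed pipe-separated format; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 2)
        if len(parts) != 3:
            continue
        events.append(ProcessEvent(*parts))
    return events


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def classify(ev: ProcessEvent) -> Optional[str]:
    """Return a severity for an Office -> script host chain, or None if the event is benign."""
    parent, child = basename(ev.parent_image), basename(ev.image)
    if parent not in OFFICE_PARENTS or child not in SCRIPT_HOSTS:
        return None
    # The parent/child pair alone is worth a medium alert; tell-tale flags make it high.
    return "high" if SUSPICIOUS_FLAGS.search(ev.command_line) else "medium"


def find_office_script_chains(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (severity, parent, child, command line) for every flagged event."""
    alerts = []
    for ev in parse_events(text):
        severity = classify(ev)
        if severity:
            alerts.append((severity, basename(ev.parent_image), basename(ev.image),
                           ev.command_line))
    return alerts


if __name__ == "__main__":
    for severity, parent, child, cmdline in find_office_script_chains(SAMPLE_EVENTS):
        print(f"[{severity.upper()}] {parent} -> {child}: {cmdline}")
```

Run against the constructed sample, the rule flags only the two Office-spawned chains (Word launching PowerShell with hidden/encoded flags, and Excel launching cmd.exe which in turn invokes PowerShell with a policy bypass) and ignores the ordinary cmd.exe-to-PowerShell and Outlook-to-Word events. In a real deployment the same parent/child logic would be expressed in the SIEM or EDR query language, and the allow-list of Office parents would be tuned to the applications actually present in the environment.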

Question: It definitely sounds like IRIS is doing important work to help customers, but how does the work you do impact the overall IBM Security organization?

Oppenheim: On the intel side, what IRIS is trying to do is focus on all the different threat actors and track as much of their activity as we can. Again, we want to spot them across the entire attack life cycle, not just looking at the final goal of what they’re trying to accomplish, but understanding how they get to that point. Just as in the case of Shamoon, we’re continually asking: How do these threat actors first get into the network? How do they escalate privileges? How do they move laterally? What types of tools and infrastructure are they using?

By tracking these types of activities, we can improve not only IBM Security Services such as our incident response practice, but also IBM products. If we’re able to track all the different malware and techniques that threat actors are using, we can build it into detection and into our response plans on the services side and also in our IBM products.
