Cybercriminals and their tactics are becoming increasingly sophisticated. Given the rash of widespread, devastating attacks thus far in 2017, this trend shows no signs of slowing down.

It’s no longer enough to simply implement incident response solutions. Today’s threats require a dedicated team of security experts to maximize these tools with dynamic, continuously updated threat intelligence.

Advice From an Incident Response Expert

At the recent Black Hat event, Mike Oppenheim, global research lead for IBM X-Force Incident Response and Intelligence Services (IRIS), took the time to share his thoughts on some of the major threats that have wreaked havoc so far in 2017. He also discussed the successes of X-Force IRIS and revealed why combining incident response and intelligence into a single team is so crucial to the fight against cybercrime.

Question: We’re now more than halfway through 2017, and the year has already seen some serious and far-reaching cyberattacks. Where do you think the industry stands today, and what are the major lessons we can draw from attacks such as WannaCry and Petya?

Oppenheim: This year, we’ve seen some huge global events utilize destructive malware to take down customers’ environments. These types of attacks are truly impactful to people’s businesses and people’s lives.

I think what we’ve seen so far really highlights the need for visibility within networks and underscores the need for companies to have a good incident response plan so that they know how to respond in the face of these huge global incidents.

At the end of the day, it comes down to having visibility within your network as well as the speed at which you’re able to respond. These are two lessons the industry has learned from recent events, especially those that were as widespread as WannaCry and Petya/NotPetya.

Question: Let’s talk a bit now about X-Force IRIS. Your team combines incident response and threat intelligence. Why do you think putting these two services together is such a good fit?

Oppenheim: IRIS is indeed two different practices within one. And the combination of incident response and intel really does prove beneficial. I am the global lead for research on the IRIS Intel team, and we learn a lot from incident response incidents. We’re on the ground when attackers are most likely active in an environment, so we’re able to collect a lot of data and understand how the attacks and attackers are actually operating. But we’ve also been through a lot of cases and do a lot of external research so that once we start dealing with a particular threat actor or a particular technique or methodology, we very likely already know what it is. And then we, of course, try to determine how to respond appropriately to the given threat.

By having the incident response team on the ground and the intel team helping support them not only with collection of data, but also providing operational and tactical data to the team on the front line, we can provide a really good response service to try to figure out root cause analysis and also stop attackers from actually accomplishing their goals.

Question: What do you consider some of the IRIS team’s major successes this year?

Oppenheim: As I just said, we do a combination of intelligence work and incident response work for our customers. Earlier this year, we responded to a couple of Shamoon incidents. Shamoon is another piece of destructive malware, one that is more targeted than, say, WannaCry.

But we ended up focusing not on Shamoon directly, because a lot of people already knew what Shamoon was doing, which was destroying networks. So instead, we tried to focus on the other parts of the attack life cycle, like how did these attackers who were using Shamoon actually get within victim environments? How did they escalate privileges and then move the Shamoon malware throughout the network to take it down?

We were actually able to do a lot of research to try to figure out how this particular set of actors who were responsible for Shamoon ended up getting within victim environments. What we ended up finding is that they were using spear phishing emails with an attachment, utilizing a malicious Word document that utilized a macro that invoked PowerShell.

While most people were just focusing on the end results of these attacks, we were striving to understand how the attackers went about their attack and what they did to accomplish their mission once they were in. I consider this one of our biggest successes because, ultimately, we were able to provide our data and analyses and intelligence to our customers so that they could defend themselves and, getting back to the importance of speed, also respond much more quickly in the future to prevent an attack like Shamoon.
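A defender-side illustration of the entry chain Oppenheim describes (a Word macro invoking PowerShell): this is an added example, not part of the interview or of any X-Force IRIS tooling, that flags Office-to-script-host parent/child process chains in constructed Sysmon-style process-creation records. The record format, field names and sample values are assumptions made for the example.

```python
"""Flag Office-to-PowerShell process chains in process-creation logs (added example)."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Assumed names: Office parents and the script hosts a macro typically launches.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
# Command-line traits that commonly accompany macro-launched PowerShell stagers.
SUSPICIOUS_ARGS = re.compile(r"(-enc\w*|-w\s*hidden|-nop|downloadstring|iex|invoke-expression)", re.I)

@dataclass
class Finding:
    host: str
    parent: str
    image: str
    score: int
    reasons: List[str]

def parse_event(line: str) -> dict:
    """Parse one 'key=value|key=value' record (constructed Sysmon-like format)."""
    return dict(kv.split("=", 1) for kv in line.strip().split("|") if "=" in kv)

def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def evaluate(event: dict) -> Optional[Finding]:
    """Return a Finding when an Office process spawns a script host; None otherwise."""
    parent, image = basename(event.get("ParentImage", "")), basename(event.get("Image", ""))
    if parent not in OFFICE_PARENTS or image not in SCRIPT_HOSTS:
        return None
    reasons, score = [f"{parent} spawned {image}"], 50   # chain alone is worth a look
    if m := SUSPICIOUS_ARGS.search(event.get("CommandLine", "")):
        reasons.append(f"suspicious argument: {m.group(0)}")  # stager-like args raise priority
        score += 40
    return Finding(event.get("Computer", "?"), parent, image, score, reasons)

def scan(lines) -> List[Finding]:
    return [f for f in (evaluate(parse_event(l)) for l in lines if l.strip()) if f]

# Constructed sample events: a macro-launched stager, a benign script, and a bare Excel-to-cmd chain.
SAMPLE_LOG = """\
EventID=1|Computer=WS01|ParentImage=C:\\Program Files\\Microsoft Office\\WINWORD.EXE|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -nop -w hidden -enc SQBFAFgA
EventID=1|Computer=WS02|ParentImage=C:\\Windows\\explorer.exe|Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe|CommandLine=powershell.exe -File backup.ps1
EventID=1|Computer=WS03|ParentImage=C:\\Program Files\\Microsoft Office\\EXCEL.EXE|Image=C:\\Windows\\System32\\cmd.exe|CommandLine=cmd.exe /c dir
"""

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG.splitlines()):
        print(f"[{f.score}] {f.host}: {' ; '.join(f.reasons)}")
```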

Question: It definitely sounds like IRIS is doing important work to help customers, but how does the work you do impact the overall IBM Security organization?

Oppenheim: On the intel side, what IRIS is trying to do is focus on all the different threat actors and track as much of their activity as we can. Again, we want to spot them across the entire attack life cycle, not just looking at the final goal of what they’re trying to accomplish, but understanding how they get to that point. Just as in the case of Shamoon, we’re continually asking: How do these threat actors first get into the network? How do they escalate privileges? How do they move laterally? What types of tools and infrastructure are they using?

By tracking these types of activities, we can improve not only IBM Security Services such as our incident response practice, but also IBM products. If we’re able to track all the different malware and techniques that threat actors are using, we can build it into detection and into our response plans on the services side and also in our IBM products.
