Incident Response and Threat Intelligence: A Potent One-Two Punch to Fight Cybercrime
Cybercriminals and their tactics are becoming increasingly sophisticated. Given the rash of widespread, devastating attacks thus far in 2017, this trend shows no signs of slowing down.
It’s no longer enough to simply implement incident response solutions. Today’s threats require a dedicated team of security experts to maximize these tools with dynamic, continuously updated threat intelligence.
Advice From an Incident Response Expert
At the recent Black Hat event, Mike Oppenheim, global research lead for IBM X-Force Incident Response and Intelligence Services (IRIS), took the time to share his thoughts on some of the major threats that have wreaked havoc so far in 2017. He also discussed the successes of X-Force IRIS and revealed why combining incident response and intelligence into a single team is so crucial to the fight against cybercrime.
Question: We’re now more than halfway through 2017, and the year has already seen some serious and far-reaching cyberattacks. Where do you think the industry stands today, and what are the major lessons we can draw from attacks such as WannaCry and Petya?
Oppenheim: This year, we’ve seen some huge global events utilize destructive malware to take down customers’ environments. These types of attacks are truly impactful to people’s businesses and people’s lives.
I think what we’ve seen so far really highlights the need for visibility within networks and underscores the need for companies to have a good incident response plan so that they know how to respond in the face of these huge global incidents.
At the end of the day, it comes down to having visibility within your network as well as the speed at which you’re able to respond. These are two lessons the industry has learned from recent events, especially those that were as widespread as WannaCry and Petya/NonPetya.
Let’s talk a bit now about X-Force IRIS. Your team combines incident response and threat intelligence. Why do you think putting these two services together is such a good fit?
IRIS is indeed two different practices within one. And the combination of incident response and intel really does prove beneficial. I am the global lead for research on the IRIS Intel team, and we learn a lot from incident response incidents. We’re on the ground when attackers are most likely active in an environment, so we’re able to collect a lot of data and understand how the attacks and attackers are actually operating. But we’ve also been through a lot of cases and do a lot of external research so that once we start dealing with a particular threat actor or a particular technique or methodology, we very likely already know what it is. And then we, of course, try to determine how to respond appropriately to the given threat.
By having the incident response team on the ground and the intel team helping support them not only with collection of data, but also providing operational and tactical data to the team on the front line, we can provide a really good response service to try to figure out root cause analysis and also stop attackers from actually accomplishing their goals.
What do you consider some of the IRIS team’s major successes this year?
As I just said, we do a combination of intelligence work and incident response work for our customers. Earlier this year, we responded to a couple Shamoon incidents. Shamoon is another piece of destructive malware, one that is a more targeted than, say, WannaCry.
But we ended up focusing not on Shamoon directly, because a lot of people already knew what Shamoon was doing, which was destroying networks. So instead, we tried to focus on the other parts of the attack life cycle, like how did these attackers who were using Shamoon actually get within victim environments? How did they escalate privileges and then move the Shamoon malware throughout the network to take it down?
We were actually able to do a lot of research to try to figure out how this particular set of actors who were responsible for Shamoon ended up getting within victim environments. What we ended up finding is that they were using spear phishing emails with an attachment, utilizing a malicious Word document that utilized a macro that invoked PowerShell.
While most people were just focusing on the end results of these attacks, we were striving to understand how the attackers went about their attack and what they did to accomplish their mission once they were in. I consider this one of our biggest successes because, ultimately, we were able to provide our data and analyses and intelligence to our customers so that they could defend themselves and, getting back to the importance of speed, also respond much more quickly in the future to prevent an attack like Shamoon.
It definitely sounds like IRIS is doing important work to help customers, but how does the work you do impact the overall IBM Security organization?
On the intel side, what IRIS is trying to do is focus on all the different threat actors and track as much of their activity as we can. Again, we want to spot them across the entire attack life cycle, not just looking at the final goal of what they’re trying to accomplish, but understanding how they get to that point. Just as in the case of Shamoon, we’re continually asking: How do these threat actors first get into the network? How do they escalate privileges? How do they move laterally? What types of tools and infrastructure are they using?
By tracking these types of activities, we can improve not only IBM Security Services such as our incident response practice, but also IBM products. If we’re able to track all the different malware and techniques that threat actors are using, we can build it into detection and into our response plans on the services side and also in our IBM products.