Search icon CANCEL
Subscription
0
Cart icon
Your Cart (0 item)
Close icon
You have no products in your basket yet
Arrow left icon
Explore Products
Best Sellers
New Releases
Books
Videos
Audiobooks
Learning Hub
Free Learning
Arrow right icon
Arrow up icon
GO TO TOP
Incident Response with Threat Intelligence

You're reading from   Incident Response with Threat Intelligence Practical insights into developing an incident response capability through intelligence-based threat hunting

Arrow left icon
Product type Paperback
Published in Jun 2022
Publisher Packt
ISBN-13 9781801072953
Length 468 pages
Edition 1st Edition
Languages
Arrow right icon
Author (1):
Arrow left icon
Roberto Martinez Roberto Martinez
Author Profile Icon Roberto Martinez
Roberto Martinez
Arrow right icon
View More author details
Toc

Table of Contents (20) Chapters Close

Preface 1. Section 1: The Fundamentals of Incident Response
2. Chapter 1: Threat Landscape and Cybersecurity Incidents FREE CHAPTER 3. Chapter 2: Concepts of Digital Forensics and Incident Response 4. Chapter 3: Basics of the Incident Response and Triage Procedures 5. Chapter 4: Applying First Response Procedures 6. Section 2: Getting to Know the Adversaries
7. Chapter 5: Identifying and Profiling Threat Actors 8. Chapter 6: Understanding the Cyber Kill Chain and the MITRE ATT&CK Framework 9. Chapter 7: Using Cyber Threat Intelligence in Incident Response 10. Section 3: Designing and Implementing Incident Response in Organizations
11. Chapter 8: Building an Incident Response Capability 12. Chapter 9: Creating Incident Response Plans and Playbooks 13. Chapter 10: Implementing an Incident Management System 14. Chapter 11: Integrating SOAR Capabilities into Incident Response 15. Section 4: Improving Threat Detection in Incident Response
16. Chapter 12: Working with Analytics and Detection Engineering in Incident Response 17. Chapter 13: Creating and Deploying Detection Rules 18. Chapter 14: 
Hunting and Investigating Security Incidents 19. Other Books You May Enjoy

Knowing the threat landscape

When a cybersecurity strategy is based solely on a defensive posture, without an understanding of current threats and the capabilities of adversaries to achieve their goals by evading security controls and avoiding detection, there is a risk of developing very limited capabilities that will rarely be efficient. It is the equivalent of being in a completely dark room, without being able to see anything, knowing that at some point, someone could try to hurt us, but without knowing the exact moment or the way in which this will happen. It's like walking blind without seeing the way.

The increase in the number of cyber attacks in the world on major sectors such as government, finance, manufacturing, health, education, critical infrastructures, small and medium-sized enterprises, and individuals, finally turned on the alert for strategies and investments needed to raise the level of protection and response of organizations to the possibility of becoming the next target.

In that sense, one of the biggest challenges for cybersecurity professionals is first to evolve and create protection and response strategies at the same speed with which new threats appear and then go one step further using threat intelligence information. The threat landscape is changing every day, cyber threats are evolving and becoming more dangerous, and the forms of protection that worked before may not be efficient enough today, which is why organizations need to develop the ability to adapt and switch from a reactive posture to a proactive attitude. Any regional or global context or situation can generate new risks and change the threat landscape drastically.

Is COVID-19 also a cyber-pandemic?

The COVID-19 outbreak completely changed the course of things and showed that countries around the world were not in a position to deal with it, and although scientific and technological advances enabled the development and manufacture of a vaccine in record time, the coordination and budgets required failed to solve the problem in the short term. This incident, in the same way as a cybersecurity incident, shows us once again the importance of being prepared and having a plan in case a threat materializes.

This global health crisis formed the perfect storm, many things changed in the workplace and at home, more people started using their digital devices, made online purchases, used financial apps instead of going to the bank, subscribed to streaming services, and took their classes online. The companies sent their employees and collaborators to work at home and, in some cases, asked them to use their own devices to do their job.

Cybercriminals and Advanced Persistent Threat (APT) groups know how to find and use the time and circumstances to launch their offensive campaigns and operations successfully, and this was an amazing opportunity for them.

In August 2020, Interpol published the report Cybercrime: COVID-19 Impact about the increase in cyber attacks, especially against individuals, companies, government, and healthcare infrastructure. According to this report, in the period January-April, the key cyber threats were phishing and scam fraud, accounting for 59% of incidents, malware and ransomware – 36%, malicious domains – 22%, and the dissemination of fake news – 14%. In all cases, the common factor was content or topics related to COVID-19. Meanwhile, according to the FBI, the number of complaints in relation to cyber attacks stood at 4,000 per day, roughly a 400% increase since the start of the pandemic:

Figure 1.1 – Distribution of the key COVID-19 inflicted cyber threats based on member countries' feedback (source: Interpol's Cybercrime COVID-19 Impact report)

Figure 1.1 – Distribution of the key COVID-19 inflicted cyber threats based on member countries' feedback (source: Interpol's Cybercrime COVID-19 Impact report)

In the words of Jürgen Stock, Secretary-General of INTERPOL, "Cybercriminals are developing and driving their attacks on people in an alarming way, and they also exploit the fear and uncertainty caused by the unstable social and economic situation created by COVID-19."

Cyber espionage against pharmaceutical companies

The urgency of developing a COVID-19 vaccine began a race against time in the pharmaceuticals industry. Unsurprisingly, these companies became a natural target of threat actors. Kaspersky discovered in late September 2020 that a group known as Lazarus had started a cyber espionage campaign against a pharmaceuticals company and a health ministry. Although different tactics, techniques, and procedures (TTPs) were used in both attacks, common elements were found that could attribute the attack to that group.

Cyber attacks targeting hospitals

Although some cybercriminal groups reported that they would not attack health organizations at the beginning of the pandemic, some of them did attack hospitals, including the Department of Health and Human Services.

In October 2020, the Department of Homeland Security (DHS) and the FBI issued an alert about an imminent threat of ransomware attacks on the U.S. healthcare system.

In the Czech Republic, a COVID-19 testing center hospital was compromised by a cyber attack, affecting its systems and disrupting the normal functioning of its operations, so that some urgent surgeries had to be postponed and several patients had to be sent to nearby hospitals.

Insecure home office

The need to adopt a home office model as a preventive measure to reduce the expansion of the pandemic surprised many organizations and their employees. According to the Kaspersky study How COVID-19 changed the way people worked, 46% of respondents said that had never worked from home before and 73% of workers did not receive security awareness training about the risks of working from home.

This scenario increased the demand for remote working applications and services such as video conferencing, collaboration, file sharing, and remote connection. Employees also began to perform a practice known as Shadow IT, which involves the use of unauthorized or company-evaluated applications; for example, 42% of respondents said that they were using their personal email accounts for work and 38% used personal instant messaging apps, making it a security problem because, according to Kaspersky's telemetry, there were 1.66 million Trojans detected related to such applications.

Additionally, IT teams had to adapt their infrastructure in some cases in an impromptu manner and without considering the security measures. For example, enabling remote connections directly to the company's servers from the internet opened a potential attack vector that was at once exploited by cybercriminals. According to Kaspersky, the number of brute-force attack attempts on the Remote Desktop Protocol (RDP) has soared significantly since the beginning of March 2020, reaching 3.3 billion attempts, compared to 969 million in the same period of the previous year.

Supply chain attacks

Supply chain attacks have been increasing in recent years. The main reason is that organizations have not considered these attacks within their threat modeling and cannot visualize them as a relevant attack surface.

The main risk of this threat is that it is difficult to detect. Usually, third-party services or tools are considered part of the company's ecosystem and are reliable, having a high trust level. Hence, the levels of security assessment and monitoring are more relaxed.

There are several cases related to supply chain attacks, including the compromise of the application CCleaner, which is a tool used by many companies around the world, or the attack known as ShadowHammer, where the ASUS live utility that comes pre-installed on that brand's computers and serves to update various components such as firmware, UEFI BIOS, drivers, and some applications, was compromised.

Without a doubt, however, one of the supply chain attacks that has had the most impact was the attack on the SolarWinds company discovered in December 2020. On December 8, the FireEye company revealed that they had been the victims of a cyber attack. The attackers had stolen tools that their Red Team teams used to conduct security assessments, and the attack vector was a SolarWinds tool installed in the company.

The attack's impact is unprecedented and affected even large technology companies such as Microsoft, Intel, Nvidia, Cisco, VMware, and at least 18,000 other companies worldwide and changed the threat level of this kind of attack for organizations.

You have been reading a chapter from
Incident Response with Threat Intelligence
Published in: Jun 2022
Publisher: Packt
ISBN-13: 9781801072953
Register for a free Packt account to unlock a world of extra content!
A free Packt account unlocks extra newsletters, articles, discounted offers, and much more. Start advancing your knowledge today.
Unlock this book and the full library FREE for 7 days
Get unlimited access to 7000+ expert-authored eBooks and videos courses covering every tech area you can think of
Renews at $19.99/month. Cancel anytime
Banner background image