By Karen Levy, Vice President, Product and Client Marketing, Recorded Future
Cybercriminals now run their operations much like legitimate businesses. Criminal groups have organizational structures, with threat actors taking defined roles and using common business tools, including lead generation apps such as Lead411 and UpLead. To streamline operations and achieve higher payouts, automation has become a game-changing tactic. It can be applied at any stage of the cyber kill chain, from reconnaissance to initial access, privilege escalation, and data exfiltration. In response, legitimate organizations need to move beyond manual techniques; otherwise they will find themselves outgunned, outmaneuvered, and out of luck.
Businesses need to fight fire with fire and use automation across their security operations. Security Orchestration, Automation, and Response (SOAR), which combines security orchestration and automation with security incident response platforms (SIRP) and threat intelligence platforms (TIP), is just one part of the puzzle. For a fully rounded defense, businesses must also automate other elements of their security operations, such as decision making, intelligence gathering, blocking, and alerting.
Managing External and Internal Threats
The relationship between an IT security team and the threat actors trying to infiltrate its network is like a game of chess, each trying to outmaneuver the other. However, threat actors have the advantage of setting the timeline of an attack and of conducting research and reconnaissance to work out how best to achieve their objective. That research can draw on lessons learned from past attacks, as well as on tools and tradecraft shared by other actors.
From this information, threat actors develop a game plan for what to target and which attack vector is most effective. For example, if they hear that an organization does little in the way of security awareness training, a phishing campaign might be most effective. Or they may find that a firm exposes Remote Desktop Protocol (RDP) to the internet with weak authentication and use that as a method of infiltration.
Intelligence about the external threats it faces is invaluable to an organization. If a company knows it is being targeted and has an idea of the threat actor's tactics, techniques, and procedures (TTPs), then effective defensive measures can be put in place.
However, trying to gather, analyze, and then act upon intelligence manually is resource heavy and error-prone. For instance, an organization might decide to integrate a threat data feed into its security information and event management (SIEM) solution. Such a feed could include a stream of suspicious domains, lists of known malware hashes, IP addresses associated with malicious activity, or code shared on paste sites. Any match between the feed and the internal telemetry of the organization's security infrastructure is sent to the IT security team as an alert, with no context about why the indicator matters or how confident the source is.
This is further complicated by security teams receiving alerts from actions carried out within the organization too. The issue is that alerts can be triggered by almost any activity that an organization’s monitoring system might find suspicious, particularly if the alert parameters are not well defined.
Each of these alerts has to be triaged, which takes up huge amounts of time, diverting IT security professionals away from other tasks, as well as making it near impossible to determine which threats to act upon first.
The total number of alerts generated by internal and external threats can easily overwhelm security teams, resulting in alert fatigue. This is a serious issue for an organization's security posture, because it leads to security professionals simply ignoring alerts. Research from Cisco (2017 Annual Cybersecurity Report) found that 44 percent of the alerts security teams receive each day are never investigated, which could equate to many genuine threats to the network going unnoticed. Of the remaining 56 percent of alerts that are investigated, only 28 percent are deemed legitimate threats, meaning that a significant share of what analysts do look at is false positives.
Automation can help address this issue by collecting unstructured data from disparate open, closed, and technical sources, then connecting the dots by providing context on indicators of compromise (IoCs) and the TTPs of threat actors. This creates actionable security intelligence that is timely, provides context, and is easily understood by security decision-makers.
Furthermore, automated security intelligence tools provide security teams with access to contextualized internal alerts that not only help them to prioritize those that need human intervention but also reduce the number of false positives. This enables the security team to focus on what really matters as well as keep an organization safe.
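To make the difference between a raw feed match and a contextualized alert concrete, here is an added example (not code from the article or from Recorded Future's products). It first does what the SIEM integration described above does, matching indicators from a feed against log lines with no context, and then enriches each hit with the feed's risk score and source count, the asset's criticality, and whether the internal control already blocked the activity, so that low-confidence matches are suppressed and the rest are ranked. The feed entries, log lines, asset criticality table and scoring thresholds are all constructed for illustration; the MD5 entry is the well-known hash of an empty file, included as a typical false-positive indicator.

```python
"""Raw IoC matching versus context-aware triage (added example, constructed data)."""
import re

# Constructed threat feed: indicator -> intelligence context. Risk scores,
# source counts and descriptions are illustrative, not from a real feed.
THREAT_FEED = {
    "update-checker.example.net": {"type": "domain", "risk": 92, "sources": 4,
                                   "context": "C2 domain for a loader campaign"},
    "203.0.113.45": {"type": "ip", "risk": 35, "sources": 1,
                     "context": "single scanner report, two months old"},
    "d41d8cd98f00b204e9800998ecf8427e": {"type": "hash", "risk": 10, "sources": 1,
                                         "context": "MD5 of an empty file"},
    "198.51.100.7": {"type": "ip", "risk": 78, "sources": 3,
                     "context": "RDP brute-force source"},
}

# Constructed asset inventory: how much a hit on this host matters (1 low, 3 high).
ASSET_CRITICALITY = {"srv-db-01": 3, "vpn-gw": 3, "wks-042": 1, "wks-019": 1}

# Constructed telemetry lines in a simple "timestamp source key=value ..." format.
LOGS = [
    "2024-03-01T10:02:11Z dns host=wks-042 query=update-checker.example.net",
    "2024-03-01T10:02:13Z proxy host=wks-042 dst=203.0.113.45 bytes=8213",
    "2024-03-01T10:05:00Z edr host=srv-db-01 md5=d41d8cd98f00b204e9800998ecf8427e",
    "2024-03-01T10:06:30Z fw host=vpn-gw src=198.51.100.7 dport=3389 action=deny",
    "2024-03-01T10:07:00Z dns host=wks-019 query=intranet.example.internal",
]

KV_RE = re.compile(r"(\w+)=(\S+)")
PRIORITY_RANK = {"P1": 0, "P2": 1, "P3": 2, "suppressed": 3}


def parse_event(line):
    """Split one log line into a dict of fields (timestamp, source, key=value pairs)."""
    ts, source, rest = line.split(" ", 2)
    return {"ts": ts, "source": source, **dict(KV_RE.findall(rest))}


def match_indicators(lines, feed=THREAT_FEED):
    """Plain feed-to-telemetry matching: one alert per hit, no context attached."""
    alerts = []
    for line in lines:
        event = parse_event(line)
        for field, value in event.items():
            if value in feed:
                alerts.append({"ts": event["ts"], "host": event.get("host", "?"),
                               "field": field, "indicator": value, "event": event})
    return alerts


def enrich_and_prioritize(alerts, feed=THREAT_FEED, criticality=ASSET_CRITICALITY):
    """Attach feed context and asset context, suppress weak hits, rank the rest.

    Thresholds are illustrative: a single-source, low-risk indicator or a very
    low-risk one is suppressed; otherwise risk plus asset weight sets priority,
    and a hit the firewall already denied is capped at P2.
    """
    triaged = []
    for alert in alerts:
        intel = feed[alert["indicator"]]
        crit = criticality.get(alert["host"], 1)
        blocked = alert["event"].get("action") == "deny"
        if intel["risk"] < 25 or (intel["sources"] < 2 and intel["risk"] < 50):
            priority = "suppressed"
        else:
            score = intel["risk"] + 10 * crit
            priority = "P1" if score >= 90 else "P2" if score >= 60 else "P3"
            if blocked and priority == "P1":
                priority = "P2"
        triaged.append({"indicator": alert["indicator"], "host": alert["host"],
                        "priority": priority, "risk": intel["risk"],
                        "sources": intel["sources"], "blocked": blocked,
                        "context": intel["context"]})
    return sorted(triaged, key=lambda t: PRIORITY_RANK[t["priority"]])


if __name__ == "__main__":
    raw = match_indicators(LOGS)
    print(f"{len(raw)} raw alerts, no context:")
    for a in raw:
        print(f"  {a['ts']} {a['host']} {a['field']}={a['indicator']}")
    print("after enrichment:")
    for t in enrich_and_prioritize(raw):
        print(f"  [{t['priority']}] {t['host']} {t['indicator']} "
              f"risk={t['risk']} sources={t['sources']} blocked={t['blocked']} ({t['context']})")
```

Running this turns four context-free matches into two alerts an analyst should act on, ordered by priority, and two suppressed hits (the stale single-source IP and the empty-file hash). The brute-force source is kept but downgraded because the firewall already denied the connection, which is exactly the kind of internal context the paragraph above is describing.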
Improving Workflows and Responses
An internal cybersecurity ecosystem is complex, with many different tools to monitor, such as the SIEM, the SOAR platform, and firewalls. Moving from one to another to correlate different information sources and discover the reason behind a particular suspicious activity is time-consuming and stressful. The stress comes from the pressure to resolve an issue both quickly and accurately. For example, is a spike in an organization's bandwidth due to someone sharing a very large file, or the start of a DDoS attack? The last thing a security analyst wants to do is either prevent the CEO from sharing the latest annual report video with a prospective client or let an attack unfold through inaction. It therefore comes as no surprise that research by the Ponemon Institute found that around 65 percent of IT security staff had considered quitting their roles because of stress. The stress surrounding these jobs is also likely to impair decision making, meaning a significant threat could be missed. Further, the cyber-skills shortage means that no organization can afford to lose a seasoned IT security professional.
Using automation to feed the information from all these intelligence sources into existing tools limits the need to change and disrupt workflows and streamlines efforts. This makes life much easier for security professionals to have the rich context they need for making timely decisions, while also helping to reduce the stress they are under.
As automation spreads through the cybercriminal underworld, businesses that want to repel infiltrators effectively will have to deploy automated security solutions of their own. Failure to do so will leave them exposed to sophisticated threat actors who are ready and able to use such technology for their own illicit gains.
About the Author
Karen Levy is Vice President of Product and Client Marketing at Recorded Future, with responsibility for go-to-market strategy, product positioning, and client programs. Her more than fifteen years in marketing at cybersecurity technology companies include leadership roles at RSA, CyberArk, and Recorded Future. Karen holds a Bachelors in Chemistry from the University of Pennsylvania and an MBA from Boston University.
Our company website is https://www.recordedfuture.com/