Yazılım Kulübü

Incident response has been critical today since cybercriminals know ways to trick their targets to get information out of them. They mostly employ Phishing and spear phishing techniques that are intended to make through your organization’s defences by using a fake email to deceive your employees into disclosing sensitive information like usernames, passwords, and other credentials. Human error or behavior causes almost 90% of cyber attacks. Because it is human nature that makes people so vulnerable- they tend to trust people or have a fear of getting into trouble, which are all methods that social engineers use to create confidence to obtain sensitive information.[1]  The loss from phishing attacks can be a disaster, with many incidents costing millions, harming the brand name, and damaging relations with clients. Therefore, it is important to have an incident response technology in place to fight against these threats on the inbox level. In this blog, we are going to talk about an incident response capability that can protect inboxes from email attacks.

1 – What is Incident Response?

Incident response is a structured and well-defined operation that addresses cyber attacks and manages the after they have occurred.  The purpose of the incident response is to manage the event to mitigate or limit the damage and costs.

2- Why is Incident Response Necessary?

The impact of even the smallest data breach on any system cannot be underestimated. The UK government’s 2020 Cyber Security Breaches Survey found that the mean cost of a cybersecurity breach is £3,070 for large businesses and £919 for small to medium-sized businesses.[3]

Since email attacks happen at the end-user level, breach or incident response is often too late. It is very critical to protect your users’ inboxes.

According to a report published by Ponemon Institute LLC, Cost of a Data Breach Study: Global Overview,  there is a “relationship between how quickly an organization can identify and contain data breach incidents and the financial consequences.

• The mean time to identify (MTTI) was 197 day
• The mean time to contain (MTTC) was 69 days
• Companies that contained a breach in less than 30 days saved over $1 million vs. those that took more than 30 days to resolve”

According to the report, “the faster a data breach can be identified and contained, the lower the costs. For the fourth year, our study reports on the relationship between how quickly an organization can identify and contain data breach incidents and financial consequences. For our consolidated sample of 477 companies, the mean time to identify (MTTI) was 197 days, and the mean time to contain (MTTC) was 69 days. Both the time to identify and the time to contain were highest for malicious and criminal attacks and much lower for data breaches caused by human error. Companies that identified a breach in less than 100 days saved more than $1 million as compared to those that took more than 100 days. Similarly, companies that contained a breach in less than 30 days saved over $1 million as compared to those that took more than 30 days to resolve”  [2] Incident Response Plan

The above statistics show that intervening to a data breach in a timely manner is vital for companies. However, on a global scale, the mean time respond to these attacks takes as long as 69 days. So, we cannot expect the SOC team or the CISO to contain data breaches in a short period of time. Even an hour is more than enough for a malicious email to spread and compromise the important part of the users’ inboxes.

The figure reports the MTTI and MTTC for each country or regional sample. As can be seen, Brazil has the highest days to contain and the Middle East has the highest days to identify. In contrast, Germany has both the lowest days to identify and South Africa reports the shortest time to contain and the second shortest time to identify a data breach.

3- Incident Response: How to Detect, Identify and Contain/Remove Phishing Attacks in Minutes

Our Incident Responder (IR) Technology protects businesses on the inbox level.  This incident response technology analyses, removes, or contains a suspicious email on the inbox level. In addition to its own engines, Keepnet also analyses with the engines of different technologies it is integrated. In this way, it enables an institution to acquire the technologies that it doesn’t have. Incident Response Plan

a. What does trigger an incident investigation?

Keepnet Labs’ Incident Responder is one helpful tool that does this by installing a user-friendly plugin that lets end-users instantly report a suspicious email to the Keepnet Incident Response Platform ( IRP). The alert can be sent with only one click. This way, the incident response time is reduced from minutes to seconds.

An incident investigation can be triggered in different ways:

1. A user reports a suspicious email with a single click using phishing reporter add-in installed in Outlook and sends it automatically to the analysis. If the results are malicious, an incident response operation is started on the inboxes of the other users.
2. A SOC team member initiates a manual investigation and triggers an incident response operation. He/she can investigate the suspicious email in the users’ inboxes in minutes. Once he/she detected the suspicious email, he/she can delete/remove or contain it by sending a warning message to all users.
3. An investigation and incident response can be started according to the data coming from the indicator of compromise (IOC ). For example, the feeds taken from popular phishing websites like phishthank, openphish and IBMXforce, it triggers an automatic investigation and prevents dangerous phishing threats.

b. How does analysis mechanism work?

With its existing analysis engines as well as its integrated 3rd party analysis services, Keepnet addresses an email component in  three ways and performs detailed analysis according to the following steps:

• Header
  • Spam control with integrated antispam services
  • Anomaly detection: It identifies evasion techniques performed to circumvent security measures and also blocks the emails outside of the RFC rules and standards
  • Typosquatting: Itidentifiesfake sender and prevents use for fraud
• Body
  • URL reputation control
  • Malicious content detection
  • Detecting suspicious content with artificial intelligence.
  • Domain Squatting
• Attachment
  • Known malware control with Antivirus services
  • Detection of unknown malware with AntiMalware Sandbox technology
  • Detection 0-day file format exploits with Anti Exploit technology

c. The Current Technologies Used For Analysis

d. How does the incident response mechanism work? Incident Response Plan

e. According to the investigation results, a response is performed in two ways:

     1.User Inbox Level: It investigates the incident in users’ inbox and takes action;

• • Delete email from Inbox
  • Send Warning to User

2. Generate Attack Signatures: To detect and prevent the malicious activities that are anticipated in your network, you should pass the necessary rules to Antispam, IPS, SIEM, DLP, Sandboxing etc. products. This issue, which requires severe expertise and consumes hours, is resolved in Keepnet’s interface with one click that it allows you to orchestrate your security solutions.

                  Example Scenarios for Active Response

To help you take precautions if the email you analyse is suspicious;

3.Call API: You can use APIs to integrate with various products.  For example, you can call the help desk, trigger the network access control and automatically take the risky user off the network.

g. Reverse Engineering Support

We provide expert support via our professional phishing and malware analysis team and with the power of other SOC companies around the world that we cooperate. In various SLA time, you have an opportunity to get an in-depth analysis of phishing emails and malware from a specialised team. Incident Response Plan

We offer sophisticated malicious software analysis support with SOC teams based EU, US and MEA are.

4- Phishing Incident Analysis and Incident Response Self-Assessment Questionnaire 

1. What kind of tools do you offer to your users to report a suspicious email?
2. How long does it take to analyse a suspicious email with its links and attachments?
3. Are you convinced about quality of your email analysis?
4. How do you prevent a malicious email that crosses all security measures and gets into the inbox
   before a user opens, clicks, or runs the link in it?
5. How do you know which users in your organization have phishing email in their inbox?
6. How long does it take you to find outwhich users have a suspicious email in their inbox?
7. How long does it take to delete a suspicious email from users’ inbox?
8. How long does it take to block a spear phishing on active security devices?
9. Which services do you use to block the next generation threats?
10. Do you have expert support for analysing and blocking advanced attack vectors like zero-day?

5- Analysing Suspicious Emails

Incidents of email-based attack are reported in three ways to the Keepnet Incident Response Platform (IRP).

1. By end-users (using our plugin technology),

2. SOC team members,

3. Third-party IOC feeds

Once received, the IRP analyses the header, body and attachments using our proprietary technology in addition to a number of integrated, best-in-class services for Anti-Spam, URL Reputation, Anti-Virus, Malware Sandboxing etc.

Keepnet will also integrate and automate other threat analysis services you may have, such as Fireeye, Bluecoat or Palo Alto, saving you time and reducing your technical dependency. It is a simple process to create custom rules, playbooks, and workflow to ensure Keepnet IRP responds to threats in ways that suit your specific policies.

On completion of the analysis, Keepnet IRP delivers detailed results, with industry-leading certainty, to the SOC team for further investigation and response.

6- Incident Investigation and Response

A unique feature and major benefit of Keepnet IRP is all investigation is done directly on the user’s inbox instead of at the server exchange, giving you maximum agility and reducing response time.

After finding all instances of an attack Keepnet IRP offers a suite of response options. Malicious messages can be flagged with a warning in the user’s inbox, they can be deleted from the inbox or Keepnet can call a custom API to perform another action e.g. call the user’s phone.

Additionally, Keepnet IRP will generate SNORT and YARA alarm signatures to update your other cyber-security technologies.

7- Automatic Incident Response and Investigation

When a user sends a suspicious email using Keepnet Labs Add-in, he/she gets a thank you message.

Then the suspicious email automatically sends to Incident Response Platform for analysis.

Then the system automatically analyses the suspicious content and if it is malicious, it automatically starts an incident investigation with default variables, which is to seek malicious content within the inbox of the users, find it and delete it.

See how an auto investigation works in the screenshot below. You can see the details of the number of users who have phishing reporter add-in installed, the number of incidents reported, the number of incidents resolved and the time & money saved.

Resources

[1] https://www.keepnetlabs.com/phishing-security/

[2]  https://www.ibm.com/security/data-breach

[3] https://www.gov.uk/government/statistics/cyber-security-breaches-survey-2020

Editor’s note: This blog is updated on 10/01/2020