Automation Tools Help with Real-Time Incident Response and Protection

Free webinar: Real-world examples of how to keep your environment secure from attacks, accelerate remediation

If you’re an information security professional responsible for incident response, you may feel frustrated and overburdened by all the manual processes needed to keep your environment safe.

You’re not alone.

In a recent Enterprise Strategy Group survey, more than 60 percent of information technology professionals say their organization has taken steps to automate incident response, but 91 percent say those processes are not effective or efficient.

Did you know there are resources and tools available to help facilitate some of these key processes for your organization? GuidePoint Security’s Virtual Security Operations Center (vSOC) analysts and incident responders have real-world experience using these types of tools. One such tool, Carbon Black, helps power GuidePoint’s vSOC enabling analysts and responders to hunt for incidents in real time, visualize the complete attack kill chain, and efficiently defend environments from attacks.

Here are some examples of how they have successfully used Carbon Black to stop incidents and monitor endpoints:

PowerShell Watchlist

Recently, GuidePoint analysts used Carbon Black to create a PowerShell watchlist for an unauthorized user attempt. Once alerted, analysts tracked down a malicious remote address and shut down unauthorized privileges on the host.

Environment audits

In another instance, vSOC analysts used Carbon Black to audit an environment to limit privilege account credentials. The audit alerted analysts to a possible vulnerability that could have allowed unrestricted access to a domain.

PUA/PUP activity

vSOC analysts recently used Carbon Black to create a custom watchlist for PUA/PUP activity. They found an instance that stood out from others and located an unapproved IE toolbar, which was loaded without approval on multiple workstations. The toolbar was isolated as a threat because it had the ability to monitor web-browsing behaviors.

Would you like to know more about these real-world incident response examples and how you can move from playing incident response catch-up to proactively hunting for threats?

Join GuidePoint and Carbon Black for a free, interactive webinar, “Conquering Challenges of Incident Response: Real-Time Hunting and Response,” at 2:30 p.m. Thursday, Nov. 17. The session will last about 45 minutes, with a chance to interact with the presenters, Stephen Jones, GuidePoint’s director of managed services, and Justin Scarpaci, technical solutions lead, Carbon Black.

Register online here.

About the presenters

Stephen Jones has more than 10 years of experience in information technology and cyber security. He specializes in security operations and has extensive experience working within the Department of Defense and the Intelligence Community.

Justin Scarpaci is a technical account manager on the Partner Success team at Carbon Black. In that role, he assists IR/MSSP partners with operationalizing Carbon Black as part of their service offerings. Justin served in the Marine Corps and has worked in multiple security roles for a defense contractor. He has a master’s degree in information security and forensics.

Can’t make the webinar? No worries. Go ahead and register now and we will send you a recording after the live presentation.

About GuidePoint Security

Headquartered in Herndon, Virginia, GuidePoint Security provides innovative and valuable cyber security solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification is with the System for Award Management (SAM). Learn more at: http://www.guidepointsecurity.com.

Reshape Cyberwar: Flip the Script to Put Attackers on the Defensive

If we’re going to succeed in defending against bad guys, we should admit we are in a cyberwar. We are at odds with people who want to steal, corrupt, and destroy. To succeed against these cyber enemies, let’s draw from the words of Sun Tzu, the ancient Chinese military strategist: “Hold out baits to entice the enemy.”

Many people believe government network defenders only need to make one mistake before they are “pwned” and the bad guys steal sensitive data. As a network defender in this cyberwar, you have to be right 100% of the time; attackers only need to be right once. A missed vulnerability, a misconfigured router, or an overlooked Indicator Of Compromise (IOC) gives attackers the opening they need to cause damage.

To arm yourself in this cyberwar, find a way to flip the script. Do you remember the movie, “Home Alone?” Its message is applicable here: Even if you’re at a disadvantage when you’re defending your “home,” if you prepare for the bad guys, you can flip things to your advantage.

This creates a new category of “deception” technology. To capture the bad guys, this can be anything from basic virtual fake systems to confuse bad actors, to full networks with elaborate fake data, alarms, and traps.

More mature solutions go past simple virtual machines that look like juicy targets. To alert SOCs of potential breaches, they include deception inside Active Directory structures and at real endpoints and servers. By planting worthless administrative-looking credentials inside endpoints and Active Directory, a SIEM can easily alert SOC analysts to illicit behavior.

These solutions create a web of alarms and traps like the ones the “Home Alone” kid set up in his house. When the bad guys find and try to use credentials or scan or log into these fake systems, a spotlight is immediately illuminated on the activity. This shows the SOC that someone is attempting to do something bad; however, instead of a thief screaming about his head being on fire like in the movie, a simple SIEM rule about the use of a non-working credential or deception created system burns a hole in the bad guy.

Instead of fumbling around a network, the bad guys make one mistake and they are caught. This changes the game from the penetrator’s advantage to the defender’s advantage. They must tiptoe around and be careful about what they touch and where they go.

So let’s follow the best ideas from Sun Tzu to Churchill, Po-Ch’eng and even the Hittites and use deception to reshape the battlefield of cyberwar in our favor. Remember, as cliché as it may be, “The best defense is an offense.”

 

About GuidePoint Security

GuidePoint Security LLC provides innovative and valuable cybersecurity solutions and expertise that enable organizations to successfully achieve their mission. By embracing new technologies, GuidePoint Security helps clients recognize the threats, understand the solutions, and mitigate the risks present in their evolving IT environments. Headquartered in Herndon, Virginia, GuidePoint Security is a small business, and classification can be found with the System for Award Management (SAM). Learn more at: http://www.guidepointsecurity.com.