“With regard to the attack vectors, we assume the attackers will attempt to carry out DDoS attacks or leak the databases of small Israeli websites (based on past experience, most of the data leakage will be recycled from previous campaigns). We also believe they will use familiar or self-developed DDoS tools, as well as malware based on njRAT, which is very popular among Arabic-speaking hacktivists. “It is also possible that there will be attempts to infect Israeli end-points with Ransomware via emails with malicious files during this campaign. In most cases, these malicious emails pose as invoices, fax notifications or fake purchase orders to deceive unsuspecting users. Moreover, attackers sometimes spoof an internal email address to alleviate the concerns of potential victims. – SenseCy, a threat intelligence company
So Many Attacks, So Little Information With conventional security operations, attacks like #OPIsrael can be overwhelming. The attacks often originate from multiple regions and involve multiple actors, making detection more difficult for the typical tier-1 security analyst.
Threat intelligence service providers have been monitoring the #OPIsrael effort and their reports could be a significant asset in fighting such cyber threats. Practically, though, threat intelligence reports are consumed by threat intelligence investigators in conventional SOCs not the tier-1 security analysts triaging incoming security alerts. And DDOS triggers an enormous number of alerts. The alerts appear to the security analyst as rows-upon-rows of independent entries in the spreadsheet-like interfaces of their SIEMs. Analysts are left having to sift through those entries, researching and analyzing each one. They struggle with understanding the strategic picture, the connection between the alerts and the importance to the business. Always at risk is the possibility that they will miss the few truly critical alerts, amongst the thousands of others, indicating the bigger threats — data exfiltration attempts or critical system penetrations. Stop Working From Alerts Instead of triaging thousands of security alerts, tier-1 security analysts in next generation SOC work from a prioritized list of “cases.” Cases are visual representations of the attack chain, synthesizing information from many sources including:
- The significant alerts from the SIEM
- Threat intelligence reports
- Active Directory information, and business intelligence information
Instead of being overwhelmed with thousands of alerts from a DDOS attack, the security analysts of next generation SOCs only have to work with a handful of cases. Alone, shifting from alerts to cases is a paradigm shift. Siemplify customers see the workload of their tier-1 security analysts decrease significantly, more than 90 percent in at least one instance. Just as important, though, security analysts can see and focus on the important cases, the ones indicating a bigger threat often lost in the wave of DDOS attacks. The tier-1 analyst in a next generation SOC can also investigate many of those cases, a function usually reserved for more senior analysts. The Siemplify platform lays out the entire attack chain as a visual storyline. Analysts investigate a threat simply by clicking on an icon and pivoting off of the object. Gathering information from data stores is also simpler than in conventional SOCs. Analysts retrieve data by filling in forms not by writing complex queries.
Building accurate and reliable cases requires a robust backend. With Siemplify, advanced data science algorithms analyze the enormous amount of networking- and security-related information that may be relevant to the alert. A graph database helps understand the relationships between users, applications and networking objects. Together, the two automatically identify the significant security events.
By taking a strategic view, security teams become more efficient. They focus on what matters, first. They analyze threats faster and respond quicker. With DDOS, for example, analysts can remediate an attack by blocking a pattern of attacks emanating from a region at the click of a button.