November 19, 2020 | Events & Webinars | Carbon Black Response
Eric Groce, Rick McElroy, Tom "TK" Kellermann, Taree Reardon

The Rise of Island Hopping and Counter Incident Response

The pandemic, a distributed workforce and the U.S. Presidential Elections have created a “perfect storm” for cybercriminals, according to VMware Carbon Black’s Global Incident Response Threat Report.

This threat intelligence report found that cybercriminals are honing their ability to remain undetected inside organizations they’ve breached. Even more troubling is that they have evolved their attacks to counter defenders’ response efforts.

The latest report also found that, according to respondents, 82 percent of attacks now involve counter incident response, while 55 percent involve island hopping, in which an attacker uses a breached organization's network as a launch point for attacks on other organizations along its supply chain.

These evolving tactics pose new challenges for the IR and cybersecurity professionals responsible for detecting and stopping emerging attacks.

Watch Tom Kellermann, Head of Cybersecurity Strategy at VMware Carbon Black, Rick McElroy, Senior Cybersecurity Strategist at VMware Carbon Black, Taree Reardon, Senior Threat Analyst at VMware Carbon Black, and Eric Groce, Incident Handler at Red Canary, as they discuss the rising threat of counter IR via lateral movement, effective incident response in a remote world, and how to address these challenges with VMware Carbon Black Cloud and Red Canary.

00:11 Panelist Introduction

00:38 Webinar Agenda

01:22 Security Threats by the Numbers

01:26 82% of incidents have counter incident response associated with them.

02:52 Detecting Emerging Attacks

02:59 [Counter incident response] are the activities that the adversary takes when they know that you’re either onto them—vis-à-vis you’ve stopped some executable, detected what they’re up to, and moved them into another environment.

04:04 Island hopping is the phenomenon of getting onto one piece of infrastructure inside of an environment and now leveraging that infrastructure to go attack partner networks or anything that’s connected to the infrastructure.

06:40 “We really have to pay attention to what’s happening within our network and on our endpoints and be able to detect those anomalies after we form a really good baseline.” – Taree

07:44 “You can’t just rely on network detection because oftentimes you’ll see the attackers hiding in common traffic. From an endpoint standpoint, you need some type of network data to determine what resources were accessed and what the actual attacker was looking after. Endpoints hold a lot of valuable information, especially surrounding what types of commands are being run.” – Taree

08:43 Threat Hunting Best Practices

09:17 “As adversaries are getting more sophisticated in their attacking methodologies, you have to look at the behavior: if they’re trying to blend in, if they’re trying to be stealthy, if they’re pivoting tactics, they’re still going to exhibit behavior to get to their end goal that’s in very stark contrast to what a normal user would be doing on their network.” – Eric

14:36 “There’s a lot of things that organizations need to do in order to understand what’s on their network, understand what’s normal, and then build detections around pointing out the abnormal. That way analysts won’t be inundated with numerous alerts of the exact same thing every day.” – Taree

17:11 Basics to Focus Your Detection Program On

18:28 Fighting Back Against the Biggest Cybersecurity Threats

20:59 Rapidly Evolving Business Environment

26:17 Best Practices for Transitioning Endpoints from WFH to the Office

28:26 Disabling Security Tools

34:24 Masquerading

36:40 Reconnaissance

42:39 Lateral Movement

43:58 “Now that we can put this contextual picture together [with detection tools], we have an opportunity to figure out which part of our real estate isn’t owned by us and kick the cyber squatters out.” – Rick

52:09 How Can We Be Future Ready?

54:27 “Whether it’s work from home or satellite or HQ, there’s a couple things that don’t change: the data—which is still critical, whether it’s on an endpoint or a data center—and credentials.” – Eric

55:15 “No matter how secure you and your organization are, the people you’re working with maybe aren’t as secure, so make sure that with any trusted relationships you have with vendors, you’re not giving them admin credentials and are locking down any type of access that they have.” – Taree

55:53 Additional Resources

Incident Response Guide
Seeking an Ally to Accelerate Incident Response
Operationalizing Carbon Black Response: 5 Success Stories
3 Essential Components to Build into Your Incident Response Program
 
Eric Groce
Incident Handler, Red Canary

Tom "TK" Kellermann
Head of Cybersecurity Strategy, VMware Carbon Black

Rick McElroy
Senior Cybersecurity Strategist, VMware Carbon Black

Taree Reardon
Senior Threat Analyst, VMware Carbon Black