Spooky Stories for the SOC

Oct 31, 2021

Halloween is here with ghouls and goblins around every corner. But in the world of cybersecurity, the scary threats are real and the horrors last all year. With creepy and sweet names like Zombiebots, Gh0st, Beast, Creeper, Cryptojacking, Cookie theft, OpenCandy, Gummy browsers, Hive, HelloKitty, REvil, BearCrypt, and Fancy Bear, these threats are no treat for SOC teams. 

To celebrate the season of spook and prepare you for some of what we know is coming, I dipped into the dark and found a group of four of Palo Alto Networks' own dark-art researchers, including Nathaniel Quist, Ramarcus Baylor, Sam Rubin and Stephen Dyson, to tell us about the cyber threats they fear the most.

Reader Beware! Below is a list of real threats lurking in the shadows this All Hallows Eve and beyond:


Cloud Vulnerabilities

Cloud misconfigurations allow the ghosts to float right in, and this threat is at the top of the list for Nathaniel Quist, or ‘Q’, our expert Principal Researcher for Prisma Cloud and a threat researcher for Unit42. In our recent interview, Q shared with me that “the cloud is new and it's complex,” and because the cloud was not built with security in mind, Q tells us that “the cloud is very default with a lot of misconfigurations and vulnerabilities,” which brings us to the current point where we are playing catch-up, trying to train our professionals and build security into the cloud as fast as we can.

Exposing more of the dark side of this convenient technology, Q tells us that “65% of all of the security incidents in the cloud right now are misconfigurations.” Even more severe, he adds, is that “99% of all cloud instances have at least one vulnerability and 96% of those have a critical or high vulnerability.”

Sam Rubin, VP at Unit42, added, “we took a deeper look and saw that approximately 25-30% of the incidents we handle touch a cloud asset in one way or another, whether it's S3 buckets or other parts of AWS, Azure, or GCP. When you look at that and see how fast digital transformation is happening and things are moving into the cloud, we think that in a couple of years, more than half of our incidents are going to touch the cloud.”

With the skeletons out of the closet, I asked Q what security teams can do today to start counteracting these horrifying risks. He told me it’s essential to “shift left and scan your code for misconfigurations and vulnerabilities as early as you can, then all the rest of that supply chain is secure, from the very beginning.” For more information, read the 2H 2021 Cloud Threat Report.

Remote Work and Insider Threats

Hiding a bite mark is a common trope in stories about zombie invasions, but when it comes to insider threats this analogy is not so far from the truth. “The biggest spook to me is insider threats, it's one of the most difficult attacks or objectives of an individual for the SOC to effectively track and manage, because it is hard to distinguish between regular user activities and what can be considered a threat.” Stephen Dyson, Consultant for Unit42 Professional Services told me.

Like a two-headed monster, there’s also a risk of data leakage by users working from home. In regards to the heightened risk created by remote work, Stephen is also freaked out by the fact that “a lot of companies are not necessarily equipped to really have a decentralized user base and ensure that there are secure methods for the users to come into the network beyond just a basic VPN or remote connection.”

Additionally, Stephen noted that “when it comes to mobile devices, if you're not either passing on a specific profile of certain requirements or using an MDM solution to manage that device, you're open to potential data loss and accidental exposure.”

To learn more about managing insider threats effectively, check out my blog on the Code42 Incydr content pack for Cortex XSOAR and download the Solution Brief. Would you rather see a video demo of the Incydr content pack? Register to watch it on-demand now.

Ransomware and the Darkweb

Like a werewolf, ransomware threat actors can lurk right under your nose for weeks before the moon rises and your data is transformed, unleashing every CISO's biggest nightmare. Bringing our discussion on ransomware attacks out into the light, Ramarcus Baylor, a Global Incident Response Lead for Unit42, told me, “out there, ransomware is threat number one right now.” Sam nodded his head at this and commented, “and from an incident response perspective, our team responds to just as many ransomware events as we do any other type of incident. We're seeing three to five of these a week.” Then Ramarcus pointed out, “if you think about it from a criminal perspective, it's very lucrative for them, and so they've got the motivation and that's why we see it on the rise.”

As we continued our discussion, Ramarcus weighed in on a new twist in the plots of these gold-hungry Gollums: “but what’s very scary is that we're seeing ransomware threat actors using techniques and tactics that have been traditionally associated with nation state attacks. In other words they are piggybacking off vulnerabilities as they are being exposed and using whatever tactics and techniques they can to deploy their ransomware.” Sam added, “the Kaseya attack was probably the best example of a ransomware threat actor using the supply chain vulnerability to target MSSPs and then they were able to spider out and hit all the MSSP customers as well using remote access software with the vulnerability.”

This year we also saw a shift in the spidery strands of the dark web with how threat actors are now clicking along this network to offer haunting for hire and other services and data which are passed like a torch to other creatures of the night to carry out their ghastly attacks. Sam reflects that “we all adapted quickly with the pandemic moving to remote workforce and the migration to cloud. And the threat actors did that too. That's when we saw them start to pick up this ransomware as a service model. Which basically enables them to leverage affiliates that themselves don't know how to operate ransomware or monetize it but have unauthorized access to the victim companies.”

This is why Sam and Ramarcus agree that the thing that scares them the most is where these attacks might hit, such as the supply chain and critical infrastructure, as in the Colonial Pipeline attack, or manufacturing, as in the attack on the food processor JBS. Perhaps worse than these are some of the recent attack attempts they have seen against public school districts and healthcare organizations, which house our personal information and detailed health records. The problem, says Ramarcus, is that “human lives are at stake and these high profile targets are likely short staffed and not funded as well as similar sized corporations, which makes them much more vulnerable to these types of attacks.”

Finally, did you know that the average ransom in 2020 was $847,000? If you don’t want to pay the ransom, a fast and effective response is critical. The essential guide to ransomware provides a step-by-step guide on leveraging automation to speed up incident response and recover without damage from ransomware attacks. Download and read this crucial guide. 

If this hall of horrors got you thinking about what you can do to stop the howling and sleep better at night, don’t dabble in hocus pocus, instead rely on the top recommendations from our experts below:

For Individuals:

Defend your home network

All these threats should have you worried about the personal and corporate data crossing your home network, especially if you work from home. Individuals and home networks are rising in the ranks as targets and easy entry points for threat actors to compromise and begin carrying out attacks. According to the 2021 Verizon Data Breach Investigations Report, the average home faces more than 100 cybersecurity threats per month. Several of the experts I interviewed predict that organizations will have to increase their focus on initiatives to strengthen the security, stability, and connection policies of users working from home and using personal devices. Are you scared yet? Not to worry: Palo Alto Networks offers multiple enterprise solutions that can be leveraged to protect the remote workforce and your home network, including our new consumer product, Okyo Garde.

Okyo Garde protects your sensitive information and prevents malicious attackers across the open internet from taking control of your devices remotely while providing a reliable connection for every device in your home with mesh-enabled WiFi 6. If you want to get ahead of the curve and stop that creepy crawly feeling that comes from thinking about attackers getting into your home network, get the Okyo Garde at the starting price of just $349/year.

For Enterprise Security:

Implement Zero Trust

What’s that roaring sound? A horde of all the things that go bump in the night bypassing your moat and climbing over the castle walls. If you haven’t done so already, it’s time to prioritize establishing Zero Trust across your security network. Secure your organization from the inside out by eliminating implicit trust and continuously validating every stage of a digital interaction. Rebuilding your security infrastructure is serious business, which is why you don’t want to invest in point solutions from various vendors. You want a total Zero Trust Enterprise solution. Palo Alto Networks delivers the Zero Trust Enterprise Framework you need with Prisma Cloud, Prisma Access, Cortex XDR, NGFW, and Cloud-Delivered Security Services. Learn more about our Zero Trust design service by downloading the datasheet here.

From the Prisma Cloud side, Q ended our interview with this little reminder which sits neatly with the premise of Zero Trust, “scan your infrastructure as code because it's super super super important and we have tools that make it easy.” Or you could say - trust no one, and trust no code.

Automate your SOC workflows

Don’t fall for phantom approaches to automating your security workflows: Cortex XSOAR is the leading full-featured SOAR platform on the market. Security teams using XSOAR experience 90% faster resolution times and deal with 75% fewer incidents. At the center of Cortex XSOAR, you’ll discover over 775 content packs with the prebuilt integrations, automations, and playbooks you need to orchestrate workflows around all the frights listed above. “The implementation of a SOAR platform is recommended to most of our clients. SOAR platforms can be a force multiplier for smaller security teams and allow them to act like a larger team, with a scope beyond the typical work day, taking the menial tasks out of their hands through the automation and orchestration capabilities. SOAR also allows for better data enrichment from threat intel sources,” advises Stephen.

With regard to using XSOAR for your cloud configuration workflows, Q adds, “if you have an alert based on a report from a server that says ‘this system has a misconfiguration’ and you know the system is publicly exposed to the Internet, XSOAR can automatically execute a patch to mitigate the risk or quarantine the server to keep it out of public view until it's fixed.”
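As an added illustration of the shift-left scanning Q recommends and the exposure-based triage he describes (this is example code written for this post, not Prisma Cloud or XSOAR code), the Python below checks a constructed Terraform plan JSON for three common misconfigurations and decides which findings must be blocked and remediated before anything reaches the Internet. The resource names, rules and the `resource_changes` shape are assumptions built for the sample.

```python
"""Shift-left IaC misconfiguration check over a Terraform plan (constructed sample, not real infrastructure)."""
import json

# Constructed sample shaped like `terraform show -json` output; every address below is invented.
SAMPLE_PLAN = json.dumps({
    "resource_changes": [
        {"address": "aws_s3_bucket.logs", "type": "aws_s3_bucket",
         "change": {"after": {"acl": "public-read"}}},
        {"address": "aws_security_group.admin", "type": "aws_security_group",
         "change": {"after": {"ingress": [{"from_port": 22, "to_port": 22, "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_security_group.web", "type": "aws_security_group",
         "change": {"after": {"ingress": [{"from_port": 443, "to_port": 443, "cidr_blocks": ["0.0.0.0/0"]}]}}},
        {"address": "aws_ebs_volume.data", "type": "aws_ebs_volume",
         "change": {"after": {"encrypted": False}}},
    ]
})


def scan_plan(plan_json):
    """Return findings for the plan; 'public' marks resources that would be reachable from the Internet."""
    findings = []
    for rc in json.loads(plan_json).get("resource_changes", []):
        after = rc.get("change", {}).get("after") or {}
        addr, rtype = rc["address"], rc["type"]
        if rtype == "aws_s3_bucket" and after.get("acl", "private").startswith("public"):
            findings.append({"resource": addr, "issue": "bucket ACL is public",
                             "severity": "critical", "public": True})
        elif rtype == "aws_security_group":
            for rule in after.get("ingress", []):
                lo, hi = rule.get("from_port", 0), rule.get("to_port", 65535)
                # Flag only rules that expose SSH to the whole Internet; 443 open to the world is expected.
                if "0.0.0.0/0" in rule.get("cidr_blocks", []) and lo <= 22 <= hi:
                    findings.append({"resource": addr, "issue": "SSH open to 0.0.0.0/0",
                                     "severity": "high", "public": True})
        elif rtype == "aws_ebs_volume" and after.get("encrypted") is False:
            findings.append({"resource": addr, "issue": "volume not encrypted",
                             "severity": "medium", "public": False})
    return findings


def triage(findings):
    """Playbook decision from the text: publicly exposed -> block the deploy and remediate now; else ticket it."""
    return {f["resource"]: ("block_and_remediate" if f["public"] else "ticket") for f in findings}


if __name__ == "__main__":
    for resource, action in triage(scan_plan(SAMPLE_PLAN)).items():
        print(f"{resource}: {action}")
```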

Like implementing Zero Trust, enabling your security team to automate their most complex and time-consuming workflows is critical to scaling and ensuring that you are prepared for what’s behind every innocent disguise. If your team is bewitched, spending too much time investigating and responding to phishing emails, check out the latest Cortex XSOAR webinar featuring the Cofense phishing intelligence content pack, with a Halloween-themed demo that shows how XSOAR playbooks can simplify the process and unpetrify your team.

Get threat intel you can use

From the threat researchers at Unit42, you can get easy-to-read reports, blogs, and updates with cutting-edge information on the threat landscape, as well as actionable threat intelligence and content released through Unit42 ATOMs. Additionally, Cortex XSOAR’s Threat Intelligence Management module infuses these findings into content packs and uses AutoFocus along with all common third-party feeds for contextual enrichment across every event, giving analysts instant access to the context they need. There’s a big difference between bringing in a bunch of threat intel feeds you have to manage or translate and tapping into an ecosystem where the current intel you need and can use is automatically delivered at every step. Want to learn more about what’s next in threat intelligence? Get our latest report.


Want more? Stay tuned for the release of my recorded interviews with the experts featured in this blog. Until then, discover how Palo Alto Networks’ SOC leverages Cortex XSOAR in our Virtual SOC Automation Tour. Watch now to jumpstart your automation journey.
