Zinopy Security Operations Centre (SOC), Friday, May 12, 3pm: A Tier-1 analyst managing the inSIght Security Intelligence Console gets a warning of a potential malware outbreak in Asia, spreading at a very fast rate. A Priority 3 incident is automatically generated. After an initial triage investigation, using a variety of analysis tools and threat feeds, the analyst determines that the incident is real and potentially serious. The incident is escalated to Priority 2, the Incident Response Plan (IRP) is initiated, and a Tier-2 analyst is automatically engaged.
As part of the IRP, the lead of the SOC team (a 24x7 multi-disciplinary team) allocates a series of tasks to define the scale, scope and risk profile of the incident. One of the tasks is to start developing a Security Advisory for our clients. At 7pm, the first draft of the Security Advisory is available for publishing, with associated analysis and recommendations to minimise damage to our customers. The advisory identifies that you are at risk if you have not deployed patch MS17-010, released by Microsoft in March 2017.
The advisory also identifies threat indicators such as hashes, filenames, domains and IP addresses associated with the attack. The Zinopy Security Intelligence Platform (inSIght) is updated with these parameters to speed detection of potential infections.
The SOC team initiates vulnerability scans of customer networks. For customer devices under SOC control, the SOC automatically deploys the required patch; where the patch cannot be automatically deployed, it issues a warning to all affected customers. The customers’ protection systems (IPS, firewalls, AV, email and web gateways) are also updated with the threat indicators.
After the “WannaCry” attack, with counter-measures deployed on customer networks and armed with the latest hashes, IPs and hostnames, the Zinopy team undertakes historical checks to determine whether customer vulnerabilities had been exploited in any way. “It is important for organisations to know that an attack has occurred in their environment and that they can demonstrate that they have successfully handled it. The Zinopy inSIght threat detection, monitoring and alerting system, based on IBM QRadar and Watson, gives us the in-depth visibility which customers require before, during and after an attack”, comments John Ryan, chief executive, Zinopy.