4 Ways to Ensure You Do Incident Triage Right

All too often, when IT professionals and enterprise administrators confront data system glitches and error messages indicating a security incident, they’re reluctant to seek outside help. Whether paralyzed by fear or blinded by pride or simply overwhelmed by the crisis, they delay in triggering the alarm—a common but sometimes disastrous decision.

Not long ago, for example, Symantec’s Incident Response team received a call from a manufacturing company that had spent the previous four days trying to recover from a ransomware attack on their own. The lead IT person had just resigned, and senior management directed bringing Symantec in for triage.

After more than two weeks onsite, we identified the ransomware and verified that it had been sitting dormant on the company’s network for two months before it detonated. Unfortunately, these revelations hardly mattered: Everything had been encrypted, including the spreadsheet containing authorization credentials for accessing the company’s backups. In large part because the company lacked an endpoint security system (a final line of defense against ransomware), the incident brought down the entire business.

Contrast that tragic story with another recent incident we handled for one of Symantec’s Incident Response retainer clients, an e-commerce platform company with multiple web properties. Their IT team called us immediately after noticing a handful of dropped transactions on a critical, distributed system. They were frantic that customers’ personally identifiable information (PII) had been hacked. In this case, two of our team’s triage experts ran the dragnet, working hand-in-hand with the in-house team. We had sorted it out in the space of six hours: the failed transactions had been a kind of self-inflicted injury, the result of internal system changes that had unanticipated, unintended impacts. All the facts supported that no customer data had been compromised. Nothing had happened, which in incident response is always the best possible conclusion.

In decades of experience with incident triage, we’ve seen countless other examples of how a rapid response has been the key to companies’ survival. In incident triage, every minute and hour counts. While a swift response can be critical in containing an incident, we also advise creating security baselines for every system on a network, through tools like Symantec’s Enterprise Security Manager. In addition, we propose the following four strategies to increase your odds of survival:

  1. Partner with an incident response provider.
    Even if you believe your in-house security team represents the best and the brightest, when it comes to incident triage, bringing in experts who have different insights and viewpoints can help tremendously. Having an IR provider on retainer will also increase your credibility. Because the IT team at the e-commerce company had proactively partnered with Symantec, when it came time to disclose the incident to management, no one questioned its conclusions.
  2. Be prepared and stay true to the process.
    We hammer on this point constantly, but we can’t emphasize enough the importance of having a well-documented and well-rehearsed incident response plan.

    While it might be tempting to improvise a gun-slinger solution, resist any urge to deviate from the plan. If you’ve retained an IR provider, contacting them should be one of your first steps.

  3. Map out your network and know what systems you’re running.
    We receive an alarming volume of calls from people who are panicked that their network is crashing but are clueless about how to navigate it.

    Unless your organization has an accurate (and up to date) map of its network and people who are fluent in describing your data and security systems, you will lose valuable time. Designate an IT or security professional (and a backup) to answer fundamental questions about which assets you possess, which assets might be affected, the applications you’re running, and the security products you have in place.

  4. Adopt and enforce data security policies that reflect the current, hostile reality.
    Hardly a week goes by that we don’t hear about how an employee’s email carelessness has enabled unauthorized third parties to access sensitive company data. Such breaches put your entire enterprise at risk. Require multi-factor authentication across all email platforms.
  5. Update and test all backups regularly.
    Ransomware attacks can encrypt your backups, the very copies that are in place so your operations don’t grind to a halt. So, arrange for offsite storage of at least four weeks of weekly full and daily incremental backups. Also make sure you have backups that are not connected to the network, so that ransomware cannot encrypt them. Lastly, ensure your restore capabilities support the needs of the business.

Finally (and again), don’t hesitate to engage an emergency response team. Whether it’s a false alarm or an actual attack or something in between, the earlier you call for help, the better off you’re going to be.


About the Author

Matt Sherman

Americas Incident Response, Symantec Cyber Security Services

Malware outbreak and threat containment specialist.

About the Author

Michael Smith

Americas Incident Response, Symantec Cyber Security Services

Helps customers solve problems at all stages of the incident response lifecycle.

Few Phish in a Sea Protected with Email Threat Isolation

Over the past year, email-based phishing attacks have continued to present a major risk, exposing organizations to malware infections, information theft and other cyber misdeeds. This no longer needs to be the case.

Why not? Because, in July 2018, Symantec enhanced its existing portfolio of email security defenses with powerful new technologies. Those technologies can stop many phishing emails in their tracks and can short-circuit the threats posed by any malicious messages that manage to get through to their targets.

Phishing exploits – as far too many organizations have learned the hard way – aim to trick email recipients into either clicking on an embedded link or opening an attachment. The links bring users to malicious websites that often mirror the appearance of legitimate sites. Once a connection is established, the site may ask the victim to enter sensitive credentials and other private information or may simply download some form of malware to the user’s computer or device.

In the same fashion, email attachments can be used to spread malware. What may appear to be a trustworthy document may immediately inject malware (via scripts or macros) into the unfortunate user’s device. This is a growing problem and one that is hard for users to guard against. During 2018, nearly half (48%) of all malicious email attachments were Microsoft Office files, up from just 5% the previous year, according to Symantec’s annual Internet Security Threat Report (ISTR).

The phishing threat is broadly recognized, and most organizations have made at least some attempts to educate their users about safe email practices. The good news is that 78% of users never click on a phishing email all year, according to Verizon’s 2018 Data Breach Investigations Report. However, this still means that 22% of users will, and unfortunately, Verizon also found that for any given phishing campaign, on average, 4% of recipients will click on the phishing link or attachment.

That hit rate was enough to make phishing attacks the third-most common attack method used in successful cyber breaches during 2018, Verizon reported.

The frequency of phishing attacks has fluctuated in the recent past. Phishing assaults declined very slightly during 2018 compared to the prior year, with 1 in every 3,207 emails in 2018 representing a phishing attempt, Symantec’s ISTR reports.

Phishing attacks have also become more sophisticated, with many relying on advanced social engineering techniques and public information about targeted users to craft messages that even cautious recipients may have difficulty rejecting.

Symantec has deep visibility into phishing and other email-based exploits because our collection of on-premises and cloud-based security products and services processes more than 2.4 billion emails each day. Products including Symantec Email Security.cloud, Email Threat Detection and Response and other offerings provide a layered tier of defenses for service providers, organizations, and individuals.

The first line of defense against emails containing embedded links, of course, is to identify links to known malicious sites and to block the emails’ delivery. Many phishing exploits attempt to hide the ultimate destination site by redirecting a clicked link through multiple hops before arriving at the malicious final stop. While some security controls can only follow redirects through one or two hops, Symantec Link Protection can follow the path through these redirects to the end destination.
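The difference between a one- or two-hop follower and one that walks the whole chain is easy to see in code. The following is an added example, not Symantec’s Link Protection implementation: a redirect resolver with a hop budget and loop detection, fed by a constructed redirect map (the `FAKE_HOPS` table and `BLOCKED_HOSTS` set are assumptions standing in for live HTTP responses and a real blocklist).

```python
from urllib.parse import urljoin, urlsplit

# Constructed redirect map, not live data: each URL maps to the Location header
# it would return, or None when the page is the final destination.
FAKE_HOPS = {
    "https://short.example/a1": "https://track.example/r?u=1",
    "https://track.example/r?u=1": "https://cdn.example/go",
    "https://cdn.example/go": "/landing",  # relative Location header
    "https://cdn.example/landing": "https://login-secure.example/",
    "https://login-secure.example/": None,
    "https://safe.example/page": None,
    "https://loop.example/x": "https://loop.example/y",
    "https://loop.example/y": "https://loop.example/x",
}

# Constructed blocklist of hosts known to host phishing pages (assumption).
BLOCKED_HOSTS = {"login-secure.example"}


def fake_fetch(url):
    """Stand-in for an HTTP HEAD: returns the Location header or None."""
    return FAKE_HOPS.get(url)


def resolve_chain(url, fetch=fake_fetch, max_hops=10):
    """Follow up to max_hops redirects from url.

    Returns (last_url, chain, status) where status is 'resolved' when a final
    page was reached, 'loop' on a redirect cycle, or 'hop_limit' when the
    budget ran out while the chain was still redirecting.
    """
    chain = [url]
    current = url
    for _ in range(max_hops):
        location = fetch(current)
        if location is None:
            return current, chain, "resolved"
        current = urljoin(current, location)  # resolves relative Locations
        chain.append(current)
        if chain.count(current) > 1:
            return current, chain, "loop"
    if fetch(current) is None:
        return current, chain, "resolved"
    return current, chain, "hop_limit"


def verdict(url, fetch=fake_fetch, max_hops=10):
    """Block a known-bad final host; treat unresolved chains as gray (isolate)."""
    final, _chain, status = resolve_chain(url, fetch, max_hops)
    if urlsplit(final).hostname in BLOCKED_HOSTS:
        return "block"
    return "allow" if status == "resolved" else "isolate"
```

With `max_hops=2` the resolver stops at `cdn.example` and never sees the blocked final host, which is exactly why a shallow follower lets such links through; the unresolved verdict is handed to isolation rather than allowed.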

How ETI Neutralizes Malicious Attachments

In practice, however, it isn’t always possible to determine with certainty whether a linked site is good or bad – many fall into a gray zone. This situation may occur, for example, with sites that initially appear safe, but become weaponized some time after the initial receipt of the phishing emails that contain their links.

To deal with these nebulous websites – and also to neutralize malicious email attachments – Symantec introduced its Email Threat Isolation (ETI) technology, an industry first. In essence, this technology runs the web browser in a secure, disposable virtual container, creating a safe execution environment for the web session between the user and a potentially dangerous site. The user experiences nothing different from a normal website interaction, but should the site attempt to download some form of malware or exhibit other threatening indicators, the threat is contained in the isolation container and eliminated. Similarly, suspicious attachments can be opened in an isolated container and presented in read-only mode to keep the user safe from infection.

By adding ETI to its layered phishing defenses, Symantec has been protecting users in a more effective way than was possible before. We identify 1 in 3,207 emails as a phishing attack (0.03%) and block these threats using click time protection. However, we also know that customers often receive emails that link to unknown websites – that is, sites that may be safe or dangerous. In these instances, our isolation technology serves to de-risk this email traffic.

Analysis conducted by the Symantec Technology and Response (STAR) organization shows that 7% of customers’ entire email, on average, links to such potentially risky websites. For these “gray” websites, ETI functions as a preventative measure. With ETI, users can browse these websites with complete safety, no longer at risk from malware infection or credential theft. Therefore, ETI provides a valuable layer of protection without impacting the end user experience and is a marked improvement on just blocking access to known bad websites.

Symantec ETI is offered within the Symantec Email Security.cloud solution and is also available as a standalone product that works with other vendors’ email security solutions.

About the Author

Sunil Choudrie

Sr. Manager, Symantec’s Global Information Protection

Sunil helps organizations protect their data against insider and external threats. He holds a Mechanical Engineering degree from the University of Bath and an MBA from Henley Business School.

29th July – Threat Intelligence Bulletin

July 29, 2019

For the latest discoveries in cyber research for the week of 29th July 2019, please download our Threat Intelligence Bulletin.


  • City Power, the electricity provider in the city of Johannesburg, South Africa, has suffered serious
    disruptions after a ransomware attack. The attack prevented prepaid customers from buying electricity
    units and accessing City Power’s official website, eventually leaving them without power.
  • New Android spyware named “Monokle” has been spotted in targeted attacks and attributed to the
    Russian defense contractor Special Technology Centre (STC). Monokle presents sophisticated
    surveillance abilities and novel techniques to exfiltrate data, including self-signing trusted certificates,
    recording a phone’s lockscreen activity in order to obtain users’ passcodes, and more.
    Check Point SandBlast Mobile provides protection against this threat.
  • Security researchers have discovered a novel steganography technique used by attackers to compromise fully
    patched websites in Latin America. The attackers hide PHP scripts in the Exchangeable Image File Format (EXIF)
    headers of JPEG images that are uploaded to the website, and are then able to deploy a malicious webshell.
  • Credit company Equifax has to pay up to $700 million in fines after its infamous massive data breach in
    2017 which exposed personal and financial data of nearly 150 million Americans.
  • Security researchers have spotted multistage attacks targeting unprotected or publicly available
    Elasticsearch databases. The attacks deliver the “Setag” and BillGates backdoors, which can turn the infected
    targets into botnet zombies used in distributed denial-of-service (DDoS) attacks.
    Check Point Anti-Virus blade provides protection against this threat (Backdoor.Linux.Setag).
  • Security researchers have discovered a new strain of malware dubbed “Okrum” distributed by the
    Chinese cyber-espionage group APT15. Okrum is capable of downloading and uploading files, executing
    files and shell commands, and was spread within a PNG file using a steganography technique to evade
    Check Point Anti-Virus and Anti-Bot blades provide protection against this threat (Backdoor.Win32.Okrum).
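The EXIF-hosted PHP technique in the Latin America item above is something an upload pipeline can check for before an image is stored. The following is an added example, not code from Check Point or from the cited research: a small JPEG marker-segment walker that flags PHP open tags inside APPn (including APP1/EXIF) and COM segments, run over two constructed JPEG skeletons (the `CLEAN_JPEG` and `SUSPECT_JPEG` byte strings are built inline and are not real uploads).

```python
import re
import struct

# Matches a PHP open tag (<?php or <?=) anywhere in binary metadata.
PHP_TAG = re.compile(rb"<\?(?:php|=)", re.IGNORECASE)


def jpeg_header_segments(data: bytes):
    """Yield (marker, payload) for each marker segment before start-of-scan (SOS)."""
    if data[:2] != b"\xff\xd8":
        raise ValueError("not a JPEG: missing SOI marker")
    pos = 2
    while pos + 4 <= len(data):
        if data[pos] != 0xFF:
            raise ValueError(f"expected marker byte at offset {pos}")
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte between markers, skip it
            pos += 1
            continue
        if marker in (0xDA, 0xD9):  # SOS or EOI: no more metadata segments
            return
        (length,) = struct.unpack(">H", data[pos + 2:pos + 4])  # length includes itself
        yield marker, data[pos + 4:pos + 2 + length]
        pos += 2 + length


def find_php_in_metadata(data: bytes):
    """Return [(segment_name, matched_bytes)] for APP0..APP15/COM segments carrying a PHP tag."""
    hits = []
    for marker, payload in jpeg_header_segments(data):
        if 0xE0 <= marker <= 0xEF or marker == 0xFE:
            m = PHP_TAG.search(payload)
            if m:
                name = "COM" if marker == 0xFE else f"APP{marker - 0xE0}"
                hits.append((name, payload[m.start():m.start() + 32]))
    return hits


def _segment(marker: int, payload: bytes) -> bytes:
    """Build one marker segment; used only to construct the samples below."""
    return b"\xff" + bytes([marker]) + struct.pack(">H", len(payload) + 2) + payload


# Constructed samples, not real uploads: SOI, JFIF APP0, Exif APP1, empty scan, EOI.
# SUSPECT_JPEG carries a harmless PHP tag in its APP1 (EXIF) segment.
_JFIF = _segment(0xE0, b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00")
_SCAN_AND_EOI = b"\xff\xda\x00\x02\xff\xd9"
CLEAN_JPEG = b"\xff\xd8" + _JFIF + _segment(0xE1, b"Exif\x00\x00camera-model") + _SCAN_AND_EOI
SUSPECT_JPEG = (b"\xff\xd8" + _JFIF
                + _segment(0xE1, b"Exif\x00\x00<?php echo 'constructed sample'; ?>")
                + _SCAN_AND_EOI)
```

Scanning only the header segments keeps the check cheap, and it is independent of whether the server would ever execute the file: the point is to refuse or quarantine an image whose metadata contains code at all.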


  • A critical remote code-execution vulnerability has been uncovered in the GlobalProtect portal and
    GlobalProtect Gateway interface security products of Palo Alto Networks, which provide virtual private
    network (VPN) access to an internal network.
    Check Point IPS blade provides protection against this vulnerability (Palo Alto Networks GlobalProtect SSL VPN Remote Code
    Execution (CVE-2019-1579)).
  • A serious vulnerability has been discovered in the popular open-source ProFTPD file transfer protocol
    (FTP) server, which is currently used by over one million servers worldwide. The vulnerability could
    allow an attacker to copy files to vulnerable servers and potentially execute arbitrary code.
  • VLC Media Player, used by more than 3.1 billion users, is exposed to a critical vulnerability that can allow
    attackers to execute code, create a denial of service state, disclose information, or manipulate files.
  • A new severe code execution vulnerability has been discovered in the popular open-source office suite
    software “LibreOffice”. The vulnerability could allow an attacker to craft a malicious document that can
    silently execute arbitrary Python commands.
  • A remote code execution vulnerability has been found in Adobe ColdFusion. The vulnerability is due to
    the JNBridge binary protocol port being exposed without any authentication.
    Check Point IPS blade provides protection against this vulnerability (Adobe ColdFusion Remote Code Execution (CVE-2019-


  • Check Point Research has released its mid-year Cyber Attack Trends report for 2019, discussing targeted
    ransomware attacks as a prominent ongoing trend, the rise of software supply chain attacks and the
    attention they are receiving worldwide, the growing sophistication of attacks in the mobile arena, and more.
  • Security researchers have discovered a new variant of the Linux-based cryptocurrency mining botnet
    “WatchBog”. The new variant added a module to scan the Internet for Windows RDP servers vulnerable
    to “BlueKeep”, the highly critical, wormable, remote code execution vulnerability.
    Check Point Anti-Virus and Anti-Bot blades provide protection against this threat (Botnet.Linux.WatchBog).
  • The government of Kazakhstan is beginning to intercept all HTTPS Internet traffic of its citizens. The local
    Internet Service Providers (ISPs) will allow access to the Internet only to customers who have installed the
    government-issued root certificates.
  • A security report shows that data for over 23 million payment cards has been offered for sale in the
    cybercrime underground in the first half of 2019, over 60% of them issued in the US.