Gabriel Schram, Senior Analyst, Cyber Fusion Center
I currently work as a Senior Analyst in MorganFranklin Consulting's Cyber Fusion Center. Day to day, I work as a client lead for our MDR service as well as threat hunting lead for specific client projects in our advanced services pillar. Having transitioned from a role in GRC, I bring a unique perspective to my role in the SOC, understanding how security requirements align with organizational objectives. This knowledge empowers me to bridge the gap between compliance requirements and operational security. My alma mater, Utica University, is designated as a National Center of Academic Excellence in Cyber Defense Education (CAE-CD) by the National Security Agency and the Department of Homeland Security.
This presentation will discuss a comprehensive approach to enhance an organization's ability to prevent and withstand ransomware attacks by utilizing SOC capabilities, thereby minimizing their impact. Addressing the threat of ransomware presents significant challenges to organizations across various sectors. Organizations can track their ransomware resilience capabilities by mapping in-use compliance frameworks to ransomware mitigation; this process requires examining the differentiators in the levity of their respective controls. Furthermore, organizations need to analyze what insurance companies are asking – their questionnaires are meant to quantify their risk and one of their largest risks is ransomware. Lastly, the development of ransomware resilience aligns with identifying single points of failure, their compensating controls, and establishing effective testing metrics that align key controls with compliance requirements.

Leveraging a Security Operations Center (SOC) to fortify ransomware resilience starts with enhancing SOC visibility and awareness. Utilizing a top-down approach to security governance, the SOC should maintain points of contact across departments and establish escalation criteria for specific types of incidents, including ransomware or precursors to ransomware. SOC communication and awareness of other departments allows for improved prioritization and hardening of specific users and/or systems, particularly in the context of insider threats. A SOC can make its largest impact on the augmentation of ransomware resilience through the use of proactive intelligence and reactive testing. Threat intelligence feeds allow a SOC to gain a better understanding of who might be targeting their infrastructure, and what TTPs they are likely to use. This data should inform organizational detection and response capabilities.
Threat hunting can utilize threat intelligence based on historical attack patterns, or prevalent vulnerabilities being exploited in the wild. The SOC is informed on what to hunt for based on attack patterns being seen and alerts being responded to. When carried out strategically, these hunts can be used to obtain further threat intelligence, and in turn improve detection and response capabilities. Validate detection and response capabilities with purple team testing. The concept of a purple team emerges from the integration of red and blue team activities, focusing on bridging the gap between offensive and defensive cybersecurity practices. Specifically, purple team exercises can ensure that specific activities, usually based on real threat actors, are being alerted on and the alerts are triggered correctly within the proper amount of time. Lastly, it is imperative that a SOC is a stakeholder in the organization’s communicated and tested incident response plan. Running tabletop exercises using the incident response plan and potentially other runbooks allows for a more cohesive and faster reaction in the event of a ransomware incident.
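The purple team validation described above, that each emulated activity is alerted on and within an acceptable time, can be scored with a small harness like the following. This is an added example, not code from the talk or from MorganFranklin's Cyber Fusion Center. It assumes the red side records each executed action with its ATT&CK technique ID, host and timestamp, and that the detection rules in the SIEM or EDR are tagged with the same technique IDs so the alert export can be matched to the exercise log; the exercise log and alert export below are constructed sample data, and the ten-minute SLA is an assumed target.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ExecutedTest:
    """One red-side action carried out during the purple team exercise."""
    technique: str        # ATT&CK technique ID the action emulates
    host: str             # host where it was executed
    executed_at: datetime


@dataclass(frozen=True)
class Alert:
    """One alert pulled from the SIEM/EDR after the exercise."""
    technique: str        # technique ID the detection rule is tagged with (assumption)
    host: str
    raised_at: datetime


def evaluate_exercise(tests, alerts, sla):
    """Match each executed test to the earliest alert for the same technique and host
    raised at or after execution; record whether it fired and whether it met the SLA."""
    results = {}
    for t in tests:
        delays = [
            a.raised_at - t.executed_at
            for a in alerts
            if a.technique == t.technique
            and a.host == t.host
            and a.raised_at >= t.executed_at
        ]
        tta = min(delays) if delays else None
        results[(t.technique, t.host)] = {
            "detected": tta is not None,
            "time_to_alert": tta,
            "within_sla": tta is not None and tta <= sla,
        }
    return results


def summarize(results):
    """Roll per-test outcomes up into the metrics a SOC would report from the exercise."""
    total = len(results)
    detected = sum(1 for r in results.values() if r["detected"])
    timely = sum(1 for r in results.values() if r["within_sla"])
    gaps = sorted(key for key, r in results.items() if not r["detected"])
    late = sorted(key for key, r in results.items() if r["detected"] and not r["within_sla"])
    return {
        "coverage": detected / total if total else 0.0,   # share of tests that alerted at all
        "timely": timely / total if total else 0.0,       # share that alerted within the SLA
        "gaps": gaps,                                     # tests with no alert: detection gaps
        "late": late,                                     # tests that alerted too slowly
    }


# Constructed sample exercise log and alert export (not real data).
T0 = datetime(2024, 1, 15, 10, 0, 0)
TESTS = [
    ExecutedTest("T1059.001", "ws-01", T0),                          # PowerShell
    ExecutedTest("T1490", "ws-01", T0 + timedelta(minutes=5)),       # Inhibit System Recovery
    ExecutedTest("T1486", "srv-02", T0 + timedelta(minutes=10)),     # Data Encrypted for Impact
    ExecutedTest("T1021.002", "srv-02", T0 + timedelta(minutes=15)), # SMB/Windows Admin Shares
]
ALERTS = [
    Alert("T1059.001", "ws-01", T0 + timedelta(minutes=2, seconds=30)),
    Alert("T1486", "srv-02", T0 + timedelta(minutes=25)),    # fired, but 15 minutes after execution
    Alert("T1021.002", "ws-03", T0 + timedelta(minutes=16)), # different host: does not count
]
SLA = timedelta(minutes=10)  # assumed time-to-alert target for the exercise

if __name__ == "__main__":
    report = summarize(evaluate_exercise(TESTS, ALERTS, SLA))
    print(f"coverage: {report['coverage']:.0%}, within SLA: {report['timely']:.0%}")
    print("no alert:", report["gaps"])
    print("alert outside SLA:", report["late"])
```

Matching on technique and host, and only on alerts raised after the action, keeps an unrelated alert from the same rule from being credited to the test. The two lists in the report map directly onto follow-up work: `gaps` are techniques needing a new or repaired detection, while `late` points at pipeline latency or alert routing that would not keep pace with an actual ransomware deployment.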