The document discusses lessons learned from a cyber attack on IDT Corporation. It describes how the attackers were able to exploit vulnerabilities like missing patches and disabled firewalls to gain access and steal credentials. This attack highlighted the need for greater visibility, detection, and automated response capabilities. The document contrasts the slow, manual incident response process with a new approach using security automation and tight integration between tools to enable investigation and containment in seconds rather than hours or days.
Slide 19: Traditional (manual) IR. Total time: 9 hours.
Timeline steps (flow diagram flattened to text): WildFire alert received in SIEM; locate the downloaded file; find evidence for file execution; initiate forensics imaging; analyze suspicious host's processes; analyze persistency methods; analyze drivers and services; analyze recently created files; analyze Splunk for network activity; generate leads; isolate suspicious host manually; follow leads.
Time markers along the timeline: 10 min, 14 min, 32 min, 1.2 hr, 2 hr, 2.3 hr, 3.5 hr, 7.0 hr, 8.0 hr, 8.5 hr, 9.0 hr, and a final "+Days" marker next to "Follow Leads".
Slide 20: Automated IR. Total time: 1.5 minutes.
Timeline steps (flow diagram flattened to text):
- Trigger: Splunk receives WildFire alert; analyze WildFire behavioral report via WF API; search host for malicious activity; search behavioral report within suspicious host.
- Collect: open connections, running processes, recently created files, persistency methods, authentication logs, network logs.
- Analyze: all running processes, installed services and drivers, recently created files, persistency methods, network logs, authentication logs; generate leads.
- Respond: isolate suspicious host with Palo Alto app; terminate process; quarantine files; alert user about his host being investigated; follow leads.
Time markers along the timeline: 1 sec, 7 sec, 18 sec, 24 sec, 49 sec, 1.3 min, 1.5 min, and a final "+Min." marker next to "Follow Leads".
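The automated playbook on slide 20 is, at its core, a cross-reference of the sandbox's behavioral report against artifacts collected from the suspicious host, followed by containment actions driven by the matches. The following is an added example (not code from the presentation, IDT, Splunk or Palo Alto Networks) that models that loop in plain Python over constructed data: the behavioral report, the host snapshot, the hostnames, paths and registry keys are all made up, and in a real deployment the collection step would be an EDR or Splunk query and the actions would call the firewall and endpoint APIs rather than return tuples.

```python
"""Toy automated-IR playbook: report x host artifacts -> leads -> actions.

All inputs below are constructed for illustration; nothing here talks to a
real SIEM, sandbox or firewall.
"""
from dataclasses import dataclass
from typing import Optional

# Hypothetical WildFire-style behavioral report for the alerted sample.
BEHAVIORAL_REPORT = {
    "sample_name": "invoice_update.exe",
    "dropped_files": ["C:\\Users\\Public\\update.exe"],
    "persistence": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"],
    "contacted_hosts": ["c2.example.invalid"],
}

# Hypothetical artifact snapshot collected from the suspicious host
# (the "collect" phase of the slide, pre-baked here as static data).
HOST_SNAPSHOT = {
    "hostname": "ws-042",
    "user": "alice",
    "processes": [
        {"pid": 412, "name": "explorer.exe", "path": "C:\\Windows\\explorer.exe"},
        {"pid": 1337, "name": "update.exe", "path": "C:\\Users\\Public\\update.exe"},
    ],
    "connections": [
        {"pid": 1337, "remote": "c2.example.invalid:443"},
        {"pid": 900, "remote": "updates.example.com:443"},
    ],
    "services_and_drivers": ["Spooler", "WinDefend"],
    "recent_files": [
        "C:\\Users\\Public\\update.exe",
        "C:\\Users\\alice\\Downloads\\invoice.pdf",
    ],
    "persistence": ["HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\updater"],
    "auth_logs": [
        "4624 logon alice ws-042",
        "4648 explicit-credential logon alice -> fileserver01",
    ],
}


@dataclass(frozen=True)
class Lead:
    kind: str               # process / connection / file / persistence / auth
    detail: str             # the matching host artifact
    pid: Optional[int] = None


def generate_leads(report, snapshot):
    """Cross-reference the behavioral report with the host artifacts."""
    leads = []
    bad_paths = {p.lower() for p in report["dropped_files"]}
    bad_hosts = set(report["contacted_hosts"])
    bad_keys = set(report["persistence"])
    for proc in snapshot["processes"]:
        if proc["path"].lower() in bad_paths:
            leads.append(Lead("process", proc["path"], proc["pid"]))
    for conn in snapshot["connections"]:
        remote_host = conn["remote"].rsplit(":", 1)[0]
        if remote_host in bad_hosts:
            leads.append(Lead("connection", conn["remote"], conn["pid"]))
    for path in snapshot["recent_files"]:
        if path.lower() in bad_paths:
            leads.append(Lead("file", path))
    for key in snapshot["persistence"]:
        if key in bad_keys:
            leads.append(Lead("persistence", key))
    # Windows event 4648 (logon with explicit credentials) from an infected
    # host is a lateral-movement lead for an analyst to follow, not
    # something the playbook contains on its own.
    for line in snapshot["auth_logs"]:
        if line.startswith("4648"):
            leads.append(Lead("auth", line))
    return leads


def plan_response(snapshot, leads):
    """Map leads to the containment steps shown on the slide."""
    actions = []
    if any(l.kind in ("process", "connection", "persistence") for l in leads):
        actions.append(("isolate_host", snapshot["hostname"]))
        actions.append(("notify_user", snapshot["user"]))
    for pid in sorted({l.pid for l in leads if l.pid is not None}):
        actions.append(("terminate_process", pid))
    for path in sorted({l.detail for l in leads if l.kind == "file"}):
        actions.append(("quarantine_file", path))
    for l in leads:
        if l.kind == "auth":
            actions.append(("escalate_to_analyst", l.detail))
    return actions


def run_playbook(report=BEHAVIORAL_REPORT, snapshot=HOST_SNAPSHOT):
    """Alert -> leads -> actions; returns both so they can be logged or tested."""
    leads = generate_leads(report, snapshot)
    return {"leads": leads, "actions": plan_response(snapshot, leads)}


if __name__ == "__main__":
    result = run_playbook()
    for lead in result["leads"]:
        print("lead  :", lead)
    for action in result["actions"]:
        print("action:", action)
```

The design choice worth noting is the split between leads that trigger containment automatically (a running dropped file, a connection to a host the sandbox saw the sample contact, a matching persistence key) and leads that only escalate (the explicit-credential logon), which is how a playbook keeps the seconds-long response on the slide without isolating hosts on weak evidence.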