Isolation needed for triage and incident response
Like all financial institutions, the bank is well aware of cybersecurity threats that come in the form of phishing campaigns and use social engineering to obtain network access or steal funds by impersonating trusted clients or business partners. Managing these risks has become increasingly complicated as adversaries get craftier and more daring.
The bank has a team of dedicated professionals working at the security operations center (SOC), securing the bank’s systems against attacks, putting in protections against internal weaknesses (e.g., employees clicking on malicious links) and investigating suspected breaches to further harden the security perimeter.
Traditional browsers don’t have the right protections to allow SOC analysts to safely triage suspected phishing incidents and to follow up on threats by visiting malicious websites and engaging with potential adversaries.
The bank needed a solution that would give them an on-demand, highly secure and anonymous environment that they could use to complete their investigations safely – without risking exposure to toxic content or revealing their intentions.
Silo for Research helps the SOC investigate malware
Silo for Research is built on the Silo Web Isolation Platform, which provides users with a one-time-use browser, rendered on demand in a secure, cloud-based container. With all web code converted into a benign remote display session, endpoints are automatically protected from any malware and researchers are free to visit even the most devious sites, knowing they won’t expose their devices and networks to malicious content.
Before deciding on Silo for Research, the bank briefly considered other alternatives, but many of the commercial malware investigation tools didn’t work across platforms and devices, and maintaining a fleet of “burner” laptops disconnected from the bank’s network was neither cost-effective nor practical. The added expense of purchasing, maintaining, rebuilding and reimaging multiple machines was deemed too great, and the lack of anonymity and managed attribution made the researchers’ job less effective — and still inherently risky.
With Silo for Research, the bank’s SOC analysts can spoof their location; manipulate their hardware and software fingerprints; and safely collect any internet-based information to secure external cloud storage, then annotate and share it. Silo for Research also includes tools for language translation (especially relevant to the bank, as it deals with both domestic and foreign-origin threats), link tracing, and web code and traffic analysis.
Improve response times, improve tradecraft
With the adoption of Silo for Research, the bank’s SOC team noticed significant improvement in incident response times. The more they got to know their adversaries, the easier it became to recognize threats, harden the bank’s defenses against them and educate the employees on bad actors’ tools and tactics.
The SOC team also found that Silo for Research helped them improve their internal processes and better their craft. With all actions performed inside Silo carefully logged, SOC analysts could easily retrace their steps or review how their colleagues went about researching a particular threat. “It’s a lot more useful when you move slowly, researching how the hackers operate and what they are thinking – as opposed to going straight to your target,” says a cyberthreat intelligence analyst at the bank.
Prevent future incidents
Phishing has been a popular vector for cyberattacks for decades. As long as organizations rely on electronic communications, there will be hackers relying on people being too busy, too distracted or too careless to scrutinize every email and site before clicking on it. But with tools like Silo for Research, organizations have a reliable method for investigating threats, uncovering their adversaries’ intents and tactics and using this information to strengthen their security posture.
In the future, the bank plans to use Silo for Research not only to reactively respond to incidents, but to proactively monitor known forums or even dark web sites to gather intelligence on potential attacks against the bank, its customers and partners.