From advisory to action: automate the FBI’s RansomHub recommendations with Tines

Written by Amber LangdonProduct Marketing Manager, Tines

The Federal Bureau of Investigation (FBI), the Cybersecurity and Infrastructure Security Agency (CISA), the Multi-State Information Sharing and Analysis Center (MS-ISAC), and the Department of Health and Human Services (HHS) recently issued a joint advisory on the RansomHub ransomware. RansomHub is a ransomware-as-a-service variant, previously known as Cyclops and Knight. Since February 2024, it has encrypted and exfiltrated data from over 210 victims spanning multiple industries.

Although the advisory was issued by U.S. government organizations, RansomHub poses a global threat. According to security vendor ZeroFox, RansomHub attacks have impacted organizations worldwide, with 39% occurring in North America, 34% in Europe, 10% each in the APAC region and South America, and 5% in Australia/New Zealand.

The FBI has provided three essential recommendations to help mitigate cyber threats from ransomware:

  1. Install updates for operating systems, software, and firmware as soon as they are released.

  2. Require phishing-resistant MFA (i.e., non-SMS text based) for as many services as possible.

  3. Train users to recognize and report phishing attempts.

With Tines, you can automate these three key recommendations. Let’s dive into an example story for each recommendation. 

1. Streamline macOS software updates with self-service patch management 

Example Story

Streamline macOS software updates with self-service patch management

Our macOS Patch Management automation streamlines the entire lifecycle of managing software updates for macOS operating systems. It includes a self-service implementation of opting in and out of the patch management pilot group via Tines pages and a ring 0/ring1 approach to distributing macOS operating system updates. Updates are initially pushed to the pilot group for testing, and after a week, they are rolled out to the production group. This automation neatly balances user empowerment, system security and stability, and overall reduction of our company's attack surface.

Tools

Jamf

Community author

Tyler Talaga at MyFitnessPal

This story, crafted by Tyler Talaga from MyFitnessPal, helps organizations streamline the complete lifecycle of managing macOS software updates. It features a self-service model allowing users to opt in or out of the patch management pilot group via Tines pages, along with a tiered approach for distributing macOS updates. Initially, updates are deployed to the pilot group for testing and, after one week, are automatically rolled out to the production environment.

Security teams can use Tines to create workflows that ensure all users have the latest updates and required security software installed.

2. Disable new MFA devices in Okta 

Example Story

Disable new MFA devices in Okta

Query all Okta users and disable any new MFA devices if multiple are associated with an account.

Tools

Okta

Created by

Michael Tolan

Requiring a phishing-resistant MFA, such as Okta, is highly recommended. In the event of a breach, attackers might try to add a new device for MFA to a user’s account. This story monitors for multiple MFA devices associated with a user. If it detects more than one, it will deactivate the most recent device and notify the user via email about the update.

3. Send KnowBe4 training reminders via Slack 

Example Story

Send KnowBe4 training reminders via Slack

This Story checks KnowBe4 enrollments for users who should be notified about different stages in their training.

Your team serves as the first line of defense against attacks, making it crucial to train employees to recognize and report phishing attempts. Implementing a security awareness training solution, such as KnowBe4, can effectively educate employees on identifying and reporting phishing attempts.

After assigning security awareness training, it's essential to send reminders to ensure all employees complete it. This story sends KnowBe4 training reminders via Slack, either as a supplement to or as an alternative to the default email notifications.

Automate your security processes 

These three stories are just a glimpse of how Tines can automate your security processes. Tines integrates with any tool that has an API, allowing you to establish connections between systems in minutes and deploy valuable workflows within hours. Additionally, our library offers over 800 pre-built workflows to get you started quickly.

Built by you, powered by Tines

Talk to one of our experts to learn the unique ways your business can leverage Tines.