Alert! Alert! But then what?

Posted by Hugh Docherty on Thu, May 21, '15

Gary Warner from Malcovery Security and Wendy Nather of 451 Research recently hosted a webinar: Using Contextual Threat Intelligence to Improve Incident Response. With some assistance from a very “animated” CISO, Gary and Wendy reviewed the challenges facing incident response teams today. Here we provide an overview of some key points from part two of the webinar.

As reported in the 2015 Verizon Data Breach Incident Report, incident response times are improving but are still lagging behind the time to compromise. This is in part because, as Wendy stated, “analysis slows down to the human in the chain”. More automation is necessary to analyze the data flowing through companies’ networks, and more reliable data about the current threat landscape is needed for correlation, in order to close the response time gap.

Watchlist Items

In our post covering part one of the webinar, These Are The Events You're Looking For, we showed how SOC analysts have an advantage when they have access to key aspects of the attack in their SIEM console that allow them to prioritize and initiate a response faster. Once a trouble ticket is created, the response team needs quick access to the details about the attack. They don’t want to spend their time looking for information. 

But then what?

Gary demonstrated how, using a combination of our threat reports and SaaS investigation tools, response teams can quickly identify and react to items in their queue. It sounds simple enough, but just knowing why communication with an IP address triggered an alert can save a lot of time and damage. For example, if the IP address is a known C2 server, then the responder needs to jump. Alerts driven by this type of information (shown here, outside of the SIEM) should filter to the top of the priority list within any company.

Many companies fall back on a re-imaging process for any computer that appears to be compromised, and the response stops there. Being able to connect the IP address with recent malware campaigns can lead the responder down a number of paths. In Gary’s example, the IP address leads to Andromeda being distributed by a malicious macro in a Word document. Watch the video starting at 27 minutes to see how. It’s an old school attack but still effective.

Gary shows how quickly this set of information about the attack can be correlated directly to malware campaigns recently seen disguised as questions about job ads and applications sent via email. Now the responder can work with the mail team to find and remove similar email before it is opened. She can also warn the organization that this attack is currently active and even distribute screenshots of the email.
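The workflow described in the last three paragraphs, as an added illustration that is not code from the webinar or from Malcovery’s tools: a small triage script that takes alert lines in a constructed SIEM export format, looks the destination IP up in a constructed contextual watchlist (C2 role, malware family, campaign, delivery vector, lure subject lines), ranks the queue so known-C2 hits land on top, and turns the campaign context into concrete follow-up actions for the responder and the mail team. Every IP (documentation ranges), campaign name, subject line and alert line below is made up for the example; only the Andromeda/macro-in-Word pairing comes from the text above.

```python
"""
Added example: enrich SIEM alerts with contextual threat intelligence so the
responder sees *why* an IP triggered and what to do next. Not Malcovery code.
All indicators, campaign names and log lines are constructed sample data.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Constructed watchlist: the kind of context a contextual feed would supply
# per indicator. 203.0.113.0/24 and 198.51.100.0/24 are documentation ranges.
WATCHLIST: Dict[str, dict] = {
    "203.0.113.10": {
        "role": "c2",
        "family": "Andromeda",
        "campaign": "job-application-lure",       # constructed name
        "vector": "malicious macro in Word attachment",
        "subjects": ["Re: job application", "Question about your job ad"],  # constructed
    },
    "198.51.100.7": {"role": "scanner", "family": None, "campaign": None,
                     "vector": None, "subjects": []},
}

# Lower number = handle first. Unknown destinations default to 5.
ROLE_PRIORITY = {"c2": 1, "dropper": 2, "scanner": 4}


@dataclass
class Alert:
    host: str
    dest_ip: str
    raw: str
    role: str = "unknown"
    priority: int = 5
    family: Optional[str] = None
    campaign: Optional[str] = None
    vector: Optional[str] = None
    hunt_subjects: List[str] = field(default_factory=list)


def parse_alert(line: str) -> Alert:
    """Parse a constructed 'ts host=<h> dst=<ip> key=value ...' export line."""
    parts = line.split()
    kv = dict(p.split("=", 1) for p in parts[1:] if "=" in p)
    return Alert(host=kv["host"], dest_ip=kv["dst"], raw=line)


def enrich(alert: Alert, watchlist: Dict[str, dict] = WATCHLIST) -> Alert:
    """Attach watchlist context to the alert; untouched if the IP is unknown."""
    ctx = watchlist.get(alert.dest_ip)
    if ctx is None:
        return alert
    alert.role = ctx["role"]
    alert.priority = ROLE_PRIORITY.get(ctx["role"], 3)
    alert.family = ctx["family"]
    alert.campaign = ctx["campaign"]
    alert.vector = ctx["vector"]
    alert.hunt_subjects = list(ctx["subjects"])
    return alert


def triage(lines: List[str], watchlist: Dict[str, dict] = WATCHLIST) -> List[Alert]:
    """Parse, enrich and order the queue: known C2 first, unknowns last."""
    alerts = [enrich(parse_alert(ln), watchlist) for ln in lines]
    return sorted(alerts, key=lambda a: (a.priority, a.host))


def response_actions(alert: Alert) -> List[str]:
    """Translate the enrichment into the next steps the responder should take."""
    actions = []
    if alert.role == "c2":
        actions.append(f"isolate {alert.host}: active C2 traffic to {alert.dest_ip}")
    if alert.vector:
        # Re-imaging alone loses this: confirm the delivery vector on the host.
        actions.append(f"confirm {alert.vector} on {alert.host} before re-imaging")
    for subj in alert.hunt_subjects:
        actions.append(f"mail team: quarantine unopened messages with subject '{subj}'")
    if not actions:
        actions.append(f"normal queue: review {alert.host} -> {alert.dest_ip}")
    return actions


# Constructed alert export lines.
SAMPLE_ALERTS = [
    "2015-05-21T10:02:11Z host=WS-042 dst=203.0.113.10 proto=tcp dport=443",
    "2015-05-21T10:03:40Z host=WS-017 dst=192.0.2.55 proto=tcp dport=80",
    "2015-05-21T10:04:02Z host=DB-01 dst=198.51.100.7 proto=tcp dport=22",
]

if __name__ == "__main__":
    for a in triage(SAMPLE_ALERTS):
        print(f"[P{a.priority}] {a.host} -> {a.dest_ip} role={a.role} "
              f"family={a.family} campaign={a.campaign}")
        for act in response_actions(a):
            print("   -", act)
```

The point of the ordering key is that a hit on a known C2 address outranks everything else regardless of arrival time, and the point of `response_actions` is that the campaign context (delivery vector and lure subjects) produces work for the mail team as well as the host owner, which a plain re-image would never surface.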

InfoSec teams are working overtime to ensure the best protection for their networks, employees, and data. It’s difficult to staff and maintain the team needed to defend against today’s threats, and more automation is vital as InfoSec managers face an increasing shortage of quality analysts. Teams are growing in maturity and looking to improve their tools and processes to get ahead of today’s threats.

Using high-signal, contextual threat intelligence gives your team an advantage by seeing real threats faster and jump-starting their response. It’s not uncommon to have a couple of clues about an attack from different sources. Using well-formed intelligence to connect those clues and get the team focused in the right direction is a critical part of protecting your network.


P.S. Don't miss our next webinar: Malware Trends and Tactics: Focus on Botnet Infrastructure
