
Unlocking Efficiency: A Deep Dive into Inovaguard's Incident Response Automation

Data volumes keep growing at an unprecedented rate, and according to The State of Attack Surface Management 2022 Report, a staggering 80% of cybersecurity professionals find themselves inundated by the sheer volume of security alerts.

Amid this relentless barrage of security alerts, cybersecurity analysts grapple with a trifecta of challenges: alert fatigue, the struggle to sift through the noise for meaningful information, and the time-intensive process of triaging and gathering essential artifacts, with the International Data Corporation (IDC) recently highlighting the potential consequences, such as missed cyber threats. This blog post marks the beginning of a series that delves into how these challenges become opportunities for innovation and improvement.

Uncovering the challenge: The Problem at Hand

Prominent Security Information and Event Management (SIEM) providers have dedicated recent years to a core mission: enhancing their alerting systems and ensuring a user-friendly experience. Their efforts have largely revolved around extending incident coverage, enhancing the presentation of alert data, and elevating data quality. These improvements equip cybersecurity analysts with the comprehensive information needed to distinguish true alerts from false positives. However, the quest for efficiency begs further questions: isn't it more efficient to have only the necessary information? How can we consolidate all duplicated alerts into a single one? Can we streamline the investigation process to save time? Inovaguard’s Incident Response (IR) Automation holds the answers!

Addressing the challenge: Inovaguard’s IR Automation

Inovaguard’s Incident Response Automation is an integrated capability of the Octodet Security Platform that empowers Managed Detection and Response (MDR) providers to seamlessly integrate, maintain, and deliver high-quality security services to their customers.

1- Inovaguard’s MITRE dictionary

The MITRE ATT&CK framework serves as a comprehensive, globally accessible repository of adversary tactics, techniques and procedures grounded in real-world observations. Security experts have mapped a majority of their detection rules to MITRE, primarily with the aim of pinpointing defensive weaknesses, evaluating security tool capabilities, orchestrating detections, and proactively hunting down threats.

Within each MITRE technique, a specific set of MITRE Data Sources is defined, encompassing a diverse range of subjects and information types that sensors and logs can capture. These data sources serve as a valuable reference for security experts when crafting or investigating detection rules and identifying relevant Indicators of Compromise (IOCs). 

The initial step in the creation of Inovaguard’s MITRE dictionary involved an in-depth analysis of all MITRE techniques, scrutinizing the associated data sources and evaluating a vast array of Elastic, Sigma and Splunk detection rules. Through this comprehensive research, we devised a novel approach in which data sources indicate which fields to focus on, rather than solely pointing to specific IOCs. In essence, our data sources address the “Where?” question, shifting the emphasis away from “What?”. With this approach, we resolve two key investigation challenges: creating investigation templates based on behavior (distinct rules employing the same technique but different IOCs), and narrowing our focus to only the essential fields.

Elasticsearch was used as the database for the initial version of Inovaguard's MITRE dictionary. To extract the requisite fields for each MITRE technique, a two-step process was implemented:

Mapping MITRE techniques to log categories: analyzing each MITRE technique's data sources to compile a list of indicators, identifying the event categories capable of containing these indicators, and mapping them accordingly.

Fig.1 Overview of Inovaguard’s MITRE dictionary.

Refining field selection for enhanced relevance: creating a subset of relevant fields in each category and removing the unnecessary ones.

Fig.2 Example of selected fields for File category.

As a result of this first phase, only the relevant fields are extracted from the alert event.
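The two-step lookup described above, as an added example that is not Inovaguard's code: a technique resolves to its ATT&CK data source components, those resolve to event categories, and each category carries only the subset of fields an analyst should see. The dictionary is then applied to a constructed ECS-style alert so that only the relevant fields survive. T1059 and T1105 and their data source names are real ATT&CK entries; the data-source-to-category mapping, the field subsets, and the sample alert are this example's assumptions.

```python
# Added example (not Inovaguard's code): a small MITRE "dictionary" that resolves a
# technique to its ATT&CK data source components, those to event categories, and each
# category to the subset of fields an analyst should see, then applies it to an alert.
# T1059/T1105 and their data source names are real ATT&CK entries; the category mapping
# and the ECS-style field subsets are this example's assumptions.

TECHNIQUE_DATA_SOURCES = {
    "T1059": ["Process: Process Creation", "Command: Command Execution"],
    "T1105": ["Network Traffic: Network Connection Creation", "File: File Creation"],
}

DATA_SOURCE_TO_CATEGORY = {
    "Process: Process Creation": "process",
    "Command: Command Execution": "process",
    "File: File Creation": "file",
    "Network Traffic: Network Connection Creation": "network",
}

CATEGORY_FIELDS = {
    "process": ["process.name", "process.command_line", "process.parent.name",
                "process.hash.sha256", "user.name", "host.name"],
    "file": ["file.path", "file.hash.sha256", "process.name", "host.name"],
    "network": ["source.ip", "destination.ip", "destination.port",
                "process.name", "host.name"],
}


def fields_for_technique(technique_id):
    """Technique -> categories -> ordered, de-duplicated list of relevant fields."""
    seen, fields = set(), []
    for source in TECHNIQUE_DATA_SOURCES.get(technique_id, []):
        category = DATA_SOURCE_TO_CATEGORY.get(source)
        for field in CATEGORY_FIELDS.get(category, []):
            if field not in seen:
                seen.add(field)
                fields.append(field)
    return fields


def get_path(event, dotted):
    """Walk a nested dict by a dotted ECS-style path; None if any segment is missing."""
    current = event
    for part in dotted.split("."):
        if not isinstance(current, dict) or part not in current:
            return None
        current = current[part]
    return current


def extract_relevant(alert):
    """Keep only the fields the dictionary marks relevant for the alert's techniques."""
    relevant = {}
    for technique in alert["rule"].get("techniques", []):
        for field in fields_for_technique(technique):
            value = get_path(alert["event"], field)
            if value is not None:
                relevant[field] = value
    return relevant


# Constructed alert: a rule mapped to T1059 on a noisy ECS-style event.
SAMPLE_ALERT = {
    "rule": {"name": "Office application spawning PowerShell", "techniques": ["T1059"]},
    "event": {
        "@timestamp": "2024-03-01T10:00:00Z",
        "agent": {"id": "agent-0001", "version": "8.9.0"},
        "ecs": {"version": "8.0"},
        "host": {"name": "WS-042", "os": {"family": "windows"}},
        "user": {"name": "jdoe", "domain": "CORP"},
        "process": {
            "pid": 5120,
            "name": "powershell.exe",
            "command_line": "powershell.exe -NoProfile -File C:\\Temp\\update.ps1",
            "parent": {"pid": 4120, "name": "winword.exe"},
            "hash": {"sha256": "00" * 32},  # placeholder hash, not a real sample
        },
    },
}

if __name__ == "__main__":
    for field, value in extract_relevant(SAMPLE_ALERT).items():
        print(f"{field:24} {value}")
```

Fields such as `agent.version` or `ecs.version` are dropped because no data source of the alert's technique leads to them; a rule tagged with several techniques simply unions their field lists.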

However, is this alone sufficient for making an informed decision? What if analysts require additional information, such as IOC reputation, the sequence of processes, the source of downloaded files, or other affected hosts? Let’s look at our next phase.

2- Inovaguard’s Alert Enrichment

In The Sign of the Four, one of Sherlock Holmes' renowned quotes resonates: “When you have eliminated the impossible, whatever remains, however improbable, must be the truth.” In a similar vein, analysts, during their investigative endeavors, pose a series of crucial questions echoing Holmes's deductive approach. These inquiries serve as a compass for making informed decisions:

  • What is the parent process of the one matched by the detection rule?
  • What is the role of the user who executed the process?
  • What are the dropped files?
  • Is the host considered critical?
  • Is the process path accurate?
  • Is the process considered legitimate?
  • Have the IOCs (hashes, IPs, etc.) been flagged previously by security vendors, and if so, how frequently?

Inovaguard’s IR automation equips analysts with pre-populated tickets containing answers to the questions they might pose. The implementation of this phase first involved dividing the question set into two main categories: customer activities questions and cybersecurity community questions.

2.1- Customer activities questions

To effectively address questions related to the customer activities, the following steps are undertaken:

  • Establish the set of questions to use during the investigation of various security alerts.
  • Categorize the questions and establish the correlation fields.
  • List the sources that may contain the answers.
  • Translate the questions into queries.
  • Test the execution of the queries, estimate the execution time, and optimize it for the shortest possible time with the best results.
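The steps above carried through end to end, as an added example that is not Inovaguard's code: the customer-activity questions from the list earlier in the post (parent process, user role, dropped files, host criticality, other affected hosts) are each tied to the correlation fields they need, translated into a query, and run against a tiny in-memory stand-in for the SIEM index, asset inventory and user directory, with the execution time of each query recorded. Every record below is constructed, and the question names, record layout and correlation fields are this example's assumptions.

```python
# Added example (not Inovaguard's code): the customer-activity question set translated
# into queries and run against a tiny in-memory stand-in for the SIEM index, asset
# inventory and user directory.  All records below are constructed; the question names,
# correlation fields and record layout are this example's assumptions.
import time

EVENTS = [  # stand-in for process/file events in the SIEM
    {"category": "process", "host": "WS-042", "user": "jdoe", "pid": 5120, "ppid": 4120,
     "name": "powershell.exe", "sha256": "aaa111"},
    {"category": "process", "host": "WS-042", "user": "jdoe", "pid": 4120, "ppid": 900,
     "name": "winword.exe", "sha256": "bbb222"},
    {"category": "file", "host": "WS-042", "pid": 5120, "action": "creation",
     "path": "C:\\Users\\jdoe\\AppData\\Local\\Temp\\update.exe"},
    {"category": "process", "host": "SRV-DB-01", "user": "svc_backup", "pid": 77, "ppid": 1,
     "name": "powershell.exe", "sha256": "aaa111"},
]
ASSETS = {"WS-042": {"critical": False}, "SRV-DB-01": {"critical": True}}
DIRECTORY = {"jdoe": {"role": "finance-analyst"}, "svc_backup": {"role": "service-account"}}


def q_parent_process(alert):
    """What is the parent process of the one matched by the rule?"""
    for e in EVENTS:
        if e["category"] == "process" and e["host"] == alert["host"] and e["pid"] == alert["ppid"]:
            return e["name"]
    return None


def q_user_role(alert):
    """What is the role of the user who executed the process?"""
    return DIRECTORY.get(alert["user"], {}).get("role")


def q_dropped_files(alert):
    """Which files did the matched process create?"""
    return [e["path"] for e in EVENTS
            if e["category"] == "file" and e["host"] == alert["host"]
            and e["pid"] == alert["pid"] and e["action"] == "creation"]


def q_host_critical(alert):
    """Is the host considered critical?"""
    return ASSETS.get(alert["host"], {}).get("critical", False)


def q_other_hosts(alert):
    """Which other hosts ran a process with the same hash?"""
    return sorted({e["host"] for e in EVENTS
                   if e["category"] == "process" and e.get("sha256") == alert["sha256"]
                   and e["host"] != alert["host"]})


# Question catalogue: handler plus the correlation fields it needs from the alert.
QUESTIONS = {
    "parent_process": (q_parent_process, ("host", "ppid")),
    "user_role": (q_user_role, ("user",)),
    "dropped_files": (q_dropped_files, ("host", "pid")),
    "host_critical": (q_host_critical, ("host",)),
    "other_hosts": (q_other_hosts, ("host", "sha256")),
}


def enrich(alert):
    """Run every applicable question, recording the answer and its execution time."""
    answers = {}
    for name, (handler, fields) in QUESTIONS.items():
        missing = [f for f in fields if alert.get(f) is None]
        if missing:
            answers[name] = {"answer": None, "skipped": f"missing {', '.join(missing)}"}
            continue
        start = time.perf_counter()
        answers[name] = {"answer": handler(alert),
                         "ms": round((time.perf_counter() - start) * 1000, 3)}
    return answers


# Constructed alert: the fields the MITRE dictionary kept for a T1059 hit.
SAMPLE_ALERT = {"host": "WS-042", "user": "jdoe", "pid": 5120, "ppid": 4120, "sha256": "aaa111"}

if __name__ == "__main__":
    for name, result in enrich(SAMPLE_ALERT).items():
        print(f"{name:15} {result}")
```

A question whose correlation fields are absent from the alert is reported as skipped rather than run with a half-formed query; in a real deployment each handler would be an Elasticsearch query over the SIEM index and the recorded timings feed the optimization step.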

Answering these questions presented a challenge, but it was successfully overcome, and a first enrichment section has been added to each alert ticket, as illustrated in Fig 3.

Fig.3 Ticket enriched with all information related to the involved process.

2.2- Cybersecurity community questions

In tackling the second set of questions, our main emphasis was on assessing the reputation of Indicators of Compromise (IOCs) and devising a methodology to calculate a relevancy score that discerns between genuinely harmful and innocuous IOCs.

Security analysts typically have the reflex of verifying the reputation of various indicators such as process hashes, IP addresses, URLs, and more. A common practice involves checking internal databases, such as a list of trusted IPs. Subsequently, experts often consult external platforms like VirusTotal, known for curating the world's largest crowdsourced threat corpus through community contributions, or other services like Abuse IP or AlienVault. However, the challenge arises because the results from these platforms can vary, leading to confusion regarding the true harmfulness of the identified Indicator of Compromise (IOC).

In the course of our automation process, we harnessed the public APIs of these websites to conduct IOC reputation checks. Instead of directly displaying the raw results, our security team devised a novel approach for classifying IOCs: a formula that combines the results gleaned from the API calls to the various websites and assigns a new label to the IOC, as illustrated in the figure below.

Fig.4 Enhanced IOC Classification through Advanced New-Score Calculation.
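One way to turn several vendor verdicts into a single score and label, as an added example that is neither Inovaguard's formula nor its code: an internal trusted list short-circuits the lookup, each available source is normalized to a 0 to 100 scale, and the sources are combined by weight, with the weights renormalized so that a missing source does not drag the score down. The responses below are constructed and only loosely shaped after the VirusTotal `last_analysis_stats` counts, the AbuseIPDB `abuseConfidenceScore` and the OTX pulse count; the weights and thresholds are this example's assumptions.

```python
# Added example (not Inovaguard's formula or code): combine several reputation sources
# into one 0..100 score and a label.  Input dicts are constructed and only loosely shaped
# after VirusTotal's last_analysis_stats, AbuseIPDB's abuseConfidenceScore and an OTX pulse
# count; the weights and thresholds below are this example's assumptions.

WEIGHTS = {"virustotal": 0.5, "abuseip": 0.3, "otx": 0.2}
THRESHOLDS = [(60, "malicious"), (25, "suspicious"), (0, "benign")]


def score_ioc(ioc, vt=None, abuse=None, otx=None, internal_trusted=frozenset()):
    """Return {"ioc", "score", "label", "sources"}; sources lists what contributed."""
    if ioc in internal_trusted:  # internal allowlist wins over any external verdict
        return {"ioc": ioc, "score": 0, "label": "trusted", "sources": ["internal"]}

    parts = []  # (normalized 0..100 score, weight)
    sources = []
    if vt:
        total = sum(vt.values())
        if total:
            hits = vt.get("malicious", 0) + 0.5 * vt.get("suspicious", 0)
            parts.append((100.0 * hits / total, WEIGHTS["virustotal"]))
            sources.append("virustotal")
    if abuse is not None:  # already a 0..100 confidence
        parts.append((float(abuse.get("abuseConfidenceScore", 0)), WEIGHTS["abuseip"]))
        sources.append("abuseip")
    if otx is not None:  # each pulse adds 20 points, capped at 100
        parts.append((min(100.0, 20.0 * otx.get("pulse_count", 0)), WEIGHTS["otx"]))
        sources.append("otx")

    if not parts:
        return {"ioc": ioc, "score": None, "label": "unknown", "sources": []}

    weight_sum = sum(w for _, w in parts)  # renormalize over the sources we actually have
    score = round(sum(s * w for s, w in parts) / weight_sum)
    label = next(name for floor, name in THRESHOLDS if score >= floor)
    return {"ioc": ioc, "score": score, "label": label, "sources": sources}


# Constructed responses for a hash flagged widely, a hash with a single detection,
# and an IP on the internal trusted list.  None of these values are real lookups.
FLAGGED = score_ioc(
    "sha256:constructed-1",
    vt={"malicious": 40, "suspicious": 2, "harmless": 10, "undetected": 20},
    abuse={"abuseConfidenceScore": 90},
    otx={"pulse_count": 3},
)
SINGLE_HIT = score_ioc(
    "sha256:constructed-2",
    vt={"malicious": 1, "suspicious": 0, "harmless": 60, "undetected": 10},
    abuse={"abuseConfidenceScore": 0},
    otx={"pulse_count": 0},
)
TRUSTED = score_ioc("192.0.2.10", abuse={"abuseConfidenceScore": 100},
                    internal_trusted=frozenset({"192.0.2.10"}))

if __name__ == "__main__":
    for result in (FLAGGED, SINGLE_HIT, TRUSTED):
        print(result)
```

The renormalization matters for the partial-data case: a hash that only VirusTotal knows about is scored on VirusTotal alone instead of being diluted by the absent sources, and an IOC with no data at all is labelled unknown rather than benign.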

Consequently, a secondary enrichment section titled Threat Intel is added to every alert ticket, as depicted in Fig 5.

Fig.5 IOC Reputation ticket-enrichment example.

Concluding the second enrichment phase: Inovaguard’s tickets now encompass comprehensive information, empowering security analysts to make informed decisions. Addressing the initial concern raised about alert fatigue, Inovaguard's automation also ensures the presentation of unique tickets, consolidating all duplicated alerts into a single, manageable ticket.
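The consolidation of duplicated alerts into one ticket, as an added example that is not Inovaguard's code: alerts are fingerprinted on the rule, host, user and process hash, and repeats of the same fingerprint within a time window are folded into the open ticket with an occurrence count, while a repeat after the window opens a fresh ticket. The fingerprint fields, the one-hour window and the sample alerts are this example's assumptions.

```python
# Added example (not Inovaguard's code): fold duplicated alerts into a single ticket.
# The fingerprint fields, the window length and the sample alerts below are assumptions.
from datetime import datetime, timedelta


def fingerprint(alert):
    """Alerts from the same rule on the same host for the same user and process hash
    are one event from a triage standpoint (fingerprint fields are an assumption)."""
    return (alert["rule"], alert["host"], alert["user"], alert.get("sha256"))


def consolidate(alerts, window=timedelta(hours=1)):
    """Group alerts by fingerprint; a repeat within `window` of the ticket's last
    occurrence joins that ticket, otherwise a new ticket is opened."""
    tickets = []
    open_by_fp = {}
    for alert in sorted(alerts, key=lambda a: a["ts"]):
        ts = datetime.fromisoformat(alert["ts"])
        fp = fingerprint(alert)
        ticket = open_by_fp.get(fp)
        if ticket is not None and ts - ticket["last_seen"] <= window:
            ticket["count"] += 1
            ticket["last_seen"] = ts
            ticket["alert_ids"].append(alert["id"])
        else:
            ticket = {"fingerprint": fp, "first_seen": ts, "last_seen": ts,
                      "count": 1, "alert_ids": [alert["id"]]}
            tickets.append(ticket)
            open_by_fp[fp] = ticket
    return tickets


# Constructed alerts: three repeats on WS-042, one on another host, and one
# recurrence on WS-042 well after the window has closed.
SAMPLE_ALERTS = [
    {"id": "a1", "ts": "2024-03-01T10:00:00+00:00", "rule": "office-spawns-powershell",
     "host": "WS-042", "user": "jdoe", "sha256": "aaa111"},
    {"id": "a2", "ts": "2024-03-01T10:05:00+00:00", "rule": "office-spawns-powershell",
     "host": "WS-042", "user": "jdoe", "sha256": "aaa111"},
    {"id": "a3", "ts": "2024-03-01T10:07:00+00:00", "rule": "office-spawns-powershell",
     "host": "WS-017", "user": "asmith", "sha256": "aaa111"},
    {"id": "a4", "ts": "2024-03-01T10:20:00+00:00", "rule": "office-spawns-powershell",
     "host": "WS-042", "user": "jdoe", "sha256": "aaa111"},
    {"id": "a5", "ts": "2024-03-01T12:30:00+00:00", "rule": "office-spawns-powershell",
     "host": "WS-042", "user": "jdoe", "sha256": "aaa111"},
]

if __name__ == "__main__":
    for ticket in consolidate(SAMPLE_ALERTS):
        print(ticket["fingerprint"], ticket["count"], ticket["alert_ids"])
```

The count and the first/last timestamps stay on the ticket, so an analyst still sees that the behaviour repeated and how often, without five tickets competing for attention.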

Through Inovaguard's Investigation module, we've successfully tackled a myriad of daily challenges faced by security analysts, ushering in an era of streamlined processes, reduced response times, and diminished human error. As we continue our journey, the focus now shifts to enhancing the response side by combining human skills and knowledge with the power of Large Language Models (LLMs). Stay tuned for our next blog, where we'll delve into the strategies and innovations aimed at further elevating the efficiency and effectiveness of incident response. The evolution continues, and we invite you to be a part of the journey towards a more robust and resilient cybersecurity landscape.