Example showing ReversingLabs file enrichment.
Performing triage is one of the most tedious parts of being a SOC analyst. Hopefully, it's an alert for which the SOC has an established and well-defined triage procedure, and not Yet Another False Positive (TM). If enough data is available up front, the analyst does not have to flip back and forth between tools and portals for another 15 minutes. As a former SOC analyst, I know that getting the correct answer is the priority. The queue keeps growing while the team is investigating, and wasting time because the data needed isn't readily available can be greatly demoralizing.
When deploying a Security Orchestration, Automation and Response (SOAR) tool, one of the easiest improvements that can be implemented is to automatically enrich alerts and data to give the SOC analysts more context. Here's how data can be enriched, and a few examples of how to do so.
For any given security alert in your Security Information and Event Management (SIEM) platform, you are going to have at least the following indicator types:
In addition to all of the ways to enrich the data types mentioned above, ensuring that you are utilizing threat intelligence indicator feeds with your SOAR platform can trim even more time off the “is this indicator malicious” phase of triage. Most SOAR platforms have a built-in threat intelligence feature or easily integrate with a third-party Threat Intelligence Platform (TIP).
As well as knowing what data may help enrich each indicator type, it's also essential for the SOC team to understand how to perform the enrichment. The enrichment data should be ready before the analyst picks up the alert, so you need playbooks that run on alert creation. Depending on your SOAR platform and internal procedures, it may also be a good idea to let the analyst run the enrichment automation manually for multiple indicators at once.
The TIP should already have a record of the indicator. The SOC team will often rely upon multiple third-party applications for data enrichment. However, many SOAR platforms have out-of-the-box integrations for performing automated enrichment. For example, some SOAR products have a built-in feature that can automatically query the WHOIS database and update the case.
Here’s a review of methods to perform enrichment on each indicator type:
IP addresses: Utilize IP reputation and geo-IP lookup services to uncover previously detected malware sources.
File hash: Utilize a file hash reputation lookup service, and query the SIEM/EDR for the prevalence of the file hash, to uncover malware.
Domain name: Utilize reputation lookup services, or even just the WHOIS command, to determine the reputation and age of the domain.
URL: Utilize reputation lookup services and website screenshot tools to uncover compromised sites.
Hosts: Use the asset management system to retrieve information such as installed applications, operating system, installed patches, and system owner. This indicator will highlight users with outdated software or unmanaged devices such as printers.
Accounts: Query the user directory to retrieve information about the account, such as group membership, enabled status, office location, and manager. This indicator will highlight users in elevated positions, such as C-level staff, and other higher-risk accounts.
ReversingLabs recommends that the enrichment information be easily accessible to the analysts and that the enrichment process call out anything that would indicate a problem. For example, if the reputation check of a domain suggests that it is malicious, ensure that the SIEM presents that information to the analyst, and consider automatically raising the alert's severity.
Many services have free tiers for their APIs, but with certain limitations, such as a maximum number of API calls in a given timeframe. Therefore, ReversingLabs recommends storing the results locally to reduce redundant API calls to external services. Each SIEM and SOAR platform has different ways to do this; for example, in Microsoft Sentinel, it is possible to create a new custom table to store the data so a SOC analyst can reference it later.
One of the core tenets of SOAR is automation, that is, removing the need for a human to perform repeated small chunks of work manually. Think about how long it would take to complete the above-mentioned actions. Submitting a single file hash to an online service takes a minute or two. However, put that in the context of an analyst needing to do this task for dozens or hundreds of indicators several times a day. A scripted API solution that requires no user input would automate this redundant task. That's time that the SOC team could use for more valuable analysis. The result is faster and more accurate triage, and the analysts will appreciate the reduction in tedious work. Automation should always be a goal for any of these threat research tasks.
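The following playbook skeleton is an added example, not code from the original post or from any ReversingLabs product. It ties together the steps above: classify each indicator in an alert by type, look up its reputation, cache the verdict locally so repeated indicators do not burn API quota, and raise the alert severity when anything comes back malicious. The reputation data, the `fake_lookup` function, the cache TTL and the sample alert are all constructed assumptions standing in for a real TIP or reputation API; a real playbook would replace `fake_lookup` with the vendor client and persist the cache in the SIEM (for example a Sentinel custom table) rather than in memory.

```python
import re
import time
from typing import Callable, Dict, Optional, Tuple

# Constructed reputation data (assumption): stands in for a TIP or
# reputation API so the example runs offline. Keys are normalized to lower case.
FAKE_REPUTATION = {
    "ip": {"203.0.113.7": "malicious"},            # documentation range, constructed
    "hash": {"deadbeef" * 4: "malicious"},         # constructed 32-hex "MD5"
    "domain": {"example-bad.invalid": "malicious"},
    "url": {},
}

def fake_lookup(kind: str, value: str) -> str:
    """Hypothetical reputation lookup; returns 'malicious' or 'unknown'."""
    return FAKE_REPUTATION.get(kind, {}).get(value, "unknown")

# Indicator type detection for the types the post lists (hosts and accounts
# come from asset/directory systems rather than free-text indicators).
_IPV4 = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
_HASH = re.compile(r"^(?:[0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})$")
_URL = re.compile(r"^https?://", re.IGNORECASE)
_DOMAIN = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.IGNORECASE)

def classify(indicator: str) -> str:
    s = indicator.strip()
    if _IPV4.match(s) and all(0 <= int(o) <= 255 for o in s.split(".")):
        return "ip"
    if _HASH.match(s):
        return "hash"
    if _URL.match(s):
        return "url"
    if _DOMAIN.match(s):
        return "domain"
    return "unknown"

class EnrichmentCache:
    """In-memory TTL cache; the clock is injectable so expiry can be tested."""
    def __init__(self, ttl_seconds: float = 3600, clock: Callable[[], float] = time.time):
        self.ttl = ttl_seconds
        self.clock = clock
        self._store: Dict[Tuple[str, str], Tuple[str, float]] = {}

    def get(self, key: Tuple[str, str]) -> Optional[str]:
        hit = self._store.get(key)
        if hit is None:
            return None
        verdict, stored_at = hit
        if self.clock() - stored_at > self.ttl:   # stale: evict and force a fresh lookup
            del self._store[key]
            return None
        return verdict

    def put(self, key: Tuple[str, str], verdict: str) -> None:
        self._store[key] = (verdict, self.clock())

class Enricher:
    def __init__(self, lookup: Callable[[str, str], str], cache: EnrichmentCache):
        self.lookup = lookup
        self.cache = cache
        self.api_calls = 0   # counts external calls, i.e. what the free tier meters

    def enrich(self, indicator: str) -> dict:
        kind = classify(indicator)
        if kind == "unknown":
            return {"indicator": indicator, "type": kind, "verdict": "unsupported", "cached": False}
        key = (kind, indicator.strip().lower())
        verdict = self.cache.get(key)
        cached = verdict is not None
        if not cached:
            self.api_calls += 1
            verdict = self.lookup(*key)
            self.cache.put(key, verdict)
        return {"indicator": indicator, "type": kind, "verdict": verdict, "cached": cached}

SEVERITY_ORDER = ["low", "medium", "high"]

def triage_alert(alert: dict, enricher: Enricher) -> dict:
    """Enrich every indicator on the alert; escalate to high if any is malicious."""
    results = [enricher.enrich(i) for i in alert["indicators"]]
    severity = alert["severity"]
    if any(r["verdict"] == "malicious" for r in results) and \
            SEVERITY_ORDER.index(severity) < SEVERITY_ORDER.index("high"):
        severity = "high"
    return {"id": alert["id"], "original_severity": alert["severity"],
            "severity": severity, "enrichment": results}

# Constructed sample alert (assumption), as a SOAR might receive it on creation.
SAMPLE_ALERT = {
    "id": "ALERT-0001",
    "severity": "medium",
    "indicators": ["203.0.113.7", "DEADBEEF" * 4, "example-bad.invalid", "https://example.com/login"],
}

if __name__ == "__main__":
    enricher = Enricher(fake_lookup, EnrichmentCache(ttl_seconds=3600))
    first = triage_alert(SAMPLE_ALERT, enricher)
    second = triage_alert(SAMPLE_ALERT, enricher)   # same alert again: all cache hits
    print(first["severity"], enricher.api_calls, [r["cached"] for r in second["enrichment"]])
```

Running it shows the alert escalated from medium to high, four external calls for the first pass and zero for the repeat, which is the quota saving the post describes. Hash keys are lower-cased before the cache and lookup so that `DEADBEEF...` and `deadbeef...` are treated as the same indicator, which is a common source of duplicate lookups in practice.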
Working in the SOC is hard. Having adequate policies, procedures, training, and resources makes it much more manageable. The SOC team wants to do the right thing in the right way, and organizations must enable these teams to ensure their success. ReversingLabs believes that a well-managed SOC that can correlate and quickly triage malware automatically is a massive asset to any organization's cybersecurity posture.
Explore RL's Spectra suite: Spectra Assure for software supply chain security, Spectra Detect for scalable file analysis, Spectra Analyze for malware analysis and threat hunting, and Spectra Intelligence for reputation data and intelligence.