Example showing ReversingLabs TitaniumCloud file enrichment.
Performing triage is one of the most tedious parts of being a SOC analyst. Hopefully, the alert is one for which the SOC has an established and well-defined triage procedure, and it is not Yet Another False Positive (TM). If enough data is available up front, the analyst does not have to flip back and forth between tools and portals for another 15 minutes. As a former SOC analyst, I know getting the correct answer is a priority. The queue keeps growing while the team is investigating, and wasting time because the data needed isn't readily available can be greatly demoralizing.
When deploying a Security Orchestration, Automation and Response (SOAR) tool, one of the easiest improvements that can be implemented is to automatically enrich alerts and data to give the SOC analysts more context. Here's how data can be enriched, and a few examples of how to do so.
What incident data can be enriched?
For any given security alert in your Security Information and Event Management (SIEM) system, you are going to have at least the following indicator types:
- IP address. One of the trickiest types of data to provide definitive context for, but several pieces of information can be helpful to a SOC analyst. Most analysts first jump to geolocation data, which can help identify potentially compromised accounts. If a user logs in from the US at 8 AM but logs in an hour later from Japan, there's likely something to dig into. Knowing which ISP/organization owns the IP address can also be valuable information. A Microsoft-owned IP range will have a different response priority than a foreign VPS provider known for being abused by malicious actors.
- File hash. On its own, a file hash is an ambiguous string of numbers and letters - essentially useless. Enriching a file hash can involve several steps, including sending a copy of the associated file to a sandbox for analysis. The first type of enrichment most will use is a basic reputation lookup to see if the file hash is known to be malicious and, if so, what kind of threat is associated. Other helpful information about the file associated with the hash includes the associated file type, signature validation, and publisher information.
- Domain name. A message is far more likely to be phishing when the sender's domain was registered last week. A simple WHOIS lookup can provide a lot of information. Combining this with DNS record lookups, pulling out IP addresses, and applying the IP enrichment described above can be very useful in triaging an incident.
- URL. A SOC analyst can get useful enrichment data from a specific URL. Often a legitimate website is compromised and the attacker creates phishing pages within the site's folder structure while leaving the homepage intact. An easy way to quickly determine whether this is the case for a given URL is to capture a screenshot of it. A cloned Office 365 login page is straightforward to spot.
- Hosts. Hosts can provide much-needed context if a solid and up-to-date asset management system exists. Understanding the host's environment, applications, and users can make all the difference in determining if an alert is a high-severity incident.
- Account/Username. Like hosts, understanding the accounts related to an alert may determine response priorities. Organizations should place a high emphasis on signs relating to accounts with administrative privileges. Many organizations also prioritize VIP/executive accounts. Enriching the alert with this data saves the analyst from having to query the directory manually.
In addition to all of the ways to enrich the data types mentioned above, ensuring that you are utilizing threat intelligence indicator feeds with your SOAR platform can trim even more time off the “is this indicator malicious” phase of triage. Most SOAR platforms have a built-in threat intelligence feature or easily integrate with a third-party Threat Intelligence Platform (TIP).
How to enrich data?
As well as knowing what data may help enrich indicator types, it's also essential for the SOC team to understand how to perform the enrichment. The enrichment data should be ready for the analyst before the analyst takes ownership of the alert, so ensuring you have playbooks set to run on alert creation is necessary. Depending on your SOAR platform and internal procedures, it may also be a good idea to allow the analyst to run enrichment automation manually for multiple indicators.
The indicator should also be logged in the TIP. The SOC team will often rely upon multiple third-party applications for data enrichment. However, many SOAR platforms have out-of-the-box integrations for performing automated enrichment. For example, some SOAR products have a built-in feature that can automatically query the WHOIS database and update the case.
Here's a review of methods to perform enrichment on each indicator type:
- IP addresses: Utilize IP reputation and geo-IP lookup services to uncover previously detected malware sources.
- File hash: Utilize a file hash reputation lookup service, and query the SIEM/EDR for the prevalence of the file hash, to uncover malware.
- Domain name: Utilize reputation lookup services, or even just the WHOIS command, to determine the reputation and age of the domain.
- URL: Utilize reputation lookup services and website screenshot tools to uncover compromised sites.
- Hosts: Use the asset management system and retrieve information such as applications, operating system, installed patches, and system owner. This indicator will highlight users with outdated software or unmanaged devices like printers.
- Accounts: Query the user directory and retrieve information about the account, such as group membership, enabled status, office location, and manager. This indicator will highlight accounts in elevated or higher-risk positions, such as C-level staff.
Alert clarity and repetition
ReversingLabs recommends that the enrichment information be easily accessible to the analysts and that the enrichment process call out anything that would indicate a problem. For example, if the reputation check of a domain suggests that it is malicious, ensure that the SIEM presents that information to the analyst, and consider automatically raising the alert's severity.
Many services have free tiers for their APIs but with certain limitations, such as a maximum number of API calls in a given timeframe. Therefore, ReversingLabs recommends storing the results locally to reduce redundant API calls to external services. Each SIEM and SOAR platform has different ways to do this; for example, in Microsoft Sentinel, it is possible to create a new custom table to store the data so a SOC analyst can reference it later.
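A compact playbook step that pulls the above together, as an added example and not code from this post or any ReversingLabs product: it classifies the indicator types listed earlier, serves repeat lookups from a local cache so a rate-limited API is hit once per indicator, flags newly registered domains, and raises the alert's severity when a reputation verdict is malicious. The reputation records, the provider call and the 30-day domain-age threshold are constructed stand-ins, not a real feed or API.

```python
import ipaddress
import re
from datetime import date

# Constructed reputation/WHOIS records standing in for a TIP or reputation API (not a real feed).
_FEED = {
    "ip": {"203.0.113.7": {"verdict": "malicious", "org": "constructed-vps-provider"}},
    "hash": {"deadbeef" * 8: {"verdict": "malicious", "threat": "constructed.trojan"}},
    "domain": {"login-example.test": {"verdict": "unknown", "registered": date(2024, 1, 10)}},
}
SEVERITY = ["low", "medium", "high"]
NEW_DOMAIN_DAYS = 30  # assumption: registrations younger than this are flagged

def classify(indicator):
    """Sort an indicator into ip, hash, url, domain or unknown."""
    try:
        ipaddress.ip_address(indicator)
        return "ip"
    except ValueError:
        pass
    if re.fullmatch(r"[0-9a-f]{32}|[0-9a-f]{40}|[0-9a-f]{64}", indicator, re.I):
        return "hash"  # MD5, SHA-1 or SHA-256
    if indicator.lower().startswith(("http://", "https://")):
        return "url"
    return "domain" if re.fullmatch(r"(?:[a-z0-9-]+\.)+[a-z]{2,}", indicator, re.I) else "unknown"

class Enricher:
    """Caches every lookup locally so repeated indicators cost no extra API calls."""
    def __init__(self, today=date(2024, 1, 17)):
        self.cache, self.api_calls, self.today = {}, 0, today

    def enrich(self, kind, value):
        if (kind, value) not in self.cache:
            self.api_calls += 1  # only cache misses would hit the rate-limited provider
            self.cache[(kind, value)] = _FEED.get(kind, {}).get(value, {"verdict": "unknown"})  # hypothetical call
        return self.cache[(kind, value)]

    def triage(self, alert):
        """Attach enrichment to every indicator and raise severity when something looks bad."""
        level, enriched = SEVERITY.index(alert.get("severity", "low")), {}
        for ind in alert["indicators"]:
            kind = classify(ind)
            if kind == "unknown":
                continue
            info = dict(self.enrich(kind, ind))
            registered = info.get("registered")
            if registered and (self.today - registered).days < NEW_DOMAIN_DAYS:
                info["newly_registered"] = True  # young domain: classic phishing sign
            if info["verdict"] == "malicious" or info.get("newly_registered"):
                level = SEVERITY.index("high")
            enriched[ind] = info
        return {**alert, "severity": SEVERITY[level], "enrichment": enriched}
```

In a real deployment the cache would live in the SOAR case store or a custom SIEM table, as described above, rather than in process memory.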
Unlock efficiency and empower analysts through automation
One of the core tenets of SOAR is automation - that is, removing the need for a human to perform repeated small chunks of work manually. Think about how long it would take to complete the above-mentioned actions. Submitting a single file hash to an online service takes a minute or two. However, put that in the context of an analyst needing to do this task for dozens or hundreds of indicators several times a day. A scripted API solution that requires no user input would automate this repetitive task. That's time that the SOC team could use doing more valuable analysis. The result is faster and more accurate triage, and the analysts will appreciate the reduction in tedious work. Automation should always be a goal of any of these threat research tasks.
Working in the SOC is hard. Having adequate policies, procedures, training, and resources makes it much more manageable. The SOC team wants to do the right thing in the right way, and organizations must enable these teams to ensure their success. ReversingLabs believes that a well-managed SOC that can correlate and quickly triage malware automatically is a massive asset to any organization's cybersecurity posture.