Automated Responder Knowledge (ARK) in Action

We released our Machine Learning Engine PRISM in our most recent 4.2 release. The first capability that we developed from PRISM is our Automated Responder Knowledge (ARK). This capability will change the way incident responders and SOC analysts respond to incidents, and how they share and transfer their entire knowledge to the rest of the team. The key to this capability is that it learns from your own analyst’s responses to historical incidents to guide the response to new ones.

We are not re-inventing the wheel with this feature. SOC and Incident Response teams have been doing this the old-fashioned way for a long time – through 6-12 months training. What we’re doing is providing a GPS and Satellite Navigation, guiding the wheel and giving you different paths to choose from according to the terrain you are in.

We do this by analyzing incidents and their associated attributes and observables, to work out how closely they are related. Then we can suggest actions and playbooks based on your organizations’ historical responses to similar threats and incidents.

Automated Responder Knowledge (ARK)

Using Automated Responder Knowledge (ARK) in IncMan

Step 1: Not really a step – as it’s done automatically by Automated Responder Knowledge (ARK), but this occurs in the background for every incoming incident. Every Incident possesses a feature space1 that contains all the information related to it, composed of every attribute, associated observable and attached evidence. ARK analyses the feature spaces associated with every incident ever resolved. When a new incident is opened, it is scored and ranked and then compared by ARK to the historical model to identify related incidents or actions based on similar and shared attributes. The weighting of the ranking can be customized by analysts.

 

Automated Responder Knowledge (ARK)

 

Step 2: Open the incident, selecting the applicable incident type. To save time, you can create an incident template to prepopulate some of the contexts automatically in future.

 

Automated Responder Knowledge (ARK)

 

Step 3: Select Playbooks, and PRISM.

In the next screen, you will see a variety of suggested related actions and related incidents based on the feature space that your incident type is matched with. The slider at the top is used to determine the weighting in ranking for actions that are suggested. For example, if I move the slider to the left, the entire feature space actions appear, then if I move the slider to the far-right only a few actions appear from highly ranked incidents.

 

Automated Responder Knowledge (ARK)

 

 

Automated Responder Knowledge (ARK)

 

Step 4: Determine which automation and actions you want to use from the suggestions. After saving, you will be presented with options such as Auto-Commit, Auto-Run, Skip Enrichment, Containment, Notification or Custom Actions. You have the ability to select only the actions you want to automate. If you are concerned about running containment automatically, for example, you just deselect those options.

 

Automated Responder Knowledge (ARK)

 

Step 5: The automated actions are executed, resolving the incident, based on prior machine-learning generated automated responder knowledge.

ARK is designed to facilitate knowledge transfer from senior to junior analysts and to speed up incident response by applying machine learning to automate the knowledge gathering and analysis.

Using Incident Correlation to Reduce Cyber Threat Dwell Time

Attackers spend a considerable amount of time conducting reconnaissance on compromised networks to gain the information that they need to complete their objectives for criminal activity, including fraud and intellectual property theft. Dwell time, the amount of time an attacker is present in an enterprise is currently measured in the hundreds of days.

One of the most effective technologies available to incident response teams to help to reduce the threat actor dwell time and limit the loss of confidential data and damage, are Security Automation and Orchestration platforms. Security Automation and Orchestration technologies process alerts and correlates these with threat actors’ Tactics, Techniques, and Procedures. The ability to determine not only the initial ingress point of the attacker but any lateral movement inside the enterprise significantly reduces the time to deploy containment actions. In this scenario, the incident correlation engine is utilized not only as a mechanism for responding and orchestrating the response but also to proactively search for related IoC’s and artefacts. The synergy of response, automation and correlation provide organizations with a holistic approach to reducing cyber incident dwell time. In more mature organizations, these measures are leveraged frequently by IR responders to transition from being threat gatherers to threat hunters.

incman dwell time
Figure 1DFLabs IncMan Observables Hunter and Correlation Engine

When Incident correlation is available within the SAO platform, cyber threat dwell time is reduced through 3 separate but complementary capabilities:

  1. Category based correlation – Correlating incidents by type.
  2.  Asset based correlation – Contextualizing the criticality and function of an asset
  3. Temporal correlation -Providing insight into suspicious activity or anomalous access

Defense in Depth strategies is designed so that high-value targets, such as privileged accounts, are monitored for increased or suspicious activity (Marcu et al. 5). The incident correlation engine not only visualizes this but also provides information to help determine the source of an incident by identifying the points of entry into the affected infrastructure.

“Patient Zero” identification is accomplished through tracking the movement from a source to an end user, and assists responders in determining the epidemiology of the attack, and also possible intruder motives. The correlation engine can achieve this objective through correlating similar TTP amongst incidents and visualizing associational link analysis between hosts. This comparison produces a topology of the lateral movement and can easily identify and visualize the path of an intrusion and the nature of an attack. This permits incident responders to initiate containment actions in real time, as the intentions and objectives of hackers are readily determined.

Dwell time of cyber threats can be significantly reduced from the industry average length, currently measured in the 100s of days, to only a few hours by providing a system capable of identifying not only the magnitude of the attack but by providing a roadmap to successfully hunt the incident genesis point to prevent further proliferation.

Using Queues in IncMan

In this short blog series, I will be discussing and discussing IncMan management features to demonstrate some of the power user functions in our most recent IncMan 4.2.0.1 SP release. Today we will be focusing on how to use the queues feature in IncMan. This functionality has been designed for a SOC team that manages large volumes of incidents with a flexible assignment schedule. This is typically used by SOC’s with a large amount of alerts and incidents, Managed Service Solution Providers and Managed Detect and Response Providers.

  1. Let’s begin by navigating to “General Settings” which is found in the Settings section.
    incman 1
  2. Select the section titled “Queue Settings”. Add a new queue by clicking the “+” symbol. The queue will need an email address. This will be used to email the relevant group of users when this incident type is selected.Incman 2
  3. Now create a queue name and add the required mailing list for this queue. Click save.Incman 3
  4. Navigate to the incident view to start using this queue. Select the Tree Options in the top right of the incident list.Incman 4
  5. You will see the new queue that we have created “My New Queue”, in this example. For this queue to become visible, please add it to the selected items list by clicking on “My New Queue”Incman 5
  6. The new queue will now be available for usage. See below:Incman 6
  7. When you create incidents or update your incident templates you will be able to select this new queue option, expand the queue to see the incidents assigned to it, or be able to click on the queue to show an overview of associated incidents.