IncMan SOAR Use Cases

Read and Learn With Our Practical Use Cases.

Our experts have documented a variety of practical use cases for different types of scenarios, including malware and phishing.

11 Jun 2020

Financial institutions are a constant target of intrusion attempts, which underlines the need for security technologies capable of reducing the risk of cyber attacks. Many institutions, however, have no way to integrate their security tools with the workflow of their SecOps teams, so resources are poorly distributed: analysts spend their time on false positives while real threats are left unattended. This degrades the efficacy of the whole organization and the ability of the SOC and CSIRT to respond properly to attacks. By acting as connective tissue between security tools through orchestration and automation, IncMan SOAR lets SOCs cut their response time drastically and improves their chances of intercepting fraud alerts before they develop into full-blown incidents.

How IncMan SOAR helps fight fraud

In the battle against cyber fraud, IncMan SOAR has repeatedly proven to be an indispensable asset. To show its value in practice, we take the example of one of the largest banks in Europe.

The bank uses IncMan SOAR to handle potentially fraudulent transactions flagged by its external monitoring systems. The transaction types include:

National wire transfers
Prepaid phone cards
Prepaid credit cards
International wire transfers
Credit cards

When a transaction is flagged, the anti-fraud analysts first perform a pre-validation to verify its legitimacy and decide whether the alert is a false positive. The transaction data reaches IncMan automatically from the Fraud Management System's API (the RAKE API); IncMan stores each record in its Triage queue and runs the appropriate R3 Rapid Response Runbook to enrich it. Analysts then review the enriched record and decide whether the transaction is fraudulent and should be converted into an incident. The point of this pre-validation stage is that transactions become incidents only when there is a real need.

After reviewing the evidence gathered, the transaction is closed as a false positive or converted into an incident, according to the bank's policies. A closed transaction can be reopened for additional processing if needed. When a transaction is converted into an incident, all the enrichment actions already performed are visible inside the incident together with their results, and team members process the new incident according to the bank's policies.

Every action performed on a suspected transaction or an incident, and every user activity, is captured automatically in IncMan's audit trail. Finally, reporting specific to the processing of these transactions is built within IncMan to analyze the results.

IncMan SOAR also lets the bank run this process around the clock: during working hours IncMan is operated by internal users, and outside working hours by external contractors.

Using IncMan SOAR's unique features for preventing cyber fraud

IncMan SOAR lets users customize and adjust their workflow. In this case the bank color-coded the processing states so that the queue can be read at a glance:

White: still to be processed
Purple: assigned to a user
Green: assigned to a group

This visual cue leads to fewer errors within the team. The owner of a transaction can re-route it to a different user or team if necessary.

When a user takes ownership of a transaction, an IncMan Rapid Response Runbook is executed. Different Runbooks are defined for the different transaction types, and each contains the enrichment actions appropriate to that type. The information produced by the enrichment actions is stored within the transaction and is available to the analysts. These actions typically involve retrieving information from the Mainframe and other external systems.

Conclusion

In this use case we described the benefits of IncMan SOAR through a real-life example: how the bank uses IncMan SOAR as an effective technology for discovering potentially fraudulent transactions and for improving its overall security posture. We also showed how IncMan's flexibility improves communication between team members, allowing the entire process to run smoothly.

For tackling fraudulent transactions, IncMan SOAR offers two capabilities that greatly enhance the chances of preventing such threats:

Open Integration Framework: with the Open Integration Framework (OIF) we want all vendors to integrate bi-directionally with us, and everyone to be able to build integrations independently. For this use case DFLabs even integrated the bank's Mainframe.

Triage: Triage is a major differentiator that distinguishes DFLabs from the rest. It lets users handle potentially harmful alerts that require more thorough analysis before they become incidents. Through Triage, analysts can also reduce the number of false positives by relying on automation, machine learning, and correlation and aggregation of events.

The inevitable reality is that financial institutions are, and will continue to be, lucrative targets for attackers. They must therefore think one step ahead and implement technologies, like IncMan SOAR, that aim not merely to recover from fraud but to intercept and prevent fraudulent transactions from happening.

Download our eBook "The Most Comprehensive eBook on SOAR Use Cases" and learn how to automate your security operations workflow, accelerate the efficiency of your SecOps team, and combat cyber threats with the power of SOAR technology.

04 Jun 2020

The goal of this use case is to demonstrate how IncMan's integrations and R3 Rapid Response Runbooks quickly alert the security team to potential threats against industrial systems. SOC operators are enabled to make a fast and well-informed decision about a possible threat with the help of automation, or they can choose to evaluate the alert and the related courses of action manually.

Goals

Receive alerts regarding suspicious activity or exceeded thresholds on industrial systems.
Automatically download the activity logs of the affected industrial machines and store them as evidence.
Automatically analyze those logs and extract the hosts that originated the latest commands sent to the machines.
Retrieve information about, and the reputation of, the extracted hosts.
Inform SOC operators of the threat and let them decide what course of action to take.
Contain the incident by isolating the host from the network.
Recover the state of the industrial machines.

Integrations Used

Cisco Cyber Vision
Cisco ISE
SIEM
Alleantia
Email notification

Implementation

Creating an R3 Rapid Response Runbook

The first step is receiving an alert about the status of an industrial machine through one of several channels (email, syslog, or others). A threshold being exceeded, or a deviation from the normal working baseline, is converted into an alert and sent to IncMan.

IncMan then starts a series of enrichment actions. For instance, it retrieves the latest events related to the industrial machine under analysis from Alleantia and stores those logs inside the incident container created in IncMan. From each log a subset of information is extracted, and analysis begins to determine which host systems, intentionally or not, sent commands to the industrial machine. The output of the analysis is the list of hosts that interacted with the machine.

That host list is used to query Cisco Cyber Vision for more information about each host, for example:

Whether the host is well known or new
Whether it has only recently appeared inside the network perimeter
Whether details about its operating system are available
Whether the host has a good or bad reputation

Collecting this data automatically takes IncMan only a few minutes. IncMan then issues a series of User Choices to a specific user or group of users, asking what the next steps should be.

If the host can be considered trusted, the operators assess whether any escalation is needed or whether the incident can be closed as a false positive. They are also asked whether the industrial machine needs to be restarted or whether commands should be sent to restore normal operation.

If the host is considered not trusted, an extra enrichment step can be executed, asking the SIEM questions such as:

Whether the host(s) under analysis communicated with other systems
If so, when the communication took place
Whether they have access to the Internet

After these enrichment actions, the user can decide to isolate the host from the network using a Cisco technology such as Cisco ISE, or to leave isolation as a manual intervention for an authorized operator.

If the host was recently added to the network, IncMan SOAR can update the SOC operators with the information collected from the moment the host joined the network.

Figure 1 – Industrial Security Runbook

Summary

Depending on the information received in the alert, SOC operators can determine whether the alert is a false positive or whether it poses an actual threat to the system. If it does, they can decide whether to pursue the remediation phase manually and choose the course of action themselves, or to apply automation to the task.

Either way, IncMan SOAR's enrichment phase uses the information extracted by the Runbook's actions to build a valid assessment of the alert and gives SOC operators what they need to carry out the remainder of the remediation phase themselves; if they judge that the alert does not require human interaction, they let automation finish it. Thanks to IncMan's prompt and thorough enrichment phase, SOC operators can make an accurate decision about an alert and carry out remediation in the most effective manner.

22 Oct 2019

This use case demonstrates how to use IncMan's integrations and R3 Rapid Response Runbooks to quickly alert the security team to a potential insider threat, perform initial triage to determine the risk to the organization, and create a helpdesk ticket to notify the team responsible for remediation.

Goals

Automatically receive alerts regarding large data transfers from an organization's Web server to an internal host.
Perform initial triage of the destination host and the associated user account to determine the user's risk score.
Automatically elevate the priority of the suspected incident based on the user's risk score and/or additional security alerts observed for the user account within a specific timeframe.
Create a ticket to notify the teams responsible for remediation.

Integrations Used

Securonix
Microsoft Active Directory
Carbon Black Response
IncMan SOAR
Email Notification

Implementation

Creating an R3 Rapid Response Runbook

The first step in creating an automated response to this type of event is to create an R3 Rapid Response Runbook that performs Enrichment and Notification actions, as well as Containment actions if necessary. We assume that the alert provides at least the following information:

Source IP address
Source name
Destination IP address
Destination name
User account

This R3 Runbook can be broken down into three main sections: information gathering and enrichment, escalation, and containment. Figure 1 shows the entire Runbook from beginning to end. Next, we discuss the actions in each section in more detail.

Figure 1 – Suspicious User Activity Runbook

Information Gathering and Enrichment

The Runbook begins with basic information gathering and enrichment of the data provided by the original Securonix alert. The source and destination IP addresses are parsed out and checked against Securonix asset lists. The user account is then looked up in the organization's Active Directory to gather the user's attributes and group memberships, and the user's risk score is obtained from Securonix.

With this information gathered, the Runbook reaches its first conditional statement, which evaluates the user's risk score. If the risk score is medium or high, the Runbook moves into the escalation phase and raises the incident's priority to high. If the risk score is low, the Runbook queries Securonix for additional alerts and events involving the user or their workstation; if any are found, it likewise moves into the escalation phase and raises the priority to high.

Figure 2 – Information Gathering and Enrichment

Escalation

Before escalating, the Runbook evaluates the user's risk score to decide whether the incident's priority should be raised immediately or whether more information is needed to make that determination. If the risk score is medium or high, the priority is raised and a query is issued to Securonix for historical event and alert data on the user and their workstation. If additional security alerts have been observed, the incident is upgraded to critical priority before moving to the containment phase.

If the risk score is low, the same Securonix query determines whether the user's account or workstation has appeared in any security events or alerts over the last 30 days. If it has, the incident's priority is raised and the Runbook moves automatically into containment. If there are no additional alerts for the user or their workstation, a User Choice is issued. The User Choice temporarily pauses the Runbook so that an analyst can review the initial alert, the user involved and the actions the user took, and decide whether to proceed with containing the user or to exit the Runbook without further action.

Figure 3 – Escalation

Containment

Once the Runbook enters the containment phase, a further conditional statement determines whether containment actions are required. If they are, the workflow follows one of four paths to decide which actions are appropriate.

The first path is taken if the user's risk score was medium or high and additional security alerts were observed. After the priority is raised to critical, the host is quarantined through Carbon Black Response, the user's account is disabled in Microsoft Active Directory, and an email notification is sent to the security team to follow up with the suspected user.

The second path is taken if the user's risk score was medium or high but no additional security alerts were observed. The Runbook disables the user's account in Active Directory and sends an email notification for the security team to investigate.

The third path is taken if the user's risk score is low but they were observed in additional security alerts over the last 30 days. After the priority is raised to high, the user's account is disabled in Active Directory and an email notification is sent to the security team for further remediation.

The final path is taken if the user's risk score is low and they have not been involved in any additional security alerts in the last 30 days. Here the Runbook issues a User Choice before any containment action. The User Choice pauses the Runbook so an analyst can review all the evidence collected for the potential incident and decide whether containment is warranted. If the analyst chooses containment, the Runbook disables the user's account and leaves remediation to the security team; if not, the Runbook resumes and exits.

Figure 4 – Containment

Utilizing the R3 Rapid Response Runbook

Once the new R3 Runbook is created, IncMan must be told how and when to run it. This is done by creating an Incident Template, used whenever an incident is generated for suspicious user activity. Through the Incident Template, critical pieces of information such as Type, Summary and Category are applied automatically to the newly created incident.

The Incident Template also lets R3 Runbooks be assigned and executed automatically each time the template is used. Assigning the Runbook above to the Suspicious User Activity Incident Template causes it to run for every matching incident.

Finally, conditions must be set to tell IncMan when to use the Suspicious User Activity Incident Template. In this use case, the template creates an incident each time a large-data-transfer alert is received from Securonix.

Summary

This use case lets the security team be notified automatically each time a large data transfer is observed. Automating this type of alert reduces the time between detection and response and helps prevent a potentially serious data breach.

The automated portions of this R3 Runbook execute in less than 60 seconds, orders of magnitude less than an analyst would need to query all of these information sources manually. The Runbook also lets security managers codify what criteria indicate a large data transfer event and what criteria are grounds for immediate isolation until mitigation is complete. This allows an effective, efficient and consistent response to any new attempt to transfer data within or outside the company.
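The four escalation and containment paths described above, written out as plain Python so the branching can be run and tested offline. This is an added example, not IncMan SOAR code: the Securonix, Active Directory, Carbon Black Response and e-mail integrations are stood in for by the action strings a real Runbook would issue, the "medium" starting priority is an assumption (the page does not state the default), and the user and host names in the sample are constructed.

```python
"""Decision logic of the Suspicious User Activity runbook, as an added example.
Not IncMan SOAR code: integration calls are represented by action strings."""
from dataclasses import dataclass, field
from typing import List, Optional

LOOKBACK_DAYS = 30                      # "additional alerts ... over the last 30 days"
RISK_LEVELS = ("low", "medium", "high")


@dataclass
class Enrichment:
    """What the enrichment phase hands to the conditional statements."""
    user: str                 # account named in the Securonix alert
    host: str                 # destination host / user's workstation
    risk_score: str           # Securonix user risk score: low | medium | high
    additional_alerts: int    # Securonix alerts/events for user or host in LOOKBACK_DAYS


@dataclass
class Outcome:
    priority: str             # assumed default "medium" until the runbook escalates it
    actions: List[str] = field(default_factory=list)
    state: str = "completed"  # "awaiting_analyst" while a User Choice is pending


def _disable_and_notify(e: Enrichment) -> List[str]:
    """Containment shared by every path that acts: disable in AD, e-mail the team."""
    return ["ad.disable_account(%s)" % e.user, "email(security-team)"]


def run_suspicious_user_runbook(e: Enrichment,
                                analyst_proceeds: Optional[bool] = None) -> Outcome:
    """Escalation and containment paths from Figures 3 and 4.

    analyst_proceeds is the answer to the User Choice on the low-risk / no-history
    path: None means the runbook is still paused waiting for the analyst."""
    risk = e.risk_score.lower()
    if risk not in RISK_LEVELS:
        raise ValueError("unknown risk score %r" % e.risk_score)
    if e.additional_alerts < 0:
        raise ValueError("alert count cannot be negative")

    out = Outcome(priority="medium")
    elevated_risk = risk in ("medium", "high")
    seen_before = e.additional_alerts > 0

    if elevated_risk and seen_before:          # path 1: critical, quarantine + disable
        out.priority = "critical"
        out.actions.append("carbonblack.quarantine(%s)" % e.host)
        out.actions += _disable_and_notify(e)
    elif elevated_risk:                         # path 2: high, disable only
        out.priority = "high"
        out.actions += _disable_and_notify(e)
    elif seen_before:                           # path 3: high, disable only
        out.priority = "high"
        out.actions += _disable_and_notify(e)
    else:                                       # path 4: User Choice before acting
        if analyst_proceeds is None:
            out.state = "awaiting_analyst"      # runbook paused, nothing executed yet
        elif analyst_proceeds:
            out.actions += _disable_and_notify(e)
        # analyst declined: runbook resumes and exits without containment
    return out


if __name__ == "__main__":
    # Constructed sample inputs.
    samples = [Enrichment("jdoe", "WS-042", "high", 2),
               Enrichment("asmith", "WS-017", "low", 0)]
    for s in samples:
        print(s.user, run_suspicious_user_runbook(s))
    print("analyst approved:", run_suspicious_user_runbook(samples[1], analyst_proceeds=True))
```

Seen laid out this way, the second path is the one to tune with care: it disables an account on the strength of a medium risk score alone, with no corroborating alert, so it is the path most likely to lock out a legitimate user. Teams that adopt this workflow usually raise the threshold for that path, or route it through the same User Choice as the fourth.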

25 Apr 2019

The purpose of this use case is to demonstrate how to use IncMan SOAR's integrations and R3 Rapid Response Runbooks to quickly detect and respond to threats targeting an organization's endpoints. It combines advanced endpoint detection with automated workflows to gather additional evidence and take containment actions network-wide.

Goals

Automatically gather incident evidence from endpoint and network-based tools
Evaluate incident evidence to make automated response decisions
Adjust incident priority based on the findings
Take containment actions against would-be attackers
Create tickets for responsible parties to take manual action where necessary

Integrations Used

Cisco AMP for Endpoints
DomainTools
Splunk
Cisco Umbrella
Jira

Implementation

Creating an R3 Rapid Response Runbook

When creating an R3 Rapid Response Runbook in the IncMan SOAR platform, enrichment actions are usually the first tasks built into the automation. For the Malicious File Download use case we assume the alert contains the following information:

Source Address
Destination Address
SHA-256 File Hash
Domain Name

This R3 Runbook can be broken down into three main sections: information gathering and enrichment, escalation, and containment. Figure 1 shows the entire Runbook from beginning to end. Next, we discuss the actions in each section in more detail.

Information Gathering and Enrichment

On receipt of a malicious download event, IncMan kicks off the Malicious File Download Runbook. The Runbook begins by pulling information from Cisco AMP for Endpoints about the current activity observed on the victim machine, and about any other hosts that interacted with the malicious file or the domain in question. Next, the Runbook queries DomainTools for reputation information on the potentially malicious domain. Once this information is gathered, the Runbook splits into two conditional statements that determine how the automated workflow continues.

Escalation and Containment

The Runbook examines the enriched information for any of the following conditions:

Did additional hosts interact with the malicious file in the past 30 days?
Does the visited domain have a negative reputation score?
If the visited domain has a negative reputation score, did any additional hosts visit it in the last 30 days?

If any of these conditions holds, the incident priority is automatically raised to high and any additional hosts are added to the incident as artifacts. A helpdesk ticket is then created in the organization's ticketing system (Jira) to alert the responsible teams that an incident has occurred. Finally, the organization's SIEM (Splunk) is queried for any alerts generated by the affected host in the recent past. If none of the conditions holds, the Runbook concludes without alerting the security team to what is treated as a false positive.

If any of the escalation criteria were met, the Runbook issues the containment action associated with the condition. If the downloaded file is found to be malicious, its hash is automatically added to the block list in Cisco AMP. If the domain the file was downloaded from is also found to be malicious or has a negative reputation score, IncMan automatically blocks the domain using Cisco Umbrella. Once these containment and escalation actions have executed, the Runbook concludes.

Utilizing the R3 Rapid Response Runbook

Once the new R3 Runbook is created, IncMan must be told how and when to run it. This is done by creating an Incident Template, used whenever an incident is generated for a potentially malicious download. Through the Incident Template, critical pieces of information such as Type, Summary and Category are applied automatically to the newly created incident.

The Incident Template also lets R3 Runbooks be assigned and executed automatically each time the template is used. Assigning the Runbook above to the Malicious File Download Incident Template causes it to run for every matching incident.

Finally, conditions must be set to tell IncMan when to use the Malicious File Download Incident Template. In this use case, the template creates an incident each time a syslog message is received from the organization's endpoint detection system.

Summary

This use case lets the security team be notified automatically once a potential incident has been confirmed as valid, so analysts do not spend time triaging events that turn out to be false positives.

The automated portions of this R3 Runbook execute in less than 60 seconds, far faster than the time an analyst would need to query and evaluate the evidence to determine validity. The Runbook also helps security teams identify poorly tuned rulesets, showing which aspects must be adjusted to eliminate false-positive alerting.

17 Apr 2019

This use case demonstrates how to use IncMan SOAR's integrations and R3 Rapid Response Runbooks to quickly gather incident data from across diverse hybrid-cloud environments and give incident responders the evidence they need to rapidly prioritize and respond to a potential incident.

Goals

Automatically gather incident data from both on-prem and cloud environments
Perform initial triage of the host to determine the potential risk to the organization
Isolate a compromised user account
Create a ticket to notify the teams responsible for response efforts

Integrations Used

Carbon Black Response
AWS Security Hub
Splunk
Microsoft Active Directory
BMC Remedy

Implementation

Creating an R3 Rapid Response Runbook

The first step in creating an automated response to this type of event is to create an R3 Rapid Response Runbook within the IncMan SOAR platform that performs Enrichment actions, as well as Containment actions if necessary. We assume that the alert provides at least the following information:

Source IP Address (internal)
Source Name
Destination IP Address

This R3 Runbook can be broken down into two main sections: information gathering and enrichment, and escalation and containment. Figure 1 shows the entire Runbook from beginning to end. Next, we discuss the actions in each section in more detail.

Information Gathering and Enrichment

The Runbook begins by gathering enrichment data simultaneously from the AWS cloud environment, from the internal environment via the SIEM, and from the internal endpoint solution. IncMan first queries AWS Security Hub for all findings in which the destination IP address has been observed within the last month. At the same time, the SIEM and the endpoint solution are queried for internal activity towards the victim IP. Additional security events involving the user account, and the system's settings including its running processes, are also gathered for investigation.

After enriching the initial information, the Runbook reaches a series of conditional statements that dictate how it finishes. The first set looks for additional security alerts involving either the source of the incident or the victim machine in the AWS cloud. The second looks for additional security alerts involving the potentially compromised user account. Based on their results, IncMan initiates further actions.

Escalation and Containment

If the first conditional statement finds additional alerts involving the source, IncMan gathers details on the system's settings and running processes. After this information is gathered, the Runbook pauses and issues a User Choice action. A User Choice is used when the information gathered cannot be verified automatically and an analyst must review it before execution continues.

Once the incident data has been reviewed, the analysts decide whether it presents enough evidence that an incident has occurred. If further response is necessary, they select to proceed and the Runbook raises the incident priority to high, quarantines the potentially infected internal host, and sends an email notification to the response teams that a potential incident has occurred.

In parallel, the second conditional statement is evaluated: if there are additional security events involving the user's account, the Runbook executes a nested Runbook to disable the account and reset its password. This nested Runbook gathers the user's account details from Active Directory, executes a custom script to generate a random password, resets the user's password, and sends an email notification to the security team about the potentially compromised credentials.

Utilizing the R3 Rapid Response Runbook

Once the new R3 Runbook is created, IncMan must be told how and when to run it. This is done by creating an Incident Template, used whenever an incident is generated that matches the incident condition. Through the Incident Template, critical pieces of information such as Type, Summary and Category are applied automatically to the newly created incident.

The Incident Template also lets R3 Runbooks be assigned and executed automatically each time the template is used. Assigning the Runbook above to the Compromised Host Incident Template causes it to run for every matching incident.

Finally, conditions must be set to tell IncMan when to use the Compromised Host Incident Template. In this use case, the template creates an incident each time a syslog message is received from the organization's endpoint detection system.

Summary

This use case lets the security team be notified automatically each time an alert indicates a potentially compromised host.

The automated portions of this R3 Runbook execute in less than 60 seconds, far less than it would take an analyst to query all of these information sources manually. The Runbook also lets security managers codify what criteria indicate a potential high-priority incident that must be addressed immediately, and what criteria mark a false positive that can be discarded. This allows an effective, efficient and consistent response to each newly identified security incident.
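The nested Runbook's "custom script to generate a random password" is not shown on the page. The following is an added example of how such a script should be written; it is not the page's or DFLabs' code. It draws from the operating system's CSPRNG through the secrets module, guarantees one character from every class, and leaves out look-alike characters. The character classes, the 16-character minimum and the 24-character default are assumed policy values, not any real domain's password policy.

```python
"""Password generation for an automated account reset, as an added example.
Uses the secrets module (OS CSPRNG); the policy constants below are assumptions."""
import math
import secrets

LOWER = "abcdefghijkmnpqrstuvwxyz"       # no 'l' or 'o' (look-alikes)
UPPER = "ABCDEFGHJKLMNPQRSTUVWXYZ"       # no 'I' or 'O'
DIGITS = "23456789"                      # no '0' or '1'
SYMBOLS = "!#$%&*+-=?@^_"
CLASSES = (LOWER, UPPER, DIGITS, SYMBOLS)
ALPHABET = "".join(CLASSES)              # 69 characters
MIN_LENGTH = 16                          # assumed policy minimum


def generate_reset_password(length: int = 24) -> str:
    """Return a random password that satisfies the assumed policy."""
    if length < MIN_LENGTH:
        raise ValueError("length %d is below the policy minimum %d" % (length, MIN_LENGTH))
    chars = [secrets.choice(cls) for cls in CLASSES]                     # one per class
    chars += [secrets.choice(ALPHABET) for _ in range(length - len(CLASSES))]
    secrets.SystemRandom().shuffle(chars)   # CSPRNG shuffle: class positions stay unpredictable
    return "".join(chars)


def meets_policy(password: str) -> bool:
    """Length, allowed alphabet, and at least one character from every class."""
    return (len(password) >= MIN_LENGTH
            and all(c in ALPHABET for c in password)
            and all(any(c in cls for c in password) for cls in CLASSES))


def entropy_bits(length: int) -> float:
    """Upper bound on entropy: length * log2(alphabet size).  The one-per-class
    guarantee removes a negligible amount at these lengths."""
    return length * math.log2(len(ALPHABET))


if __name__ == "__main__":
    pw = generate_reset_password()
    print(pw, meets_policy(pw), "%.1f bits" % entropy_bits(len(pw)))
```

Two caveats the Runbook description does not mention. Disabling the account and resetting its password does not revoke Kerberos tickets or access tokens the attacker already holds; a compromised session can outlive the reset until ticket lifetime expires or the active logons are terminated, so containment of a host should accompany the reset, as the parent Runbook does. And the notification e-mail to the security team should not carry the new password; it belongs in a vault, to be handed over through a separate channel.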

04 Mar 2019

Before we begin to delve into how IncMan SOAR utilizes open source intelligence for correlation capabilities and enrichment validation through its bidirectional integrations, it is essential to have a basic understanding of what threat intelligence is. We will briefly touch upon the main tenants of threat intelligence and then illustrate how IncMan leverages the best amount of information provided by these sources.Threat intelligence will fall under three classifications which are tactical, strategic, and operational. The operational element of threat intelligence doesn't apply to this specific use case so we will not address this aforementioned field. Additionally, for threat intelligence to be effective it has to meet 3 tenants which are actionable, timely and confirmed. The acronym that we like to use is ‘ACT’:A - ActionableC - ConfirmedT - TimelyThreat Intelligence CategoriesTactical IntelligenceTactical intelligence is often short-lived and usually provides the least amount of value compared to the other threat intelligence elements. The list provided below composes what tactical intelligence entails, and these particular elements often support the beneficial information necessary for effective threat hunting.IP ReputationMalware AnalysisSignaturesDomain/URL ContextThe primary reason behind this is because the attributes have a shelf life of minutes or even seconds. It is incredibly easy to modify Domain names, IPs and hash values which makes their value of little importance, and that's the reason as to why it sits at the bottom of the ‘Pyramid Pain’.Strategic IntelligenceStrategic intelligence supplies information that is used for long-term use. This type of information is a lot more difficult to acquire and a significant amount of research and investigative work is required to assimilate intelligence of this nature. 
This type of intel sits at the top of the pyramid and includes data such as:

Tactics, Techniques and Procedures (TTPs)
Geographic Locations
Specific Exploit Tools
Nation-State Sponsors
Specific Malware Families

Now that we have a basic understanding of what threat intelligence is, we will list a few of the intelligence integrations and open source feeds that IncMan SOAR uses.

IncMan SOAR's Threat Intelligence Integrations

Here is a small sample of the threat intelligence integrations IncMan uses for correlation and enrichment. It is by no means an exhaustive list, just a sample of the many sources our security orchestration draws on for correlation. For each integration we briefly note what it offers and how IncMan uses it.

MaxMind

MaxMind specializes in fraud prevention and geolocation of IP addresses and domains. During the enrichment phase of an incident, IncMan uses MaxMind to verify the location of destination IPs.

AlienVault

AlienVault provides a range of threat intelligence services. IncMan uses its threat intelligence for URL, IP and domain reputation. Additionally, hash values can be cross-referenced through file reputation validation, and geolocation of a domain is also available through AlienVault.

ThreatConnect

ThreatConnect is another leader in threat intelligence services and remains one of the more popular sources for analysts and researchers in the field. It receives over 100 different intel feeds daily and has a strong community portal following among those who work in this area of cybersecurity.
IncMan relies on ThreatConnect's information to validate potentially malicious tactical intelligence.

Recorded Future

Recorded Future has become a household name in threat intelligence and cybersecurity-related information. In just a few years they have made a name for themselves and become well respected within the threat intelligence community. Recorded Future also takes pride in educating the public through its podcasts and daily email updates. IncMan uses its services to validate and verify reputational data that can be correlated with tactical or strategic threat intelligence.

STIX

Structured Threat Information Expression (STIX) is not a tool or application but a standardized language used to describe and share threat intelligence within the community. Data received in STIX format gives IncMan threat intelligence on observables, strategic incident intel and multiple forms of indicators of compromise at the tactical level.

TAXII

Trusted Automated Exchange of Indicator Information (TAXII) is the companion to STIX. Like STIX, it is not a threat intelligence sharing platform in itself; it is the transport protocol that defines how STIX content is exchanged between producers and consumers. Beyond that standard, IncMan draws on the TAXII-based sharing hubs: intel can be obtained peer-to-peer or by querying repositories (collections) created and maintained by organizations and individuals for the sole purpose of sharing threat intelligence data.

IncMan SOAR's Correlation Engine

All incidents created within the IncMan SOAR platform contain observables and artifacts that are stored for numerous purposes.
Observables and artifacts include elements such as IPs, domains, URLs, geo-locations and hash values, to name a few. IncMan's correlation engine lets users correlate incidents either manually or by generating a visual graph that speeds up the process.

Below you will find a correlation graph generated for this use case. Each node represents an incident and has at least one line, or edge, connecting it to another node to indicate some type of correlation between the two. The color of the edge indicates how many correlations exist between the connected nodes: green means there is only one association between the two nodes, while red means a minimum of three correlations exist between them.

The correlation engine is a great function for those who wish to make the most of their time and resources when deciphering the many artifacts and indicators of compromise associated with each node. Within the correlation engine GUI the user can correlate in two ways. For visual learners, custom correlation graphs are not only visually appealing but also efficient and easy to manipulate and query for information. Users can also click through the various incidents manually, without the graph, for incident research.

In Summary

Threat intelligence has become central to the cybersecurity industry. With the ability to piece together all of the moving elements of a malicious nation-state or threat actor, we can move from a purely reactive posture to a proactive one. A few of the main takeaways to remain cognizant of are that there are several forms of threat intelligence and not all are of equal value.
This is why IncMan relies on multiple streams of threat intelligence, so that our flagship security orchestration and automation product stays continuously up to date when it comes to defending against those who wish to harm our organization, family and friends.
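The STIX ingestion and the incident correlation described above, as an added example that is not IncMan's or DFLabs' own code: it parses a small constructed STIX 2.1 bundle, extracts the observables from each indicator's pattern, applies the ACT tenets (actionable = the pattern yields an observable that can be looked up; confirmed = producer confidence at or above an assumed threshold of 70; timely = inside the indicator's validity window and no older than an assumed seven days), and then correlates a constructed set of incidents by the artifacts they share, colouring an edge green for one shared artifact and red for three or more as the graph description states. Two shared artifacts is not defined on the page and is shown as amber, an assumption. The indicator IDs, incident IDs, addresses and hash are all made up, and the artifact type mapping covers only the observable types used in the sample.

```python
import json
import re
from datetime import datetime, timedelta, timezone
from itertools import combinations

# Fixed "now" so the timeliness check is reproducible.
NOW = datetime(2019, 3, 4, tzinfo=timezone.utc)
HASH = "0a" * 32  # made-up SHA-256 for the sample

# Constructed STIX 2.1 bundle (not a real feed); IDs and addresses are made up.
STIX_BUNDLE = json.dumps({
    "type": "bundle", "id": "bundle--6e1b1b3c-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--6e1b1b3c-0000-4000-8000-000000000002",
         "pattern": "[ipv4-addr:value = '203.0.113.10']",
         "valid_from": "2019-03-03T12:00:00Z", "confidence": 85},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--6e1b1b3c-0000-4000-8000-000000000003",
         "pattern": "[domain-name:value = 'cdn-update.example' OR "
                    f"file:hashes.'SHA-256' = '{HASH}']",
         "valid_from": "2019-02-27T00:00:00Z", "confidence": 90},
        {"type": "indicator", "spec_version": "2.1", "pattern_type": "stix",
         "id": "indicator--6e1b1b3c-0000-4000-8000-000000000004",
         "pattern": "[url:value = 'http://198.51.100.7/login']",
         "valid_from": "2018-11-01T00:00:00Z",
         "valid_until": "2018-12-01T00:00:00Z", "confidence": 40},
    ],
})

# STIX observable type/property -> artifact type stored on an incident.
# Only the properties used in the sample are mapped (assumption).
ARTIFACT_TYPES = {
    ("ipv4-addr", "value"): "ip",
    ("domain-name", "value"): "domain",
    ("url", "value"): "url",
    ("file", "hashes.'SHA-256'"): "sha256",
}
# Matches one equality comparison in a STIX pattern: object:property = 'value'
PATTERN_TERM = re.compile(r"([a-z0-9-]+):([^\s=]+)\s*=\s*'([^']*)'")


def extract_observables(pattern):
    """Return (artifact_type, value) pairs from a STIX comparison pattern.
    Only equality comparisons are handled; that is all a reputation lookup needs."""
    found = []
    for obj_type, prop, value in PATTERN_TERM.findall(pattern):
        kind = ARTIFACT_TYPES.get((obj_type, prop))
        if kind:
            found.append((kind, value.lower()))
    return found


def parse_stix_time(text):
    return datetime.strptime(text, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def act_score(indicator, now, max_age_days=7, min_confidence=70):
    """Apply the ACT tenets to one STIX indicator (thresholds are assumptions)."""
    observables = extract_observables(indicator.get("pattern", ""))
    valid_from = parse_stix_time(indicator["valid_from"])
    valid_until = indicator.get("valid_until")
    in_window = valid_from <= now and (
        valid_until is None or now < parse_stix_time(valid_until))
    return {
        "id": indicator["id"],
        "observables": observables,
        "actionable": bool(observables),                      # something to look up
        "confirmed": indicator.get("confidence", 0) >= min_confidence,
        "timely": in_window and (now - valid_from) <= timedelta(days=max_age_days),
    }


def usable_indicators(bundle_json, now):
    """Indicators in the bundle that pass all three ACT tenets."""
    bundle = json.loads(bundle_json)
    scored = [act_score(o, now) for o in bundle["objects"] if o.get("type") == "indicator"]
    return [s for s in scored if s["actionable"] and s["confirmed"] and s["timely"]]


# Constructed incidents with the artifacts their enrichment produced (made up).
INCIDENTS = {
    "INC-1001": {("ip", "203.0.113.10"), ("domain", "cdn-update.example"), ("sha256", HASH)},
    "INC-1002": {("ip", "203.0.113.10"), ("domain", "cdn-update.example"), ("sha256", HASH)},
    "INC-1003": {("ip", "203.0.113.10"), ("url", "http://198.51.100.7/login")},
    "INC-1004": {("domain", "mail.example.net")},
}


def edge_colour(shared):
    """Page's rule: one shared artifact = green, three or more = red.
    Two is not defined on the page; amber here is an assumption."""
    if shared >= 3:
        return "red"
    if shared == 2:
        return "amber"
    return "green" if shared == 1 else None


def correlate(incidents):
    """Return {(inc_a, inc_b): (shared_count, colour)} for every correlated pair."""
    edges = {}
    for a, b in combinations(sorted(incidents), 2):
        shared = incidents[a] & incidents[b]
        colour = edge_colour(len(shared))
        if colour:
            edges[(a, b)] = (len(shared), colour)
    return edges


def match_incidents(indicators, incidents):
    """Enrichment hit: which incidents carry an observable from a usable indicator."""
    hits = {}
    for ind in indicators:
        for inc, artifacts in incidents.items():
            matched = artifacts & set(ind["observables"])
            if matched:
                hits.setdefault(inc, set()).update(matched)
    return hits


if __name__ == "__main__":
    usable = usable_indicators(STIX_BUNDLE, NOW)
    for ind in usable:
        print("usable:", ind["id"], ind["observables"])
    for (a, b), (n, colour) in correlate(INCIDENTS).items():
        print(f"{a} -- {b}: {n} shared artifact(s), edge {colour}")
    print("indicator hits:", match_incidents(usable, INCIDENTS))
```

In a real deployment the bundle would be pulled from a TAXII collection and the incident artifacts would come from the enrichment runbooks; the matching and edge-colouring logic is unchanged. The expired, low-confidence URL indicator is dropped by the ACT check, so it never produces a hit even though INC-1003 carries that URL.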
