Operationalize the Power of HackerTarget’s Security Tools with IncMan SOAR
To stay ahead of today’s sophisticated cyber attacks, organizations must develop a diverse defense strategy. From staffing their security teams with the most knowledgeable and well-rounded candidates to deploying the most recent toolsets and defense products, the need to bring depth to a security program is crucial.
DFLabs’ integration with HackerTarget gives organizations access to the same powerful tools their adversaries use in campaigns against them, and delivers the resulting incident data directly to their incident responders. Armed with this data in real time, network defenders can quickly contain an incident through automated containment actions before an attacker’s campaign succeeds.
Today’s attacks are made more sophisticated by the ever-changing tactics, techniques and procedures (TTPs) attackers use to launch their campaigns. These campaigns are stealthy and hard to detect and unfortunately are being met with not only a staff shortage, but a shortage in the skills necessary to quickly respond when the campaign is successful.
The skills shortage is being met with advanced toolsets to help aid in identifying these security threats. However, as these tool sets become more plentiful, organizations are struggling to correctly maintain and utilize their tools and the evidence they provide their incident responders.
Three key challenges that security operations and incident response teams are facing include:
How can we stay on top of the ever-changing TTPs attackers use to circumvent our defenses?
How can we overcome the shortage of skilled staff necessary to combat today’s sophisticated attacks?
How can we successfully utilize and maintain the numerous tool sets required to defend our business against the increasing number of threats?
The DFLabs and HackerTarget Solution
The integration between DFLabs and HackerTarget grants organizations the ability to fully operationalize HackerTarget’s powerful security tools by utilizing DFLabs’ IncMan SOAR platform to quickly gather the crucial evidence generated by these tools to provide incident responders with the entire picture of a potential attack.
By gathering this data and making automated decisions on the responder’s behalf, IncMan keeps responders from being pulled into investigating false positives and gives them the rapid response capabilities they need when an incident turns out to be legitimate. This helps organizations battling the staffing crisis ensure that their security teams focus only on the matters that require their attention, saving valuable investigation time so that responders remain proactive and stay ahead of their adversaries.
HackerTarget began as a project that enabled people to test firewalls externally with an online port scanner. Since those early days, HackerTarget has evolved into a complete vulnerability scanning solution, offering an easy and convenient way to access a range of powerful open source security tools.
By utilizing hosted security testing tools, organizations are able to test their internet perimeter and servers from an external perspective. Many organizations have firewalls or intrusion prevention devices that make testing of the perimeter from an internal system ineffective and prone to errors. More accurate results are possible by probing from the perspective of actual attackers (i.e. from the Internet).
Now let’s see a simple use case in action.
An organization’s IDS detects potentially suspicious web browsing activity coming from their Sales department. DFLabs’ IncMan SOAR platform receives the alert and begins to gather information surrounding the source of the malicious activity.
The R3 Rapid Response Runbook for Suspicious Web Activity within IncMan queries HackerTarget to gather WHOIS and geographic information, performs a reverse IP and DNS lookup, and runs the domain and IP information obtained through a reputation checker. Once this information is fed through the reputation checker, the R3 Rapid Response Runbook comes to its first set of conditional statements.
The first statement checks the IP and domain reputation score. If the score is found to be higher than 50, IncMan will then issue a query to the organization’s SIEM platform to gather information on any additional events where the malicious IP or domain had been observed within the last 30 days.
If the score is less than 50, the R3 Rapid Response Runbook runs the IP and domain information through another reputation checker to verify a clean score before closing out the event. If the re-check of the IP and domain finds the reputation score to be greater than 50, IncMan will then proceed to execute the Runbook in the same fashion as the original malicious classification by querying the organization’s SIEM platform for additional events.
If additional events are found, the additional event IDs and involved hosts are added to the incident as incident artifacts, the priority of the incident is elevated, the domain and IP are blocked at the firewall, and the systems involved in the activity are tagged for review in the endpoint detection product. Once these actions have been carried out, the R3 Rapid Response Runbook creates a new ticket in the organization’s ticketing system to have the responsible party review the evidence gathered and to check on the hosts involved in the activity to ensure no further containment actions are necessary.
If no additional events are found, IncMan will issue the request to block the IP and domain at the firewall, tag the affected system for review, and open a ticket within the organization’s ticketing system to have the responsible party also review the evidence and inspect the affected machine for any signs of compromise.
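The decision logic of the Suspicious Web Activity runbook described above, written out as an added Python example (not IncMan’s own code or HackerTarget’s API); the reputation checkers and the SIEM are replaced by constructed in-memory stubs, and a score of exactly 50 is assumed to take the re-check path, since the post only defines "higher than 50" and "less than 50".

```python
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

MALICIOUS_THRESHOLD = 50  # a score above 50 is treated as malicious (from the post)

@dataclass
class Incident:
    src_ip: str
    domain: str
    priority: str = "medium"
    artifacts: List[str] = field(default_factory=list)
    actions: List[str] = field(default_factory=list)

RepCheck = Callable[[str, str], int]
SiemLookup = Callable[[str, str, int], List[Tuple[str, str]]]

def run_suspicious_web_runbook(inc: Incident, primary: RepCheck,
                               secondary: RepCheck, siem: SiemLookup) -> Incident:
    score = primary(inc.src_ip, inc.domain)
    inc.actions.append(f"reputation:{score}")
    # Assumption: exactly 50 is not "higher than 50", so it goes to the re-check.
    if score <= MALICIOUS_THRESHOLD:
        score = secondary(inc.src_ip, inc.domain)
        inc.actions.append(f"recheck:{score}")
        if score <= MALICIOUS_THRESHOLD:
            inc.actions.append("close:clean")  # both checkers agree: close the event
            return inc
    events = siem(inc.src_ip, inc.domain, 30)  # other sightings in the last 30 days
    if events:
        for event_id, host in events:
            inc.artifacts += [f"event:{event_id}", f"host:{host}"]
        inc.priority = "high"
    # Containment and hand-off happen whether or not extra events were found
    inc.actions += ["firewall:block", "edr:tag_for_review", "ticket:review_evidence"]
    return inc

# Constructed sample data (RFC 5737 addresses, example domains; not real indicators)
PRIMARY = {("203.0.113.10", "bad.example"): 85, ("198.51.100.7", "odd.example"): 30,
           ("192.0.2.44", "benign.example"): 10}
SECONDARY = {("198.51.100.7", "odd.example"): 70}  # second checker disagrees here
SIEM = {("203.0.113.10", "bad.example"): [("EV-1001", "sales-pc-12"),
                                          ("EV-1007", "sales-pc-03")]}

def demo() -> Dict[str, Incident]:
    """Run the three possible paths through the runbook on the constructed data."""
    primary = lambda ip, d: PRIMARY.get((ip, d), 0)
    secondary = lambda ip, d: SECONDARY.get((ip, d), 0)
    siem = lambda ip, d, days: SIEM.get((ip, d), [])
    cases = {"malicious": ("203.0.113.10", "bad.example"),
             "recheck": ("198.51.100.7", "odd.example"),
             "clean": ("192.0.2.44", "benign.example")}
    return {n: run_suspicious_web_runbook(Incident(ip, d), primary, secondary, siem)
            for n, (ip, d) in cases.items()}
```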
As organizations look to stay ahead of today’s sophisticated threats, they need to use the same tool sets to secure their organization that attackers use to penetrate it. Gathering critical incident data from across all of these tool sets to present a full picture of an attack to first responders is a crucial part of the process, and being able to contain an incident in a matter of minutes through the full automation of disparate security products helps prevent an attack from becoming a successful campaign.