DFLabs integration with Recorded Future enables automated information gathering from one of the industry’s leading intelligence solutions to provide investigators with crucial details and context surrounding a potential incident. By automating the information gathering stage, investigators will be able to better utilize their time investigating an incident rather than focusing this valuable time and effort performing manual information gathering and the data correlation necessary to prioritize an event. The cooperation between Recorded Future and DFLabs now enables simplified intelligence gathering.
Cyber security attacks continue to evolve and the security community has taken great strides to provide investigators with valuable information about their adversaries. However, this valuable information is often times scattered across many tools with varying degrees of confidence and little to no context. This leaves investigators without a full understanding of the risk posed to their organization which prevents confident decision making at the most critical time in an investigation.
Three of the most common problems faced by security teams are as follows:
- Actionable threat intelligence is critical to efficient and effective response
- Information gathering is a time-consuming process
- Threat intelligence must be orchestrated into the rest of the response process
The DFLabs and Recorded Future Solution
Recorded Future is an industry leading Threat Intelligence solution which aims to empower its customers with contextualized threat intelligence in real time, enabling organizations to defend against threats at the speed and scale of the Internet.
With billions of indexed facts, and more added every day, Recorded Future’s Threat Intelligence Machine makes use of machine learning and natural language processing (NLP) to continuously analyze threat data from a massive range of sources and deliver contextualized intelligence to organizations in real time.
According to recent research conducted by Recorded Future, more than a third of security incidents take weeks to detect and even months to remediate. The majority of the cost associated with a breach can be drastically reduced by improving the speed and efficiency with which an organization responds to a threat.
DFLabs’ partnership with Recorded Future combines this industry leading threat intelligence data with the orchestration and automation capability necessary to quickly identify and remediate potential incidents before they can become a breach.
A WAF alert for a suspicious redirect is received and automatically triggers a new incident inside of IncMan. Utilizing IncMan’s integration with Recorded Future, the R3 Runbook begins to gather all the important information surrounding the redirected traffic. The domain reputation is checked against Recorded Future’s extensive threat database while also being evaluated against its Threat Intelligence search capability. This capability allows for the domain to be simultaneously checked across multiple threat intelligence platforms such as STIX and MISP.
While the domain is being evaluated, the R3 Runbook also issues an IP reputation check to gather further information on the suspicious actor. Once all three of these reputation checks have been completed, the R3 Runbook encounters its first conditional action, where the results of the information gathered can be evaluated together, providing a broader picture of the malicious nature of this communication.
If any of the reputation checks report a threat score of 50 or above, the R3 Runbook will automatically change the priority of the incident to critical and will proceed to block the IP/Domain at the firewall and gather system information from the affected host. The system information is then checked against an EDR solution for any additional events which may have been observed involving that host over a predefined amount of time. If the affected host has been observed within any additional alerts, the R3 Runbook will pull all running processes on the host and will automatically quarantine it from the network. In the event the host must be quarantined, an email notification is sent out to the responsible team to indicate further action is necessary.
If the host has not been observed within any prior events, the R3 Runbook will issue a User Choice condition. This condition will temporarily pause the R3 Runbook and allow for an investigator to analyze the information gathered and determine whether the host should be quarantined or segmented for further observation.
Recorded Future enables five key data enrichment actions:
- Threat Intelligence Search
- IP Reputation
- URL Reputation
- Domain Reputation
- File Reputation
Combined with IncMan SOAR from DFLabs, security analysts are able to collate the threat intelligence provided by Recorded Future, simplifying the information gathering process and automating data enrichment actions, so that threats are identified and responded to, and potential incidents are remediated, before they can become a breach.
If you would like to see IncMan SOAR and Recorded Future in action, we will be holding a joint webinar called “Utilizing Recorded Future Threat Intelligence within DFLabs SOAR Solution” on 14th November at 1pm PST / 4pm EST.
Responding to a new security incident in the fastest possible time frame is critical for any security operations center (SOC) or computer security incident response team (CSIRT), but having the necessary information at your fingertips is key in order to help improve response times and appropriately deal with the threat at hand. In this blog post we’ll take a closer look at how security teams can increase the efficiency and effectiveness of their response by adding context and enrichment to the alert information directly from ArcSight, when utilizing DFLabs’ Security Orchestration, Automation and Response (SOAR) platform and its many other bidirectional integrations.
Organizations are generating more log data than ever before and are increasingly turning to SIEM tools to help manage, correlate and alert on potential events from this large quantity of data. Once data is correlated and an alert is generated, enriching alert data is often a manual task which consumes a significant amount of analysts’ time. Pivoting from a single alert or from enriched information is often also a manual process, requiring many more custom written queries within the SIEM. Enriched and additional data must then be correlated manually by the analyst before it becomes actionable.
On a daily basis an analyst will face a number of challenges and is likely to be asking themselves the following questions:
- How can I use the SIEM logs to add context to a security event?
- How can I enrich information from the initial security alert?
- How can I pivot from the initial security alert to further my investigation?
The DFLabs and ArcSight Solution
DFLabs and MicroFocus ArcSight bring SOAR and SIEM together to allow rapid, informed responses to security incidents based on enriched, actionable information. DFLabs’ IncMan SOAR platform allows users to automatically query ArcSight and pivot from an initial alert to gain increased insight into the activity within the organization. IncMan also allows users to enrich information retrieved from ArcSight, such as IP addresses, hostnames and domains, using any number of IncMan’s other integrations.
About MicroFocus ArcSight
ArcSight is an industry-leading Security Information and Event Management (SIEM) solution from MicroFocus. ArcSight collects and analyzes events from across systems and security tools. It detects security threats in real time so that analysts can respond quickly, and it scales to meet demanding security requirements. ArcSight’s advanced distributed correlation engine helps security teams detect and respond to internal and external threats, reducing response time from hours or days to just minutes.
To get a real understanding of how the two solutions work together, here is a simple use case in action.
A Web Application Firewall (WAF) has observed a potential attack against an application server in the organization’s DMZ. IncMan automatically responds by initiating an appropriate runbook for the alert. The runbook begins by performing basic enrichment on the source IP address of the malicious traffic. This basic enrichment is followed by a query for IP reputation information on the source IP address from the organization’s threat reputation service of choice.
Following the threat reputation search, ArcSight is queried for any other events which have been recently generated by the source IP address. If ArcSight returns any other recent events generated by the source IP address, or the source IP address has a negative threat reputation, the severity of the incident is automatically upgraded to High. The analyst is then presented with a user choice decision to determine if the source IP address should be blocked at the perimeter firewall. If the analyst chooses to automatically block the source IP address, a ticket will be created in ArcSight Enterprise Security Manager (ESM) to notify the appropriate teams to follow up on the emergency change according to the organization’s policies.
These actions are followed by a second query to ArcSight, this time for any other recent events involving the web application server. If ArcSight returns any other recent events generated from the web application server, the severity of the incident is automatically upgraded to High (unless it has already previously been upgraded). The runbook concludes by performing a query of the organization’s endpoint detection solution for all recent events from the web application server. This information will be retained for review by the analyst during the investigative process.
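Both runbooks above (the Recorded Future suspicious-redirect runbook and the ArcSight WAF-alert runbook) are branching decision flows, so here they are encoded as plain Python functions that can be unit-tested offline. This is an added example, not DFLabs, Recorded Future or ArcSight code; the action names are labels chosen here, not IncMan identifiers, and the starting severity and the below-threshold branch are assumptions noted in the comments.

```python
# Added example, not DFLabs, Recorded Future or ArcSight code: the two
# runbook decision flows described above (the Recorded Future suspicious-
# redirect runbook and the ArcSight WAF-alert runbook) encoded as plain
# functions so the branching can be unit-tested offline. All inputs are
# constructed; action names are labels chosen here, not IncMan identifiers.
from dataclasses import dataclass, field

THREAT_SCORE_THRESHOLD = 50  # escalation threshold stated in the use case


@dataclass
class Outcome:
    priority: str
    actions: list = field(default_factory=list)   # automated steps, in order
    user_choices: list = field(default_factory=list)  # prompts for the analyst


def recorded_future_runbook(reputation_scores, prior_edr_alerts):
    """reputation_scores: check name -> threat score (0-100) for the domain
    reputation, threat-intelligence search and IP reputation checks.
    prior_edr_alerts: other EDR alerts that involved the affected host.
    Assumption: if no check reaches the threshold the runbook takes no
    automated action, since the page does not describe that branch."""
    out = Outcome(priority="normal")
    if max(reputation_scores.values(), default=0) < THREAT_SCORE_THRESHOLD:
        return out
    out.priority = "critical"
    out.actions += ["block_ip_domain_at_firewall", "gather_host_info",
                    "query_edr_for_host"]
    if prior_edr_alerts:  # host seen in other alerts: contain automatically
        out.actions += ["pull_running_processes", "quarantine_host",
                        "email_responsible_team"]
    else:                 # otherwise pause and let the analyst decide
        out.user_choices.append("quarantine_or_segment_host")
    return out


def arcsight_runbook(src_ip_bad_reputation, src_ip_events,
                     server_events, analyst_approves_block):
    """src_ip_events / server_events: other recent ArcSight events for the
    source IP and for the web application server respectively.
    Assumption: the incident starts at medium severity (not stated)."""
    out = Outcome(priority="medium")
    out.actions += ["enrich_source_ip", "ip_reputation_lookup",
                    "arcsight_search_source_ip"]
    if src_ip_events or src_ip_bad_reputation:
        out.priority = "high"
    out.user_choices.append("block_source_ip_at_perimeter")
    if analyst_approves_block:
        out.actions += ["block_source_ip", "create_esm_ticket"]
    out.actions.append("arcsight_search_web_server")
    if server_events:
        out.priority = "high"  # no change if already upgraded
    out.actions.append("edr_query_web_server")
    return out
```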
In summary, here are the actions available to security analysts through the ArcSight integration:
- Get Active List Entries
- Search Into Events
- Add Active List Entries
- Clean Active List Entries
- Create Ticket
- Get Ticket
- Update Ticket
Integrating ArcSight with DFLabs’ IncMan SOAR allows organizations to efficiently triage the volume of alerts being generated by the SIEM, automatically prioritizing those alerts which may pose the greatest risk to the organization. By automating and orchestrating the SIEM with other security solutions, IncMan SOAR can automatically enrich the alert information, then pivot based on the enriched information as an analyst would do during a manual investigation. This ability to automatically enrich and pivot allows IncMan to more accurately prioritize incidents which may initially seem innocuous.
Since I am a new face (or perhaps just a name to most of you) here at DFLabs, I wanted to take a moment to introduce myself before we jump into the topic for today. My name is John Moran and I recently joined the DFLabs team as Senior Product Manager. Prior to joining the DFLabs team, I worked in a variety of roles, including incident response consulting, security operations and law enforcement. While I have many responsibilities at DFLabs, one of my primary roles, and the one that I am perhaps most passionate about, is ensuring that DFLabs continues to bring you the industry-leading security orchestration, automation and response features that you have come to expect from IncMan. If you have feature requests, suggestions or other comments, good or bad, regarding IncMan, I’d love to hear from you. Please reach out to me at [email protected]. With that out of the way, let’s get to the good stuff…
While reports such as the Verizon DBIR indicate that the increased focus on creating holistic, detect-and-respond security programs has had a positive impact on reducing the time to detect security incidents, these same reports have also shown that attackers are continuing to evolve. There is still a continuing gap from compromise to detection. What I would like to discuss here instead, though, might be described as the opposite problem: overreaction to a perceived security incident, or conducting a full-scale response to a security incident prior to validating that a security incident has indeed occurred.
Please do not misunderstand what I am saying: I will always advocate the “treat it as an incident until you know otherwise” approach to incident response. However, I would also encourage that the response to any security incident should always be a measured response. The incident response process must be rapid and decisive; but just as under-responding to an incident can present serious financial and reputational risks to an organization, so too can over-responding to a potential security incident. As with any other business process, incident response must provide value to an organization. Continued over-response to perceived security incidents will reduce the overall value that incident response provides to an organization, and over time will result in decreased support from management.
Few studies have truly been able to quantify the costs associated with failing to conduct a measured response. A 2015 study by the Ponemon Institute suggests that response to incidents detected based on erroneous or inaccurate malware alerts costs large organizations up to 395 hours per week, or almost $1.3 million a year. It is important to note that this study only took into consideration time spent investigating malware alerts. While malware detection technologies have undoubtedly improved in the two years since this study was conducted, most organizations have a variety of detection technologies, all generating alerts which must be investigated. It was assumed by Ponemon that the organizations surveyed were conducting an appropriate, measured response to each of these false positives. With the cost already so high, it is easy to conclude how costly over-responding to incidents can become at scale.
While conducting incident response consulting, I have personally seen organizations spend weeks to months conducting full-scale incident response activities before spending tens of thousands of dollars for incident response consulting, only to find out that the perceived incident was based on faulty information or conclusions. So how do you minimize the risk of over-responding while continuing to ensure that each potential incident is properly investigated? Here are five tips based on my experience:
- Have the right people in place – There is simply no substitute for having the right people in place. While proper training and experience are vital, the qualities of an effective analyst extend beyond these two attributes. It is crucial to have analysts who possess an analytical mindset and can remain level-headed amidst a stressful and dynamic environment. Training can be provided and experience can be gained; however, some of these less tangible qualities are much harder to learn.
- Have the right toolsets in place – Attempting to substitute tools for skills will inevitably lead to failure. However, it is important to have the proper tools in place to give those highly skilled analysts the information they need to make fact-based conclusions. Even the most highly skilled analysts will inevitably arrive at the wrong conclusion when presented with incomplete or inaccurate information.
- Know the threat landscape – Threat intelligence, and I mean actual intelligence, not just a machine-readable threat feed, can provide much greater context surrounding a potential security incident. Analysts must also be provided the opportunity to remain up-to-date on the ever-changing threat landscape. This can allow decision makers a much more accurate perspective on which to base their initial level of response. Often, it is a lack of knowledge and conclusions based on assumptions that lead to a dramatic over-response.
- Know your limitations – Unless you are fortunate enough to work for a government agency or one of the world’s largest organizations, chances are that at some point your needs may exceed the scope of your internal capabilities. These limitations are not weaknesses in and of themselves. Instead, the risk presents itself when an organization fails to realize its limitations and attempts to work outside of those bounds. It is important to know when to consider tapping into external resources such as consulting, incident response retainers and managed services.
- Replace the emotional response with processes and procedures – Even the most highly skilled analysts will approach some potential security incidents with certain biases or preconceived notions. It is essential to implement quality processes and procedures which maximize the analyst’s skills, take full advantage of the available tools, and guide the incident response process. Processes and procedures surrounding incident validation, incident classification and initial resource allocation can ensure that the process stays on track and avoids straying down the wrong, costly road.
The most important goal of any security program must always remain to never under-respond to an incident. However, integrating these five tips into your security program will undoubtedly provide a better, more efficient process to determine what the appropriate level of response to each potential security incident should be, greatly reducing the risk of over-responding.