Threats are constantly evolving, and new threats emerge daily. Minimizing risk and the cost associated with security incidents means making rapid decisions based on the up-to-date and accurate information. Actionable threat intelligence can play a critical role in a proactive security program, as well as conducting efficient and effective incident response. Making incident response decisions based on incomplete or inaccurate intelligence can result in an incomplete or delayed response, residual risk and increased loss due to downtime, response cost, and fines.
Many security programs today experience challenges around gaining actionable and accurate threat intelligence and are looking for solutions to overcome these two key problems:
- How can I enrich incident indicators with actionable threat intelligence to make more informed decisions during the incident response process?
- How can I proactively gather threat intelligence data to ensure that my security team stays up to date on the latest threats and ongoing trends?
In this blog, we will briefly discuss how a security program can automate the collection of actionable threat intelligence from IBM experts utilizing IBM X-Force Exchange with its integration with DFLabs.
The DFLabs and IBM X-Force Exchange Solution
IBM X-Force Exchange is a cloud-based threat intelligence platform that allows security teams to consume, share and act on threat intelligence. It enables analysts to rapidly research the latest global security threats, aggregate actionable intelligence, consult with experts and collaborate with peers. IBM X-Force Exchange, supported by human- and machine-generated intelligence, leverages the scale of IBM X-Force to help users stay ahead of emerging threats.
DFLabs IncMan SOAR platform and IBM X-Force Exchange bring actionable threat intelligence sourced from the experts at IBM as well as industry peers, together with the automation and orchestration power of IncMan to deliver industry-leading incident response capabilities. Together, these solutions allow joint customers to make better, more informed automated and manual decisions, reducing the risk posed by security incidents.
Enriching incident indicators with actionable threat intelligence enable enterprises to reduce incident resolution times, maximize security analyst efficiency, as well as increase the number of handled incidents.
Use Case in Action
An alert based on an internal host communicating with a potentially malicious URL has automatically generated an Incident within IncMan. This alert is automatically categorized as a Malicious Communication incident within IncMan based on the organizations’ policies, which initiates the organization’s Malicious Communication runbook, shown below:
This runbook begins by utilizing several IBM X-Force Exchange integration actions to enrich the alert information, in this case, the potentially malicious domain. First, a WHOIS lookup of the domain is performed using IBM X-Force Exchange. Next, any threat intelligence regarding this URL is retrieved from IBM X-Force Exchange using the URL Reputation action.
After gathering intelligence on the initially reported URL, the runbook pivots outward and performs a DNS record search through IBM X-Force Exchange. For each DNS record returned, the runbook performs a WHOIS lookup on the IP address, followed by a threat intelligence search on the IP address through IBM X-Force Exchange.
Once all available threat intelligence has been retrieved from IBM X-Force Exchange, the runbook reaches an automated decision point. In this case, the runbook examines the threat intelligence for any threat score meeting a certain threshold. If this threshold is met, IncMan will automatically send a notification to the security team, then automatically update the incident type to that of a confirmed security incident. Following this notification and incident update, the security analyst will be prompted to determine whether or not automated containment actions are appropriate.
Actionable threat intelligence can play a critical role in a proactive security program, as well as conducting efficient and effective incident response.
By using DFLabs IncMan R3 Rapid Response Runbooks to automate the collection of actionable threat intelligence from the experts at IBM, as well as industry peers through the IBM X-Force Exchange, security teams can enrich indicators and gather additional intelligence to make faster, more informed decisions when the time is of the essence.
If you would like to see a more in-depth demo of this use case in action, or other use cases within IncMan, please get in touch.
We have recently experienced a devastating wave of ransomware attacks such as Wannacry or ‘WannCrypt’ which spread to more than 200 countries across the globe. While Russia was hit hard, Spain and the United Kingdom saw significant damage to their National Health Services. Hospitals were forced to unplug their computers to stop the malware from spreading even further. This is just one of the security threats posed by special malware that encrypts computer files, network file shares, and even databases thereby preventing user access (Green 18-19). It happens in spite of heavy investments in a wide array of security automation and orchestration solutions and staff required to triage, investigate and resolve threats.
The primary problem is that organizations seem to be losing the battle against cyber attackers (Radichel, 2). The security administrators are overburdened and compelled to manually perform time-consuming and repetitive tasks to identify, track, and resolve security concerns across various security platforms. Notwithstanding the time and effort, it is difficult to analyze and adequately prioritize the security events and alerts necessary to protect their networks. Still, the inadequate visibility into the present activities of the security teams, metrics and performance leave security managers struggling to justify additional resources. It has long been accepted that the organizational efficiency depends heavily on the ability of the security system to reduce false positives so that analysts can focus on the critical events along with indicators of compromise.
Security event automation and orchestration ensures that an organization detects a compromise in real time. A rapid incident response ensures a quick containment of the threat. Through the automation of common investigation enrichment and response actions, as well as the use of a centralized workflow for performing incident response, it is possible to minimize response times and thus make the organization more secure. Security events automation and orchestration expedites workflows across the threat life-cycle in various phases. However, for the security team to deploy security automation and orchestration of event-driven security, there must be access to data concerning events occurring in the environment that warrant a response. To effectively employ event-driven security, automation should be embedded into processes that could introduce new threats to the environment (Goutam, Kamal and Ingle, 431). The approach requires that there be a way to audit the environment securely and trigger event based on data patterns that indicate security threat or intrusion. Of particular importance, continuous fine tuning of processes is required to make certain the events automation and orchestration being deployed is not merely automating the process, but providing long-term value in the form of machine learning and automated application of incident response workflows that have previously resolved incidents successfully.
At a time of increased cybersecurity threats, a structured approach can expedite the entire response management process from event notification to remediation and closure through automated orchestration and workflow. An automatic gathering of key information, the building of decision cases and the execution of critical actions to prevent and/or remediate cyber threats based on logical incident response processes are enabled. With security orchestration and event automation, various benefits are realized such as cost effectiveness, mitigation of security incidents and improved speed and effectiveness of the response. Hence, security event automation and orchestration is the real deal in containing security threats before real damage takes place.