From Alert to Action: How to Speed Up Your SOC Investigations

13 March 2024

Processing alerts quickly and efficiently is the cornerstone of a Security Operations Center (SOC) professional's role. Threat intelligence platforms can significantly enhance their ability to do so. Let's find out what these platforms are and how they can empower analysts.

The Challenge: Alert Overload

The modern SOC faces a relentless barrage of security alerts generated by SIEMs and EDRs. Sifting through these alerts is both time-consuming and resource-intensive. Analysing a potential threat often requires searching across multiple sources before finding conclusive evidence to verify if it poses a real risk. This process is further hampered by the frustration of spending valuable time researching artifacts that ultimately turn out to be false positives.

As a result, a significant portion of these events remain uninvestigated. This highlights a critical challenge: finding necessary information related to different indicators quickly and accurately. Threat data platforms offer a solution. These platforms enable you to look up any suspicious URL, IP, or other indicator and receive immediate insights into its potential risk. One such platform is Threat Intelligence Lookup from ANY.RUN.

Threat Intelligence Platforms to the Rescue

Specialized platforms for SOC investigations leverage their databases of threat data, aggregated from diverse sources. The threat intelligence platform collects Indicators of Compromise (IOCs) from millions of interactive analysis sessions (tasks) conducted within the sandbox.

The platform offers an additional dimension of threat data: logs of processes, registry and network activity, command line contents, and other system information generated during sandbox analysis sessions. Users can then search for relevant details across these fields.

 

Threat Intelligence Platform Benefits

·         Deeper Visibility into Threats

Instead of relying on scattered data sources, such platforms offer a single point of access to search for IOCs across various data points. This includes URLs, file hashes, IP addresses, logged events, command lines, and registries, allowing for more comprehensive threat identification and investigation.

·         Faster Alert Investigations

When a security incident occurs, time is of the essence. TI platforms help gather relevant threat intelligence data rapidly, enabling a deeper understanding of the attack's nature, affected systems, and compromise scope. This can significantly speed up and improve response efforts.

·         Proactive Threat Hunting

Threat intelligence platforms empower teams to actively hunt for known IOCs associated with specific malware families. This proactive approach can help uncover hidden threats before they escalate into major incidents.

They can provide access to data that might reveal potential vulnerabilities associated with known threats. This information can inform risk assessments and help organizations prioritize security efforts based on the most pressing dangers.

·         Threat Analysis and Decision-Making

Armed with detailed insights into malware behaviour, teams can more accurately analyse threats and make informed decisions about containment, remediation, and future preventative measures. This continuous learning cycle strengthens the overall security posture and team competency.

Threat Intelligence Platform Query Examples

·         Searching with Individual Indicators

Imagine you suspect a compromised system within your network is downloading malicious files. You pinpoint a specific IP address as the potential source and decide to investigate further. Enter the IP address into the search bar of a threat intelligence platform. Instantly, the platform flags the address as malicious and linked to the Remcos malware, offering info on domains, ports, and even files associated with this IP.

It also provides access to analysis sessions where this IP address was involved and lists Tactics, Techniques, & Procedures (TTPs) employed by malware in these sessions.

You can study every session in detail by simply clicking on it. The system will take you to the session's page in the ANY.RUN sandbox, where you will be able to explore all the processes, connections, and registry activity, as well as collect the malware's config and IOCs or download a comprehensive threat report.

·         Flexible Search with Wildcards

Another useful feature of threat intelligence platforms like TI Lookup is the ability to submit wildcards and combined queries.

For instance, the query "binPath=*start= auto" uses the asterisk wildcard and searches for any command line with "binPath=" followed by any characters that end with "start= auto". 

The platform returns a hundred sessions where the same fragment appeared. A closer examination of the search results indicates that this specific command line artifact is characteristic of the Tofsee malware.

·         Combined Search Requests

Another option for conducting an investigation is to pool together all available indicators and submit them to the threat intelligence platform to identify all instances where these criteria appear collectively. 

For example, you can construct a query that searches for all tasks (sessions) categorized as "file," run on Windows 7, with a 64-bit operating system, connecting to port 50500 and containing the string "schtasks" in the command line. 

The platform then identifies numerous sessions that meet the specified criteria and additionally provides a list of tagged IPs, highlighting the malware responsible.
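The wildcard and combined searches described above can be reproduced against your own process and network telemetry. The following is an added example, not ANY.RUN's code and not TI Lookup's query syntax: the field names (`task_type`, `os`, `arch`, `ports`, `command_lines`) and the session records are hypothetical and constructed for illustration.

```python
import re

SUBSTRING_FIELDS = {"command_lines"}  # fields searched for a fragment, not a whole value

def wildcard_to_regex(pattern):
    # Escape every literal part, then let each '*' stand for any run of characters.
    parts = (re.escape(p) for p in pattern.split("*"))
    return re.compile(".*".join(parts), re.IGNORECASE | re.DOTALL)

def field_matches(value, wanted, substring=False):
    # List-valued fields (ports, command lines) match if any element matches.
    if isinstance(value, (list, tuple)):
        return any(field_matches(v, wanted, substring) for v in value)
    if isinstance(wanted, str):
        rx = wildcard_to_regex(wanted)
        return bool(rx.search(str(value)) if substring else rx.fullmatch(str(value)))
    return value == wanted

def search(sessions, **criteria):
    # Combined query: every criterion must hold for the same session (logical AND).
    return [s["id"] for s in sessions
            if all(k in s and field_matches(s[k], w, k in SUBSTRING_FIELDS)
                   for k, w in criteria.items())]

# Constructed sample sessions (hypothetical schema, not real sandbox output).
SESSIONS = [
    {"id": "s1", "task_type": "file", "os": "Windows 7", "arch": 64,
     "ports": [443, 50500],
     "command_lines": ['schtasks /create /tn "Updater" /tr "C:\\Users\\Public\\u.exe" /sc minute']},
    {"id": "s2", "task_type": "file", "os": "Windows 7", "arch": 32,
     "ports": [50500], "command_lines": ["schtasks /query"]},
    {"id": "s3", "task_type": "url", "os": "Windows 10", "arch": 64,
     "ports": [80],
     "command_lines": ['sc create svc1 binPath= "C:\\Windows\\SysWOW64\\svc1\\a.exe" start= auto']},
    # Same tokens in the opposite order: the wildcard pattern is order-sensitive.
    {"id": "s4", "task_type": "file", "os": "Windows 10", "arch": 64,
     "ports": [80],
     "command_lines": ['sc create svc2 start= auto binPath= "C:\\Temp\\b.exe"']},
]

if __name__ == "__main__":
    # Wildcard search on a command-line fragment.
    print(search(SESSIONS, command_lines="binPath=*start= auto"))
    # Combined search: all five criteria must match one session.
    print(search(SESSIONS, task_type="file", os="Windows 7", arch=64,
                 ports=50500, command_lines="schtasks"))
```

Because the wildcard is order-sensitive, a hunt for this artifact in local logs should also consider the reversed token order, as session `s4` shows.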
