I think we’ve seen this before... Why 'incident intelligence' is imperative
Lately, I’ve had a lot of conversations about how threat intelligence can enrich organizations’ incident response processes and how the right intelligence can make them more effective. As a note, I’m a former full-time lead incident responder for a massive organization and now a researcher.
I can confidently say that when you’re dealing with literally hundreds of malware incidents per day, the minute differences in identified indicators can all start to blur together. Being able to very quickly and efficiently answer the question of whether or not a particular indicator of compromise has been seen before (and in what context) is crucial. Let’s call this "incident intelligence". Incident responders always need to have a clear picture of what they are dealing with and how it may relate to something already encountered during previous incidents, but unfortunately for most teams, this is easier said than done.
An equally inhibiting issue is the fact that incident responders or security operations analysts typically require up to ten different Web pages or portals open at any given time in order to fully understand the elements of the current incident. The number of details involved in a single security incident is staggering, and when responders need to gather those details from numerous sources, it only adds to the confusion of trying to remember if a single indicator has been seen in a previous incident or not.
The solution to this (lack of) incident intelligence problem is surprisingly simple: Put proper processes in place! While many organizations implement complex incident handling and tracking processes, they may not be addressing the issue in the most effective way. Processes for ongoing incidents must be updated to include searching back through previous incidents to determine if there is any overlap. Hopefully organizations have a powerful search capability built into their incident tracking systems (assuming an organization even has a tracking system), which they can leverage in these situations.
It’s important to have your processes updated to include this historical search capability because it’s absolutely imperative to be able to know what you’ve seen before. If you rely solely on that instinct of "I think we’ve seen this before," you will make mistakes, you will miss crucial details, and you won’t be as effective as you need to be. On this point, I speak from experience.
Having this visibility into whether or not a specific indicator of compromise (including registry keys, IP addresses, domains, etc.) has been seen before really makes an impact. Those Dynamic DNS FQDNs all looked the same after dealing with the onslaught of the Blackhole and Neutrino exploit kits’ prolific usage of DynDNS domains, right? Being able to determine overlaps in incidents can help show how specific threats relate to each other -- maybe how a specific exploit kit tends to continuously drop the same type of malware, or how Cryptolocker is typically spread via ZeuS Gameover (which often comes from malspam). You could also find overlaps and uncover extended undetected access after you thought a previous incident had been remediated -- dare I say "persistent?"
What's one of the biggest benefits of having incident intelligence? It substantially reduces the security operations team’s reliance on your subject matter experts (dedicated malware teams, incident response teams, CERTs, etc). The ability for a SOC analyst to be able to say "yes, we’ve seen this before in incident #99999, it was related to this threat, and this is how we handled it" is incredibly powerful and saves precious time and resources all around.
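As an added illustration (not code from the original post), this is the kind of historical lookup the process above calls for: a small Python script that indexes indicators from a constructed set of past incident records and reports, for each indicator of the current incident, which earlier incidents recorded it, what threat they were tied to and how they were handled. The incident IDs, domains, IP addresses and registry paths are made up for the example, and normalize() undoes common defanging so the same artefact written two ways still matches.

```python
import re
from collections import defaultdict

# Constructed sample records from a hypothetical incident tracking system.
# IDs, domains, IPs, registry paths and outcomes are made up for illustration.
PAST_INCIDENTS = [
    {"id": "INC-1001", "threat": "exploit kit landing page",
     "outcome": "host reimaged, proxy block added",
     "iocs": ["cdn-update.example.net", "198.51.100.23"]},
    {"id": "INC-1042", "threat": "banking trojan dropped by the same kit",
     "outcome": "credentials reset, host reimaged",
     "iocs": ["198.51.100.23", r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svcupd"]},
    {"id": "INC-1077", "threat": "malspam ransomware",
     "outcome": "files restored from backup",
     "iocs": ["billing-docs.example.org"]},
]

def normalize(ioc: str) -> str:
    """Canonicalise an indicator so one artefact written two ways still matches."""
    s = ioc.strip()
    s = s.replace("[.]", ".").replace("(.)", ".")           # undo common defanging
    s = re.sub(r"^(hxxps?|https?)://", "", s, flags=re.IGNORECASE)  # drop URL scheme
    s = s.rstrip("/")
    s = s.replace("HKEY_CURRENT_USER", "HKCU").replace("HKEY_LOCAL_MACHINE", "HKLM")
    return s.lower()

def build_index(incidents):
    """Inverted index: normalised indicator -> list of incident ids that recorded it."""
    index = defaultdict(list)
    for inc in incidents:
        for ioc in inc["iocs"]:
            index[normalize(ioc)].append(inc["id"])
    return index

def find_overlaps(new_iocs, incidents):
    """For each indicator of the current incident, list past incidents sharing it."""
    by_id = {inc["id"]: inc for inc in incidents}
    index = build_index(incidents)
    hits = {}
    for ioc in new_iocs:
        key = normalize(ioc)
        if key in index:
            hits[ioc] = [{"id": i, "threat": by_id[i]["threat"], "outcome": by_id[i]["outcome"]}
                         for i in index[key]]
    return hits

if __name__ == "__main__":
    current = ["hxxp://cdn-update[.]example[.]net/", "203.0.113.9",
               r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run\svcupd"]
    for ioc, past in find_overlaps(current, PAST_INCIDENTS).items():
        print(ioc, "->", [(p["id"], p["threat"], p["outcome"]) for p in past])
```

An indicator with no hit (the 203.0.113.9 address above) is simply absent from the result, which is itself useful: it tells the analyst this part of the incident is genuinely new rather than half-remembered.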
It is time for incident response to evolve. Companies need processes that give them the ability to recognize if an ongoing incident overlaps with a previous incident. This way, they can immediately reference the past incident to understand the details and the outcome -- all of this information is extremely important in determining the incident response action items.
Armed with this insight into what has been encountered before by leveraging knowledge of past incidents, incident response and security operations teams can completely change their decision making processes and respond to incidents more effectively than ever.
Now that’s incident intelligence.
As a Malware Researcher at Lookingglass, Steven Weinstein combines a deep understanding of malware analysis and incident response to research the latest threats, their impact on organizations and strategies to defend against them. He is also responsible for enrichment of current data sets by producing relevant and actionable malware indicators of compromise at mass scale. Prior to joining Lookingglass, Steven was the lead malware incident responder for Deutsche Bank. He was responsible for day-to-day malware incident handling and investigating high severity incidents involving APT attacks. Steven also created the bank's malware incident handling procedures and trained dozens of security analysts on incident response best practices. Additionally, he aided in the creation of a world-class automated malware triage tool. Steven is a subject matter expert in the fields of incident response and malware analysis. He graduated with honors from Towson University with a degree in Computer Science with a focus in Security.