The sum of details at hand equals the quality of a cyber threat investigation
Bali Kuchipudi, product marketing manager at RSA, writes on the details a security analyst can use to improve the speed of an investigation and, importantly, to put in place an effective response plan.
Just like any detective investigating a crime scene, security analysts need to be able to access all the information pertaining to any threat incident they are investigating.
According to Bali Kuchipudi, product marketing manager at RSA, The Security Division of EMC, with these details a security analyst can both improve the speed of the investigation and, importantly, put in place an effective response plan.
With its focus on supplying the sub-Saharan-, East- and West African markets with technology solutions that address converged technology, data centre, networking, and security landscapes, Networks Unlimited distributes RSA security solutions in the region. Anton Jacobsz, managing director at Networks Unlimited says: "No matter where in the world you operate, when it comes to cybersecurity your defence against further and stronger attacks is strengthened by every, even minor, fact you possess."
Kuchipudi explains that the first step in obtaining these details is to automate threat detection and provide the analyst with details on why that threat poses a risk to the organisation. "For example, detection of Command and Control (CC) can be automated, but providing the next level of detail on a CC event will help the analyst drill down and investigate faster to develop an effective response plan."
Similarly, if additional context is delivered to the analyst automatically during an investigation, fewer clicks are needed to find that context, which speeds up both the investigation and the response.
Kuchipudi gives a few examples of how this enrichment can benefit the security analyst during an investigation:
An analyst is investigating a host because of command-and-control (CC) activity:
· The business context of the asset (its criticality, the organisational unit that owns it and the applications running on it) gives the analyst a quick view of what sensitive information the attacker is targeting.
· The endpoint context, such as the operating system (OS) and any suspicious file or process activity, helps the analyst work out the remediation plan for the host. For example, the OS might need to be patched or upgraded, or the suspicious file and process blocked and removed.
· If a suspicious process or file is found on the host being investigated, quickly find which other hosts carry the same process or file (for example by matching its file hash, so that a renamed copy is not missed). This gives a fast view of how far the attacker has moved laterally within the organisation, and the remediation plan must also cover these affected hosts.
· If a privileged account such as "Admin1strator" (a look-alike of the built-in Administrator name) has been created on the host for backdoor access, quickly find which other hosts have the same privileged account. This provides a view of the attacker's lateral movement.
· Lateral movement in a Windows environment can be detected by a sequence of events: an executable is copied to a file share, that executable is used to create a new service, and the service is started, all within five minutes. Such a sequence may indicate an attacker executing a backdoor on a victim machine from an already compromised system.
· Ask what previous incidents have been investigated on this host and what the remediation plan was. If a similar incident was seen before, this helps the analyst zero in on the root cause and the remediation plan.
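The three host-centred enrichments above (pivoting on a file hash, pivoting on a backdoor account name, and the timed copy-to-share / create-service / start-service sequence) can all be answered from the same normalised event stream. The Python below is an added illustration written for this page; it is not RSA's code and not part of the original article. The event types, field names, host names, service names and the hash value are constructed assumptions standing in for what a SIEM or EDR would normalise from Windows Security/System logs.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample telemetry (not real logs). Assumed event types:
#   file_share_write : an executable written to an admin share on the target
#   service_create   : a service created whose image path is that executable
#   service_start    : the service was started
#   account_create   : a local account was created
#   process_create   : a process started, with the hash of its image
BACKDOOR_HASH = "constructed-sha256-0001"   # placeholder, not a real hash
SAMPLE_EVENTS = [
    # WS-01: full three-step chain inside five minutes, pushed from WS-07
    {"ts": "2024-03-01T10:00:05", "host": "WS-01", "type": "file_share_write",
     "src_host": "WS-07", "path": r"\\WS-01\ADMIN$\svchost32.exe"},
    {"ts": "2024-03-01T10:00:09", "host": "WS-01", "type": "service_create",
     "service": "WinUpdSvc", "image": r"C:\Windows\svchost32.exe"},
    {"ts": "2024-03-01T10:00:11", "host": "WS-01", "type": "service_start",
     "service": "WinUpdSvc"},
    {"ts": "2024-03-01T10:03:40", "host": "WS-01", "type": "account_create",
     "account": "Admin1strator"},
    {"ts": "2024-03-01T10:04:02", "host": "WS-01", "type": "process_create",
     "image": r"C:\Windows\svchost32.exe", "sha256": BACKDOOR_HASH},
    # WS-02: same first two steps, but the service only starts 20 minutes later
    {"ts": "2024-03-01T11:00:00", "host": "WS-02", "type": "file_share_write",
     "src_host": "WS-07", "path": r"\\WS-02\ADMIN$\svchost32.exe"},
    {"ts": "2024-03-01T11:00:04", "host": "WS-02", "type": "service_create",
     "service": "WinUpdSvc", "image": r"C:\Windows\svchost32.exe"},
    {"ts": "2024-03-01T11:20:30", "host": "WS-02", "type": "service_start",
     "service": "WinUpdSvc"},
    # WS-05 and WS-09: no service chain seen, but the same backdoor indicators
    # (on WS-09 the binary has been renamed, so only the hash matches)
    {"ts": "2024-03-01T10:30:00", "host": "WS-05", "type": "account_create",
     "account": "Admin1strator"},
    {"ts": "2024-03-01T10:31:00", "host": "WS-05", "type": "process_create",
     "image": r"C:\Windows\svchost32.exe", "sha256": BACKDOOR_HASH},
    {"ts": "2024-03-01T12:15:00", "host": "WS-09", "type": "process_create",
     "image": r"C:\Temp\update.exe", "sha256": BACKDOOR_HASH},
    # WS-03: an unrelated service creation with no preceding share write
    {"ts": "2024-03-01T09:00:00", "host": "WS-03", "type": "service_create",
     "service": "BackupAgent", "image": r"C:\Program Files\Backup\agent.exe"},
    {"ts": "2024-03-01T09:00:02", "host": "WS-03", "type": "service_start",
     "service": "BackupAgent"},
]


def _ts(event):
    return datetime.fromisoformat(event["ts"])


def _basename(path):
    # Compare on the file name only: the share path and the service image
    # path name the same file through different roots.
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def detect_remote_service_chain(events, window=timedelta(minutes=5)):
    """One finding per host and share write where, in order and within
    `window`: an executable is written to a share, a service is created
    whose image is that executable, and that service is started."""
    by_host = defaultdict(list)
    for e in events:
        by_host[e["host"]].append(e)
    findings = []
    for host, evs in by_host.items():
        evs.sort(key=_ts)
        for w in (e for e in evs if e["type"] == "file_share_write"):
            exe, t0, deadline = _basename(w["path"]), _ts(w), _ts(w) + window
            for c in evs:
                if (c["type"] != "service_create"
                        or _basename(c["image"]) != exe
                        or not t0 <= _ts(c) <= deadline):
                    continue
                started = [s for s in evs if s["type"] == "service_start"
                           and s["service"] == c["service"]
                           and _ts(c) <= _ts(s) <= deadline]
                if started:
                    findings.append({
                        "host": host, "src_host": w.get("src_host"),
                        "exe": exe, "service": c["service"],
                        "span_seconds": int((_ts(started[0]) - t0).total_seconds()),
                    })
    return findings


def pivot_hosts(events, event_type, field, value):
    """Sorted hosts with at least one `event_type` event whose `field` equals
    `value`: answers 'which other hosts have this file / this account'."""
    return sorted({e["host"] for e in events
                   if e["type"] == event_type and e.get(field) == value})


if __name__ == "__main__":
    for f in detect_remote_service_chain(SAMPLE_EVENTS):
        print("remote service chain:", f)
    print("hosts with Admin1strator:",
          pivot_hosts(SAMPLE_EVENTS, "account_create", "account", "Admin1strator"))
    print("hosts running the same binary:",
          pivot_hosts(SAMPLE_EVENTS, "process_create", "sha256", BACKDOOR_HASH))
```

On the constructed data only WS-01 produces a finding (six seconds from share write to service start); WS-02 shows the same first two steps but its service starts outside the five-minute window the text gives, and WS-03 creates a service without any preceding share write. The two pivots return WS-01 and WS-05 for the backdoor account and WS-01, WS-05 and WS-09 for the binary, the last of which is caught only because the pivot is on the hash rather than the path. In production this chain also fires on legitimate remote-administration and software-distribution tools that push an executable and run it as a service, so a deployed rule should exclude known deployment accounts and image paths, and the five-minute window should be treated as a tunable threshold rather than a fixed constant.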
"The above are just a few enrichment examples that can help an analyst speed up the investigation process. Providing the analyst with the ability to 'right click' and get access to this enrichment data will make the overall investigation process more efficient and faster," Kuchipudi points out.
"We are continuously keeping an eye on RSA Security Analytics, in order to provide our customers in Africa with the ability to improve speed of investigation with both automation and enrichment," adds Jacobsz.