It is important for security analysts to have all the details of an incident when investigating. With those details, the analyst can not only investigate faster but, more importantly, put an effective response plan in place.
How can the analyst get these details? The first step is to automate threat detection and give the analyst the details on why that threat poses a risk to the organization. For example, detection of Command and Control (CC) can be automated, but providing the next level of detail on the CC event helps the analyst drill down, investigate faster and develop an effective response plan.
Additionally, if during an investigation the analyst can get additional context automatically, that further reduces the number of clicks needed to find the context and speeds up the investigation and response.
Let's take a look at how this enrichment can benefit the security analyst during an investigation, with a few examples:
- The analyst is investigating a host based on some CC activity:
  - Business context of the asset, such as criticality, organization and the applications running on the host, gives the analyst a quick view of what sensitive information the attacker is targeting.
  - Endpoint context, such as the Operating System (OS) and suspicious file or process activity, helps the analyst work out the remediation plan for the host. For example, the OS might need to be upgraded, or the suspicious file and process need to be blocked and removed.
  - If a suspicious process or file is found on the host being investigated, quickly find which other hosts are compromised with the same process or file. This gives a quick view of how far the attacker has moved laterally in the organization. It is also important that the remediation plan includes these affected hosts.
  - If the host being investigated has a privileged account named "Admin1strator" created for backdoor access, quickly find which other hosts have the same privileged account. This provides a view of the attacker's lateral movement.
- Lateral movement of the attacker in a Windows environment, detected as a sequence of events: an executable is copied to a file share, the executable is used to create a new service, and the service is started, all within 5 minutes. This sequence may indicate an attacker moving laterally by executing a backdoor on a victim machine from an already compromised system.
- Which previous incidents have been investigated on the host under investigation, and what was the remediation plan? This helps the analyst zero in on the root cause and the remediation plan if a similar incident was seen before.
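As an added illustration of the copy-to-share, service-create, service-start sequence above (example code written for this post, not part of any product), the following correlates three constructed event records per host and executable name within a 5-minute window and emits an alert that already carries the enrichment an analyst would want: the target host, the executable, the source host the events came from, and the three timestamps. Event field names and the sample events are assumptions for the example.

```python
from datetime import datetime, timedelta
from pathlib import PureWindowsPath

# Constructed sample events (not real telemetry). "host" is the machine that
# owns the share / service; "src_host" is where the action originated.
EVENTS = [
    {"time": "2024-03-01T10:00:05", "type": "file_copied", "host": "WS-42",
     "src_host": "WS-07", "path": r"\\WS-42\ADMIN$\svcupd.exe"},
    {"time": "2024-03-01T10:01:10", "type": "service_created", "host": "WS-42",
     "src_host": "WS-07", "path": r"C:\Windows\svcupd.exe"},
    {"time": "2024-03-01T10:02:30", "type": "service_started", "host": "WS-42",
     "src_host": "WS-07", "path": r"C:\Windows\svcupd.exe"},
    # Same shape on another host, but the start is 20 minutes after the copy,
    # so it falls outside the window and is not alerted on.
    {"time": "2024-03-01T11:00:00", "type": "file_copied", "host": "WS-13",
     "src_host": "WS-07", "path": r"\\WS-13\C$\tools\agent.exe"},
    {"time": "2024-03-01T11:02:00", "type": "service_created", "host": "WS-13",
     "src_host": "WS-07", "path": r"C:\tools\agent.exe"},
    {"time": "2024-03-01T11:20:00", "type": "service_started", "host": "WS-13",
     "src_host": "WS-07", "path": r"C:\tools\agent.exe"},
]

def _parse(e):
    # Normalise timestamps and reduce the path to the executable's file name so
    # the UNC copy path and the local service image path can be matched.
    return {**e, "time": datetime.fromisoformat(e["time"]),
            "name": PureWindowsPath(e["path"]).name.lower()}

def detect_lateral_movement(events, window=timedelta(minutes=5)):
    """One alert per service start preceded, on the same host and for the same
    executable, by a service creation and a copy to a share within `window`."""
    evs = sorted((_parse(e) for e in events), key=lambda e: e["time"])
    alerts = []
    for start in (e for e in evs if e["type"] == "service_started"):
        key = (start["host"], start["name"])
        creates = [e for e in evs if e["type"] == "service_created"
                   and (e["host"], e["name"]) == key and e["time"] <= start["time"]]
        copies = [e for e in evs if e["type"] == "file_copied"
                  and (e["host"], e["name"]) == key
                  and start["time"] - e["time"] <= window]
        # Require the documented order: copy, then create, then start.
        chain = [(c, cr) for c in copies for cr in creates if c["time"] <= cr["time"]]
        if chain:
            copy, create = chain[0]
            alerts.append({"host": start["host"], "executable": start["name"],
                           "source_host": copy["src_host"],
                           "copied": copy["time"].isoformat(),
                           "service_created": create["time"].isoformat(),
                           "service_started": start["time"].isoformat()})
    return alerts
```

The `source_host` field in the alert is the pivot the analyst needs next: it points at the already compromised system rather than only at the victim.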
The above are just a few enrichment examples that can help an analyst speed up the investigation process. Giving the analyst the ability to "right click" and get access to this enrichment data makes the overall investigation faster and more efficient.
Category: RSA Fundamentals
Keywords: Context, Enrich, Incident Response