December 22, 2020 • The Recorded Future Team
Editor’s Note: Over the next several weeks, we’re sharing excerpts from the third edition of our popular book, “The Security Intelligence Handbook: How to Disrupt Adversaries and Reduce Risk with Security Intelligence.” Here, we’re looking at chapter five, “SecOps Intelligence, Part 2: Response.” To read the entire section, download your free copy of the handbook.
As soon as a security incident is identified, the clock starts ticking. Incident response teams are under enormous pressure to figure out what happened, triage and contain the threat, mitigate the damage, and get back to “business as usual” — fast. There are two major obstacles impeding their efforts: attacks are surging and there simply aren’t enough skilled defenders to stop them.
According to Microsoft research, the first half of 2020 saw an approximate 35% increase in total attack volume compared to the second half of 2019, along with an increase in overall attack sophistication. Meanwhile, 70% of organizations are suffering from the widespread shortage of cybersecurity professionals, found ESG.
Fusing internal and external threat, security, and business insights empowers incident response teams with the advanced warning and actionable facts needed to move out of reaction mode and shift the balance of power to the defenders. Elite security intelligence makes this possible by:
- Automatically identifying and dismissing false positive alerts
- Enriching alerts with real-time context
- Correlating and analyzing information from internal and external data sources, enabling fast and confident alert prioritization and immediate response
- Scoring threats based on the organization’s specific needs and infrastructure
Learn more in the following excerpt from “The Security Intelligence Handbook, Third Edition: How to Disrupt Adversaries and Reduce Risk With Security Intelligence.” In this excerpt, which has been edited and condensed, we’ll explain how security intelligence minimizes reactivity and explore specific use cases that amplify incident response teams’ impact.
After real attacks have been identified, incident response processes kick in. But both the detection and the response workflows have become more stressful for security teams. Among the reasons:
- Cyber incident volumes have increased steadily for two decades.
- Threats have become more complex and harder to analyze; staying on top of the shifting threat landscape has become a major task in itself.
- When responding to security incidents, analysts are forced to spend significant time manually checking and disseminating data from disparate sources.
- Containment of attacks and eradication of vulnerabilities continually grow more difficult.
As a result, incident response teams routinely operate under enormous time pressures and often are unable to contain cyber incidents promptly.
While it’s difficult to be precise about the number of incidents experienced by a typical organization, there is no doubt that cyberattack volume is growing rapidly. According to the Malwarebytes Labs “2020 State of Malware Report,” the volume of detected attacks on businesses increased by 13 percent in 2019. While some of this growing pressure is mitigated by preventative technologies, a huge additional strain is nonetheless being placed on incident response teams because of the following factors.
The skills gap
Incident response is not an entry-level security function. It encompasses a vast swath of skills, including static and dynamic malware analysis, reverse engineering, and digital forensics. It requires analysts who have experience in the industry and are able to perform complex operations under pressure.
The highly publicized cybersecurity skills gap has grown consistently wider over the past decade. Cyber Seek calculates that there are currently more than half a million cybersecurity job openings in the United States alone. According to the ISSA-ESG report “The Life and Times of Cybersecurity Professionals 2020,” 70 percent of organizations are negatively impacted by the shortage of cybersecurity professionals.
Rising response times
When you have too few skilled personnel and too many alerts, there’s only one outcome: The time to resolve genuine security incidents will increase. According to the “2020 Cost of a Data Breach Report” from Ponemon Institute and IBM Security, the time to detect and contain a data breach increased from 257 days in 2017 to 280 days in 2020.
Of course, cybercriminals have no such constraints. Once they gain a foothold inside a target network, the time to compromise is usually measured in minutes. We will discuss this more in the next chapter.
A piecemeal approach
Most organizations have security groups that grow organically in parallel with increases in cyber risk. As a result, many only add security technologies and processes when they must address specific needs, and they do so without a strategic design.
While this ad hoc approach is perfectly normal, it forces incident response teams to spend a lot of time aggregating data and context from a variety of security technologies (e.g., SIEM, EDR, and firewall logs) and threat feeds. This effort significantly extends response times and increases the likelihood of mistakes.
The Reactivity Problem
Once an alert is flagged, it must be triaged, remediated, and followed up as quickly as possible to minimize cyber risk. Consider a typical incident response process:
- Incident detection — Receive an alert from a SIEM, EDR, or similar product.
- Discovery — Determine what has happened and how to respond.
- Triage and containment — Take immediate actions to mitigate the threat and minimize damage.
- Remediation — Repair damage and remove infections.
- Push to BAU — Pass the incident to “business as usual” teams for final actions.
Notice the reactive nature of this process. For most organizations, nearly all the work necessary to remediate an incident is back-loaded, meaning it can’t be completed until after an alert is flagged. Although this is inevitable to some degree, it is far from ideal when incident response teams are already struggling to resolve incidents quickly enough.
Minimizing Reactivity in Incident Response
To reduce response times, incident response teams must become less reactive. Two areas where advanced preparation is especially impactful are identification of probable threats and prioritization.
Identification of probable threats
When an incident response team identifies the most commonly faced threats in advance, it can develop strong, consistent processes to cope with them. This preparation dramatically reduces the time the team needs to contain individual incidents, helps prevent mistakes, and frees up analysts to address new and unexpected threats when they arise.
Not all threats are equal. When incident response teams understand which threat vectors pose the greatest level of risk to their organization, they are able to allocate their time and resources accordingly.
To find out how security experts use security intelligence to reduce reactivity in incident response, watch the joint Recorded Future and LIFARS webinar “Fuel Incident Response With Security Intelligence to Lower Breach Impact.”
Strengthening Incident Response With Security Intelligence
It should be clear from our discussion so far that security technologies alone can’t do enough to reduce pressure on human analysts.
Security intelligence reduces the demands on incident response teams and addresses many of the issues we have been reviewing by:
- Automatically identifying and dismissing false positive alerts
- Enriching alerts with real-time context from across the open web and dark web
- Assembling and comparing information from internal and external data sources to identify genuine threats
- Scoring threats according to the organization’s specific needs and infrastructure
In other words, security intelligence — especially SecOps intelligence — provides incident response teams with exactly the actionable insights they need to make faster, better decisions, while holding back the tide of irrelevant and unreliable alerts that typically make their job so difficult.
SecOps Intelligence in Action
Let’s look at three use cases and one abuse case that show how SecOps intelligence affects incident response teams in the real world.
Use case: Prepare processes in advance
As noted earlier, typical incident response processes are highly reactive, with most activity happening only after an incident occurs. This extends the time needed to scope and remediate incidents.
SecOps intelligence empowers incident response teams to prepare for threats by providing:
- A comprehensive, up-to-date picture of the threat landscape
- Information about popular threat actor TTPs
- Highlights of industry- and region-specific attack trends
SecOps intelligence empowers incident response teams to develop and maintain strong processes for the most common incidents and threats. Having these processes available speeds up incident discovery, triage, and containment. It also greatly improves the consistency and reliability of actions across the incident response function.
Use case: Scope and contain incidents
When an incident occurs, incident response analysts must make quick determinations about three factors:
- What happened
- What the incident might mean for the organization
- Which actions to take
These factors must be analyzed as quickly as possible with a high degree of accuracy. SecOps intelligence makes a measurable impact by:
- Automatically dismissing false positives, enabling teams to focus on genuine security incidents
- Enriching incidents with related information from across the open and dark web, making it easier to determine how much of a threat they pose and how the organization might be affected
- Providing details about the threat and insights about the attacker TTPs, empowering the team to make fast and effective containment and remediation decisions
Use case: Detect data breaches sooner
It’s common for organizations to take a long time to realize a breach has occurred. According to the IBM “Cost of a Data Breach Report 2020,” the average time to identify a data breach is 207 days.
Not surprisingly, stolen data and proprietary assets often turn up for sale on the dark web before their rightful owners realize what’s happened.
A powerful SecOps intelligence capability provides a tremendous advantage by alerting you to a breach and providing early warning that your assets are exposed online, or someone is offering those assets for sale.
Obtaining this intelligence in real time is vital because it enables you to contain the incident as quickly as possible and identify when and how your network was breached.
Abuse case: Half measures are worse than nothing
We want to caution you about one abuse case where security intelligence may actually undermine incident response.
At the start of their security intelligence journey, some organizations opt for a minimalist solution such as a SecOps intelligence solution paired with a variety of free threat feeds. They might believe that this “dip our toes in the water” approach will minimize up-front costs.
While this type of implementation arms incident response teams with some actionable intelligence, it generally makes things worse by forcing analysts to wade through vast quantities of false positives and irrelevant alerts. To fully address the primary incident response pain points, a security intelligence capability must be comprehensive, relevant, contextualized, and integrated.
Essential Characteristics of Security Intelligence for Incident Response
Now it’s time to examine the characteristics of a powerful security intelligence capability, and how they address the greatest pain points for incident response teams.
To be valuable to incident response teams, security intelligence must be captured automatically from the widest possible range of locations across open sources, technical feeds, and the dark web. Otherwise analysts will be forced to conduct their own manual research to ensure nothing important has been missed.
Imagine that an analyst needs to know whether an IP address has been associated with malicious activity. If she is confident that her security intelligence has been drawn from a comprehensive range of threat sources, she is able to query the data instantly and be sure the result will be accurate. If she isn’t confident, she will have to spend time manually checking the IP address against several threat data sources. Figure 5-1 shows how SecOps intelligence might connect an IP address with the Trickbot malware. This kind of intelligence can be correlated with internal network logs to reveal indicators of compromise.
It’s impossible to avoid all false positives when working to identify and contain incidents. But SecOps intelligence empowers incident response teams to quickly identify and purge false positives generated by security technologies such as SIEM and EDR products.
There are two categories of false positives to consider:
- Alerts that are relevant to an organization but are inaccurate or unhelpful
- Alerts that are accurate and/or interesting but aren’t relevant to the organization
Both types have the potential to waste an enormous amount of an incident response analyst’s time.
Advanced security intelligence products are now employing powerful algorithms and analytical processes to identify and discard false positives automatically and draw analysts’ attention to the most important (i.e., most relevant) intelligence.
If you don’t choose your security intelligence technology carefully, your team is likely to waste a great deal of time on intelligence that’s inaccurate, outdated, or irrelevant to your organization.
Not all threats are created equal. Even among relevant threat alerts, some will inevitably be more urgent and important than the rest. An alert from a single source could be both accurate and relevant, but still not particularly high in priority. That is why context is so important: It provides critical clues about which alerts will most likely matter to your organization.
Contextual intelligence related to an alert might include:
- Corroboration from multiple sources that the same type of alert has been associated with recent attacks
- Confirmation that it has been associated with threat actors known to be active in your industry
- A timeline showing that the alert occurred slightly before or after other events linked with attacks
Modern analytics and algorithms make it possible for a security intelligence solution to consider multiple sources concurrently and determine which alerts are most important to a specific organization.
Among the most critical characteristics of a security intelligence product is its ability to integrate with a broad range of security tools, including SIEM and incident response solutions. Through integration, the product is able to examine the alerts they generate and:
- Determine whether each alert should be dismissed as a false positive
- Score the alert according to its importance
- Enrich the alert with valuable extra context
Effective integration eliminates the need for analysts to manually compare each alert to information found across their ecosystem of security and security intelligence tools. Even more important, integration and automated processes are able to filter out a huge number of false positives without any checking by a human analyst. Saving time and avoiding frustration are perhaps security intelligence’s greatest benefits for incident response teams.
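As an added example (not the handbook's own code and not a description of any Recorded Future product), the following Python sketch ties together the steps described in this section: the IP-address lookup of Figure 5-1 correlated against internal network logs, the two false-positive categories, the contextual scoring (corroboration, industry relevance, timeline), and the integration loop that dismisses, scores, and enriches each alert. The firewall log format, the asset inventory, the feed names, the intelligence records, the score weights, and the staleness and burst thresholds are all constructed assumptions for illustration.

```python
"""Alert correlation and triage with threat-intelligence context (added example)."""
from datetime import datetime, timedelta

# Constructed: what the organization knows about itself (assumed values).
ORG_INDUSTRY = "finance"
ORG_ASSETS = {"10.0.5.12": "payroll-db", "10.0.7.3": "workstation-042"}

# Constructed threat-intelligence store keyed by indicator. A real capability
# would populate this from open sources, technical feeds and dark-web collection.
THREAT_INTEL = {
    "203.0.113.45": {"sources": ["feed-a", "feed-b", "vendor-report"], "malware": "TrickBot",
                     "industries": ["finance", "healthcare"], "last_seen": datetime(2020, 12, 20)},
    "198.51.100.7": {"sources": ["feed-a"], "malware": None,
                     "industries": ["gaming"], "last_seen": datetime(2020, 12, 18)},
    "192.0.2.200":  {"sources": ["feed-b"], "malware": "generic-scanner",
                     "industries": [], "last_seen": datetime(2019, 1, 4)},
}

# Constructed firewall log lines; the syslog-like format is an assumption.
SAMPLE_LOGS = """\
2020-12-22T09:00:12Z fw01 ALLOW src=10.0.5.12 dst=203.0.113.45 dport=443
2020-12-22T09:03:40Z fw01 ALLOW src=10.0.5.12 dst=203.0.113.45 dport=447
2020-12-22T09:10:00Z fw01 ALLOW src=10.0.7.3 dst=198.51.100.7 dport=80
2020-12-22T09:15:00Z fw01 ALLOW src=10.0.7.3 dst=192.0.2.200 dport=22
2020-12-22T09:20:00Z fw01 ALLOW src=172.16.44.9 dst=203.0.113.45 dport=443
2020-12-22T09:25:00Z fw01 ALLOW src=10.0.7.3 dst=93.184.216.34 dport=443
"""

STALE_AFTER = timedelta(days=180)     # assumed: older sightings are treated as unhelpful
BURST_WINDOW = timedelta(minutes=30)  # assumed: window for "related events" on the timeline


def parse_log(text):
    """Turn each firewall line into a dict with a datetime and the src/dst/dport fields."""
    events = []
    for line in text.splitlines():
        fields = line.split()
        ts = datetime.strptime(fields[0], "%Y-%m-%dT%H:%M:%SZ")
        kv = dict(f.split("=", 1) for f in fields[3:])
        events.append({"ts": ts, "src": kv["src"], "dst": kv["dst"], "dport": int(kv["dport"])})
    return events


def correlate(events, intel):
    """Join internal logs against intelligence: every event whose destination is a
    known indicator becomes a candidate alert (the SIEM/EDR match step)."""
    return [e for e in events if e["dst"] in intel]


def triage(alert, events, intel, now):
    """Dismiss the alert as a false positive or score it 0-100 with the justifying context."""
    ioc = intel[alert["dst"]]
    context = []
    # Category 1: relevant to the organization, but the intelligence is stale/unhelpful.
    if now - ioc["last_seen"] > STALE_AFTER:
        return {"verdict": "dismiss:stale-intel", "score": 0, "context": context}
    # Category 2: accurate intelligence that is not relevant to this organization.
    if alert["src"] not in ORG_ASSETS:
        return {"verdict": "dismiss:not-our-asset", "score": 0, "context": context}
    if ORG_INDUSTRY not in ioc["industries"] and len(ioc["sources"]) < 2:
        return {"verdict": "dismiss:not-relevant", "score": 0, "context": context}
    score = 0
    extra_sources = len(ioc["sources"]) - 1          # corroboration from multiple sources
    if extra_sources:
        score += min(extra_sources, 3) * 15
        context.append(f"corroborated by {len(ioc['sources'])} sources")
    if ORG_INDUSTRY in ioc["industries"]:            # actors active in our industry
        score += 35
        context.append(f"targets {ORG_INDUSTRY}")
    if ioc["malware"]:                               # named malware family
        score += 10
        context.append(f"associated with {ioc['malware']}")
    related = [e for e in events if e["src"] == alert["src"] and e is not alert
               and e["dst"] in intel and abs(e["ts"] - alert["ts"]) <= BURST_WINDOW]
    if related:                                      # timeline: nearby hits from the same host
        score += 20
        context.append(f"{len(related)} related hit(s) from {ORG_ASSETS[alert['src']]} within {BURST_WINDOW}")
    return {"verdict": "escalate", "score": min(score, 100), "context": context}


def run_triage(log_text=SAMPLE_LOGS, intel=THREAT_INTEL, now=datetime(2020, 12, 22, 10, 0)):
    """Full loop: parse logs, correlate with intelligence, triage, and rank by priority."""
    events = parse_log(log_text)
    results = []
    for alert in correlate(events, intel):
        verdict = triage(alert, events, intel, now)
        verdict.update(src=alert["src"], dst=alert["dst"], ts=alert["ts"])
        results.append(verdict)
    results.sort(key=lambda r: r["score"], reverse=True)
    return results


if __name__ == "__main__":
    for r in run_triage():
        print(r["ts"], r["src"], "->", r["dst"], r["verdict"], r["score"], r["context"])
```

Running it on the constructed logs escalates the two payroll-db connections to the TrickBot indicator with a score of 95 (three sources, industry match, named malware, and a second hit within the burst window), while the single-source gaming-sector indicator, the 2019 scanner sighting, and the hit from a host outside the inventory are dismissed under the two false-positive categories without an analyst touching them.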
Get ‘The Security Intelligence Handbook’
This chapter is one of many in our new book that demonstrates how to disrupt adversaries and measurably reduce risk with security intelligence at the center of your security program. Subsequent chapters explore different use cases, including the benefits of security intelligence for brand protection, vulnerability management, third-party risk management, security leadership, and more.