This is the fifth article in a series starting with “Critical Capabilities of a Modern SOC”. In the last article, I talked about the “monitoring” capability, and in this article, I talk about the fourth capability discussed, namely, “security investigation.”
Investigating threats, whether it be a security event, security incident or other issue requiring analysis, is a critical capability that relies substantially on the people element of a SOC. While an alert may be triggered by a system to flag a potential threat, it is only by conducting a detailed security investigation to interpret the data that the scale, impact and severity of that threat can be understood. This responsibility primarily falls to Tier 2 and Tier 3 analysts.
Once an alert is escalated from the triage stage, it should be verified as valid and not a false positive.
The next step is to perform in-depth investigative work into the case – typically the role of a Tier 2 analyst. Various tools should be used to support analysis, with specific actions typically prescribed in workflows and playbooks.
Additional data should be gathered to understand the full context and establish whether a security incident should be raised. Data can be collected via SOC tools, such as the SIEM and sensors, or by accessing additional security tools such as the EDR to dig deeper into the specific systems involved. Other relevant sources include contextual business information, threat intelligence feeds, asset information, knowledge “wikis” and external information (e.g. from government agencies or special interest groups).
Once the data has been enriched with context and threat intelligence, the case should be reviewed to determine if it should be classified as a security event or security incident.
In response to a security event, any additional work and relevant notifications should be carried out, then the case can be closed. If deemed a security incident, further investigation may be required to establish its scale, impact and severity, so that an appropriate classification can be assigned. This can entail assessment of who perpetrated the attack (also known as “attribution”), their intent, how the incident happened, where it initiated, what else has been affected, the timeline of the attack and what the next steps of the threat actor might be. Security investigations should extend to a wider analysis of the environment, not just the assets directly involved. This can be achieved through basic searching or threat hunting.
For advanced investigations, such as forensic or malware analysis, the case may be escalated to a Tier 3 analyst, CSIRT or an external specialist (e.g. on a retainer agreement) – particularly if it is a major incident.
As an investigation progresses, actions for responding to the incident should be recommended and relevant information shared to assist the incident response team.
How we do it at LMNTRIX: At LMNTRIX, three teams manage each phase of the security investigation process around the clock: Threat Detection, Threat Response and Threat Hunting. A Threat Intelligence team is also available during business hours. This is a costly strategy, but it’s the only way we could scale and provide continuous, high-quality service to a quickly expanding global client base. The development of our XDR platform and tech stack, which we insist on using for every deployment, was one of the most important aspects of extending our operation. This platform enables us to automatically validate and enrich events, create the incident, and present it to analysts as a story by consolidating relevant data from all our detections, which cover multiple threat vectors such as machine and underground intelligence, EDR, NDR, network forensics, third-party logs, deceptions, cloud, and mobile security.
Security event: an observed occurrence on a system or network that is perceived as abnormal behaviour. This occurrence could be minor (e.g. a minor malware infection cleaned by anti-virus tools, and therefore no need to escalate as an incident). In some instances, it may turn out to be an operational event or incident rather than a security incident.
Security incident: an event or chain of events that compromise the confidentiality, integrity or availability of information or systems.
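The escalation flow described above (verify the alert, enrich it from SOC and business sources, then classify it using the event/incident definitions) as an added Python example; this is not code from the original article or from LMNTRIX, and the asset inventory, threat-intel feed, EDR status and scanner allowlist are constructed stand-ins for the real sources.

```python
from dataclasses import dataclass, field
# Constructed stand-ins for the enrichment sources the article lists (asset data, TI, EDR).
ASSETS = {"10.0.5.21": {"hostname": "fin-db-01", "criticality": "high"},
          "10.0.9.77": {"hostname": "kiosk-03", "criticality": "low"}}
THREAT_INTEL = {"203.0.113.45": {"tag": "C2 (constructed)", "confidence": 90}}
EDR_STATUS = {"fin-db-01": "threat active", "kiosk-03": "quarantined by AV"}
KNOWN_BENIGN_SOURCES = {"10.0.0.5"}  # approved vulnerability scanner, a classic false-positive source

@dataclass
class Case:
    alert_id: str
    src_ip: str
    dst_ip: str
    alert_type: str  # "outbound-connection" or "malware-detected"
    enrichment: dict = field(default_factory=dict)
    classification: str = "triaged"
    timeline: list = field(default_factory=list)

def verify(case: Case) -> bool:
    """Step 1: confirm the escalated alert is not a known false positive."""
    if case.src_ip in KNOWN_BENIGN_SOURCES:
        case.classification = "false positive"
        case.timeline.append("closed: source is an approved scanner")
        return False
    case.timeline.append("verified: alert is valid")
    return True

def enrich(case: Case) -> Case:
    """Step 2: attach asset context, threat intel and EDR state so the analyst sees one story."""
    asset = ASSETS.get(case.src_ip, {"hostname": "unknown", "criticality": "unknown"})
    case.enrichment = {"asset": asset, "intel": THREAT_INTEL.get(case.dst_ip),
                       "edr": EDR_STATUS.get(asset["hostname"], "no EDR coverage")}
    return case

def classify(case: Case) -> str:
    """Step 3: apply the event/incident definitions; contained minor malware is an event."""
    intel, edr = case.enrichment["intel"], case.enrichment["edr"]
    contained = edr.startswith("quarantined")
    if intel and intel["confidence"] >= 80 and not contained:
        case.classification = "security incident"  # live host talking to known C2: CIA at risk
    elif case.alert_type == "malware-detected" and contained:
        case.classification = "security event"  # AV already cleaned it: notify, then close
    else:
        case.classification = "needs analyst review"
    case.timeline.append(f"classified: {case.classification}")
    return case.classification

def investigate(case: Case) -> str:
    return classify(enrich(case)) if verify(case) else case.classification
```

The "needs analyst review" branch is where the Tier 2 analyst's playbook takes over; automation only settles the clear-cut ends of the spectrum.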
Advanced Analysis Capabilities
Forensic and malware analysis can be essential aspects of investigating a security incident but require specialist tools and are performed by analysts with highly specific technical skill sets. Depending on the organisational structure, these capabilities may be aligned to the CSIRT rather than the SOC.
Forensic analysis: an investigative and analytical technique to identify the perpetrators of a malicious act, collect evidence (both electronic and physical artefacts), create a timeline of the security incident, and preserve the audit trail for the purposes of possible legal proceedings in the future.
Malware analysis: a method to understand the origin, attack vector, purpose, functionality and impact of a given malware sample (e.g. computer virus, worm, Trojan horse, spyware, botnet software, ransomware) so it can be detected and blocked. This analysis can be performed by comparing a malware sample to details of known malware, or reverse engineering a piece of malware to examine how it operates and may propagate across a network.
Threat hunting: the proactive, stealthy and methodical pursuit and eviction of adversaries that may already be in your network – all without relying on IOCs.
Traditional defenses can’t keep up with new attacker techniques, leaving companies vulnerable to hacks. Even if the good guys could match their adversaries’ offensive measures, there would still be times when their defenses would fail. Inevitably, an employee will click on a malicious link in an email or visit a dicey website, or a firewall will be improperly installed. Unlike traditional, reactive approaches to detection, hunting is proactive. With hunting, security professionals don’t wait to take action until they’ve received a security alert or, even worse, suffered a data breach. Instead, hunting entails looking for opponents who are already in your environment. Hunting leads to discovering undesirable activity in your environment and using this information to improve your security posture. These discoveries happen on the security team’s terms, not the attacker’s. Rather than launching an investigation after receiving an alert, security teams can hunt for threats when their environment is calm instead of in the midst of the chaos that follows a detected breach.