Security Operations and DFIR

SOC, SOAR, Threat Hunting, SANS 6-step IR, The Diamond Model of Intrusion Analysis, Cyber Threat Intelligence, MaGMa Use Case Framework

Improve your SOC: SOAR or Threat Hunting or both?

June 23, 2020

Given the sophistication and constant change of the cyber threat landscape, many mature organizations have identified the need to improve the detection, analysis and response capabilities of their Security Operations Center (SOC). Currently, security analysts are often occupied with trivial copy-paste or other tedious low-level tasks rather than gaining a deep understanding...

IBM Resilient SOAR, QRadar, Carbon Black Response, A10 Proxy, MITRE ATT&CK

Resilient Playbook and automated actions for Threat Hunting and DFIR

March 31, 2019

Some initial triage task instructions are listed under the Stage 1 Analysis phase of the incident which are processed by the Security Operations team. Once completed, the incident is handed off to the Threat Hunting team for scoping the attack and developing further intelligence. As you can see, all the TTP task instructions regarding APT28 have been loaded into the Stage 2 Analysis phase of this playbook...

IBM Resilient SOAR, QRadar, Carbon Black Response, A10 Proxy

Threat Hunting – a relatively new discipline in Cyber defense

February 28, 2019

The idea behind Threat Hunting is to shift from a reactive IR model to a proactive approach. In Security Operations, a detection team hands off an alert to an Incident Response team which validates the incident and responds to it in case it’s a true incident. The goal with Threat Hunting is to proactively engage a team and hunt for known adversaries including their applied TTPs in an organization’s networked computing environment...

IBM Resilient SOAR, QRadar, MITRE ATT&CK

Resilient Workflows and Playbooks

January 3, 2019

This post shows how we implement the individual TTP detection and mitigation instructions with workflows and playbooks. For this, we first integrate additional cyber security systems and tools, and second we extend our solution draft by building Stage 1/2 Analysis capabilities. The goal is to help Security Operations and DFIR streamline deep security and forensic analysis, drastically reduce analysis and response time, and understand and keep track of the full scope and complete impact of an attack...

IBM Resilient SOAR, Recorded Future CTI, STIX

Implementation – STIX knowledge and relevance graph – steps 16-21

December 28, 2018

In order to generate the knowledge graph we first check whether a related Threat Actor has been provided as part of the CTI, and if so, we map it to the corresponding MITRE ATT&CK Intrusion Set. Next we search recursively for the tools and malware utilized by that specific Intrusion Set. Then we create a STIX file that includes all the identified Tool SDOs and Malware SDOs along with the Intrusion Set SDO, all provided by MITRE. Next, we are further...
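The actor-to-intrusion-set mapping and the recursive walk over "uses" relationships described above, as an added example (not the post's own implementation). The objects below are constructed in the shape of the MITRE ATT&CK STIX collection (intrusion-set, malware, tool and attack-pattern SDOs joined by "uses" relationship SROs); all names and ids are invented, and the second hop (a malware object that itself "uses" another) is included only to exercise the recursion. It also skips objects and relationships flagged `revoked` or `x_mitre_deprecated`, which is how ATT&CK retires content.

```python
"""Map a CTI threat actor name to an ATT&CK-style intrusion set and collect the
malware and tools reachable over "uses" relationships (added example)."""
import json
import uuid
from collections import defaultdict, deque

# Constructed sample in the shape of the ATT&CK STIX collection. Ids and names
# are invented for this example and are not real ATT&CK content.
_G = "intrusion-set--11111111-1111-4111-8111-111111111111"
_RAT = "malware--22222222-2222-4222-8222-222222222222"
_LOADER = "malware--33333333-3333-4333-8333-333333333333"
_DUMPER = "tool--44444444-4444-4444-8444-444444444444"
_OLD = "tool--55555555-5555-4555-8555-555555555555"
_TECH = "attack-pattern--66666666-6666-4666-8666-666666666666"


def _uses(src, dst, **extra):
    rid = uuid.uuid5(uuid.NAMESPACE_URL, src + dst)
    rel = {"type": "relationship", "id": f"relationship--{rid}",
           "relationship_type": "uses", "source_ref": src, "target_ref": dst}
    rel.update(extra)
    return rel


SAMPLE_OBJECTS = [
    {"type": "intrusion-set", "id": _G, "name": "Sample Group",
     "aliases": ["Sample Group", "SAMPLE-BEAR"]},
    {"type": "malware", "id": _RAT, "name": "Sample RAT"},
    {"type": "malware", "id": _LOADER, "name": "Sample Loader"},
    {"type": "tool", "id": _DUMPER, "name": "Sample Dumper"},
    {"type": "tool", "id": _OLD, "name": "Retired Tool", "revoked": True},
    {"type": "attack-pattern", "id": _TECH, "name": "Sample Technique"},
    _uses(_G, _RAT),
    _uses(_G, _DUMPER),
    _uses(_G, _OLD),          # target is revoked: must be dropped
    _uses(_RAT, _LOADER),     # constructed second hop to exercise recursion
    _uses(_RAT, _TECH),       # technique, not software: not collected
]


def _active(obj):
    return not obj.get("revoked", False) and not obj.get("x_mitre_deprecated", False)


def find_intrusion_set(objects, actor_name):
    """Match the CTI actor name against intrusion-set names and aliases (case-insensitive)."""
    wanted = actor_name.strip().lower()
    for obj in objects:
        if obj["type"] != "intrusion-set" or not _active(obj):
            continue
        names = [obj.get("name", "")] + obj.get("aliases", [])
        if wanted in (n.lower() for n in names):
            return obj
    return None


def collect_used_software(objects, start_id):
    """Breadth-first walk over active "uses" SROs; returns ({id: malware/tool SDO}, [SROs])."""
    by_id = {o["id"]: o for o in objects}
    uses = defaultdict(list)
    for o in objects:
        if o["type"] == "relationship" and o.get("relationship_type") == "uses" and _active(o):
            uses[o["source_ref"]].append(o)
    seen, software, rels = {start_id}, {}, []
    queue = deque([start_id])
    while queue:
        for rel in uses.get(queue.popleft(), []):
            target = by_id.get(rel["target_ref"])
            if target is None or not _active(target) or target["type"] not in ("malware", "tool"):
                continue
            rels.append(rel)
            if target["id"] not in seen:
                seen.add(target["id"])
                software[target["id"]] = target
                queue.append(target["id"])
    return software, rels


def knowledge_bundle(objects, actor_name):
    """STIX bundle with the intrusion set, the software it uses and the traversed SROs."""
    group = find_intrusion_set(objects, actor_name)
    if group is None:
        return None
    software, rels = collect_used_software(objects, group["id"])
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [group, *software.values(), *rels]}


def software_names(objects, actor_name):
    b = knowledge_bundle(objects, actor_name)
    return sorted(o["name"] for o in b["objects"] if o["type"] in ("malware", "tool")) if b else []


if __name__ == "__main__":
    print(json.dumps(knowledge_bundle(SAMPLE_OBJECTS, "SAMPLE-BEAR"), indent=2))
```

The alias match matters in practice: CTI vendors and ATT&CK rarely agree on a primary group name, and a name-only lookup silently returns nothing.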

IBM Resilient SOAR, Recorded Future CTI, STIX

Implementation – Related IP Addresses – steps 11-15

December 23, 2018

Now we want to take advantage of our actionable CTI. The goal is to verify the related IP addresses of the two Recorded Future-matched destination IP addresses 81.7.11.83 and 93.184.220.29 that have been communicated as part of their corresponding CTI. We verify all related IP addresses against the QRadar Ariel database and only consider the ones that have local relevance, i.e. local-to-remote network traffic that matched a related IP address. Finally we take those matching related IP addresses into the Resilient Incident Artifacts tab...
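The local-relevance check from this step, as an added example that is not the post's own code or an Ariel/AQL query: it runs the same filter over flow records already pulled from the SIEM. The related IP lists, the flow records and the local address ranges are all constructed for the example (the related IPs use the RFC 5737 documentation ranges), and only the two matched destination IPs come from the text.

```python
"""Keep only CTI "related IP addresses" that show up as the destination of
local-to-remote traffic, and turn them into incident artifacts (added example)."""
import ipaddress
from collections import defaultdict

# Assumption: the organisation's local address space (RFC 1918 here).
LOCAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# Constructed CTI: related IPs per matched destination IP (the two keys are from the post,
# the related addresses are invented documentation-range values).
RELATED_IPS = {
    "81.7.11.83": ["203.0.113.10", "198.51.100.7"],
    "93.184.220.29": ["198.51.100.7", "192.0.2.55"],
}

# Constructed flow records: (sourceip, destinationip, destinationport, bytes).
SAMPLE_FLOWS = [
    ("10.20.30.40", "203.0.113.10", 443, 1200),   # local -> related: relevant
    ("203.0.113.10", "10.20.30.40", 443, 800),    # remote -> local: wrong direction
    ("10.20.30.41", "198.51.100.7", 8443, 300),   # local -> related: relevant
    ("10.20.30.40", "198.51.100.7", 8443, 150),   # second local host, same related IP
    ("10.20.30.42", "192.0.2.9", 53, 100),        # local -> unrelated remote
    ("10.20.30.1", "10.20.30.2", 445, 50),        # local -> local
    ("not-an-ip", "192.0.2.55", 80, 10),          # malformed record, must not crash
]


def is_local(ip):
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in LOCAL_NETS)


def local_relevance(flows, related_ips):
    """Map each related IP seen in local-to-remote traffic to the CTI IPs it came
    from, the local sources that talked to it and the number of matching flows."""
    lookup = defaultdict(set)              # related ip -> {matched CTI ips}
    for cti_ip, related in related_ips.items():
        for r in related:
            lookup[r].add(cti_ip)
    hits = {}
    for src, dst, _port, _nbytes in flows:
        # L2R only: local source, remote destination that is a related IP
        if dst not in lookup or not is_local(src) or is_local(dst):
            continue
        entry = hits.setdefault(dst, {"matched_via": sorted(lookup[dst]), "sources": set(), "hits": 0})
        entry["sources"].add(src)
        entry["hits"] += 1
    for entry in hits.values():
        entry["sources"] = sorted(entry["sources"])
    return hits


def incident_artifacts(flows, related_ips):
    """Related IPs worth adding to the incident, most frequently contacted first."""
    rel = local_relevance(flows, related_ips)
    return sorted(rel, key=lambda ip: (-rel[ip]["hits"], ip))


if __name__ == "__main__":
    for ip, info in local_relevance(SAMPLE_FLOWS, RELATED_IPS).items():
        print(ip, info)
    print("artifacts:", incident_artifacts(SAMPLE_FLOWS, RELATED_IPS))
```

Direction is the point of the check: a remote-to-local hit on the same address (inbound scanning, for instance) does not establish that a host inside the network reached out to the related infrastructure, so it is deliberately not counted.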

IBM Resilient SOAR, STIX, QRadar, QNI

Implementation – STIX bundle – steps 7-10

December 21, 2018

As part of this solution draft we are expressing the CTI provided IOCs in STIX Indicator SDOs and their local relevance in STIX Observed Data SDOs. We are further generating Sighting SROs in order to visualize that we sighted IOCs in the local context. We are also leveraging the Identity SDO in order to specify Recorded Future as an organization that we are receiving indicators from and myself – Rukhsar Khan, Security Analyst – as an individual. In order to put the Identity SDO into a relationship with other SDOs we are making use of the Relationship SRO. For generating a visualized graph...
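The object model described in this step (Indicator and Observed Data SDOs, a Sighting SRO tying them to the local context, Identity SDOs for Recorded Future and the analyst, and a Relationship SRO), as an added example written against STIX 2.1 with plain dictionaries rather than the post's own tooling or the `stix2` library. The two destination IPs and the identity names are from the page; the organisation identity "Example Corp SOC", the observation timestamps and the hit counts are constructed. Identity is attached to the objects it produced via `created_by_ref` and `where_sighted_refs`, and the explicit Relationship SRO uses the `based-on` type STIX defines between an Indicator and the Observed Data it rests on. The block also includes a dangling-reference check, since a bundle whose `*_ref` values point nowhere renders as an empty graph.

```python
"""Express CTI IOCs and their local sightings as a STIX 2.1 bundle and verify
that every reference in the bundle resolves (added example)."""
import json
import uuid
from datetime import datetime, timezone


def _ts(dt=None):
    """STIX timestamp: RFC 3339 in UTC with millisecond precision."""
    dt = dt or datetime.now(timezone.utc)
    return dt.strftime("%Y-%m-%dT%H:%M:%S.") + f"{dt.microsecond // 1000:03d}Z"


def _obj(stix_type, **props):
    now = _ts()
    o = {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}",
         "created": now, "modified": now}
    o.update(props)
    return o


def identity(name, identity_class):
    return _obj("identity", name=name, identity_class=identity_class)


def ip_indicator(ip, producer):
    """Indicator SDO for a CTI-provided destination IP, attributed to its producer."""
    return _obj("indicator", name=f"CTI destination IP {ip}",
                indicator_types=["malicious-activity"],
                pattern=f"[ipv4-addr:value = '{ip}']", pattern_type="stix",
                valid_from=_ts(), created_by_ref=producer["id"])


def local_sighting(indicator, ip, first_seen, last_seen, count, analyst, org):
    """Observed Data (what we saw locally), the Sighting linking it to the indicator,
    and a based-on Relationship. SCOs carry no created/modified properties."""
    sco = {"type": "ipv4-addr", "spec_version": "2.1",
           "id": f"ipv4-addr--{uuid.uuid4()}", "value": ip}
    observed = _obj("observed-data", first_observed=first_seen, last_observed=last_seen,
                    number_observed=count, object_refs=[sco["id"]],
                    created_by_ref=analyst["id"])
    sighting = _obj("sighting", sighting_of_ref=indicator["id"],
                    observed_data_refs=[observed["id"]], where_sighted_refs=[org["id"]],
                    count=count, created_by_ref=analyst["id"])
    based_on = _obj("relationship", relationship_type="based-on",
                    source_ref=indicator["id"], target_ref=observed["id"])
    return [sco, observed, sighting, based_on]


def bundle(objects):
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


def dangling_refs(b):
    """(object id, property, missing target) for every *_ref/*_refs not in the bundle."""
    ids = {o["id"] for o in b["objects"]}
    missing = []
    for o in b["objects"]:
        for key, val in o.items():
            if key.endswith("_ref") and val not in ids:
                missing.append((o["id"], key, val))
            elif key.endswith("_refs"):
                missing.extend((o["id"], key, r) for r in val if r not in ids)
    return missing


def build_example():
    rf = identity("Recorded Future", "organization")
    org = identity("Example Corp SOC", "organization")     # assumption: the local organisation
    analyst = identity("Rukhsar Khan", "individual")
    objs = [rf, org, analyst]
    # Constructed observation windows and hit counts for the two IPs named in the post.
    for ip, hits in (("81.7.11.83", 4), ("93.184.220.29", 1)):
        ind = ip_indicator(ip, rf)
        objs.append(ind)
        objs += local_sighting(ind, ip, "2018-12-20T08:15:00.000Z",
                               "2018-12-21T06:02:00.000Z", hits, analyst, org)
    return bundle(objs)


if __name__ == "__main__":
    b = build_example()
    print(json.dumps(b, indent=2))
    print("dangling references:", dangling_refs(b))
```

Keeping the observation (Observed Data) separate from the claim (Indicator) is what lets the Sighting carry a count and a location without rewriting the vendor's indicator.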

IBM Resilient SOAR, MITRE ATT&CK, Recorded Future CTI, IBM QRadar SIEM, QRadar Network Insights (QNI)

Implementation – Overview – steps 0-6

December 17, 2018

Our core implementation of the MITRE ATT&CK framework is performed in the IBM Resilient SOAR platform. In order to converge Security Operations and DFIR in this single platform we have defined two stages, namely Stage 1 Analysis and Stage 2 Analysis. Stage 1 Analysis corresponds to a SecOps Level 1 and Level 2 team, whereas Stage 2 Analysis applies to a DFIR team...

IBM Resilient SOAR, MITRE ATT&CK, Recorded Future Cyber Threat Intelligence, STIX

Solution Draft

December 13, 2018

Based on the experience we have gained in the last decade with dozens of large customers and newly emerged market technologies like Security Information and Event Management (SIEM), Endpoint Detection and Response (EDR), sophisticated CTI and advanced tools and products for computer and network forensics, our claim is that Security Operations and DFIR need to converge. Both disciplines have strengths and weaknesses, so the goal should be to merge the strengths and shun the weaknesses of both in a single platform. And what would be more suitable for this than a SOAR platform...

Cyber security, DFIR, Incidentresponse

Current Security Operations and DFIR problems

December 11, 2018

If you give an attacker 100 days to move freely in your environment after he has compromised it, the evidence is fairly strong that your organization is pretty bad at Security Operations. This is what currently happens in a lot of organizations. According to a Forrester report, the median breach confirmation time in 2017 was 101 days. So basically it took 101 days for Security Operations to confirm a breach and hand it off to the DFIR team...

Executive Summary

Operationalizing the MITRE ATT&CK framework for Security Operations, Threat Hunting and DFIR

December 7, 2018

Cyber attackers are constantly becoming more subtle while Security Operations (SOC, CERT and CSIRT) continues to scratch the surface. It doesn't matter whether that's a large enterprise, bank or government institution. The evidence is fairly strong that most organizations are pretty bad at security operations. Why are there so many global high-profile breaches? Why can organizations today not adequately detect and respond to breaches even though they have spent millions on their cyber security defense? You don't have to be a genius to figure out that there must be vital gaps in the defense ecosystem of organizations. But how do we identify these gaps, and what course of action is required?...
