Tuesday, August 13, 2019


Threat Detection and Incident Response without Enrichment 

Why SOAR spends so much time gathering artifacts and what we can do to improve it

As an IT executive, I see SOC analysts frustrated with the incident response process on a daily basis.  From the SOC analyst’s perspective, the key requirement of any security analytics system is to easily take in and process telemetry data from a broad spectrum of logged activity across the enterprise and then easily and effectively communicate what the threat is, where to look for it, who owns the asset(s), and how to remediate it.  However, that’s not the incident lifecycle most SOC’s are living.  
Telemetry data is supposed to be helpful and answer more questions.  Sources for this data include network, host, application, end-point, external intelligence sources, and many, many more.  In other words, if it logs activity, collect it, and use it.  I’ve found that a SOC analyst expects three (3) primary deliverables from the analytics performed on all of this data when identifying a security incident:

  1. Detect – often times the information found in an incident or an alert from your SIEM vendor is enough to warrant further investigation. Without this step, we’re back in the Stone Age.
  2. Validate – This is where we get stuck.  While the alarm, alert, incident or event (depending on your nomenclature), may have potential indicators of compromise, often times it warrants additional investigation about the context of this data.  Which application executed this?  What are the user’s permissions? Is this device joined to the domain? Which organization is it related to? Who is its asset owner? When was the last time this account was used? Have I seen this before?
  3. Prioritize – While most of us get stuck on “validate”, prioritization can also be difficult when a large number come in a short period of time. Where should we start? Patient Zero? Our Business Process Services?
As broad a spectrum as there is for the sources of the data, the expected results are simple: accuracy.  It is a fact, that better data drives better decision making and that goes for analytics engines as well.  In the case of security analytics, the best, most accurate decisions are made when the inbound streaming telemetry data has been enriched.
Based on the definition by Techopedia, data enrichment is the process by which raw data is improved so that it can be better and more easily utilized. For the purposes of security analytics data enrichment is the first step in the process feeding the analytics or machine learning engines. Data extrapolation is also considered data enrichment, filling in gaps and holes in the telemetry data to conform with the mathematical models. Data enrichment allows for data to be fed into a system in a format that is easily understood by the algorithms to ensure that proper context is maintained throughout the process.
Further enrichment comes in the form data augmentation. While collecting the data might be enough for some, to get the real benefit out of data enrichment, information must be adding to the data in the form of metadata. Using data collection points to collate, arrange, and categorize data makes for a much more robust data enrichment system. This sets the data up for use in analytics and machine learning engines to render accurate, timely indication of an actual breach or determine that the anomalous behavior is not malicious.
Let’s take some real-world business use cases for enrichment and how it helps to make better decisions:

Use Case #1A: Organization and Escalation Management
For our first example, I’ll start by helping to address organization and escalation needs.  When we have an issue, more specifically with a user’s account, an immediate first step for many SOC analysts is to gather more information about this user from local data sources including Active Directory, Office365, CASB, and many more.  That is, if you’ve provided your SOC or your MSSP, with access credential permissions to make these types of requests.  In many MSSP examples, this is not a real-world option and is only possible via secure credential management and real-time enrichment.
By enriching the event with the new additional fields for the provided username, more data is available in real-time. Often times, gathering further user information, such as location, organizational unit, or management information, can help when measuring and/or quarantining an internal threat.  Some organizational strategies can include looking for remote desktop connections from users in departments that do not use RDP for any of their applications.

Example information (User A/D):
    City      : Dallas
    Country      : United States of America
    Department      : Information Technology Services
    EmailAddress      : tshelton@hawk.io
    EmployeeID : 1
    HomePhone      : (555) 867-5309
    State      : Texas
    StreetAddress      : 5057 Keller Springs Rd #100 
    Manager      : Phil Lesh
    PostalCode      : 75001

Use Case #1B: Information relative to threat analysis
Additionally, information enrichment can be used for real-time analytics for looking for anomalies in login patterns.  One example could be an account that has not authenticated in over 30 days may be a greater risk.  Other examples include having the user’s permissions available for validation against changes, looking for deviations. Finally, new users that have never logged in before may also be of additional risk.  By referencing the lastLogon field, you can simply determine whether or not this user has ever logged in before.      

Example information (User A/D):
    LastLogon                           : 0
    LastLogonDate                    : 5/21/2019 10:46:06 AM
    LastBadPasswordAttempt : 5/29/2019 1:02:18 PM
    MemberOf         : {CN=Performance Log
    Users,CN=Builtin,DC=hawkio,DC=local, CN=Group Policy Creator
    Owners,CN=Users,DC=hawkio,DC=local, CN=Enterprise
    Admins,CN=Users,DC=hawkio,DC=local, CN=Schema
    Admins,CN=Users,DC=hawkio,DC=local...}


Use Case #2: Device Information – Asset Tracking and Threat Analysis
By leveraging CASB, A/D Computer sources, and many other device management solutions, we have a multitude of additional fields available to us.  By using enrichment sources such as A/D for domain joined devices, along side flat files or csv to manage network devices, a simple enrichment process can be put into place to enrich events with additional information when available, and when not available, it then can be treated as an unknown or new device on your environment, providing greater visibility to what devices are on your network.
Additionally, by having the detailed Operating System information, we can help better determine if IDS/HIDS exploit detection should be further escalated, depending on if the source host is vulnerable to the given threat (if applicable).

Example information (Computer A/D):
    isCriticalSystemObject               : True 
If TRUE, the object hosting this attribute must be replicated during installation of a new          replica.
    OperatingSystem                      : Windows Server 2016 Standard
    OperatingSystemHotfix             :
    OperatingSystemServicePack  :
    OperatingSystemVersion          : 10.0 (14393)

Use Case #3: Threat Intelligence Enrichment – Advanced Decision Making

By leveraging any of the multitude of public or private threat intelligence feeds, a world of analytics and classification comes to life.  Separating threat intelligence feeds and enriching events based upon host, domain, url or any imaginable lookup field allows us to diversify its application.  Simple examples include enriching threat or reputation data based upon host information, which can help to further contribute to avoiding an incident escalation altogether or further provide evidence for the investigation.

The basic point of enrichment is that it lends itself to strengthening the initial detection, without relying on secondary systems to pick up the pieces.

Accuracy is the common goal of both the buyers and providers of security analytics platforms and services.  Those who achieve the highest accuracy have demonstrated the ability to overcome very difficult challenges associated with ingesting raw telemetry from a broad array of systems, devices, applications, etc.  For customers and clients, security analytics accuracy is the essential core requirement for organizations to trust and rely moving forward to automate incident response with confidence.  

For product and security analytics developers and service providers, accuracy requires innovation in data enrichment to capture the true context of the events that make up security incidents.  Precise analytics are driven by well-enriched telemetry data that factor in the environment’s risk factors and will drive reliable incident response.

Next up in the on “Trusting Analytics Enough to SOAR” blog mini-series is a deeper dive into the requirements of meaningful data enrichment of security telemetry.  Check it out!