Threat and incident response – closing the loop in cyber defense

Two of the Gartner’s 2019 top 10 security projects involve threat detection response and incident response. This highlights the importance of remediation and response aspects in cyber security, they are the last steps taken to close the loop in threat and attack defenses.

Threat or incident response refer to the techniques and processes as well as the remediation actions that are taken based on the analytical conclusions together with the forensic evidences and other threat detection enrichment from threat intelligence. The purpose is to throttle the attacks in progress, break the attack kill chain, isolate or confine any collateral damages as the result of these attacks.

Once an attack alert is triggered or an abnormal behavior is detected, the security analyst or admin must conduct threat analysis to validate the threat alert, remove any possible false positive, assess the risks this have brought to the attacking surfaces and take proper actions. This is the threat and incident response process, It usually contains several stages:

  • Forensic evidence collections and threat data enrichment:

  • Various techniques and tools are used to collect forensic evidences including getting information from the associated packets captures, extracting metadata from the network and traffic logs, retrieving files or process information from the end points, collecting global threat event feeds from the cloud etc.

    On the continuous monitoring system, which most systems are today, these information usually have already been collected, cleansed, normalized and stored in the security data lake, and for a certain period of time. With necessary data available, threat hunting can be conducted to zoom in the offending sources of the attacks as well as to prepare the any forensic evidences.

    Threat enrichment usually involve integrating threat intelligence feeds from internal or external sources, such as IP, domain names or URL reputations, IP GEO information, DNS registration, WHOIS information, various blacklists and reputation data, also importantly, any possible relationships in the past and present. Threat enrichment can be great helps in assisting the threat analysis process, improve the accuracy of detection and strengthen the confidence of the findings.

  • Triage and analysis:

  • In this stage of the process, various techniques, tools and algorithms are applied to the threat data assembled earlier. This generally includes statistical based analysis as well as behavioral based analysis. These mechanisms are used to correlate traces of the attacker over time and space spectrums, connect all the dots together, reconstructs kill chains and provide security analysts and admins insights of the attacking in progress and provide conclusive evidences that a real threat attack has occurred and either host machine or server assets have being compromised.

    Many companies and products utilize machine learning and AI driven analytical mechanisms to derive final predictions based on either big data analysis or user behavioral analysis (UEBA). This has been a very active area in threat analysis and have quite number of products. ML and AI based mechanisms have been effective in assisting to find and detect unknown malware or malware with mutations as well as preventing 0-day or more sophisticated, hidden attacks.

  • Decision making and action taking:

  • In this stage, various remediation actions can be taken as the result of analysis when necessary, these can include:

    • Firewall policy generation and enforcement
    • Global signature update
    • Compromised host or server machine isolation and quarantine
    • Incident ticket generating process and notifications
    • Network situation awareness and risk assessments

Effective threat and incident response can be challenging. As the result, the wide adoptions of the threat and incident response platforms largely depend on the effectiveness.

Most of the products in this space today still focus on the alert reporting, visibility and other presentation optimizations. On the other hand, incident response often largely conducted manually which is often resource consuming, tedious and ineffective.

The rudimental requirements for effective threat and incident response include:

  • Accuracy and effectiveness:

  • Technologies must be in place to extract those real valuable threat data out of vast amount of information, much of them are usually normal traffic data but considered noises to the threat analysis. There are also requirements for threat attack visibility to provide more clear and focused visibility to security analysts and admins to avoid distractions or get bogged down by either false positives or false negatives.

  • Non-disruptive to normal business:

  • It is critical that the remediation actions taken based on the threat analytical process should not cause disruptions to normal business. Any misfires or disruptions to normal business will eventually undercut the purpose of threat incident response. In real deployments, remediation actions should be prioritized and in some cases, use two steps confirmations to ensure accuracies. Today, more companies are adopting cloud based analytical platform to conduct multi-dimension threat analysis on global bases to ensure threat accuracy and effectiveness.

  • Automated analysis and response process:

  • Threat data need to be collected on a continuous bases in order to establish any possible threat and attack contexts over a period of time. It becomes infeasible to do efficient threat data mining or threat analysis manually.

    Automating analysis process has becoming vital to help to quickly find out the root cause of the threat alerts among ocean loads of data, free security analysts and admins from daily workloads and those repetitive jobs and instead, to focus energies and resources on high value and high priority targets. This is particular true after large scale security analytical platforms mature. Threat incident response automation tools and process has formed a new sector in cyber security called Security Orchestration and Automation Response (SOAR) where the processing workflows are defined in so called playbooks. Each playbook can be used to handle certain types of threat incident analysis and response.

Threat and incident response products can come in a standalone, all in one form, it can also be part of the security analytical platform or SOC/SIEM based platforms. These days, most security vendors are using cloud based platform to collect threat feeds from different sources globally, conduct analysis and update results to the deployed entities globally.

This year at RSAC 2019, quite a few security vendors are coming to 2019 to showcase their products which integrate threat and incident response capabilities.

The intelligence capabilities on Hillstone Networks iNGFWs and breach detection system carry multiple detection engines that can conduct conventional signature based detection as well as behavioral based analysis using machine learnings, after threat alerts are triggered, threat analysis are conducted, either manually or automatically, after mitigation actions can be done at the iNGFW or endpoints upon admin’s confirmation.

In the near future, there will be more threat and incident response capabilities from Hillstone Network’s security product portfolios.