Security Operations

The Accuracy and Scoping of Today’s Cybersecurity Incidents

Alexa Rzasa
by Alexa Rzasa
category Security Operations

During my time as an incident responder and after spending many years working with various teams of Security Operation Center (SOC) analysts, I’ve realized just how many pet peeves I’ve been developing. As I’m sure many of you know, there’s nothing quite like receiving a phone call in the middle of the night for an incident that was quickly and easily determined to be a false positive.

In the analyst’s defense, I must acknowledge that SOC teams face a ton of challenges including:

  • Staff shortages
  • Large alert volumes
  • Incomplete context
  • Long shifts
  • SIEM content (that isn’t very accurate or interesting from a security standpoint).

Aside from 2 a.m. wakeup calls, another pet peeve is that SOC analysts are not armed with, given access to, or do not have knowledge of the tools that would help them fully scope an incident across the enterprise.  In an ideal world, a SOC analyst could call me and tell me exactly how many systems are involved in an incident, which of those systems are most critical and have a recommendation ready for remediation. The process that a SOC analyst typically follows when investigating a potential issue is as follows:

  1. Analyze alerts in the SIEM console
  2. Manually decide which alerts or events are related to each other
  3. Identify the systems that appear to be involved
  4. Determine if the attack is theoretically possible
  5. Escalate accordingly

In many cases, this approach (especially steps 1 through 3) falls short of ensuring that an incident is accurately and completely scoped.  Without clear visibility into each endpoint and network segment, it isn’t possible for the SOC analyst to truly understand the scope of an incident.

The job of scoping an incident is then left to the Incident Response (IR) team and ultimately increases the overall time to remediation.  These days you may have the luxury of a threat intelligence or a hunt team as a resource. These teams can expedite the IR process by determining, for example, if an indicator of compromise is found on multiple systems across the enterprise. However, these teams are typically only available during normal business hours and not always when an IR engagement kicks off.

Whether you’re dealing with a group of sophisticated attackers or the latest variant of ransomware, the results of incorrectly scoping an incident can be devastating.  The most common unintended consequence is that the attacker is not completely removed from the environment. Other consequences of an inaccurately scoped incident could be that the attacker attempts to hide their presence by destroying data and tampering with forensic artifacts.  It may even result in early data exfiltration leading your organization into breach territory.

With the Respond Analyst and the advent of the Security Response Center (SRC) I have hope that these pet peeves will soon be a thing of the past.  Respond is not only able to accurately determine if an incident should be escalated, but also scopes incidents much earlier in the response lifecycle compared to human-only SOCs. How does the Respond Analyst scope an incident?

  • By leveraging key telemetry from existing network devices, such as IDS/IPS
  • Collecting information about each endpoint at the time of incident escalation
  • Cross referencing indicators such as process names, file hashes and IP addresses that are collected at the time of incident escalation with systems that exhibit the same behavior and contain the same artifacts

This comprehensive picture is easily brought into focus with Respond’s analyst modules and the resulting information is seamlessly handed over to the IR team for immediate action.
Welcome to the end of the console.