Security Automation For Malware Alerts

1
Security Automation

• for Malware Alerts

2
Introduction

• Automating the triage and incident response for
  malware alerts. Here we will discuss the steps to
  automate some of the most common SOC processes.

3
Why Malware?

• Malware makes our list for two main reasons.
  First, malware alerts have inherently low
  fidelity, especially in large organizations. The
  sheer volume of malware-related alerts can easily
  inundate SOC teams, who need to correlate data
  from various sources/alerts to gain context but
  are faced with low signal-to-noise ratios.

4
Malware Infections

• Because some malware infections can contaminate
  several systems in a very short period of time,
  quick response is an absolute necessity. If the
  malware has worm-like attributes, it can spread
  through you network, and even to adjoining
  networks, in just a matter of hours.

5
Automation For Malware

• Security automation can take care of the entire
  data collection process and present analysts with
  actionable information in a fraction of the time
  it would take them to manually aggregate the
  necessary details. Instead of spending a lot of
  time on a swivel-chair interface for data
  integration/correlation, analysts can view all
  the information they need through a single pane
  of glass and go straight to decision-making.

6
Data Gathering

• Before SOC teams can respond to a malware alert,
  they need to go through a time-consuming and
  tedious process that begins with data gathering
  and user or host enrichment. Raw data from a
  single or even a handful of malware alerts is not
  enough to provide actionable information.

7
Threat Intelligence Data

• Youll also need to compare the data you just
  gathered with your threat intelligence and web
  intelligence. What do they say about the hash you
  just obtained? Is it associated with a known
  malware? What do they say about the URL you
  discovered the suspected malware was connecting
  to? Is it a known CC server?

8
Security Integrations

• To get all that information and obtain the best
  context, youll have to run the suspected malware
  through a series of scans, tests and a host of
  other procedures on security orchestration
  integration.
• VirusTotal for a hash
• SEP (Symantec Endpoint Protection) for additional
  context
• Nessus for vulnerability information
• SSCM to get context from asset information
• And so on

9
Automated Analysis

• As not all malware (zero-day threats in
  particular) can be detected through signature and
  basic heuristic-based scans, youll often need to
  send the file to a sandbox like Cuckoo for
  further analysis.
• Security automation and orchestration can save
  time by taking charge of sending the suspicious
  files to the sandbox environment, obtaining the
  results, and delivering them to your screen in a
  concise report.

10
First-level Determination

• First-level determination refers to that stage
  wherein analysts make an initial assessment based
  on the information gathered from the previous two
  stages and then arrive at a decision. Although
  some organizations might opt to do this manually,
  i.e. leaving the decision-making to the analyst,
  its also something that can be completely
  delegated to automation solutions that leverage
  machine learning-powered analytics platforms.

11
Deeper Investigation

• Some cases require deeper investigation. This
  would typically entail things like looking into
  your endpoint tools to obtain other pieces of
  information
• What were the other hosts (if any) in the
  organization where the hash in question
  manifested?
• What were the activities going on in those
  endpoints over the last 10 minutes when that
  specific alert was generated?
• Who were the end users logged in?
• What network connections were involved?

12
Feedback/Remediation

• Last but not the least is the feedback/remediation
  stage. At this stage, SOC teams typically
  perform a series of tasks that improve the
  organizations security posture - blacklisting
  the hash or URL, performing an intelligence
  update, updating security sensors, re-imaging
  systems, and so on. All these - you guessed it -
  can be partially or fully automated, depending on
  the policies within your organization.

13
Conclusion

• Analysts devote so much time processing malware
  alerts. But a substantial portion of that time is
  consumed by mundane tasks such as data
  collection, basic analysis, forwarding of files,
  and several others that can actually be delegated
  to malware security automation.