Separating the Signal from the Noise

Time is money.
Analysts have precious little of it.

Both people and machines are taxed to their limits ingesting huge volumes of data. Mean time to containment of a cybersecurity compromise for most enterprises still lingers between six hours and a week. Analysts can make use of automation, human-machine teaming, and other advanced analytics, but the question becomes: what should they focus on?

Put yourself in the place of a SOC analyst performing incident response. Test your skills in the following scenario to see if you can select the best signals for investigation. You will also be timed on how quickly you respond.

Introduction

Situation

Corporate network user credentials are stolen in a “free” Wi-Fi hotspot and are used to gain access into the protected network.

Storyline

The credentials are now owned by a criminal organization that would love to infiltrate the corporate network, cause damage, exfiltrate data, and ultimately tarnish the reputation of the company to decrease the stock price.

The Level I Security Analyst deals with multiple security alerts and may be challenged to determine what needs to be attended to first, which makes it difficult to identify a real threat. The following is an alert the typical analyst may find at the start of the day.

Decision point

What would be the suggested starting point for further investigation after an alarm is received on a possible case of stolen network credentials within this security incidents dashboard?

  • A. Total Events
  • B. Total Correlated Events
  • C. Average Severity – Correlated Events
  • D. Event Distribution
  • E. Source IPs
  • F. Destination Events
  • G. Events

The correct response is "Average Severity - Correlated Events" because you are looking for what is considered most risky. All other indicators are noise.

As the next step in the initial investigation after the alarm was created, the security analyst identifies abnormal logons from multiple geolocations with the help of McAfee Enterprise Security Manager, using the Suspicious Geo Login Events view. Meanwhile, a case is created through the integration with the ServiceNow Security Operations solution to track resolution of this detected security incident.

After the initial step during the investigation, it seems like Jason Waters’ account has been compromised with three successful logons from three different countries in a short period.

Does the security analyst need to perform further investigation of these suspicious activities?

  • Yes, investigate
  • No - it's noise

The correct answer is 'Yes' because three logons in a short time from different countries is highly suspicious.
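The correlation behind this decision point, sketched as an added example (this is not McAfee Enterprise Security Manager rule logic or code from this page): flag any account with successful logons from several distinct countries inside one sliding time window. The threshold of three countries follows the scenario; the one-hour window, the account names, and the sample events are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events: (ISO timestamp, account, source country, outcome).
# Account names, times and countries are illustrative, not taken from the page.
SAMPLE_EVENTS = [
    ("2018-03-05T08:01:00", "jwaters", "US", "success"),
    ("2018-03-05T08:04:00", "mlopez",  "US", "success"),
    ("2018-03-05T08:12:00", "jwaters", "RO", "success"),
    ("2018-03-05T08:15:00", "jwaters", "CN", "failure"),
    ("2018-03-05T08:31:00", "jwaters", "BR", "success"),
    ("2018-03-05T09:10:00", "mlopez",  "CA", "success"),
    ("2018-03-05T13:40:00", "mlopez",  "US", "success"),
]

def suspicious_geo_logins(events, min_countries=3, window=timedelta(hours=1)):
    """Return {account: sorted countries} for accounts with successful logons
    from at least `min_countries` distinct countries within one window."""
    recent = defaultdict(deque)   # account -> (time, country) pairs in window
    flagged = {}
    for ts, user, country, outcome in sorted(events):   # chronological order
        if outcome != "success":
            continue              # a failed attempt is not a logon
        now = datetime.fromisoformat(ts)
        q = recent[user]
        q.append((now, country))
        while now - q[0][0] > window:
            q.popleft()           # expire logons older than the window
        countries = {c for _, c in q}
        if len(countries) >= min_countries:
            flagged.setdefault(user, set()).update(countries)
    return {u: sorted(c) for u, c in flagged.items()}

if __name__ == "__main__":
    for user, countries in suspicious_geo_logins(SAMPLE_EVENTS).items():
        print(f"{user}: successful logons from {', '.join(countries)}")
```

The second account travels between two countries over several hours and is not flagged, which is the kind of noise the window and threshold are meant to keep out of the analyst's queue.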

Upon examining the breached account’s IP address, it appears that the address has been used to execute a fileless malware attack through Microsoft PowerShell injection to gain access into the protected network.

Decision point

What would be the best two actions to continue as a part of the incident response tasks?

  • A. Shutdown all endpoints in the corporate network
  • B. Continue the investigation for identifying the presence of lateral movement and if any malware file has been injected in the victim’s machine by the PowerShell Injection
  • C. Change inbound firewall rules to close the access into the corporate network from the exterior
  • D. Create a correlation rule that triggers when a new connection is successful from all registered countries
  • E. Disable the access of the compromised account

Lateral movement is highly suspect with a PowerShell injection. And, obviously, you want to disable the compromised account.

As a part of a detailed investigation, the security analyst pivots into McAfee Investigator to expose more details on processes and directionality while the investigation is in progress and identify any possible lateral movement of the attack in progress.


Decision point

What would be the next three recommended actions as a part of the incident response?

  • A. Add this new alert and any other relevant security events to the opened incident in progress
  • B. Determine if the unknown file is malicious based on file hash value
  • C. Determine if the unknown file is malicious based on the detonation of the file in McAfee Advanced Threat Defense
  • D. Change the file hash to avoid any further dissemination in case the result is positive
  • E. Verify if any other unknown files have also been convicted in McAfee Advanced Threat Defense

You want to continue to collect telemetry on this incident, so A is one correct action. You also need to determine file behavior from ATD - so C is also correct. And you should be proactive and determine if ATD has picked up similar behavior by other files recently. So A, C and E are all recommended actions.

The security analyst pivots into McAfee Advanced Threat Defense where the suspicious file implanted during the PowerShell injection is convicted and detonated.

The file has been identified as malicious during the sandbox deep analysis.

Decision point

Any actions recommended after this step?

  • A. Blacklist the hash file in McAfee Enterprise Security Manager for earlier detection
  • B. Modify the Access Protection and Exploit Prevention default policies on all corporate endpoints to prevent unauthorized PowerShell execution
  • C. Add into McAfee Enterprise Security Manager watchlists the source IPs detected during the infiltration for further monitoring
  • D. All of the above
  • E. None of the above

Blacklisting the hash file, modifying endpoint policies to prevent unauthorized PowerShell execution, and adding the source IPs into SIEM watchlists are all good actions.

Modify the Access Protection and Exploit Prevention default policies on all corporate endpoints to prevent unauthorized PowerShell execution using McAfee ePolicy Orchestrator in conjunction with McAfee Endpoint Security.

Results


The 2017 Ponemon Cost of Data Breach Study identified that the mean time to identify (MTTI) malicious data breaches is 214 days and the mean time to contain (MTTC) data breaches is 77 days. Every day that a breach dwells undetected in your environment costs money. How much?

How about $1 million per data breach? That’s on average what Ponemon says is saved by reducing MTTI to under 100 days and MTTC to under 30 days.

Additionally, here are some of McAfee’s own estimates on savings realized from a trained incident response team using McAfee Enterprise Security Manager, McAfee Investigator, McAfee Advanced Threat Defense, McAfee ePolicy Orchestrator, McAfee Active Response, and McAfee Dynamic Endpoint:

  • Value of time saved on incident investigations: $44,000 per year
  • Savings in reduced IT outages: $47,000 per year
  • Reduced staff management for log correlations: $84,000 per year
  • Total annual savings: $175,000 per year

*McAfee technologies' features and benefits depend on system configuration and may require enabled hardware, software, or service activation. Demos document performance of components on a particular test, in specific systems. Differences in hardware, software, or configuration will affect actual performance. Consult other sources of information to evaluate performance as you consider your purchase. Cost and time reduction scenarios described are intended as examples of how a given McAfee product, in the specified circumstances and configurations, may affect future costs and provide cost and time savings. Circumstances and results will vary. McAfee does not guarantee any cost or cost reduction. No computer system can be absolutely secure.


Copyright © McAfee, LLC