Today we release a brand new module to help cybersecurity teams improve their productivity. Threat Context provides contextualized, qualified threat indicator information, enhancing incident triage, post-incident forensics and red teaming activities.
SOC, Incident Response and Threat Intelligence teams are plagued by information overload, making it difficult to prioritize threats and respond effectively. Each phase demands time and resources, both of which are usually in short supply.
The new module has been designed to accelerate performance with these issues in mind. Threat Context is formed from an ever-expanding database of over 70 million items, continuously updated and providing intuitive information around threat actors, campaigns, IOCs, attack patterns, tools, signatures and CVEs.
Using Threat Context
Security teams need high quality information in as close to real-time as possible, in order to work effectively and protect their organization.
Imagine your Incident Response team detects an incident. The primary action is to try and gather as much information as possible regarding the indicator, and preferably within a single environment. This avoids having to use various tools and systems, an activity which slows down the overall response and remediation processes.
What makes Threat Context so powerful and user-friendly is that users can start an investigation from whichever entity they have in hand, whether an actor, a campaign, an IOC, a CVE or a signature.
Take, for example, a CISO reporting on an APT which has been known to attack the sector their organization sits in. Query the actor and click through for a description – on the Threat Actor profile page, the CISO can find the detail they require, including indicators, historical campaigns, attack patterns, signatures and tools. In effect, they can pivot from page to page to obtain as much contextual information as possible. A scoring feature also enables the CISO to measure the threat level of a particular indicator based on its history, related IOCs and freshness.
A SOC for a major e-commerce site might discover an IP or domain relating to their business that may be compromised. The site holds a huge amount of PII about its customers, and a compromise could damage its reputation among clients and its bottom line under GDPR. The SOC analyst can enter the suspect IP in the search bar and pivot through the related indicators and attack patterns to reveal potential relationships. Perhaps the threat is a spearphishing campaign targeting staff in one of its smaller markets. Once the vulnerability is identified through the associated CVEs, measures can be taken to remediate quickly.
A smaller Threat Intelligence team might have a couple of hashes or signatures they’re interested in, something one of the analysts stumbled across on a Dark Web forum. They input the hash into the interface, then pivot to explore its context. The hash leads the analyst to a specific IP, which leads to a malware sample that has been analyzed by Blueliv’s sandbox.
The logs from the sandbox are available to the analyst, and combined with the original input information, can be graphically represented as a kill chain. Along with its related IOCs, analysts can trace the flow of execution – the binary hash creates a process, which injects another into the system etc. This forensic analysis of the malware involved is delivered in a user-friendly, easily-manageable manner to accelerate decision-making.
With these interrelationships and pivoting capabilities, analysts can rapidly gather enriched, contextualized information to enhance their cybersecurity processes before, during and after an attack.
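The pivoting workflow in the hash example above and the indicator scoring mentioned in the CISO example, as an added illustration that is not Blueliv's code: a small in-memory relationship graph with breadth-first pivoting and a scoring function. The graph data, the sighting history, and the scoring formula (freshness, sightings, related IOCs) are all constructed assumptions; Threat Context's real scoring model is not published in this post.

```python
from collections import defaultdict, deque
from datetime import date

# Constructed, hypothetical relations in the shape the post describes:
# hash -> IP -> malware sample -> campaign -> actor / CVE. Edges are
# undirected because every relation can be pivoted in either direction.
RELATIONS = [
    ("hash:SAMPLE_HASH_A", "ip:203.0.113.7"),
    ("ip:203.0.113.7", "malware:SampleFamily"),
    ("malware:SampleFamily", "campaign:SpearPhish-Example"),
    ("campaign:SpearPhish-Example", "actor:APT-Example"),
    ("campaign:SpearPhish-Example", "cve:CVE-PLACEHOLDER"),
    ("actor:APT-Example", "ip:198.51.100.9"),
]
# Constructed sighting history per IOC: (first_seen, last_seen, sightings).
HISTORY = {
    "hash:SAMPLE_HASH_A": (date(2019, 1, 10), date(2019, 3, 1), 4),
    "ip:203.0.113.7": (date(2018, 6, 1), date(2019, 3, 2), 40),
    "ip:198.51.100.9": (date(2016, 2, 1), date(2016, 5, 1), 2),
}
IOC_TYPES = ("ip", "hash", "malware")

def build_graph(relations):
    graph = defaultdict(set)
    for a, b in relations:
        graph[a].add(b)
        graph[b].add(a)
    return graph

def pivot(graph, start, max_hops=3):
    """Breadth-first pivot: every entity reachable within max_hops, with its distance."""
    seen = {start: 0}
    queue = deque([start])
    while queue:
        node = queue.popleft()
        if seen[node] >= max_hops:
            continue
        for nxt in sorted(graph[node]):
            if nxt not in seen:
                seen[nxt] = seen[node] + 1
                queue.append(nxt)
    return seen

def score(graph, history, ioc, today):
    """Assumed scoring: linear freshness decay over a year, scaled by sighting
    volume (capped at 10) and by the number of directly related IOCs (capped at 3)."""
    _first, last, sightings = history[ioc]
    freshness = max(0.0, 1.0 - (today - last).days / 365)
    related = sum(1 for n in graph[ioc] if n.split(":")[0] in IOC_TYPES)
    return round(100 * freshness * min(1.0, sightings / 10) * min(1.0, related / 3), 1)
```

From the hash, three hops reach the IP, the malware sample and the campaign, matching the post's walk-through; the actor and CVE need a fourth hop, which is the point where an analyst decides whether to keep pivoting.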
Before an attack:
Threat Context provides qualified intelligence around threat actors and campaigns affecting your organization or sector. Graphical representations of kill chains mean that red teams can use Threat Context to execute highly realistic attack simulations ahead of time, patching potential vulnerabilities and minimizing your attack surface.
During an attack:
Organizations in multiple industries face cyberthreats daily, if not hourly. Triaging these threats effectively is critical to handling them. Threat Context provides the sort of qualified information that helps orchestration systems and their operators prioritize relevant IOCs and remediate incidents faster, saving time and money. The information can be extracted to feed other systems, since it's accessible via the API, and YARA rules and SNORT signatures are included on the indicators for even faster analysis.
After an attack:
Forensic investigations and post-incident reporting demand a level of detail for a variety of stakeholders. Analysts want to know how it happened, while CISOs and the management want to know it won’t happen again. Threat Context provides accessible information through its pivoting capabilities so that all affected parties can obtain the information they require, at pace.
Empower your security teams to focus on what matters – the right information at the right time.
For a demonstration of Threat Context, get in touch here.