“Wisdom consists of the anticipation of consequences.” – Norman Cousins
In the cybersecurity industry, we’ve become a lot wiser in the face of relentless and increasingly crafty adversaries. It is now a widely held tenet that it is not a matter of if, but when and how we’ll be attacked. In anticipation of these consequences, security operations centers (SOCs) are transforming into detection and response organizations. How we measure the efficiency and value of detection and response is by the speed and effectiveness with which it is done. So, alongside this transformation, we’re now seeing security organizations put together anticipation teams to proactively drive down time to detect and respond and reduce exposure. What do those teams look like?
Within the context of security operations, anticipation teams use internal and external threat and event data across their security infrastructure for context and analytics and to become more proactive. Being data-driven allows defenders to zero-in on potential attacks to their organization, understand the impact, and prevent or mitigate risk. We see these anticipation teams focused on many use cases, but the two primary use cases are threat prevention and threat hunting.
1. Proactive threat prevention means that you can anticipate what may be happening within your environment so you can quickly contain it and prevent it from happening again by sending threat intelligence and data to different systems for a unified defense. This could be initiated by internal data that could reveal malicious behavior, or analysis of past incidents.
In the first instance, let’s say you see an IP address you don’t recognize in your intrusion prevention system (IPS). You query other systems to see if any of your other security tools have detected communication back to that IP address, but without context you can’t have a full picture of what is happening. So, you look at external threat intelligence where you may see that the IP address that triggered suspicion is associated with a specific adversary. Now you can pivot to that adversary and learn that there are numerous additional IP addresses related to that adversary to search for and block. Digging deeper across additional threat intelligence sources, you may find other associated artifacts you can look for in other tools to respond comprehensively and quickly.
In the second instance, any new learnings are integrated into your prevention policies so you can proactively strengthen defenses and prevent a repeat attack by the same adversary or campaign.
Proactive threat prevention hinges on the ability to gain a contextualized understanding of what is going on and strengthen defenses comprehensively and quickly. Instead of just blocking the first IP address or waiting until a threat actor targets you again, you can be anticipatory to limit the scope and prevent attacks in the future – automatically sending intelligence to your defensive infrastructure to generate and apply updated policies and rules, even if additional indicators have not yet materialized in your environment.
2. Proactive threat hunting starts from external information (report, news, other) without an internal alert being fired. Using the data and information from the report, you hunt for associated indicators within your environment in anticipation of an attack. For example, you may learn of malware currently being used to target your industry, so you go to any number of intelligence sources – government, industry, open source or commercial – and frameworks like MITRE ATT&CK, to learn about the technical details, potential indicators of compromise, and possible related system events that you can hunt for within your environment. Depending on the potential risk exposure for your organization, you may decide to take advantage of this intelligence to proactively block these indicators across your defensive infrastructure immediately. Either way, you then open an investigation, formulate a hypothesis about a specific campaign or adversary that may have infiltrated your network and pivot to test your hypothesis. Once you confirm or disprove malicious activity you take appropriate action to mitigate risk or prevent the attack.
In both use cases, it is extremely time consuming to sift through logs manually to determine which are relevant and to correlate logs with massive volumes of external threat intelligence and other internal data to identify malicious activity. Organizations can end up with a few high-value resources spending inordinate amounts of time potentially chasing ghosts.
With a platform that aggregates, normalizes and correlates internal and external data, you can tap into the richness of all available data to get a complete picture of what is going on. You can setup data-driven playbooks triggered either by new intelligence linked to past incidents for proactive prevention, or by intelligence about new threats you are proactively hunting. With the scope of malicious activity and all impacted or potentially targeted systems identified and confirmed, you can orchestrate a comprehensive and coordinated response. You can perform the right actions across multiple systems and send associated data out to the right tools across your defensive grid immediately and automatically. Malicious activity is proactively prevented, and detection and response happen faster so dwell times are shortened. Furthermore, data and findings are sent back to a central repository so that protections and your security posture continue to improve over time.
It is true that wisdom consists of the anticipation of consequences. For security teams, the next step is to proactively mitigate any negative consequences. That’s where today’s anticipation teams are focused, with a data-driven approach to help accelerate risk mitigation and strengthen security posture.
