Read More - https://www.siemplify.co/blog/security-automation-for-malware-alerts/
2. Introduction
Automating the triage and incident response for malware alerts. Here we
will discuss the steps to automate some of the most common SOC
processes.
3. Why Malware?
Malware makes our list for two main reasons. First, malware alerts have
inherently low fidelity, especially in large organizations: a single alert
rarely carries enough context to act on. Second, the sheer volume of
malware-related alerts can easily inundate SOC teams, who need to
correlate data from various sources and alerts to gain that context but
are faced with low signal-to-noise ratios.
4. Malware Infections
Because some malware infections can contaminate several systems in a very
short period of time, quick response is an absolute necessity. If the
malware has worm-like attributes, it can spread through your network, and
even to adjoining networks, in just a matter of hours.
5. Automation For Malware
Security automation can take care of the entire data collection process
and present analysts with actionable information in a fraction of the time
it would take them to manually aggregate the necessary details. Instead of
spending a lot of time on a swivel-chair interface for data
integration/correlation, analysts can view all the information they need
through a single pane of glass and go straight to decision-making.
6. Data Gathering
Before SOC teams can respond to a malware alert, they need to go through a
time-consuming and tedious process that begins with data gathering and
user or host enrichment. Raw data from a single or even a handful of
malware alerts is not enough to provide actionable information.
7. Threat Intelligence Data
You’ll also need to compare the data you just gathered with your threat
intelligence and web intelligence. What do they say about the hash you
just obtained? Is it associated with a known malware? What do they say
about the URL you discovered the suspected malware was connecting to?
Is it a known C&C server?
8. Security Integrations
To get all that information and obtain the best context, you'll have to run
the suspected malware's indicators (hash, URL, affected host) through a
series of scans, lookups and other procedures across your security
orchestration integrations, for example:
● VirusTotal for a hash
● SEP (Symantec Endpoint Protection) for additional context
● Nessus for vulnerability information
● SCCM to get context from asset information
● And so on
9. Automated Analysis
As not all malware (zero-day threats in particular) can be detected through
signature and basic heuristic-based scans, you’ll often need to send the file
to a sandbox like Cuckoo for further analysis.
Security automation and orchestration can save time by taking charge of
sending the suspicious files to the sandbox environment, obtaining the
results, and delivering them to your screen in a concise report.
10. First-level Determination
First-level determination refers to that stage wherein analysts make an
initial assessment based on the information gathered from the previous
two stages and then arrive at a decision. Although some organizations
might opt to do this manually, i.e. leaving the decision-making to the
analyst, it’s also something that can be completely delegated to
automation solutions that leverage machine learning-powered analytics
platforms.
11. Deeper Investigation
Some cases require deeper investigation. This would typically entail
querying your endpoint tools for further pieces of information:
● On what other hosts (if any) in the organization did the hash in
question appear?
● What activity took place on those endpoints in the 10 minutes before
the alert was generated?
● Which end users were logged in?
● What network connections were involved?
12. Feedback/Remediation
Last but not least is the feedback/remediation stage. At this stage, SOC
teams typically perform a series of tasks that improve the organization’s
security posture - blacklisting the hash or URL, performing an intelligence
update, updating security sensors, re-imaging systems, and so on. All these
- you guessed it - can be partially or fully automated, depending on the
policies within your organization.
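The procedure in sections 6 through 12, worked as one offline playbook skeleton. This is an added example written for this page, not Siemplify's code or any vendor's API: the VirusTotal, Cuckoo and endpoint-telemetry integrations are replaced by constructed inline lookup tables, and the alert records, hashes, IP addresses, scoring thresholds and action names are assumptions made up for the illustration. It shows how enrichment becomes a first-level verdict, how the "deeper investigation" questions can be answered from telemetry, and which remediation steps the playbook can fire on its own.

```python
"""Malware-alert triage playbook skeleton (constructed example, not Siemplify code).

Each integration named in the text (VirusTotal, Cuckoo, EDR telemetry) is
stood in for by an inline table so the whole pipeline runs offline. In a SOAR
platform the lookup functions would call the real connectors instead.
"""
from datetime import datetime, timedelta

# --- Constructed stand-ins for the integrations -----------------------------
# Hash reputation as a VirusTotal-style lookup might return it (constructed).
TI_HASH = {"a" * 64: {"detections": 41, "engines": 70, "family": "Emotet"}}
# Web intelligence: is the contacted URL a known C&C server? (constructed)
TI_URL = {"http://198.51.100.23/gate.php": {"category": "c2"}}
# Sandbox verdicts keyed by hash, like a Cuckoo report summary (constructed).
SANDBOX = {"a" * 64: {"score": 9.2, "behaviors": ["persistence", "c2_beacon"]}}
# Endpoint telemetry: (host, user, sha256, remote_ip, ISO timestamp) (constructed).
TELEMETRY = [
    ("ws-017", "jdoe", "a" * 64, "198.51.100.23", "2023-04-02T10:14:30"),
    ("ws-042", "asmith", "a" * 64, "198.51.100.23", "2023-04-02T10:11:00"),
    ("ws-042", "asmith", "b" * 64, "192.0.2.10", "2023-04-02T09:00:00"),
    ("srv-db1", "svc_backup", "a" * 64, "198.51.100.23", "2023-04-01T22:00:00"),
]
# Two constructed alerts: a true positive and a low-fidelity unknown hash.
MALICIOUS_ALERT = {"id": "ALERT-1", "host": "ws-017", "user": "jdoe", "sha256": "a" * 64,
                   "url": "http://198.51.100.23/gate.php", "timestamp": "2023-04-02T10:15:00"}
BENIGN_ALERT = {"id": "ALERT-2", "host": "ws-099", "user": "mlee", "sha256": "c" * 64,
                "url": None, "timestamp": "2023-04-02T11:00:00"}


def enrich(alert):
    """Data gathering + threat intel: hash reputation, URL reputation, sandbox verdict."""
    return {
        "hash_rep": TI_HASH.get(alert["sha256"]),
        "url_rep": TI_URL.get(alert["url"]) if alert["url"] else None,
        "sandbox": SANDBOX.get(alert["sha256"]),
    }


def first_level_determination(ctx):
    """Turn enrichment into a score and a verdict; thresholds are assumptions."""
    score = 0
    rep = ctx["hash_rep"]
    if rep and rep["engines"] and rep["detections"] / rep["engines"] >= 0.3:
        score += 50                                   # widely detected hash
    if ctx["url_rep"] and ctx["url_rep"]["category"] == "c2":
        score += 30                                   # contacted a known C&C
    if ctx["sandbox"] and ctx["sandbox"]["score"] >= 7.0:
        score += 30                                   # sandbox flagged it
    verdict = "malicious" if score >= 70 else "suspicious" if score >= 30 else "benign"
    return score, verdict


def deeper_investigation(alert, window_minutes=10):
    """Answer the four 'Deeper Investigation' questions from endpoint telemetry."""
    alert_time = datetime.fromisoformat(alert["timestamp"])
    window_start = alert_time - timedelta(minutes=window_minutes)
    hosts_with_hash = {h for h, _, sha, _, _ in TELEMETRY if sha == alert["sha256"]}
    recent = [e for e in TELEMETRY
              if e[0] in hosts_with_hash
              and window_start <= datetime.fromisoformat(e[4]) <= alert_time]
    return {
        "other_hosts": sorted(hosts_with_hash - {alert["host"]}),
        "recent_activity": recent,
        "users": sorted({e[1] for e in recent}),
        "remote_ips": sorted({e[3] for e in recent}),
    }


def remediate(alert, verdict, investigation):
    """Feedback/remediation: the actions the playbook would fire (names assumed)."""
    if verdict == "benign":
        return ["close_alert:" + alert["id"]]
    actions = ["escalate_to_analyst:" + alert["id"]]
    if verdict == "malicious":
        actions.append("blocklist_hash:" + alert["sha256"])
        if alert["url"]:
            actions.append("blocklist_url:" + alert["url"])
        # Isolation is safe to automate; re-imaging stays a human decision here.
        for host in [alert["host"], *investigation["other_hosts"]]:
            actions.append("isolate_host:" + host)
    return actions


def run_playbook(alert):
    """Whole pipeline: gather -> determine -> investigate -> remediate."""
    ctx = enrich(alert)
    score, verdict = first_level_determination(ctx)
    investigation = deeper_investigation(alert) if verdict != "benign" else None
    return {"id": alert["id"], "score": score, "verdict": verdict,
            "investigation": investigation,
            "actions": remediate(alert, verdict, investigation)}


if __name__ == "__main__":
    for a in (MALICIOUS_ALERT, BENIGN_ALERT):
        print(run_playbook(a))
```

Note that the benign path never calls the sandbox or telemetry queries at all, which is where the time saving comes from: most alerts are closed on enrichment alone, and only the ones that score into the suspicious or malicious band consume the analyst's attention.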
13. Conclusion
Analysts devote a great deal of time to processing malware alerts, but a
substantial portion of that time is consumed by mundane tasks such as data
collection, basic analysis and forwarding of files to the sandbox, all of
which can be delegated to malware security automation.