Security Orchestration - Threat Containment and Operations
Introduction: What is Security Orchestration?
In the time it takes to watch this video, your tier 1 security analyst must triage security alerts and collect the necessary contextual data and intelligence to determine if the alert warrants tier 2 investigation, is sufficiently thwarted by existing defenses, or is a false positive.
In essence, your tier 1 analyst is managing your organization’s cyber risk. Security orchestration is the functional, effective, and efficient teaming of people, process, and technology towards a repeatable end state. Automation is also crucial to the process but cannot be a replacement for security orchestration. Automation augments each component of security orchestration, and its value is measured in time saved and scale gained.
This is a notional organization chart depicting both personas and functional roles. Each team is composed of people and technology executing defined processes. The security operations team uses automation to gain visibility into the enterprise, and technology to see through the noise. The threat intelligence team uses automation to gather valuable intelligence from many sources, both internal and external. The attack surface group on the right works in concert with the enterprise infrastructure teams, often in IT, to maintain compliant resource availability. Security orchestration is the art of bringing all of those functions together to operate and defend the enterprise. For the sake of this discussion, this notional network represents our enterprise environment. We’ve deployed all the usual security tools, from the gateway to the endpoint. In this example, all the relevant syslog data is automatically routed to and processed within security operations.
Security Orchestration In Action
Let’s demonstrate a scenario where security automation and orchestration would provide more context around alerts and act with preconfigured triggers and responses. An endpoint has just been compromised by an exploit embedded within an email attachment. No alarms were triggered on the endpoint. The exploit loads itself onto disk and injects itself into an existing process, from which it attempts to call home, sending environmental metadata and receiving additional files and instructions. The compromised system makes a DNS query to contentupdate.org.
Infoblox’s ActiveTrust, acting as the DNS traffic cop, checks whether the domain is okay to visit and whether the DNS header information matches the heuristics of a malicious attempt to exfiltrate data via the DNS protocol. That exfiltration check is not what fires here; in this case, it is the domain itself that is in question. ActiveTrust now acts automatically based on user-configured parameters such as block, redirect, sinkhole, and so on. It also notifies the security ecosystem in parallel.
Transactional log data is shared with the SIEM to trigger a new alert or enrich an existing one. Carbon Black is notified of a threat on a host. The process is identified and killed, and the associated files are hashed and quarantined. The Carbon Black endpoint distributes those hashes through its enterprise manager to identify any other endpoints with the same file and process information. All log data is appended to the records in the SIEM and/or case management system.
The Infoblox products will further enrich the alert with actual network and threat indicators. But hold on. This domain is linked to an APT actor, which makes this a credible threat. How does Infoblox help? Our core DDI systems, coupled with our ActiveTrust DNS-based threat detection, mitigation, and threat investigation suite, further enhance the ecosystem of security products, from endpoint protection to security information and event management (SIEM) systems, threat intelligence platforms, and firewall devices, all protecting the on-premises, off-premises, and cloud-enabled enterprise.
Infoblox has partnered with some of the leading security companies to help clients realize immediate returns on investment. With partners like Carbon Black, Qualys, Splunk, FireEye, Cisco and others, automation occurs virtually out-of-the-box. Security orchestration occurs when people define and execute processes utilizing technology automation. At this point, we need to escalate and consult with the threat intelligence team. The two industry standard models for understanding an attack are the Cyber Kill Chain and the Diamond Model of Intrusion Analysis.
The threat intelligence team uses these to identify adversary tactics, techniques, and procedures, or TTPs. Most notably, the Diamond Model is the methodology we’re going to build on today. The ActiveTrust Dossier threat investigation tool enables an analyst to research known indicators, pivot on the results to expand their understanding of the adversary’s capabilities, and associate the newly discovered indicators to defend the network more comprehensively.
With the event now most likely declared an incident, the incident response and threat intelligence teams can review the full context of the threat, understand the actor’s TTPs, and discover additional vectors of attack. The initial attack has been defended, but now we’re going to shift from a reactive to a proactive state by threat hunting. The incident response and hunt teams can feed the newly discovered indicators back to the SIEM to identify whether any host ever communicated with the previously unrelated domains. If the answer is yes, the Infoblox DDI suite can identify which host was assigned the internal IP address at the time of communication. From there, the Carbon Black endpoint for that affected host can be triggered to search for additional indicators of compromise. The process of hunting continues until all attack vectors are investigated, systems are patched, and management has been informed.
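The hunt step above, written out as an added example (not code from the original page or from Infoblox): indicator domains are matched against DNS query logs, and each hit's client IP is attributed to the host that held the DHCP lease at query time, so an address reused by two machines is not blamed on the wrong one. All log lines, lease records, and the second indicator domain are constructed sample data.

```python
from datetime import datetime

# Constructed indicator set: the domain from the scenario plus a hypothetical
# domain discovered by pivoting during the investigation.
INDICATORS = {"contentupdate.org", "cdn-sync.example"}

# Constructed syslog-style DNS query records: "timestamp client_ip qname".
DNS_LOG = """\
2024-03-01T09:14:02Z 10.1.2.55 contentupdate.org
2024-03-01T09:15:10Z 10.1.2.55 www.example.com
2024-02-20T22:41:37Z 10.1.2.55 cdn-sync.example
2024-03-01T11:02:09Z 10.1.3.7 mail.example.org
"""

# Constructed DHCP lease history: (ip, hostname, lease_start, lease_end).
# Note that 10.1.2.55 was held by two different hosts at different times.
LEASES = [
    ("10.1.2.55", "LAPTOP-A", "2024-02-28T08:00:00Z", "2024-03-02T08:00:00Z"),
    ("10.1.2.55", "LAPTOP-B", "2024-02-19T08:00:00Z", "2024-02-21T08:00:00Z"),
    ("10.1.3.7", "DESKTOP-C", "2024-03-01T07:00:00Z", "2024-03-03T07:00:00Z"),
]


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ")


def host_for_ip_at(ip, ts):
    """Return the hostname holding `ip` at `ts`, or None if no lease covers it."""
    for lease_ip, host, start, end in LEASES:
        if lease_ip == ip and parse_ts(start) <= ts < parse_ts(end):
            return host
    return None


def hunt(dns_log, indicators):
    """Return (timestamp, ip, host, domain) for each query to an indicator domain."""
    hits = []
    for line in dns_log.splitlines():
        ts_str, ip, qname = line.split()
        if qname.lower().rstrip(".") in indicators:
            hits.append((ts_str, ip, host_for_ip_at(ip, parse_ts(ts_str)), qname))
    return hits


if __name__ == "__main__":
    for hit in hunt(DNS_LOG, INDICATORS):
        print(hit)
```

Each hit names the host to hand to the endpoint search step; a hit with host `None` means the lease history has a gap and the attribution must be resolved by hand.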
Conclusion: Security Orchestration & Automation Work Together to Help Defend Against Threats
Security orchestration helps remove fear, uncertainty, and doubt when defending a network. Automation collects raw data and correlates it into actionable information. Security defenders take that information, with its context, and apply that knowledge to defend against this threat while gaining foresight into the next.