8 Ways SOC & IR Teams Can Use ThreatConnect’s Workflow Capability

ThreatConnect’s Workflow capability enables users to continuously improve security processes with a single Platform for process documentation, team collaboration, and artifact enrichment. With Workflow, teams gain efficiencies by streamlining and automating discovery, investigation, monitoring, and response activities.

This blog will go over some common use cases SOC and IR teams can accomplish leveraging ThreatConnect Workflow.

Let’s get started exploring some of the most commonly seen use cases for Workflow!

#1 Alert Prioritization and Investigation

It’s frequently discussed how security teams struggle with an overwhelming number of alerts. Prioritizing the investigation of the most important alerts seems impossible due to lack of context and not enough resources. Tasks like these are time-consuming and oftentimes frustrating to the analyst.

Organizations have multi-layer defenses causing an overload of alerts. SOC teams struggle to weed out false positives, understand the relevant threat intelligence context, and prioritize alerts for investigation.  As a result, the dwell time of the attacker is increasing to months and sometimes years.

In ThreatConnect, triage and automate alert management from your SIEM, EDR or other security controls – checking for false positives and auto-closing the alerts that don’t matter. Your alerts in ThreatConnect are enriched with threat intel context, including the severity of the Indicators, the malware family or Threat Actor they are attributed to, associated vulnerabilities, and much more. With Workflow Playbooks, automate bringing in additional context: asset context from your Asset management tool, User context from Active Directory, and Vulnerability context from Vulnerability Assessment or Vulnerability management tools. Having all this context in one place saves the analyst plenty of time otherwise spent looking things up in multiple consoles.

Using Threat Assess, CAL scores, and 3rd party enrichment tools, you can prioritize the most important alerts and use analyst time to investigate more efficiently.

With ThreatConnect, you can access the right intelligence on your alerts immediately.  The benefit of having the Threat Intelligence Platform (TIP) integrated into the same tool used by the SOC for triage and investigation is that both TI teams and SOC teams share knowledge and use the power of collaboration.

#2 Phishing Reporting & Analysis

Organizations spend way too much time investigating phishing alerts. Oftentimes, the easiest entry point for an attacker to gain a foothold in an organization is through a phishing email. Phishing emails are detected by Email Security products or by users reporting them to an Abuse mailbox. Below, let us focus on the emails that get reported as phishing by end users and how we can automate this process using Workflow in ThreatConnect:

    1. Using ThreatConnect Workflow, you can ingest the Phishing emails as cases in ThreatConnect.
    2. The Cases are automatically enriched with relevant Threat Intelligence.
    3. If there are other relevant alerts or emails linked to the Indicator, you would see them right away as related cases in ThreatConnect.
    4. Using Workflow, you can auto detonate any attachments with your Sandbox of choice and bring back context to the case.
    5. If malicious Indicators are found, automate notification to the user and inform them their case is being investigated and the steps to take.
    6. Then you are able to automate the action of searching other mailboxes and endpoints for the indicators to see if other users or systems have been compromised. Create tickets for other teams to investigate further or to auto pull the emails from other compromised systems.

#3 Threat Hunting

Threat Hunting is the process of proactively searching your networks/systems to detect and/or contain threats that evade the security defenses. Automated Threat Hunting can save significant Analyst time in querying the security stack and hunting for threats.

Suppose you found an observable in your environment or external threat intelligence reporting emerging threats affecting your Industry. In that case, you may want to proactively hunt your systems to make sure threats do not go undetected. You may also want to search for the observables in your TIP to see if additional context is available. If you create a Hypothesis and want approval from your lead before automating the hunting, you can do that as well with Workflow!

Search NetFlow logs, endpoints, DNS logs (and more!) for hashes and/or IOCs to detect and uncover threats that your security stack did not catch. Automate response actions such as disabling users, expiring passwords, blocking IPs, and quarantining endpoints (with humans in the loop as necessary).

Avoid spending unnecessary analyst time on these repetitive tasks when they can be automated.

Want more information about Workflow? Check out this blog, “Take a Deep Dive into ThreatConnect Workflow Capabilities.”

#4 Consistent Incident Response

SOC teams are struggling to find skilled resources for Security Operations and Incident Response teams.  Using Workflow, you can document consistent processes for Incident Response based on the type of Incidents. Your Senior analysts can document a process in ThreatConnect as a template for various Incident types. Then, they can apply templates to the case and the junior analyst can follow the predetermined steps to investigate the Incident. Parts of the process can be the automation of enrichment activities so the analyst does not have to switch screens or use multiple tools. With this capability, a distributed team of Incident Responders and Threat Intel Analysts can all collaborate on the same platform.

#5 Vulnerability Context and Response

Attackers are always looking to exploit known vulnerabilities and unpatched systems. Security tools (both on-premises and cloud) can cause severe damage if not taken seriously. Correlating incidents and alerts with Vulnerability information from Vulnerability Assessment tools and threat intelligence from ThreatConnect puts into context which hosts are vulnerable and are currently being exploited. This will put the alert as a high priority for analyst investigation and remediation.

Suppose you are using a Cyber Risk Quantification solution like the recently released ThreatConnect RQ 5.0. In that case, you can now understand the vulnerabilities that will have the greatest financial impact if exploited based on the applications they affect and the controls your organization has in place to protect those applications.  Enrich the alerts to have the business criticality context on the asset provided by RQ to help prioritize which vulnerability to focus on based on potential financial impact to the business.

#6 Endpoint Investigation

You can use ThreatConnect as the platform for driving processes related to endpoint investigation. Bring EDR alerts into ThreatConnect and enrich them with threat intelligence from a variety of sources. This includes adding in necessary context related to Asset and User. Based on criteria set in ThreatConnect, automatically close the alerts if believed to be a false positive. Then, prioritize investigation based on relative severity and isolate endpoints if an alert is determined to be a known bad.

Additionally, using Workflow, ping unmanaged or unresponsive endpoints and initiate a restart. If endpoints cannot be reached, automatically open up a Case for appropriate teams to follow-up and take action if necessary. Query the Asset database and Active Directory to add context of the user and the asset so everything you currently know about the situation at hand is presented to you in one, single place. While this is happening, you’re also able to notify the User and the Audit teams immediately.

#7 Managing Hybrid Deployments

Hybrid deployments are not uncommon, and managing security across them can oftentimes be complex. With ThreatConnect, you can manage alerts from both on-premises as well as private and public cloud environments from a single console. With the context to prioritize and investigate the alerts, you can identify false positives and investigate and respond to threats faster. This saves your analyst time when looking up or managing multiple consoles.

You can even initiate cloud compliance checks periodically, then create cases and assign team members, or kick off Vulnerability assessments to discover misconfigurations and open S3 buckets that can be remediated automatically or with human involvement.

#8 Automated Certificate Management

Using Workflow, you can query a certificate management tool to check endpoints for SSL certificates that have expired or are nearing expiration. Then, pull the affected user's details from Active Directory and send an automated email to inform them about the certificate expiration and the process to update. Check the status at predetermined intervals to confirm if changes have been made. If a certificate is nearing expiration and notifications have not been acted on, automatically escalate to a case and include appropriate parties to ensure the expiration date does not pass prior to updating.
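
The decision made at each scheduled check can be written down as a small state function. This is an added example, not ThreatConnect code or its API: the 30-day warning window, the 7-day grace period after a notice, the record fields and the action names are all assumptions, and the inventory is constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed policy values; the post does not specify thresholds.
WARN_WINDOW = timedelta(days=30)   # what counts as "nearing expiration"
NOTIFY_GRACE = timedelta(days=7)   # time the owner gets to act on a notice

@dataclass
class CertRecord:
    """One row as a certificate management tool might report it (hypothetical shape)."""
    host: str
    owner: str
    not_after: datetime                      # certificate expiry, UTC
    notified_at: Optional[datetime] = None   # when the owner was last emailed

def next_action(cert: CertRecord, now: datetime) -> str:
    """Return the workflow step for one certificate at a scheduled check."""
    remaining = cert.not_after - now
    if remaining <= timedelta(0):
        return "open_case"        # already expired: escalate immediately
    if remaining > WARN_WINDOW:
        return "none"             # healthy, or renewed since the last check
    if cert.notified_at is None:
        return "notify_owner"     # first notice to the affected user
    ignored = now - cert.notified_at >= NOTIFY_GRACE
    # Escalate if the notice was ignored, or if less than one grace period
    # remains, so the expiration date cannot pass while still waiting.
    if ignored or remaining <= NOTIFY_GRACE:
        return "open_case"
    return "wait"

def run_check(inventory, now):
    # One pass over the inventory: host -> action.
    return {c.host: next_action(c, now) for c in inventory}

# Constructed sample inventory, evaluated at a fixed check time.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
INVENTORY = [
    CertRecord("web01.example.test", "alice", NOW + timedelta(days=200)),
    CertRecord("vpn.example.test", "bob", NOW + timedelta(days=20)),
    CertRecord("mail.example.test", "carol", NOW + timedelta(days=10), NOW - timedelta(days=9)),
    CertRecord("api.example.test", "dave", NOW + timedelta(days=25), NOW - timedelta(days=2)),
    CertRecord("old.example.test", "erin", NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    for host, action in run_check(INVENTORY, NOW).items():
        print(f"{host:22} {action}")
```

A renewed certificate falls out of the warning window on the next check and returns `none`, which is how the periodic status check confirms that changes have been made.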

Wrapping Up

This is just a first glimpse into the new and exciting use cases that are now available with Workflow. We will explore each of these use cases in depth in a following series of blogs, so stay tuned! If you would like to see a demonstration of some of these use cases, please contact sales@threatconnect.com.

About the Author
Priya Gajendran

Priya Gajendran is a Strategic Product Manager for SOC/IR at ThreatConnect.