Posted
Today’s post begins a series on Polarity Security Operations Center (SOC) use cases; demonstrating how Polarity enables you to see the story in your data without sacrificing thoroughness or speed.
Understanding the reputation of a domain that appears in an event presented to an analyst for investigation is a critical step in identifying malicious activity. The sheer number and ephemeral nature of URLs is nearly impossible for a human to retain much less recall on the fly during event analysis. This becomes even more problematic with the advent of Domain Generating Algorithms. Before now, analysts would have to pivot to third party reputational databases to obtain this data. Analysts have to identify any URL/URI information contained within the event or log and also determine the domain’s legitimacy as well as how it relates to the expected traffic to and from their network.
Polarity has multiple resources to validate integrity and determine an organization’s historical relationship with a domain prior to making a well informed decision. Polarity provides analysts dynamic and immediate information derived from multiple points of reference and expedites the conclusion as to what additional analysis or response actions need to be taken.
Capabilities:
- Polarity can augment the analyst view with information sourced directly from multiple domain intelligence platforms. Examples of integrations with free sources include: URLScan, URLHaus, and VirusTotal.
- Polarity can also overlay open-source and commercial threat intelligence that is specific to the domain.
- Polarity ensures that the most recent information is pulled, not only the information that was pulled at the time of ingestion.
- Polarity automatically demonstrates historical relationships between the enterprise and the domain (e.g. via immediate query to proxy logs).
- Polarity highlights whether the IP addresses associated with the domain have been observed from enterprise firewalls.
- Via channels or integrations, Polarity can create awareness as to the business relationships between the domain and the enterprise (e.g. Entity: “Polarity.io” Annotation: “Is a trusted partner”).
- Polarity initiates actions against domains. For example:
- If integrations support scan requests (e.g. URLScan), scans can be kicked off.
- If SOAR playbooks exist, drive by simulations may be initiated.
As shown in the graphic above, the Polarity platform provides real time Domain provenance data derived from any number of authoritative domain reputational services. Here we see information provided by The Hive, RiskIQ, urlscan.io and URLhaus. You are certainly not limited to these repositories, any data feed to which you are subscribed or use frequently can be provided to your analysts in real time, no lookups, no clicking around, no shifting tabs and no cut & pasting. Information when you need it and where you need it. You are threat hunting you shouldn’t be forced to hunt for your data as well.
Real time domain awareness with Polarity has several benefits including:
- Higher quality, more informed decisions as a direct result of available context sourced from multiple sources.
- Increased efficiencies as the effort to perform desperate searches no longer monopolizes opportunities for more scrutiny and detail-oriented analysis.
- Analysts can immediately determine the relevance of a domain to the enterprise.
Meet the expert: Terry McGraw
Background: Terrence “Terry” McGraw is a retired Lieutenant Colonel from the United States Army and now serves as the President and principal consultant, of Cape Endeavors, LLC, with over 20 years of providing expertise in cyber security architectural design and operations in both commercial and government sectors.
Terry previously served as the Vice President of Global Cyber Threat Research and Analysis for Dell SecureWorks and President of PC Matic Federal. He retired from the United States Army in 2014 completing 27 years of service; the last 10 years of his Army career were leading key Cyber initiatives for the Army’s Network Enterprise and Technology Command, Army Cyber Command and the National Security Agency (NSA). He has multiple combat tours with his culminating assignment, serving as the Director of Operations, Task Force Signal Afghanistan, 160th Signal Brigade (FWD), providing all strategic communications infrastructure in the theater of operations.
Education: BA in History, MSA in Information Systems Engineering, and a graduate of the prestigious US Army School of Information Technology’s Telecommunication Systems Engineering Course.
Relevant Experience: Terry’s work in the Army leading and operating some of the world’s largest and most complex networks as well as 6 years as Vice President of Global Cyber Threat Research and Analysis for Dell SecureWorks providing managed cyber security services to over 4,000 commercial clients and leading it’s six Counter Threat Operations Centers gives him a deep and broad understanding of the Cyber Threat Landscape. His entire professional career has been in designing and managing resilient network architectures ensuring the operational readiness thereof.