How to develop efficient and advanced triage and investigation capabilities

To mature beyond the foundational elements of their security operations, SOC teams are pursuing more advanced means of triaging (i.e. grading and prioritizing) threats and launching rich, effective investigations.

This is made possible by harnessing threat intelligence to fill in a clearer picture of their threat landscape, respond to better effect and enable proactive ‘threat hunting’ capabilities.

The role of threat context and correlation

Systems that are not under stress have little need for triaging their caseloads. Triaging in the medical sense is best practice for directing finite healthcare resources at times of emergency.

Similarly, everywhere in cybersecurity there is the challenge of information overload: not only the millions of internal logs ingested by SIEM systems but the cumulative avalanche of threat data produced when you tune in to the many available external intelligence sources, from social media to the dark web.

But this is all still just information: symptoms of underlying issues that professionals need to assess at speed and scale in order to produce intelligence and make ‘life or death’ decisions.

In truth, threat intelligence solutions are part human intervention and part machine automation. There is simply no other way of coping with the volume of data. Blueliv’s threat context module embodies this combination, leveraging continuously updated threat insights to provide contextualized, qualified threat intelligence; enhancing incident triage, vulnerability prioritization, post-incident forensics and red teaming activities.

Let’s take an example: an analyst has stumbled across the user credentials of an employee that have been stolen by a known botnet malware. Their first and only move might be to revoke those credentials so they cannot be misused, before filing a report and moving on to the next perceived priority. A comprehensive threat intelligence solution will be able to inject significant additional context, exploring historical data to identify associations with specific actors, campaigns, IOCs, attack patterns, tools, signatures and CVEs – enabling a wider and more strategic response that potentially discovers further compromised credentials (other accounts harvested by the same malware family or campaign) and informs the hardening of security defenses that might otherwise have been assumed to be robust.

Without a capability like Threat Context, security teams are less efficient, less conscious of ‘the bigger picture’ and more likely to be distracted by prescribed risk calculations that may not apply to the unique circumstances of the organization at hand.

But even triaging cannot always prevent the nightmare scenario of being inundated; witness the imposition of nationwide lockdown measures to stop national healthcare systems being overwhelmed by the COVID-19 pandemic, for instance. Organizations increasingly understand the need to be proactive about combating cyber threats; hunting them down rather than simply detecting and remediating them.

Where threat intelligence fits in the arsenal of the threat hunter

Threat hunting is the act of fighting back against cyber attacks: proactively searching the environment for adversaries that existing controls have not detected, rather than waiting for an alert. Threat hunting is not about gathering threat intelligence per se; rather it needs intelligence to investigate, secure against and ‘take out’ specific threats and protagonists.

Even when threat hunting does not successfully eliminate a threat, the act of pursuing threats enables the organization to respond better to future attacks. According to the most recent (2019) SANS Threat Hunting Survey, 61% of threat hunting respondents reported that the approach resulted in at least an 11% measurable improvement in their overall security posture. Fewer than 2% reported no improvement.

The same survey points to the importance of ‘hypothesis-based hunting’, in which the hunter starts from a specific, testable assumption (for example, that a campaign known to target the organization’s industry sector, or organizations with similar business characteristics, has a foothold in the network) and then looks for evidence that confirms or refutes it. Such advanced approaches net the greatest results but are wholly reliant upon the consumption of fresh, accurate threat intelligence. It is unsurprising, therefore, to see “improved integration and normalization of multiple data sources” ranked second on respondents’ wishlist for upcoming threat hunting investments.
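As an added example (this is not Blueliv’s code, nor code from the original post), the following Python script shows both the stolen-credential pivot described earlier and a hypothesis-based hunt driven by the resulting context. Everything in it is constructed for illustration: the credential-leak records, the campaign records, the proxy log lines, the malware and campaign names, the TEST-NET IP addresses and RFC 2606 domains, and the triage weights. The MITRE ATT&CK technique IDs are real IDs used only as placeholder labels. A real threat context feed would supply the records that the `CREDENTIAL_LEAKS` and `CAMPAIGNS` lists stand in for here.

```python
"""Pivot from one stolen-credential alert through a threat-context graph,
score it for triage, then hunt for related activity in proxy logs.
Added example with constructed data; not a vendor product or API."""
from collections import defaultdict, deque

ORG_DOMAIN = "example.com"  # assumed: the domain of the organization we defend

# Constructed sample records standing in for a threat context feed.
# All names, addresses and domains are placeholders (TEST-NET, RFC 2606).
CREDENTIAL_LEAKS = [
    {"id": "leak-1", "user": "alice@example.com", "malware": "ExampleStealer", "c2": "203.0.113.10"},
    {"id": "leak-2", "user": "bob@example.com", "malware": "ExampleStealer", "c2": "198.51.100.7"},
    {"id": "leak-3", "user": "carol@example.net", "malware": "OtherBot", "c2": "203.0.113.55"},
]
CAMPAIGNS = [
    {"id": "campaign-A", "malware": ["ExampleStealer"], "c2": ["198.51.100.7", "203.0.113.10"],
     "actor": "Actor-X", "techniques": ["T1555", "T1071.001"]},
    {"id": "campaign-B", "malware": ["OtherBot"], "c2": ["203.0.113.55"],
     "actor": "Actor-Y", "techniques": ["T1056.001"]},
]
# Constructed proxy log: "<timestamp> <internal src> <destination> <status>"
PROXY_LOG = [
    "2024-03-01T08:00:00Z 10.0.0.5 198.51.100.7 200",
    "2024-03-01T08:00:03Z 10.0.0.9 192.0.2.20 200",
    "2024-03-01T08:00:07Z 10.0.0.12 203.0.113.55 200",
    "2024-03-01T08:00:11Z 10.0.0.7 203.0.113.10 200",
]


def build_graph():
    """Undirected graph of typed nodes ('type:value') linked by the feed records."""
    graph = defaultdict(set)

    def link(a, b):
        graph[a].add(b)
        graph[b].add(a)

    for leak in CREDENTIAL_LEAKS:
        cred = f"credential:{leak['user']}"
        link(cred, f"malware:{leak['malware']}")
        link(cred, f"c2:{leak['c2']}")
        link(f"malware:{leak['malware']}", f"c2:{leak['c2']}")
    for camp in CAMPAIGNS:
        node = f"campaign:{camp['id']}"
        for fam in camp["malware"]:
            link(node, f"malware:{fam}")
        for ip in camp["c2"]:
            link(node, f"c2:{ip}")
        link(node, f"actor:{camp['actor']}")
        for tech in camp["techniques"]:
            link(node, f"technique:{tech}")
    return graph


def pivot(graph, seed, max_hops=3):
    """Breadth-first expansion from the seed, bounded by hop count so the
    context stays relevant. Returns {node_type: sorted values} excluding seed."""
    hops = {seed: 0}
    queue = deque([seed])
    while queue:
        node = queue.popleft()
        if hops[node] >= max_hops:
            continue
        for nxt in graph[node]:
            if nxt not in hops:
                hops[nxt] = hops[node] + 1
                queue.append(nxt)
    grouped = defaultdict(list)
    for node in hops:
        if node != seed:
            kind, value = node.split(":", 1)
            grouped[kind].append(value)
    return {kind: sorted(vals) for kind, vals in grouped.items()}


def triage_score(context, seed_user):
    """Illustrative priority score (0-100) plus other org credentials found.
    Weights are assumptions for the example, not a published model."""
    score = 40  # base: confirmed infostealer credential theft
    if seed_user.endswith("@" + ORG_DOMAIN):
        score += 20  # the victim is one of our accounts
    others = [u for u in context.get("credential", []) if u.endswith("@" + ORG_DOMAIN)]
    score += 10 * len(others)  # each further compromised org account
    if context.get("campaign"):
        score += 20  # tied to a tracked campaign, not an isolated infection
    return min(score, 100), others


def hunt(context, log_lines):
    """Hypothesis: other internal hosts talk to the C2s tied to this campaign.
    Returns (src, dst) pairs in log order; unrelated C2s are ignored on purpose."""
    iocs = set(context.get("c2", []))
    hits = []
    for line in log_lines:
        _ts, src, dst, _status = line.split()
        if dst in iocs:
            hits.append((src, dst))
    return hits


if __name__ == "__main__":
    ctx = pivot(build_graph(), "credential:alice@example.com")
    print("context:", ctx)
    print("triage:", triage_score(ctx, "alice@example.com"))
    print("hunt hits:", hunt(ctx, PROXY_LOG))
```

Starting from alice’s leaked credential, the pivot reaches bob’s credential, both C2 addresses, campaign-A, its actor and techniques, but not carol’s leak or campaign-B, because the hop bound keeps unrelated infections out of the context. The hunt then tests one hypothesis derived from that context (internal hosts beaconing to campaign-A infrastructure) and deliberately does not flag the OtherBot C2 connection, which belongs to a different hypothesis.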

The future of threat hunting as part of a complete cybersecurity approach

One of the prominent misconceptions about threat hunting is that it is equivalent to endpoint security solutions – largely owing to the eagerness of EDR (endpoint detection and response) vendors to conflate their somewhat limited offerings with full-spectrum threat intelligence. EDR is certainly useful, but threat hunting it is not.

‘Threat hunting’ complements the more reactive functions of a security team to enable the proactive discovery and pursuit of specific cyber threats. So, whereas SOC analysts will be managing alerts and incident response (IR) will be dispatched to contain and minimise the impact of emerging attacks, a threat hunting function exists to fill in the remaining gaps.


The worst cyber threats are arguably those hardest to locate. And even as SOC teams mature in their ability to detect and repel threats, gaps can still be left open where attacks can develop quickly, or lie in wait for weeks or months to commit a major data breach. This is the backdrop to a growing appetite among organizations to go beyond their standard SOC functions and embrace more advanced triage and investigation capabilities that equip them for genuine ‘threat hunter’ status.

The problem with building a threat hunting capability in-house is the shortage of available cyber skills. Hence leveraging a threat intelligence service, or taking a modular approach to implementing a tailored threat intelligence solution, is increasingly popular. These efficiently deliver the combined capabilities of human capital and machine automation without the need for organizations to recruit and retain very rare skills or build their own TI capabilities from the ground up.

The post How to develop efficient and advanced triage and investigation capabilities appeared first on Blueliv.

*** This is a Security Bloggers Network syndicated blog from Blueliv authored by Ariadna Miret. Read the original post at: