November 2, 2017 By Jamie Caffrey 2 min read

As recent attacks targeting sensitive, personal information at a number of high-profile institutions have demonstrated, it is not a matter of if, but when you will have to investigate a security breach. The law enforcement and intelligence communities are increasingly called upon to investigate and mitigate cyberthreats, often applying the same tools and meticulous techniques they have developed over decades.

By moving beyond the reactive, day-to-day operations of the security operations center (SOC) and the hundreds of offenses that are generated daily by various security information and event management (SIEM) tools, more skilled analysts can dive deeper to investigate specific offenses, hunt for threats based on current threat intelligence and known threat actors, test out hypotheses, and proactively look for vulnerabilities and indicators of compromise (IoCs). This type of investigation requires analysts to bring together disparate data sources to gain a better understanding of what is happening, what has happened and the overall sequence of events.

The Tedious Task of Threat Analysis

The task of data collection, curation and loading can be time-consuming and laborious. An analyst may need to write scripts in a variety of tools and languages to gather data from systems or read a number of threat intelligence reports to gain insights about campaigns occurring that day. They might then need to load this data into manual analysis tools to look for patterns, trends and outliers. It can take as much time to collect, normalize and correlate the data as it does to analyze it.

Quickly, the task becomes more about data curation, which is too large a task to carry out for all but the biggest incidents in the largest institutions. But this needn’t be the case. By utilizing investigative analysis software, organizations can come to grips with their investigations, conduct more thorough analyses and proactively hunt for threats.

A Proactive Strategy to Mitigate Cyberthreats

An organization might initially start this journey by looking for threats not typically picked up in the day-to-day operations of the SOC, such as latent threat discovery, campaign analysis or even pattern recognition. By bringing together a few data sets, such as SIEM data, threat intelligence from both open source and commercial vendors, internal investigation data and potentially some basic open source intelligence (OSINT), an organization can identify and mitigate cyberthreats lurking on their networks.

By applying enterprise intelligence tools to techniques already used by many fraud and criminal investigation units around the globe, security professionals can move from data collection and curation to threat analysis and investigation in a collaborative, organizationwide manner. This can ultimately feed back into your security policies, rules and automation to further protect your organization and allow your teams to focus their efforts on proactive protection and threat hunting.

More from Incident Response

X-Force uncovers global NetScaler Gateway credential harvesting campaign

6 min read - This post was made possible through the contributions of Bastien Lardy, Sebastiano Marinaccio and Ruben Castillo. In September of 2023, X-Force uncovered a campaign where attackers were exploiting the vulnerability identified in CVE-2023-3519 to attack unpatched NetScaler Gateways to insert a malicious script into the HTML content of the authentication web page to capture user credentials. The campaign is another example of increased interest from cyber criminals in credentials. The 2023 X-Force cloud threat report found that 67% of cloud-related…

Tequila OS 2.0: The first forensic Linux distribution in Latin America

3 min read - Incident response teams are stretched thin, and the threats are only intensifying. But new tools are helping bridge the gap for cybersecurity pros in Latin America. IBM Security X-Force Threat Intelligence Index 2023 found that 12% of the security incidents X-force responded to were in Latin America. In comparison, 31% were in the Asia-Pacific, followed by Europe with 28%, North America with 25% and the Middle East with 4%. In the Latin American region, Brazil had 67% of incidents that…

Alert fatigue: A 911 cyber call center that never sleeps

4 min read - Imagine running a 911 call center where the switchboard is constantly lit up with incoming calls. The initial question, “What’s your emergency, please?” aims to funnel the event to the right responder for triage and assessment. Over the course of your shift, requests could range from soft-spoken “I’m having a heart attack” pleas to “Where’s my pizza?” freak-outs eating up important resources. Now add into the mix a volume of calls that burnout kicks in and important threats are missed.…

SIEM and SOAR in 2023: Key trends and new changes

4 min read - Security information and event management (SIEM) systems remain a key component of security operations centers (SOCs). Security orchestration, automation, and response (SOAR) frameworks, meanwhile, have emerged to fill the gap in these capabilities left by many SIEM systems. But as many companies have begun reaching the limits of SIEM and SOAR systems over the last few years, they have started turning to other solutions such as extended detection and response (XDR). But does this shift spell the end of SIEM…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today