Tackle the Human Side of Incident Response with SOAR and Threat Intelligence
This Thursday, December 3, 2020, Flashpoint is sponsoring and speaking at Siemplify SOCstock 2020 with a session on The Human Side of Incident Response. This blog post covers the major themes, but you’ll have to join us on Thursday for an even deeper look! This page was also cross-posted on the Siemplify blog site.
Technical IOCs Only Take You So Far
It’s easy to overlook the human elements behind cyber-threats and cyber-attacks. We tend to focus our time analyzing the technical mechanics behind executed attacks, their vulnerabilities and exploits, and their potential mitigation techniques.
While all important factors, they don’t account for the people behind the threat. This ultimately leaves us exposed and without crucial context to aid us as we allocate security resources and evaluate assets likely to be targeted.
Know Your Adversary’s Next Move
Remember: people are behind every cyberthreat. People with different skill sets and tendencies, who operate in different regions across the globe and are driven by a range of financial, political, and ideological motivations.
By homing in on these human behaviors, we can develop detailed threat profiles that include context about:
- Motives to unearth why and what attackers are after. Understand why attackers are attacking you. Are they singling out your organization, or is your exposure based on larger, distributed attack campaigns (e.g., WannaCry)?
- Tendencies to identify which exploits and attack methods they’ll use. Threat actors have their preferences when it comes to tactics, techniques, and procedures (TTPs), as well as the targets they choose as a result. Whether it’s out of familiarity, skill set, or historical success, these tendencies provide the context you need to set your security strategy and prioritize mitigating controls.
- Targets to assess your value at risk (VaR). Based on the above context, you can make further inferences as to which digital and physical assets may be vulnerable, as well as the financial and reputational value to the business that’s potentially at stake.
Use SOAR to Accelerate Threat Intelligence Action
Intelligence is only as valuable as the decisions and outcomes that it facilitates, as well as the velocity at which these actions are taken.
When threat intelligence is coupled with security orchestration, automation, and response (SOAR) technology—such as with our Flashpoint-Siemplify Integration—you unlock drastic improvements to operational and strategic tasks. More specifically, by supercharging your threat intelligence with SOAR, you can:
- Accelerate threat detection and response. Based on a range of predetermined parameters and threat indicators, you can trigger threat alerts and entire SOAR playbooks simultaneously. This ensures timely stakeholder notification, review, and response. And, as a result, it improves operational performance metrics, such as mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR).
- Enrich CVE and other security data with deeper threat context. In addition to net-new threat identification, threat intelligence also offers valuable threat context about previously identified CVEs, IOCs, or other relevant security, access, and event data. With the right SOAR playbooks, you can unify security event data with deeper contextualized results.
- Eliminate manual analyst work, inefficiencies, and redundancies. Security automation relieves SOC analysts of mundane, repetitive tasks and reduces the number of dashboards and portals they need to use. In addition, SOAR playbooks can execute entire process workflows, which is particularly valuable for dealing with an overabundance of low-priority incidents.
- Extend threat intelligence to the security tools and applications you already use. Siemplify offers a wide array of security technology integrations for quick, easy implementations. They enable the continuous exchange of security data and threat intelligence to any one or more of these tools, as well as to any disconnected, in-house systems and applications you might also manage.
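To make the two ideas above concrete, here is a small enrichment-and-triage playbook written for this post as an added example. It is not code from the Flashpoint-Siemplify integration or from either product; the threat-actor profiles, the indicator values, the organisation context and the action names are all constructed placeholders. It takes an alert carrying indicators, looks each one up in an in-memory threat-intelligence store that records the human context described earlier (motive, TTPs, targeted sectors, confidence), scores the alert against the organisation's own sector and critical assets, and then selects playbook steps so that high-priority cases page a responder while low-priority noise is closed automatically.

```python
"""Minimal SOAR-style enrichment and triage playbook (illustrative only).

Not Flashpoint or Siemplify code. The threat-intelligence store below is a
constructed, in-memory stand-in for a real feed queried through a SOAR
integration; actor names and indicator values are placeholders.
"""
from dataclasses import dataclass, field
from typing import Dict, List

# Constructed actor profiles keyed by indicator. ATT&CK technique IDs are real
# (T1566.001 spearphishing attachment, T1486 data encrypted for impact,
# T1190 exploit public-facing application); everything else is made up.
THREAT_INTEL: Dict[str, dict] = {
    "198.51.100.23": {                       # documentation-range IP, constructed
        "actor": "EXAMPLE-ACTOR-1",          # placeholder actor name
        "motive": "financial",
        "ttps": ["T1566.001", "T1486"],
        "targeted_sectors": ["finance", "healthcare"],
        "confidence": 0.9,
    },
    "CVE-0000-00000": {                      # placeholder CVE identifier
        "actor": "EXAMPLE-ACTOR-2",
        "motive": "opportunistic",
        "ttps": ["T1190"],
        "targeted_sectors": [],              # broad, untargeted campaign
        "confidence": 0.6,
    },
}

# Organisation context the playbook uses to judge whether we are a likely target.
ORG_SECTOR = "finance"
CRITICAL_ASSETS = {"payments-gateway", "core-banking-db"}


@dataclass
class Alert:
    alert_id: str
    asset: str
    indicators: List[str]
    severity: str = "low"  # severity assigned by the originating detection tool


@dataclass
class EnrichedAlert:
    alert: Alert
    matches: List[dict] = field(default_factory=list)
    priority: int = 0
    actions: List[str] = field(default_factory=list)


def enrich(alert: Alert, intel: Dict[str, dict] = THREAT_INTEL) -> EnrichedAlert:
    """Attach actor context for every indicator present in the intel store."""
    enriched = EnrichedAlert(alert=alert)
    for ioc in alert.indicators:
        profile = intel.get(ioc)
        if profile:
            enriched.matches.append({"indicator": ioc, **profile})
    return enriched


def score(enriched: EnrichedAlert) -> int:
    """Priority 0-100 from human context (targeting, motive, confidence) plus asset value."""
    best = 0
    for m in enriched.matches:
        s = int(40 * m["confidence"])
        if ORG_SECTOR in m["targeted_sectors"]:
            s += 30  # actor is known to single out our sector
        if m["motive"] == "financial" and enriched.alert.asset in CRITICAL_ASSETS:
            s += 20  # financially motivated actor touching a revenue-critical asset
        best = max(best, s)
    if enriched.alert.asset in CRITICAL_ASSETS:
        best += 10
    enriched.priority = min(best, 100)
    return enriched.priority


def decide_actions(enriched: EnrichedAlert) -> List[str]:
    """Map priority to playbook steps; alerts with no intel context are auto-closed."""
    p = enriched.priority
    if p >= 70:
        actions = ["page-on-call", "isolate-asset", "open-incident-ticket"]
    elif p >= 40:
        actions = ["open-incident-ticket", "notify-analyst"]
    elif p > 0:
        actions = ["add-context-to-case"]
    else:
        actions = ["auto-close"]
    enriched.actions = actions
    return actions


def run_playbook(alert: Alert) -> EnrichedAlert:
    """Full playbook: enrich, score, decide."""
    enriched = enrich(alert)
    score(enriched)
    decide_actions(enriched)
    return enriched


if __name__ == "__main__":
    # Constructed sample alerts: a targeted actor on a critical asset, an
    # opportunistic CVE hit, and an indicator with no intelligence at all.
    for a in (
        Alert("A-1", "payments-gateway", ["198.51.100.23"], "medium"),
        Alert("A-2", "marketing-site", ["CVE-0000-00000"]),
        Alert("A-3", "marketing-site", ["203.0.113.5"]),
    ):
        r = run_playbook(a)
        print(a.alert_id, r.priority, r.actions)
```

The scoring weights are deliberately simple and are the part a SOC would tune: the point is that the same indicator produces a different priority depending on who is behind it, whether they target your sector, and which asset it touched, which is exactly the context a bare IOC match cannot give you.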
Join Us at Siemplify SOCstock 2020
This Thursday, December 3, 2020, Siemplify kicks off its global SOCstock 2020 event. For an even deeper dive on this topic, we hope you’ll join us for our session The Human Side of Incident Response at 4:30PM EST. We hope to see you there!