How to Speed Up Your SOC Investigations
https://www.indiavpn.org/2024/02/27/how-to-speed-up-your-soc-investigations/ (Tue, 27 Feb 2024)


Processing alerts quickly and efficiently is the cornerstone of a Security Operations Center (SOC) professional’s role. Threat intelligence platforms can significantly enhance their ability to do so. Let’s find out what these platforms are and how they can empower analysts.

The Challenge: Alert Overload

The modern SOC faces a relentless barrage of security alerts generated by SIEMs and EDRs. Sifting through these alerts is both time-consuming and resource-intensive. Analyzing a potential threat often requires searching across multiple sources before finding conclusive evidence of whether it poses a real risk. The process is further hampered by the frustration of spending valuable time researching artifacts that ultimately turn out to be false positives.

As a result, a significant portion of these events remain uninvestigated. This highlights a critical challenge: finding necessary information related to different indicators quickly and accurately. Threat data platforms offer a solution. These platforms enable you to look up any suspicious URL, IP, or other indicator and receive immediate insights into its potential risk. One such platform is Threat Intelligence Lookup from ANY.RUN.

Threat Intelligence Platforms to the Rescue

Specialized platforms for SOC investigations leverage their databases of threat data, aggregated from diverse sources. Take, for example, ANY.RUN’s Threat Intelligence Lookup (TI Lookup). This platform collects Indicators of Compromise (IOCs) from millions of interactive analysis sessions (tasks) conducted within the ANY.RUN sandbox.

The platform offers an additional dimension of threat data: logs of processes, registry and network activity, command line contents, and other system information generated during sandbox analysis sessions. Users can then search for relevant details across these fields.

Threat Intelligence Platforms Benefits

Deeper Visibility into Threats

Instead of relying on scattered data sources, such platforms offer a single point of access to search for IOCs across various data points. This includes URLs, file hashes, IP addresses, logged events, command lines, and registry keys, allowing for more comprehensive threat identification and investigation.

Faster Alert Investigations

When a security incident occurs, time is of the essence. TI platforms help gather relevant threat intelligence data rapidly, enabling a deeper understanding of the attack’s nature, affected systems, and compromise scope. This can significantly speed up and improve response efforts.

Proactive Threat Hunting

Threat intelligence platforms empower teams to actively hunt for known IOCs associated with specific malware families. This proactive approach can help uncover hidden threats before they escalate into major incidents.

They can provide access to data that might reveal potential vulnerabilities associated with known threats. This information can inform risk assessments and help organizations prioritize security efforts based on the most pressing dangers.

Threat Analysis and Decision-Making

Armed with detailed insights into malware behavior, teams can more accurately analyze threats and make informed decisions about containment, remediation, and future preventative measures. This continuous learning cycle strengthens the overall security posture and team competency.

Threat Intelligence Platform Query Examples

Searching with Individual Indicators


Imagine you suspect a compromised system within your network is downloading malicious files. You pinpoint a specific IP address as the potential source and decide to investigate further. Enter the IP address into the search bar of a threat intelligence platform. Instantly, the platform flags the address as malicious and linked to the Remcos malware, offering info on domains, ports, and even files associated with this IP.

It also provides access to analysis sessions where this IP address was involved and lists Tactics, Techniques, & Procedures (TTPs) employed by malware in these sessions.


You can study every session in detail by simply clicking on it. The system will take you to the session’s page in the ANY.RUN sandbox, where you will be able to explore all the processes, connections, and registry activity, as well as collect the malware’s config and IOCs or download a comprehensive threat report.

Flexible Search with Wildcards

Another useful feature of threat intelligence platforms like TI Lookup is the ability to submit wildcards and combined queries.


For instance, the query “binPath=*start= auto” uses the asterisk wildcard: it matches any command line that contains “binPath=” followed by any run of characters and then “start= auto”.

The platform returns a hundred sessions where the same fragment appeared. A closer examination of the search results indicates that this specific command line artifact is characteristic of the Tofsee malware.

Combined Search Requests

Another option for conducting an investigation is to pool together all available indicators and submit them to the threat intelligence platform to identify all instances where these criteria appear collectively.


For example, you can construct a query that searches for all tasks (sessions) categorized as “file,” run on Windows 7, with a 64-bit operating system, connecting to port 50500 and containing the string “schtasks” in the command line.

The platform then identifies numerous sessions that meet the specified criteria and additionally provides a list of IPs tagged with “RisePro,” highlighting the malware responsible.
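The two query styles above (a wildcard over the command line, and a combined query over several session fields) can be modelled as a small search over session records. This is an added example, not ANY.RUN code; the session schema and field names are assumptions, and the records are constructed samples.

```python
import re

# Constructed sandbox session records (field names are an assumption, not
# TI Lookup's real schema; values are invented for the example).
SESSIONS = [
    {"id": "s1", "category": "file", "os": "Windows 7", "bitness": 64, "ports": [50500, 443],
     "cmdline": 'schtasks /create /tn "Updater" /tr C:\\Users\\Public\\upd.exe /sc minute',
     "tags": ["RisePro"]},
    {"id": "s2", "category": "file", "os": "Windows 7", "bitness": 64, "ports": [50500],
     "cmdline": 'sc create svc binPath= "C:\\ProgramData\\x.exe" start= auto',
     "tags": ["Tofsee"]},
    {"id": "s3", "category": "url", "os": "Windows 10", "bitness": 64, "ports": [443],
     "cmdline": "schtasks /query", "tags": []},
    {"id": "s4", "category": "file", "os": "Windows 7", "bitness": 32, "ports": [50500],
     "cmdline": "cmd /c schtasks /delete /tn x", "tags": []},
]


def wildcard_to_regex(query: str) -> re.Pattern:
    """'*' matches any run of characters; everything else is taken literally."""
    return re.compile(".*".join(re.escape(p) for p in query.split("*")), re.IGNORECASE)


def search(sessions, cmdline_pattern=None, **exact):
    """Combined query: optional wildcard over cmdline plus exact-match fields.
    A list-valued field (ports) matches when it contains the requested value."""
    rx = wildcard_to_regex(cmdline_pattern) if cmdline_pattern else None
    hits = []
    for s in sessions:
        if rx and not rx.search(s["cmdline"]):
            continue
        matched = True
        for field, value in exact.items():
            actual = s.get(field)
            matched = value in actual if isinstance(actual, list) else actual == value
            if not matched:
                break
        if matched:
            hits.append(s["id"])
    return hits


def tags_for(sessions, ids):
    """Malware family tags carried by the matching sessions (the 'RisePro' step)."""
    return sorted({t for s in sessions if s["id"] in ids for t in s["tags"]})
```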

Try Threat Intelligence Lookup

Threat Intelligence Lookup from ANY.RUN lets you investigate threats with precision. Analyze processes, files, network activity, and more. Refine your search with 30+ fields, including IPs, domains, logged events, and MITRE techniques. Combine parameters for holistic understanding. Use wildcard queries to expand your reach.

Request a trial to receive 50 free requests to explore the platform.

Why Are Compromised Identities the Nightmare to IR Speed and Efficiency?
https://www.indiavpn.org/2024/02/12/why-are-compromised-identities-the-nightmare-to-ir-speed-and-efficiency/ (Mon, 12 Feb 2024)


Incident response (IR) is a race against time. You engage your internal or external team because there’s enough evidence that something bad is happening, but you’re still blind to the scope, the impact, and the root cause. The common set of IR tools and practices provides IR teams with the ability to discover malicious files and outbound network connections. However, the identity aspect – namely the pinpointing of compromised user accounts that were used to spread in your network – unfortunately remains unattended. This task proves to be the most time-consuming for IR teams and has become a challenging uphill battle that enables attackers to earn precious time in which they can still inflict damage.

In this article, we analyze the root cause of the identity blind spot in IR and provide sample IR scenarios in which it acts as an inhibitor to a rapid and efficient process. We then introduce Silverfort’s Unified Identity Protection Platform and show how its real-time MFA and identity segmentation can overcome this blind spot and make the difference between a contained incident and a costly breach.

IR 101: Knowledge is Power. Time is Everything

The triggering of an IR process can come in a million shapes. They all share a resemblance in that you think – or are even sure – that something is wrong, but you don’t know exactly what, where, and how. If you’re lucky, your team spotted the threat when it’s still building up its power inside but hasn’t yet executed its malicious objective. If you’re not so lucky, you become aware of the adversarial presence only after its impact has already broken out – encrypted machines, missing data, and any other form of malicious activity.

One way or the other, the most urgent task once the IR starts rolling is to dissolve the darkness and get clear insights into the compromised entities within your environment. Once located and validated, steps can be taken to contain the attack by quarantining machines, blocking outbound traffic, removing malicious files, and resetting user accounts.

As it happens, the last task is far from trivial when dealing with compromised user accounts and introduces a yet unaddressed challenge. Let’s understand why that is.

Identity IR Gap #1: No Playbook Move to Detect Compromised Accounts

Unlike malware files or malicious outbound network connections, a compromised account doesn’t do anything that is essentially malicious – it merely logs in to resources in the same manner a normal account would. If it’s an admin account that accesses multiple workstations and servers on a daily basis – which is the case in many attacks – its lateral movement won’t even seem anomalous.


The result is that the discovery of the compromised account takes place only after the compromised machines are located and quarantined, and even then, it entails manually checking all the accounts that are logged there. And again – when racing against time, the dependency on manual and error-prone investigation creates a critical delay.

Identity IR Gap #2: No Playbook Move to Immediately Contain the Attack and Prevent Further Spread

As in real life, there’s a stage of immediate first aid that precedes full treatment. The equivalent in the IR world is to contain the attack within its current boundaries and ensure it doesn’t spread further, even prior to discovering its active components. On the network level, it’s done by temporarily isolating segments that potentially host malicious activity from those that are not yet compromised. At the endpoint level, it’s done by quarantining machines where malware is located.

Here again, the identity aspect lags behind. The only available containment is disabling the user account in AD or resetting its password. The first option is a no-go due to the operational disruption it introduces, especially in the case of false positives. The second option is not good either: if the suspected account is a machine-to-machine service account, resetting its password is likely to break the critical processes it manages, adding damage on top of what the attack has already caused. And if the adversary has managed to compromise the identity infrastructure itself, a password reset will simply be answered by shifting to another account.

Identity IR Gap #3: No Playbook Move to Reduce Exposed Identity Attack Surfaces That Adversaries Target Within the Attack

The weaknesses that expose the identity attack surface to malicious credential access, privilege escalation, and lateral movement are blind spots for the posture and hygiene products in the security stack. This deprives the IR team of critical indications of compromise that could have significantly accelerated the process.

Prominent examples are vulnerable authentication protocols like NTLM (or, even worse, NTLMv1), misconfigurations like accounts set with unconstrained delegation, shadow admins, stale users, and many more. Adversaries feast on these weaknesses as they follow their Living Off The Land route. The inability to locate and reconfigure or protect accounts and machines that feature these weaknesses turns the IR into an exercise in cat herding: while the analyst is busy analyzing whether Account A is compromised, the adversaries are already leveraging compromised Account B.

Bottom Line: No Tools. No Shortcuts. Just Slow and Manual Log Analysis While the Attack is in Full Gear

So, that’s the status quo when the IR team finally needs to discover which user accounts the attacker is using to spread in your environment: no tools, no shortcuts, just slow and manual log analysis. This is a secret no one talks about and the true root cause of why lateral movement attacks are so successful and hard to contain, even while the IR process is taking place.

This is the challenge Silverfort solves.

Silverfort Unified Identity Protection for IR Operations

Silverfort’s Unified Identity Protection platform integrates with the identity infrastructure on-prem and in the cloud (Active Directory, Entra ID, Okta, Ping, etc.). This integration enables Silverfort to have full visibility into any authentication and access attempt, real-time access enforcement to prevent malicious access with either MFA or access block, and automated discovery and protection of service accounts.

Let’s see how these capabilities accelerate and optimize the identity IR process:

Detection of Compromised Accounts with MFA with Zero Operational Disruption

Silverfort is the only solution that can enforce MFA protection on all AD authentication, including command line tools like PsExec and PowerShell. With this capability, a single policy that requires all user accounts to verify their identity with MFA can detect all compromised accounts in minutes.

Once the policy is configured, the flow is simple:

  1. The adversary attempts to continue its malicious access and logs into a machine with the account’s compromised credentials.
  2. The true user is prompted with MFA and denies that they have requested access to the specified resource.

Goal #1 achieved: There’s now evidence beyond doubt that this account is compromised.

Side Note: Now that there’s a validated compromised account, all we need to do is filter all the machines that this account has logged into in Silverfort’s log screen.

Contain the Attack with MFA and Block Access Policies

The MFA policy we’ve described above not only serves to detect which accounts are compromised but also to prevent any additional spread of the attack. This enables the IR team to freeze the adversary’s foothold where it is and ensure that all the yet non-compromised resources stay intact.

Protection with Operational Disruption Revisited: Zoom-in On Service Accounts

Special attention should be given to service accounts as they are heavily abused by threat actors. These machine-to-machine accounts are not associated with a human user and cannot be subject to MFA protection.

However, Silverfort automatically discovers these accounts and gains insights into their repetitive behavioral patterns. With this visibility, Silverfort enables the configuration of policies that block access whenever a service account deviates from its behavior. In that manner, all of the standard service account activity is not disrupted, while any malicious attempt to abuse it is blocked.
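The service account control described above (learn an account’s repetitive pattern, then block anything that deviates from it) can be illustrated with a small baseline-and-compare check. This is an added example, not Silverfort’s code; the log format, host names and account names are constructed for the example.

```python
from collections import defaultdict

# Constructed authentication events (not Silverfort's log format):
# "<timestamp> <account> <source> -> <destination> <protocol>" per line.
# BASELINE_LOG is a known-good period used to learn each account's pattern.
BASELINE_LOG = """\
2024-02-01T02:00:01 svc_backup bkp01 -> fs01 Kerberos
2024-02-01T02:00:05 svc_backup bkp01 -> fs02 Kerberos
2024-02-02T02:00:01 svc_backup bkp01 -> fs01 Kerberos
2024-02-02T02:00:06 svc_backup bkp01 -> fs02 Kerberos
2024-02-01T03:00:00 svc_sql app01 -> sql01 Kerberos
"""

# Live traffic to evaluate: the second line is a service account suddenly
# authenticating from a finance workstation to a domain controller over NTLM.
LIVE_LOG = """\
2024-02-10T02:00:02 svc_backup bkp01 -> fs01 Kerberos
2024-02-10T14:12:33 svc_backup ws-finance07 -> dc01 NTLM
2024-02-10T14:13:01 svc_sql app01 -> sql01 Kerberos
"""


def parse(log):
    for line in log.splitlines():
        ts, account, src, _, dst, proto = line.split()
        yield {"ts": ts, "account": account, "src": src, "dst": dst, "proto": proto}


def learn_baseline(log):
    """Per service account: the (source, destination, protocol) triples it used
    during the known-good period. This is the account's 'repetitive pattern'."""
    baseline = defaultdict(set)
    for e in parse(log):
        baseline[e["account"]].add((e["src"], e["dst"], e["proto"]))
    return baseline


def evaluate(baseline, log):
    """Return (verdict, event) pairs: 'allow' when the authentication matches the
    learned pattern, 'block' for any source/destination/protocol never seen before."""
    decisions = []
    for e in parse(log):
        key = (e["src"], e["dst"], e["proto"])
        verdict = "allow" if key in baseline.get(e["account"], set()) else "block"
        decisions.append((verdict, e))
    return decisions


def blocked_events(baseline, log):
    return [e for verdict, e in evaluate(baseline, log) if verdict == "block"]
```

Routine activity in LIVE_LOG passes untouched, while the single out-of-pattern authentication is the only one blocked.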

Goal #2 achieved: The attack is contained and the IR team can rapidly move to investigation.

Eliminating Exposed Weaknesses in the Identity Attack Surface

Silverfort’s visibility into all authentications and access attempts within the environment enables it to discover and mitigate common weaknesses that attackers take advantage of. Here are a few examples:

  • Setting MFA policies for all shadow admins
  • Setting block access policies for any NTLMv1 authentications
  • Discovering all accounts that were configured without pre-authentication
  • Discovering all accounts that were configured with unconstrained delegation

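The last two checks in the list (accounts without Kerberos pre-authentication and accounts with unconstrained delegation) are both recorded as bits in the Active Directory userAccountControl attribute. The following added example (not Silverfort code) decodes those bits over a constructed set of directory records; the account names and values are invented.

```python
# userAccountControl bit flags as documented by Microsoft for Active Directory.
ACCOUNTDISABLE = 0x2
NORMAL_ACCOUNT = 0x200
WORKSTATION_TRUST_ACCOUNT = 0x1000
TRUSTED_FOR_DELEGATION = 0x80000   # unconstrained delegation
DONT_REQ_PREAUTH = 0x400000        # Kerberos pre-authentication not required

# Constructed directory export (attribute names as in AD; values invented).
# In practice this would come from an LDAP query for sAMAccountName,userAccountControl.
ACCOUNTS = [
    {"sAMAccountName": "svc_legacy", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH},
    {"sAMAccountName": "fileserver01$", "userAccountControl": WORKSTATION_TRUST_ACCOUNT | TRUSTED_FOR_DELEGATION},
    {"sAMAccountName": "jdoe", "userAccountControl": NORMAL_ACCOUNT},
    {"sAMAccountName": "old_admin", "userAccountControl": NORMAL_ACCOUNT | DONT_REQ_PREAUTH | ACCOUNTDISABLE},
]

WEAKNESS_FLAGS = {
    "no_preauth": DONT_REQ_PREAUTH,
    "unconstrained_delegation": TRUSTED_FOR_DELEGATION,
}


def identity_weaknesses(accounts, include_disabled=False):
    """Map each weakness to the accounts that carry it. Disabled accounts are
    skipped by default: they cannot authenticate, so they are noise during
    'first aid', but can be included for a full hygiene report."""
    findings = {name: [] for name in WEAKNESS_FLAGS}
    for a in accounts:
        uac = a["userAccountControl"]
        if uac & ACCOUNTDISABLE and not include_disabled:
            continue
        for name, flag in WEAKNESS_FLAGS.items():
            if uac & flag:
                findings[name].append(a["sAMAccountName"])
    return findings
```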
This attack surface reduction will usually take place during the initial ‘first aid’ stage.

Goal #3 achieved: Identity weaknesses are mitigated and cannot be used for malicious propagation.

Conclusion: Gaining Identity IR Capabilities is Imperative – Are You Ready?

Compromised accounts are a key component in over 80% of cyber attacks, making the risk of getting hit an almost certainty. Security stakeholders should invest in having IR tools that can address this aspect in order to ensure their ability to respond efficiently when such an attack happens.

To learn more about the Silverfort platform’s IR capabilities, reach out to one of our experts to schedule a quick demo.
