Cybersecurity has a habit of becoming a cat-and-mouse game that pits security analysts against highly sophisticated hackers with a considerable amount of technical knowledge. Although script kiddies can still be found roaming the dark web, most threat actors are no longer content with basic attacks. They conduct their own reconnaissance. They study their targets and move with precision.
To a security analyst, observing a sophisticated threat actor is a monumental task. It requires connecting the dots to understand not only the ‘who’ but also the ‘why’. Fortunately, today’s analysts are getting help by way of SOAR (Security Orchestration, Automation, and Response) integration. Integrating SOAR allows analysts to move beyond basic alert management to a defensive posture that leverages automated intelligence.
Connecting the Dots at Machine Speed

SOAR providers, like DarkOwl, give analysts the ability to connect the dots at machine speed. Think of it as following breadcrumbs. Whenever a threat actor breaches a network, they begin leaving a trail of digital breadcrumbs behind them. Those breadcrumbs might consist of:
- A PowerShell script
- A unique file renaming pattern
- A rare IP address
- A geographic location
In a traditional environment not equipped with SOAR, each of the breadcrumbs is trapped in a separate silo. IP address data lives in the firewall, the SIEM holds the logs, and you need to look at the EDR for the script.
An integrated SOAR environment pulls all the clues together in a unified environment. Instead of having to manually search various databases to find clues, the platform automatically curates them after simultaneously querying each component:
- SIEM – Has the internal user interacted with the same external IP before?
- Intel Feeds – Is this IP associated with an already known individual or group?
- EDR – What process initiated the activity, and does its file hash match a known malicious one?
All of this happens in the background so that by the time a human analyst gets to the alert, profile building has already begun. The analyst can add to the profile as needed, potentially identifying the threat actor and their motives. Maybe it’s an individual with financial motivations. Perhaps it’s a political group conducting state-sponsored espionage.
Identifying Threat Actor Habits

SOAR integration continues to be beneficial even after identifying threat actor intent. It takes advantage of the fact that hackers are creatures of habit. They tend to use and reuse the same TTPs as long as they can get away with it. This gives security analysts an edge when a SOAR platform is able to map incoming alerts to a framework like MITRE ATT&CK.
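The fan-out-and-correlate step described above (query SIEM, intel feed and EDR in parallel, merge the answers into an actor profile, then tag the observed behaviour with MITRE ATT&CK technique IDs) can be written as a small playbook. The following is an added illustration, not DarkOwl's software or any vendor's playbook; the three data sources, the connection log, the intel record, the file hash and the ATT&CK mapping table are all constructed inline so the block runs offline. The technique IDs for PowerShell (T1059.001) and data encrypted for impact (T1486) are real ATT&CK identifiers; everything else is a placeholder.

```python
"""Toy SOAR enrichment playbook (added example, constructed data throughout)."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass, field

# --- Constructed stand-ins for the SIEM, the intel feed and the EDR --------
SIEM_CONNECTION_LOG = [  # (internal user, external IP, timestamp) - constructed
    ("alice", "203.0.113.7", "2024-03-01T09:12:00Z"),
    ("alice", "203.0.113.7", "2024-03-02T21:40:00Z"),
    ("bob", "198.51.100.9", "2024-03-02T10:05:00Z"),
]
INTEL_FEED = {  # external IP -> attribution record (constructed)
    "203.0.113.7": {"actor": "EXAMPLE-GROUP-1", "motive": "financial"},
}
EDR_HASH_VERDICTS = {  # SHA-256 -> verdict; "a"*64 is a placeholder hash
    "a" * 64: "malicious",
}
# Behaviour label observed on the host -> ATT&CK technique ID
ATTACK_MAP = {
    "powershell": "T1059.001",  # Command and Scripting Interpreter: PowerShell
    "mass_rename": "T1486",     # Data Encrypted for Impact (ransomware rename pattern)
}


@dataclass
class Alert:
    user: str
    external_ip: str
    process: str        # e.g. "powershell.exe"
    file_hash: str
    behaviours: list    # labels produced by the EDR, keys of ATTACK_MAP


@dataclass
class Profile:
    prior_contacts: int = 0
    attribution: dict = field(default_factory=dict)
    edr_verdict: str = "unknown"
    techniques: list = field(default_factory=list)
    severity: str = "low"


def query_siem(alert):
    """SIEM question: has this user talked to this external IP before?"""
    return sum(1 for u, ip, _ in SIEM_CONNECTION_LOG
               if u == alert.user and ip == alert.external_ip)


def query_intel(alert):
    """Intel feed question: is the IP tied to a known actor or group?"""
    return INTEL_FEED.get(alert.external_ip, {})


def query_edr(alert):
    """EDR question: is the initiating file's hash known malicious?"""
    return EDR_HASH_VERDICTS.get(alert.file_hash, "unknown")


def map_to_attack(behaviours):
    """Translate observed behaviour labels into sorted ATT&CK technique IDs."""
    return sorted({ATTACK_MAP[b] for b in behaviours if b in ATTACK_MAP})


def build_profile(alert):
    """Query all three sources concurrently, then correlate into one profile."""
    with ThreadPoolExecutor(max_workers=3) as pool:
        siem_f = pool.submit(query_siem, alert)
        intel_f = pool.submit(query_intel, alert)
        edr_f = pool.submit(query_edr, alert)
        profile = Profile(prior_contacts=siem_f.result(),
                          attribution=intel_f.result(),
                          edr_verdict=edr_f.result())
    profile.techniques = map_to_attack(alert.behaviours)

    # Simple additive scoring; thresholds are arbitrary for the example.
    score = 0
    if profile.prior_contacts > 1:
        score += 1          # repeat contact with the same external host
    if profile.attribution:
        score += 2          # known actor or group
    if profile.edr_verdict == "malicious":
        score += 2
    if "T1486" in profile.techniques:
        score += 2          # encryption for impact already under way
    profile.severity = "critical" if score >= 5 else "high" if score >= 3 else "low"
    return profile


if __name__ == "__main__":
    demo = Alert("alice", "203.0.113.7", "powershell.exe", "a" * 64,
                 ["powershell", "mass_rename"])
    print(build_profile(demo))
```

The point of the block is the shape of the work, not the scoring: three independent questions are asked at once, and the analyst receives a single object with prior contacts, attribution, an EDR verdict and ATT&CK tags already filled in, rather than three consoles to visit.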
Although hackers tend to be creatures of habit, they also have their own deceptive practices. SOAR providers account for that in their software. A good platform has the ability to interrogate a threat actor by way of an automated SOAR playbook designed to:
- Isolate the attack environment in a sandbox
- Deploy a fake, high-value file to see if the hacker takes the bait
- Monitor the hacker’s reaction in real time
Automated playbooks make it possible for analysts to observe what a threat actor is up to with zero risk to the production environment. If a threat actor immediately takes the bait, analysts know they are dealing with a high-level threat. If the hacker immediately starts encrypting files, analysts know that the intent is immediate.
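The observation half of that playbook (watch the sandbox, note whether and how fast the decoy is touched, and recognise an encryption run from the file renaming pattern) reduces to a small assessment function over the sandbox's event stream. The block below is an added example and not code from any SOAR product; the decoy path, the event record format, the rename suffixes and the timing thresholds are all assumptions chosen for illustration, and the events are constructed.

```python
"""Toy sandbox observation step for a decoy-file playbook (added example)."""
from dataclasses import dataclass

# Assumed decoy planted in the sandbox; the name is constructed bait.
DECOY_PATH = "/srv/finance/Q4_payroll_FINAL.xlsx"
# Extensions that, when appended in bulk, are treated as an encryption run.
ENCRYPT_SUFFIXES = (".locked", ".enc")


@dataclass
class Event:
    t: float      # seconds since the decoy was planted
    kind: str     # "read", "rename" or "exfil"
    path: str     # file the event touched (for "rename", the new name)


def assess(events, bait_window_s=60.0, rename_threshold=5):
    """Summarise sandbox events into the two signals the article names.

    took_bait:            seconds until the decoy was first read, or None
    encryption_observed:  True once enough files carry an encryption suffix
    assessment:           short human-readable verdict for the analyst
    """
    took_bait = None
    renames = 0
    for e in sorted(events, key=lambda ev: ev.t):
        if e.kind == "read" and e.path == DECOY_PATH and took_bait is None:
            took_bait = e.t
        elif e.kind == "rename" and e.path.endswith(ENCRYPT_SUFFIXES):
            renames += 1

    encryption = renames >= rename_threshold
    if encryption:
        assessment = "immediate intent: encryption in progress"
    elif took_bait is not None and took_bait <= bait_window_s:
        assessment = "high-level threat: decoy taken quickly"
    elif took_bait is not None:
        assessment = "interested but slow: decoy taken after the window"
    else:
        assessment = "no engagement observed"

    return {
        "took_bait": took_bait,
        "encryption_observed": encryption,
        "encrypt_renames": renames,
        "assessment": assessment,
    }


# Constructed sample: the decoy is read 12 s after planting, nothing else.
SAMPLE_QUICK_BAIT = [
    Event(3.0, "read", "/srv/finance/README.txt"),
    Event(12.0, "read", DECOY_PATH),
]

# Constructed sample: a burst of renames to .locked with no interest in the decoy.
SAMPLE_ENCRYPTION = [
    Event(float(i), "rename", f"/srv/finance/doc{i}.docx.locked") for i in range(6)
]

if __name__ == "__main__":
    print(assess(SAMPLE_QUICK_BAIT))
    print(assess(SAMPLE_ENCRYPTION))
```

Encryption takes precedence over the bait signal on purpose: an actor who is already renaming files in bulk has declared intent regardless of whether the decoy was opened, which is the ordering the text above implies.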
Reducing the Guesswork

When it comes to understanding threat actors and their intentions, SOAR integration reduces the guesswork. SOAR providers and the tools they offer leverage automated data gathering and correlation. Analysts spend more time stopping hackers and less time cleaning up after them.