The Fidelis Threat Research team is comprised of expert security researchers whose sole focus is generating accurate and actionable intelligence to better secure customers. Together, they represent over...
March 30, 2017
Going Back in Time: Investigating Threats Retroactively
Welcome back to reducing detection time from months to minutes. In the first post in this series, we showed how metadata holds the power to quickly disarm one of the most effective cyberattack methods in the attackers’ arsenal – phishing.
But what about detecting threats in the past?
You’ve read the headlines: Ransomware Hits. Data Stolen. E-mails Hacked.
Perhaps a high-profile organization in your industry was compromised, had to report the breach, and a new zero-day exploit was uncovered. No sooner do you get the details about the event than you get a phone call from the CEO, asking, “Has this happened to us?”
Can you say with certainty whether you’ve been affected by the exploit in the past, or not?
Faced with an urgent detection dilemma, it’s natural to turn to threat intel to get details. However, it’s nearly impossible to operationalize your threat intel to investigate retroactively. Yet this is exactly what must happen, because the dirty truth about threat intelligence is that by the time the details are published, attackers have already been using the tactic for a while.
When you get intel about a new tactic, how can you apply that intel quickly? And specifically, how can you apply it historically to understand if you’ve been compromised?
The answer (again) is metadata.
Rich metadata allows you to apply new threat intelligence and indicators of compromise to all traffic – including historical traffic – to determine if the organization is affected by the threat.
Still have doubts?
Metadata in Action
Referencing a report containing intel (in this case, the FBI Cyber Bulletin) about newly identified malware, we obtain a list of hashes for malicious files observed in the campaign.
Figure 1. FBI Cyber Bulletin: Identification of Locky Ransomware
Taking a hash from the threat intelligence report, we plug it into the search, select a timeframe and run it against all metadata stored by Fidelis Collector. Within seconds, you will know with absolute confidence whether this malware has impacted your environment. Searches of 90 to 120 days of metadata deliver results in minutes.
Figure 2. Hash Search Against Stored Metadata
It’s that simple.
Here, the results show us that multiple events have occurred. A quick examination reveals the attacks happened over email. Had the attacks come via the web instead, they would have been found in the same manner.
Figure 3. Results Returned from Seven Day Search of Metadata
Now, with clear eyes on the events within the environment and context around those events, all that’s left is to start the incident investigation and response process.
Figure 4. Metadata Facilitates Incident Investigation and Response
With Fidelis Network, not only can threat intelligence be applied backwards, it can also be applied to future traffic. It’s a simple matter to create a custom rule for the hash fingerprint to operationalize the threat intel. When an event matching the intel occurs in the future, you’ll automatically get an alert.
Figure 5. Custom Policy to Operationalize Threat Intelligence
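The workflow in Figures 1 through 5 is: pull hash indicators out of a bulletin, search stored session metadata for them over a lookback window, break the hits down by delivery channel, and then turn the same indicators into a rule that alerts on future traffic. The following Python is an added illustration of that logic, not Fidelis code; the record layout, the bulletin text, the hash values and the hostnames are all constructed for the example, and a real metadata store would be queried through the product rather than held in a list.

```python
"""Retro-hunt over stored session metadata with hashes from an intel bulletin.

Added example, not Fidelis code. Everything here (record layout, bulletin text,
hash values, hosts) is constructed for illustration.
"""
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# "Now" is pinned so the lookback windows below are reproducible.
NOW = datetime(2017, 3, 30, tzinfo=timezone.utc)

# Constructed IoC values (not real malware hashes).
IOC_SHA256 = "0f1e2d3c4b5a69788796a5b4c3d2e1f0" * 2
IOC_MD5 = "00112233445566778899aabbccddeeff"

# Constructed stand-in for the hash section of a bulletin.
BULLETIN_TEXT = f"""
Indicators associated with the campaign (constructed):
  SHA256: {IOC_SHA256.upper()}
  MD5:    {IOC_MD5}
  Contact: analyst@example.org (not a hash, must be ignored)
"""

# MD5 (32), SHA-1 (40) or SHA-256 (64) hex digests; word boundaries keep us
# from matching the inside of longer tokens.
HASH_RE = re.compile(r"\b([0-9a-fA-F]{32}|[0-9a-fA-F]{40}|[0-9a-fA-F]{64})\b")
HASH_FIELDS = ("md5", "sha1", "sha256")


def extract_hashes(text):
    """Pull hash IoCs out of free-text intel, normalised to lowercase."""
    return {h.lower() for h in HASH_RE.findall(text)}


def _rec(days_ago, channel, src, dst, filename, **hashes):
    """Build one constructed session-metadata record (one observed file transfer)."""
    return {"ts": NOW - timedelta(days=days_ago), "channel": channel,
            "src": src, "dst": dst, "filename": filename, **hashes}


# Constructed metadata store: a few file transfers seen on the network.
METADATA = [
    _rec(2, "smtp", "mail.example.net", "u1@corp.example", "invoice.zip", sha256=IOC_SHA256),
    _rec(5, "smtp", "mail.example.net", "u2@corp.example", "scan.zip", sha256=IOC_SHA256),
    _rec(40, "http", "198.51.100.7", "10.0.0.23", "update.exe", md5=IOC_MD5),
    _rec(3, "http", "203.0.113.9", "10.0.0.31", "setup.exe", sha256="ff" * 32),  # benign
    _rec(200, "smtp", "mail.example.net", "u3@corp.example", "old.zip", sha256=IOC_SHA256),
]


def _observed_hashes(record):
    """Every hash the record carries, whichever algorithm(s) were logged."""
    return {record[k] for k in HASH_FIELDS if record.get(k)}


def retro_hunt(records, iocs, window_days, now=NOW):
    """Return records inside the lookback window whose file hash matches an IoC."""
    cutoff = now - timedelta(days=window_days)
    return [r for r in records if r["ts"] >= cutoff and _observed_hashes(r) & iocs]


def summarize_by_channel(hits):
    """Count hits per delivery channel (smtp vs http), the breakdown Figure 3 shows."""
    return dict(Counter(h["channel"] for h in hits))


def build_hash_rule(iocs, rule_name):
    """Turn the IoC set into a forward-looking rule: returns an alert dict or None."""
    def rule(event):
        matched = _observed_hashes(event) & iocs
        if not matched:
            return None
        return {"rule": rule_name, "matched": sorted(matched),
                "channel": event["channel"], "dst": event["dst"]}
    return rule


if __name__ == "__main__":
    iocs = extract_hashes(BULLETIN_TEXT)
    hits = retro_hunt(METADATA, iocs, window_days=90)
    print(f"{len(hits)} historical hits in 90 days: {summarize_by_channel(hits)}")
    rule = build_hash_rule(iocs, "bulletin-hash-match")
    new_event = _rec(0, "http", "198.51.100.7", "10.0.0.50", "x.exe", md5=IOC_MD5)
    print("future event alert:", rule(new_event))
```

Two design points carry over to any real store: the search matches on whichever hash algorithms the metadata happens to record, since bulletins and sensors rarely agree on one, and the same IoC set drives both the historical search and the forward rule, so the two can never drift apart. Widening the window from 7 to 90 days is what surfaces the older web-delivered hit that a short search would miss.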
Without metadata, it’s all but impossible to apply threat intelligence to the past. You can basically forget about identifying – let alone resolving – the incident.
Sure, you can cut and paste snippets of intel from various threat intelligence feeds. But how time-consuming and error-prone is that?
With metadata, applying new threat intelligence to historical data takes only a few clicks. You can detect and resolve both new threats and past compromises in minutes. Not only will it enable you to confidently answer the question, “Are we safe?” the next time the CEO asks, it will equip you to detect attacks other solutions can’t even see.
The choice is yours, but we’d go with the metadata.
Did you know Fidelis automates the collection, analysis and storage of your network data so it’s ready for you to investigate immediately? The rich metadata that Fidelis Network captures about every session on your network makes it possible to investigate suspected incidents in seconds – and gives you answers to questions that were previously impossible to know.
This is part two of a three-part blog series about using metadata to reduce detection time.