November 27, 2018
Threat Intelligence Support for Rapid Incident Response
By: Josh Ray

Of the many cybersecurity teams within Accenture, our Managed Security Service (MSS) and Incident Response (IR) colleagues were the most enthusiastic in welcoming iDefense to the Accenture family. They were excited to learn that they could now access context-rich iDefense intelligence to accelerate response, prioritize incidents with data, and improve overall cyber resilience.

We wanted to share with you some of their use cases in the hopes of sparking new ideas on how to get the most from our threat intelligence.

Ticket event evaluation, validation and triage

When events are escalated, the Accenture IR team uses iDefense intelligence to evaluate which are false positives that do not require escalation, which pose a risk to each client (and how high a risk), and how to triage and prioritize each one against other events. Note that these evaluations are based on a client’s specific business profile (industry, geography, security infrastructure, high-value targets) and security profile (threat actors/groups of interest, previous attacks, industry malware trends, industry domain trends).

iDefense threat intelligence gives the IR team an almost immediate overview of the threats, campaigns, and threat actors in question, while the IntelGraph portal provides a visual overview of the relevant indicators, the threat actors/groups involved and their tactics, techniques, and procedures (TTPs), motivations, infrastructure, preferred vulnerability exploits, and attack patterns. With this combined information, the team can calculate risk appropriately and prioritize response efforts.
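The triage step described above can be made repeatable by scoring each escalated event against the client's business and security profile. The following is an added example, not code from the original post or from any iDefense product; the profile fields, weights, actor names (ACTOR-A, ACTOR-B), hostnames and indicators are all constructed, and the scoring weights are an illustrative choice rather than a published scheme.

```python
"""Priority scoring of escalated events against a client profile.

Added example: the weights, profile fields and events are constructed and
stand in for whatever an intelligence platform would actually supply.
"""
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple


@dataclass
class ClientProfile:
    industry: str
    geographies: Set[str]
    actors_of_interest: Set[str]   # threat groups the client has asked to watch
    high_value_assets: Set[str]    # hostnames the client flags as critical


@dataclass
class Event:
    event_id: str
    indicator: str                 # the IoC that fired (constructed values below)
    host: str                      # internal host that triggered the event
    actor: Optional[str]           # attributed actor/group, if the intel has one
    target_industries: Set[str]    # industries the related campaign is known to target
    target_geographies: Set[str]
    confidence: int                # 0..100 intel confidence that the indicator is malicious
    stage: str                     # attack stage inferred from the event


# Later stages get more weight: an active C2 or exfiltration beats a blocked download.
STAGE_WEIGHT = {"recon": 1, "delivery": 2, "exploitation": 3, "c2": 4, "exfiltration": 5}
MIN_CONFIDENCE = 30   # below this, treat the event as a probable false positive


def score_event(ev: Event, profile: ClientProfile) -> Tuple[int, List[str]]:
    """Return (score, reasons). A score of 0 means 'do not escalate'."""
    if ev.confidence < MIN_CONFIDENCE:
        return 0, ["low-confidence indicator; probable false positive"]
    score = ev.confidence // 10            # 3..10 baseline from intel confidence
    reasons = []
    if ev.actor and ev.actor in profile.actors_of_interest:
        score += 5
        reasons.append(f"actor {ev.actor} is on the client's watchlist")
    if profile.industry in ev.target_industries:
        score += 3
        reasons.append("campaign targets the client's industry")
    if profile.geographies & ev.target_geographies:
        score += 2
        reasons.append("campaign targets the client's geography")
    if ev.host in profile.high_value_assets:
        score += 4
        reasons.append(f"{ev.host} is a high-value asset")
    score += STAGE_WEIGHT.get(ev.stage, 0)
    reasons.append(f"attack stage: {ev.stage}")
    return score, reasons


def triage(events, profile):
    """Drop probable false positives and return the rest ordered by descending score."""
    scored = []
    for ev in events:
        score, reasons = score_event(ev, profile)
        if score > 0:
            scored.append((score, ev, reasons))
    return sorted(scored, key=lambda t: t[0], reverse=True)


# Constructed client profile and escalated events (documentation IP ranges, placeholder actors).
PROFILE = ClientProfile("finance", {"US", "UK"}, {"ACTOR-A"}, {"swift-gw01"})
EVENTS = [
    Event("E1", "203.0.113.10", "swift-gw01", "ACTOR-A", {"finance"}, {"US"}, 85, "c2"),
    Event("E2", "198.51.100.7", "ws-1042", None, {"retail"}, {"BR"}, 20, "delivery"),
    Event("E3", "cdn-update.invalid", "ws-0911", "ACTOR-B", {"finance", "energy"}, {"DE"}, 60, "delivery"),
]

if __name__ == "__main__":
    for score, ev, reasons in triage(EVENTS, PROFILE):
        print(f"{ev.event_id} score={score}: " + "; ".join(reasons))
```

The reasons list is as important as the number: an analyst reviewing the queue needs to see why an event outranks another, and the same record is what a client would expect in the ticket. E2 is dropped as a probable false positive because its indicator confidence is below the threshold, not because it is harmless by inspection; the threshold is a tuning knob per client.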

Incident analysis

The IR team sees iDefense intelligence as one of their primary sources of context for jumpstarting investigations. With it, they can quickly answer the who, what, why, when and how of an attack, the attacker and the infrastructure used, as well as determine the stage of the attack, identify its effects and take rapid corrective action. Because iDefense intelligence can be quickly fine-tuned, the team can also tailor it to specific client needs to contain, remediate, and thwart an attack and, where applicable, apply that same intelligence to other clients.

By immediately blocking attacker communications, the IR team can slow an attacker’s progress and disrupt the attacker’s ability to reach their own infrastructure. Further, they can use iDefense threat actor/group profiles to set up blocking and alerting strategies for similar future attacks.

Hunting and attack surface reduction

The IR process doesn’t end with an attacker’s defeat. Threat actors often make sloppy mistakes and leave traces of data behind that the IR team can use to build further intelligence on their specific TTPs and motivations. Combined with iDefense intelligence, this information allows the team to conduct proactive hunting to reduce a client’s attack surface. For example, they can take the file hashes left behind by a threat actor’s malware, collect all related hashes for variants in the same malware family, see how and where the malware was acquired, and hunt for those variants on a client’s network with an endpoint agent. In doing so, the team can unearth dormant or active attacks, using data from past incidents as fuel.
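The hash pivot the paragraph describes (seed hashes from one incident, expanded to the whole malware family, then swept across endpoints) is shown below as an added example; it is not code from the original post, from iDefense or from any endpoint agent. The family-to-hash map is a constructed stand-in for an intelligence lookup, and the "malware" samples are harmless byte strings constructed inline, so the hashes are real SHA-256 digests of those strings and nothing else.

```python
"""Hash-based hunt: pivot from incident hashes to a malware family, then sweep a tree.

Added example with constructed data; FAMILY_INTEL stands in for a threat-intel
feed and the sample contents are harmless strings, not malware.
"""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_bytes(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed "samples" and the constructed intel that groups them into one family.
SAMPLE_A = b"constructed dropper variant A"
SAMPLE_B = b"constructed dropper variant B"
FAMILY_INTEL = {
    "ConstructedDropper": {sha256_bytes(SAMPLE_A), sha256_bytes(SAMPLE_B)},
}


def expand_family(seed_hashes, intel):
    """Pivot from hashes seen in an incident to every known hash in the same family.

    Hashes that match no family are kept as-is so the hunt still covers them.
    """
    hashes = set(seed_hashes)
    for members in intel.values():
        if hashes & members:
            hashes |= members
    return hashes


def sha256_file(path, chunk=1 << 20):
    """Stream the file so large binaries do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def hunt(root, target_hashes):
    """Walk root and return sorted [(path, sha256)] for files whose hash is targeted."""
    hits = []
    for dirpath, _, files in os.walk(root):
        for name in files:
            p = os.path.join(dirpath, name)
            try:
                digest = sha256_file(p)
            except OSError:
                continue   # unreadable or vanished file: skip it, do not abort the sweep
            if digest in target_hashes:
                hits.append((p, digest))
    return sorted(hits)


def demo():
    """Plant variant B in a constructed tree, seed the hunt with variant A only,
    and return the relative paths that the family expansion lets the hunt find."""
    with tempfile.TemporaryDirectory() as root:
        Path(root, "ProgramData").mkdir()
        Path(root, "ProgramData", "svc.bin").write_bytes(SAMPLE_B)
        Path(root, "benign.txt").write_bytes(b"nothing to see here")
        seeds = {sha256_bytes(SAMPLE_A)}            # only variant A was seen in the incident
        targets = expand_family(seeds, FAMILY_INTEL)  # now covers variant B as well
        return [Path(p).relative_to(root).as_posix() for p, _ in hunt(root, targets)]


if __name__ == "__main__":
    print(demo())
```

The point of the expansion step is that the incident only surfaced variant A; without the family pivot, the sweep would miss the dormant variant B sitting on another host. On a real estate the sweep runs through the endpoint agent rather than `os.walk`, and exact-hash matching should be treated as a floor: a recompiled variant will not share a SHA-256, so the same pivot is usually paired with looser indicators from the same intelligence.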

Moreover, upon discovering unknown malware, the IR team can reach out to iDefense directly so that we can perform in-depth analysis and bypass any reverse-engineering obstacles they may face (our clients also regularly send us malware samples for direct analysis). We provide a leading-edge view of the actual malware payload, which significantly accelerates IR analysis and helps shorten the IR timeline. By applying the operational intelligence derived from these analysis efforts, the IR team can also contain infections.

Plain English defense instructions

Time is one of the most restrictive factors in incident response efforts. If IR teams are stretched thin during a significant incident and lack the time to think through all the required response measures, some network gaps or system vulnerabilities could stay open too long, inviting additional attacks or campaigns.

iDefense is pleased to say that many of our analysts have spent time in the responder seat and know what it takes to thwart an attack quickly. Our analysts take great pride in providing plain-English instructions with several response options for specific attacks, and both the Accenture IR and MSS teams use these detailed response and network-hardening instructions to help reduce response times and enhance network security after an attack.

Finally, the teams also use iDefense vulnerability intelligence—for example, insight into what software- or hardware-based products exist on a client network and what zero-day or latent vulnerabilities threat actors may exploit—to more efficiently and proactively remove malware, reverse changes, and remove/patch vulnerabilities.

We hope this information is helpful. If you have any questions, or need help applying your threat intelligence for incident response, don’t hesitate to reach out to the Accenture Security Team.
