Threat intelligence support for rapid incident response
November 27, 2018
Of the many cybersecurity teams within Accenture, our Managed Security Service (MSS) and Incident Response (IR) colleagues were the most enthusiastic in welcoming iDefense to the Accenture family. They were excited to learn that they could now access context-rich iDefense intelligence to accelerate response, prioritize incidents with data, and improve overall cyber resilience.
We wanted to share with you some of their use cases in the hopes of sparking new ideas on how to get the most from our threat intelligence.
When events are escalated, the Accenture IR team uses iDefense intelligence to evaluate which are false positives and do not require escalation, which pose a risk—and how high—to each client, and how to triage/prioritize each in comparison to other events. To note, evaluations are based on a client’s specific business (industry, geography, security infrastructure, high-value targets) and security (threat actors/groups of interest, previous attacks, industry malware trends, industry domain trends) profiles.
iDefense threat intelligence gives the IR team an almost immediate overview of the threats, campaigns, and threat actors in question, while the IntelGraph portal provides a visual overview of the relevant indicators, threat actors/groups and their tactics, techniques, and procedures (TTPs), motivations, infrastructure, vulnerability and exploit preferences, and attack patterns. With this combined information, they can appropriately calculate risk and prioritize response efforts.
The IR team sees iDefense intelligence as one of their primary sources of context to jumpstart investigations. With it, they can quickly answer the who/what/why/when/how of an attack, the attacker, and the infrastructure used, as well as determine the stage of an attack, identify its effects, and take rapid corrective action. Because iDefense intelligence can be quickly fine-tuned, the team can also tailor it to specific client needs to contain, remediate, and thwart an attack and, as applicable, apply that same intelligence to other clients.
Through immediate attacker communication blocking, the IR team can slow an attacker’s progress and disrupt his ability to communicate with his infrastructure. Further, they can utilize iDefense threat actor/group profiles to set up blocking and alerting strategies for similar future attacks.
The IR process doesn’t end with an attacker’s defeat. Often, threat actors make sloppy mistakes and leave traces of data behind that the IR team can use to build further intelligence on their specific TTPs, motivations and motives. Combined with iDefense intelligence, this information allows the team to conduct proactive hunting activities to reduce a client’s attack surface. For example, they can access the file hashes left behind by a threat actor’s malware, collect all related hashes for similar malware variants in the same malware family, see how and where the malware was acquired, and hunt for similar malware variants on a client’s network with an endpoint agent. In doing so, the team can unearth dormant or active attacks fueled by data from past incidents.
Moreover, upon discovering unknown pieces of malware, the IR team can reach out to iDefense directly so that we can perform in-depth analysis and bypass any reverse-engineering obstacles they may face (our clients also regularly send us malware samples for direct analysis). We provide a leading-edge view of the actual malware payload, which heavily boosts the IR analysis process and helps reduce the IR timeline. By applying the operational intelligence derived from these analysis efforts, the IR team can also contain infections.
Time is one of the most restrictive factors in incident response efforts. If IR teams are stretched thin during a significant incident and lack the time to think through all the various required response measures, some network gaps or system vulnerabilities could stay open too long, inviting additional attacks or campaigns.
iDefense is pleased to say that many of our analysts have spent time in the responder seat and know what it takes to thwart an attack quickly. In fact, our analysts take great pride in providing plain-English instructions with several response options for specific attacks, and both the Accenture IR and MSS teams use these detailed response and network-hardening instructions to help reduce response times and enhance network security after an attack.
Finally, the teams also use iDefense vulnerability intelligence—for example, insight into what software- or hardware-based products exist on a client network and what zero-day or latent vulnerabilities threat actors may exploit—to more efficiently and proactively remove malware, reverse changes, and remove/patch vulnerabilities.
We hope this information is helpful. If you have any questions, or need help applying your threat intelligence for incident response, don’t hesitate to reach out to the Accenture Security Team.
Accenture Security is a leading provider of end-to-end cybersecurity services, including advanced cyber defense, applied cybersecurity solutions and managed security operations. We bring security innovation, coupled with global scale and a worldwide delivery capability through our network of Advanced Technology and Intelligent Operations centers. Helped by our team of highly skilled professionals, we enable clients to innovate safely, build cyber resilience and grow with confidence. Follow us @AccentureSecure on Twitter or visit us at www.accenture.com/security.
Copyright © 2020 Accenture. All rights reserved. Accenture, its logo, and High Performance Delivered are trademarks