Case Study - Automated Incident Handling
See how ThreatPipes is used defensively to monitor your perimeter and to identify potential breaches.
Your SIEM, incident response platform, or one of the many other tools in your security stack probably generates a lot of alerts.
Am I right?
Many will be benign. Others more severe.
It’s not always easy to identify threats at first glance. Threat intelligence platforms can help, but they often struggle to keep up with the ever-changing and complex relationships between malicious indicators.
ThreatPipes is used to complement existing tools and increase their effectiveness.
Taking the information from a security incident, ThreatPipes uncovers everything the world knows about it: whether threat intel feeds (such as Bambenek, AlienVault and many more) have reported any of the indicators, relationships to other potentially malicious sources, attack behaviours, known threat actors, and so on.
Instead of just responding with a single confidence score for a threat, ThreatPipes takes thousands of data points and analyses the relationship between them to look beyond the obvious.
If a malicious target is identified, ThreatPipes will return its relationships to other targets.
Often ThreatPipes will uncover an early attack in the delivery phase: 9 times out of 10, a phishing email.
By scanning the internet and the dark web, ThreatPipes uncovers much more information than simply telling you an indicator is unsafe.
The attack might be linked to a known group of actors. That group might use other known domains in their phishing campaigns. Those domains might host payloads belonging to different malware strains.
You get the idea.
This is important because it gives you a picture of what an attacker might do next.
At this point you can jump back to your other tools to see if the other pieces of intelligence have also been observed in your network.
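The enrich-then-pivot loop described above, as an added example that is not ThreatPipes code: a seed indicator from an alert is expanded over constructed threat-intel relationships (domains use reserved example names and the IP is an RFC 5737 documentation address, so all values are hypothetical), and the resulting set of related indicators is then checked against a few constructed proxy and DNS log lines, which is the "jump back to your other tools" step.

```python
from collections import deque

# Constructed threat-intel feed entries (hypothetical, not a real feed):
# indicator -> which feeds reported it and which other indicators it relates to.
FEED = {
    "invoice-update.example.net": {
        "reported_by": ["feed-A"],
        "related": ["203.0.113.10", "actor:EXAMPLE-GROUP"],
    },
    "203.0.113.10": {
        "reported_by": ["feed-A", "feed-B"],
        "related": ["cdn-static.example.org"],
    },
    "actor:EXAMPLE-GROUP": {
        "reported_by": ["feed-B"],
        "related": ["cdn-static.example.org", "login-portal.example.net"],
    },
    "cdn-static.example.org": {
        "reported_by": ["feed-C"],
        "related": ["sha256:PLACEHOLDER-PAYLOAD-HASH"],
    },
    "login-portal.example.net": {"reported_by": [], "related": []},
}

# Constructed log lines standing in for a SIEM search (hypothetical hosts/times).
LOGS = [
    "2024-01-01T09:12:00Z proxy src=10.0.0.5 dst=invoice-update.example.net action=allow",
    "2024-01-01T09:13:04Z dns query=cdn-static.example.org client=10.0.0.5",
    "2024-01-01T09:15:30Z proxy src=10.0.0.7 dst=www.example.com action=allow",
]


def expand(seed, max_depth=2):
    """Breadth-first walk over feed relationships starting at one alert indicator.

    Returns {indicator: (depth, via)} where depth 0 is the seed and `via` is the
    indicator through which this one was reached, so an analyst can see the chain.
    """
    seen = {seed: (0, None)}
    queue = deque([seed])
    while queue:
        current = queue.popleft()
        depth = seen[current][0]
        if depth >= max_depth:
            continue  # stop pivoting once the relationship chain gets too indirect
        for related in FEED.get(current, {}).get("related", []):
            if related not in seen:
                seen[related] = (depth + 1, current)
                queue.append(related)
    return seen


def pivot_to_logs(indicators, log_lines):
    """Check which expanded indicators actually appear in local logs.

    Actor names and file hashes are skipped: they never appear verbatim in
    proxy or DNS logs and would need a different data source to match against.
    Returns a list of (indicator, line_number, line) hits.
    """
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        for indicator in indicators:
            if indicator.startswith(("actor:", "sha256:")):
                continue
            if indicator in line:
                hits.append((indicator, line_no, line))
    return hits


def feed_count(indicator):
    """How many feeds reported this indicator; useful when triaging the hits."""
    return len(FEED.get(indicator, {}).get("reported_by", []))


if __name__ == "__main__":
    related = expand("invoice-update.example.net", max_depth=2)
    for ind, (depth, via) in related.items():
        print(f"depth={depth} feeds={feed_count(ind)} {ind} (via {via})")
    for ind, line_no, line in pivot_to_logs(related, LOGS):
        print(f"seen in logs: {ind} at line {line_no}: {line}")
```

Running the script shows that the seed domain pulls in an IP, an actor and two further domains within two hops, and that one of the second-hop domains (cdn-static.example.org) was already resolved by the same client that contacted the seed domain, which is exactly the kind of related observation the pivot is meant to surface.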
Knowing your adversaries helps your organisation stay one step ahead with a proactive security posture. If you know their next step, you can take appropriate action to defend against it rather than clean up afterwards.
Collaboration is also important. Nothing beats final analysis from a human (…yet).
ThreatPipes can be used by your whole SOC team to raise, manage, and share the outcome of investigations like the one described above.