How ThreatQ helps Incident Response Teams Disarm Threat Actors Faster

POSTED BY LIZ BUSH
According to Ponemon Institute’s 2017 Cost of a Data Breach Report, on average it takes more than six months (206 days) for an organization to detect an intrusion and another 55 days to contain the breach. As weeks and months go by, threat actors have plenty of time to steal data, cause damage and disruption, hide their tracks and even establish a foothold from which to launch future attacks.
As an incident responder you’re the last tier of defense for an organization, charged with detecting and stopping threat actors that have infiltrated your organization as quickly as possible to mitigate damage. The challenge is that many Incident Response (IR) teams are hampered by time-consuming tasks – like relying on various browsers to manually consolidate threat intelligence – and are overwhelmed by data overload, noise and false positives. They end up wasting valuable time chasing ghosts, instead of focusing where they need to – investigating truly malicious events and conducting active threat hunting to identify the source of the threat and better protect the organization in the future.
The ThreatQ Threat Intelligence Platform transforms how IR teams work so they can confidently deliver on their mission. ThreatQ aggregates all your global and internal threat and event data in a central location and automatically adds context, relevance and prioritization for your organization. A process that previously started with raw threat data that IR teams had to manually look up, consolidate and analyze becomes groups of campaigns and malware families based on the code base or indicators, how the malware and campaigns are used, and the infrastructure involved. Context around campaigns validates that something bad is really happening and not a false positive, so that you can scope and remediate incidents and breaches.
To further accelerate response, campaigns can be grouped by attribution. With these groupings, you can start with an indicator found on the network and learn more about the attack so you can look for related indicators that those adversaries use and maintain adversary dossiers. Knowledge of how adversaries and campaigns operate, and the infrastructure used, can help you minimize adversary dwell time and make sure it doesn’t happen again.
For example, if an adversary typically targets the HR department and expands across the organization through the mail server, the IR team can know where to look and how to scope and prevent future attacks. Information about related campaigns – those executed by the same adversary – can help the team do intel pivoting to see if they have missed any similar attacks in the past and remediate. With deeper, centralized intelligence, IR teams can evolve their situational awareness to situational understanding – continuously assessing threats and accelerating future incident response.
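The intel pivot described above (one observed indicator, to its campaign, to the attributed adversary, to every related indicator, then a sweep of past events) written out as a small added example; this is illustrative code, not ThreatQ's, and the campaign names, adversary labels, indicators and log events are all constructed for the demo.

```python
# Added example (not ThreatQ code): a minimal attribution-based intel pivot
# over a constructed indicator -> campaign -> adversary graph, followed by a
# sweep of historical events for the related indicators it surfaces.
from collections import defaultdict

# Constructed sample intelligence; every value below is made up for illustration.
CAMPAIGNS = {
    "camp-A": {"adversary": "ADV-1", "indicators": {"evil-a.example", "198.51.100.7"}},
    "camp-B": {"adversary": "ADV-1", "indicators": {"evil-b.example", "203.0.113.9"}},
    "camp-C": {"adversary": "ADV-2", "indicators": {"other.example"}},
}

def build_indexes(campaigns):
    """Index campaigns by indicator and by adversary (the attribution grouping)."""
    by_indicator = defaultdict(set)
    by_adversary = defaultdict(set)
    for name, camp in campaigns.items():
        by_adversary[camp["adversary"]].add(name)
        for ioc in camp["indicators"]:
            by_indicator[ioc].add(name)
    return by_indicator, by_adversary

def pivot(indicator, campaigns):
    """From one observed indicator, return the attributed adversaries, all of
    their campaigns, and the full set of related indicators worth hunting for.
    An unknown indicator yields empty sets rather than an error."""
    by_indicator, by_adversary = build_indexes(campaigns)
    hit_campaigns = by_indicator.get(indicator, set())
    adversaries = {campaigns[c]["adversary"] for c in hit_campaigns}
    related_campaigns = set().union(*(by_adversary[a] for a in adversaries))
    related = set().union(*(campaigns[c]["indicators"] for c in related_campaigns))
    related.discard(indicator)  # the seed itself is already known
    return {"adversaries": adversaries, "campaigns": related_campaigns,
            "related_indicators": related}

def sweep(events, indicators):
    """Return historical events (constructed log dicts) touching any related indicator."""
    return [e for e in events if e["dst"] in indicators]

# Constructed historical events for the sweep.
EVENTS = [
    {"ts": "2017-03-02T10:00Z", "src": "10.0.5.21", "dst": "203.0.113.9"},
    {"ts": "2017-03-04T11:30Z", "src": "10.0.5.30", "dst": "cdn.legit.example"},
    {"ts": "2017-03-09T08:15Z", "src": "10.0.7.4", "dst": "evil-b.example"},
]

if __name__ == "__main__":
    found = pivot("evil-a.example", CAMPAIGNS)
    print(found)
    print(sweep(EVENTS, found["related_indicators"]))
```

Seeding with `evil-a.example` surfaces the sibling campaign `camp-B` through the shared adversary, and the sweep then flags two past events the seed indicator alone would never have matched.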
Learn more about how ThreatQ helps IR teams detect and disarm threat actors before they do more damage to an organization and infrastructure.