Block High Confidence Score Indicators
Category: Network Security, Email Gateway, Endpoint
Cyware Products Used:
Orchestrate
Intel Exchange
Third-Party Integrations Used:
AWS WAF: To block threat indicators on the AWS firewall.
pfSense: To block malicious IPs on the pfSense firewall.
Symantec Endpoint Protection Manager: To block malicious hashes on Symantec Endpoint Protection Manager EDR solution.
Crowdstrike EDR: To block malicious hashes.
Cisco ESA: To block malicious domains and emails on the Cisco Email Security Appliance solution.
Problem Statement
Organizations continue to integrate threat intelligence feeds into their security architecture to better detect threats to specific systems and focus more on improved threat detection and response capabilities. However, the improvements to detection and response processes come with a unique set of challenges such as a large volume of alerts, less time to respond, and false positives.
Today’s analysts and threat intelligence teams require a solution that is smarter, and faster in analyzing, triaging threat indicators, and automatically responding to threats.
Solution
Intel Exchange Confidence Scoring engine allows analysts to filter out irrelevant intel and automatically prioritize critical threat indicators using a score. Furthermore, analysts can configure an orchestration playbook to automatically block the indicator in technologies such as firewalls, email gateway, EDR, and proxy servers. This document explains the process of automatically blocking threat indicators that have high confidence scores.
How do we solve this problem?
Retrieve High Confidence Score Indicators: The playbook starts by retrieving the latest indicators that have a high confidence score. The margin for the score can be configured by analysts in the playbook. This retrieves indicators such as IP, domain, hash, URL, and Email.
Block Malicious IPs: The playbook now filters all the IPs and domains from the list and blocks them on the firewall. For example, IPs and domains are blocked on AWS and Pfsense applications. The playbook also updates the respective IP and domain data in Intel Exchange with the Blocked on AWS tag.
Block Hashes: The playbook now filters all the hashes from the list and blocks them on the endpoint detection and response tool. For example, hashes are blocked on the Crowdstrike EDR or Symantec Endpoint Protection Manager application. The playbook also updates the respective hash data in Intel Exchange with the Blocked on Crowdstrike tag.
Block Emails: The playbook now filters all the domains and emails from the list and blocks them on the email gateway. For example, domains and emails are blocked on the Cisco Email Security Appliance. The playbook also updates the respective domain and email data in Intel Exchange with the Blocked on Cisco ESA tag.
Block URL: The playbook now filters all the domains and URLs from the list and blocks them on the proxy server. The playbook also updates the respective domain and URL data in Intel Exchange with the Blocked on Cisco ESA tag.
Send a Consolidated Report: After the actions are completed, the playbook notifies the security teams with the list of successfully blocked and failed to block indicators.
Benefits
Confidence Scoring Benefits
CTIX Confidence Scoring engine helps analysts to filter out irrelevant data and automatically prioritize threat indicators that are critical. This supports the overall process of continuous collection of threat indicators from sources, reusing existing intelligence from tools, and automatic confidence score calculation.
Accelerated Incident Response
Cyberattacks can cause severe damage to the data and intellectual property of an organization. Hence an automated playbook plays an important role in countering the threat at machine speed instead of relying on slower, manual processes.
Reduced MTTD and MTTR
The solution helps organizations to reduce both Mean Time to Detect (MTTD) and Mean Time to Respond (MTTR) by validating and remediating security alerts within minutes.