We all know security teams continue to struggle with too many alerts and far too much noise to be able to identify what really matters. The ultimate goal is to quickly and clearly get to what needs attention first - an obvious statement and yet a goal that remains just out of reach for many, despite ongoing staffing and tooling investment. Security practitioners still routinely scroll through data to manually investigate and compare alerts to understand what they might need to do, which wastes time and further risks missing the real attack (or finally identifying and managing it after prolonged dwell time).
The focus of this piece is on how we can help security teams better understand the impact of a threat on an organization – what is the risk to the business? Comparing different attack types on various attack surfaces is complex and while advanced teams may automate portions of this effort with scripts and tools, it is a heavy lift that many SOC teams are unable to implement. So how can we help security practitioners quickly understand where they need to focus to address impending risk?
To distill the scale and variety of data, a multi-layer and multi-factor automated scoring model is needed to effectively assess the risk to the organization. The goal: a more precise evaluation of threats with a model that embraces the multitude of factors that establish the confidence level in our understanding of an activity to be malicious, in combination with an assessment of the severity level that reflects potential damage to the organization. Such a model enables organizational risk to be embedded in the prioritization of threats.
Hunters Risk Score is the resulting methodology that pairs confidence and severity to evaluate the urgency and fidelity of security attacks in the organization. Using a multi-layer approach based on cyber security factors as well as business context, the new scoring provides an optimal risk assessment and will allow security teams to better prioritize attacks according to organization risk evaluation, reduce the noise of low fidelity leads in the organization, and customize the risk evaluation according to the organization’s risk management, core assets, and operation.
Risk Score enables security analysts to:
- Assess the risk of a specific threat to the organization
- Clearly understand the necessary urgency of response based on the risk assessment
- Prioritize incidents based on their urgency
- Customize scoring to fit the risk profile of the organization
- Add business context to increase precision and reduce the noise
Risk Score helps reduce the noise
Hunters uses a confidence evaluation to verify the threat in the context of the organization: how common the activity is, whether it is a known legitimate behavior in that organization, and, as an aid to initial triage and investigation, whether the threat is worth the team's attention.
From this confidence evaluation, security teams can filter out low fidelity attack leads from the SOC monitoring queue and focus on the attacks which are more likely to be malicious. Further, with Hunters' new capability, security teams can expand their threat coverage easily by monitoring and managing all the threats in the SOC queue that are considered high fidelity (strong confidence level) with one click, and avoid missing the real attack.
Enabling global alert threshold recommendations
Global Alert Threshold settings allow security practitioners to tune the confidence model for their organization:
- Filter for leads with a confidence level of Very Likely
- Triage the leads and verify that they are interesting and indeed malicious
- Enable and configure the Global Threshold
- Configure specific Alert generation threshold per Analytic as needed
Risk Score simplifies urgency assessment and prioritization
With the severity evaluation, Hunters aligns and compares all threat types across a variety of attack surfaces by leveraging the MITRE ATT&CK framework. All attack leads are mapped to MITRE ATT&CK TTPs. During the initial investigation and evaluation of the threat, the identified TTP drives the severity of the lead.
With the multi-layer capabilities of Hunters’ Risk Score, additional factors are considered that affect the severity of the lead, allowing a precise assessment of the potential damage and impact on the organization. By evaluating the affected assets and related business context, Hunters adjusts the severity score of the threat. Hunters Risk Score also allows security teams to manage and enrich Hunters-identified leads with more business context and asset importance to further tune results to their specific environment.
Confidence and severity pair to surface risk level
With a Confidence score and a Severity score for each threat, Hunters Risk Score applies a matrix to calculate the overall risk on a simple scale: Low, Medium, High and Critical. The resulting simplicity from the multi-layer scoring allows the security team to focus on the hot threats and prioritize their efforts on the Critical attack leads first.
Final Risk of a CrowdStrike-originated alert in the Hunters Platform
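The following is a constructed illustration of the model described above (confidence adjusted by known-legitimate behavior, severity from the mapped TTP adjusted by asset context, a global confidence threshold, and a confidence × severity matrix); it is not Hunters' code, and the level names other than Very Likely, the matrix cells, the TTP-to-severity mapping and the asset tiers are all assumptions.

```python
from dataclasses import dataclass

# Ordered scales. "Very Likely" appears on the page; the other level names and
# every numeric value below are constructed for illustration only.
CONFIDENCE = ["Unlikely", "Possible", "Likely", "Very Likely"]
SEVERITY = ["Low", "Medium", "High", "Critical"]
RISK = ["Low", "Medium", "High", "Critical"]

# Constructed confidence x severity matrix (rows: confidence, cols: severity).
MATRIX = [
    ["Low",    "Low",    "Medium",   "Medium"],    # Unlikely
    ["Low",    "Medium", "Medium",   "High"],      # Possible
    ["Medium", "Medium", "High",     "Critical"],  # Likely
    ["Medium", "High",   "Critical", "Critical"],  # Very Likely
]

# Constructed base severity per ATT&CK technique ID (assumed mapping).
TTP_BASE_SEVERITY = {"T1059": "Medium", "T1003": "High", "T1486": "Critical"}

@dataclass
class Lead:
    ttp: str               # ATT&CK technique the lead is mapped to
    confidence: str        # detection-time confidence level
    asset_tier: int = 2    # 1 = crown-jewel asset, 3 = low-value asset (assumed)
    known_legit: bool = False  # behaviour documented as legitimate in this org

def severity_for(lead: Lead) -> str:
    """Base severity from the TTP, adjusted by business context of the asset."""
    idx = SEVERITY.index(TTP_BASE_SEVERITY.get(lead.ttp, "Low"))
    idx += {1: 1, 2: 0, 3: -1}[lead.asset_tier]
    return SEVERITY[max(0, min(idx, len(SEVERITY) - 1))]

def confidence_for(lead: Lead) -> str:
    """Known-legitimate behaviour in the environment lowers confidence one step."""
    idx = CONFIDENCE.index(lead.confidence)
    return CONFIDENCE[max(0, idx - 1)] if lead.known_legit else lead.confidence

def risk_for(lead: Lead) -> str:
    """Look up the final risk level in the matrix."""
    return MATRIX[CONFIDENCE.index(confidence_for(lead))][SEVERITY.index(severity_for(lead))]

def soc_queue(leads: list, global_threshold: str = "Likely") -> list:
    """Drop leads below the global confidence threshold, then order Critical first."""
    min_conf = CONFIDENCE.index(global_threshold)
    kept = [l for l in leads if CONFIDENCE.index(confidence_for(l)) >= min_conf]
    return sorted(kept, key=lambda l: RISK.index(risk_for(l)), reverse=True)
```

Raising the asset tier of a lead or marking its behavior as known-legitimate moves it across matrix cells, which is the tuning the Global Alert Threshold and business-context enrichment described above are meant to expose.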
An important aspect of gaining a clear understanding of a risk assessment is transparency, or explainability, of the threat: the Hunters Risk Score assessment is visible to the security team, allowing them to see why the threat was incriminated and scored in a particular way. This transparency speeds up the triage process by letting analysts grasp the essence of the threat at a glance.
Alerts in the SOC Queue Risk Score breakdown and explainability
Context and clarity simplify prioritization
Prioritization of alerts is not new, and yet triage efforts are still inhibited by volumes of alerts and noise. The new Hunters Risk Score capability brings clarity to the prioritization effort, infusing risk assessment with explainability and thereby accelerating security teams’ understanding of threats and the appropriate response measures to employ.
Interested in learning more about Hunters Risk Score? Schedule a demo with us today.