Recently I was having a discussion about the importance of ensuring that proper context, relevance and intelligence are provided when performing analysis of cyber-related activities. Fortunately for me, a few days after, this article was published. While the article makes for a very interesting read, the quote I like the most is “Network defenders who rely solely on lists of assets to protect are running a fool’s errand.”
As cyber security professionals, our responsibilities start with first identifying the business’s critical assets, not with identifying the next shiny new technology or tool. Once we identify and understand our critical assets, we then identify the technologies that may help the business protect or secure those assets. Once we have cleared those two hurdles, making the best use of the technology and securing the business and its assets goes beyond the technology itself.
Most of the tools you use will generate some type of event, which may result in an alert. The question is: when you get that alert, what do you do next? Do you simply accept the alert and decide whether or not to act? What is the context of the alert? What about relevance: is the message that was generated relevant to your environment? Is the alert seen across one or more of your tools? Do you have full packet capture so you can look into the payload and confirm what actually happened? What additional intelligence do you have to support your conclusion? The point is to gather as much data and intelligence from as many sources as possible. It is very important to understand that a source of intelligence can be one or more blacklists of bad IPs, domains or URLs. It can be end users who noticed something of concern. It could be a business partner. It can be vulnerability data. It can be from … well, you get the message: it can come from anywhere. However, no matter where it comes from, make sure it is relevant to your environment and identify the context within which it relates to your environment.
Ultimately, as a result of the alerts received from your tools, you should have only one of two end results. You should either be tuning out the alert if it is a false positive, or acting on it if it is a true positive (take the host off the network, take a memory dump for later analysis, wipe it, run antivirus, perform live analysis, etc.). There should be no instance in which you simply ignore the message; that will do neither you nor the business any good.
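The triage questions above can be applied mechanically before a human looks at an alert. The following is an added example, not code from the original post: it walks a few constructed alerts through relevance checks (is the host ours, does the signature apply to its platform) and then the context sources the post names (a blacklist, cross-tool corroboration, packet capture, vulnerability data) and lands on one of the post's two outcomes. The inventory, intelligence lists, alert fields and the `placeholder-vuln-A` identifier are all assumptions invented for the example.

```python
from collections import defaultdict

# Constructed asset inventory: the post's first step is knowing the critical assets.
ASSETS = {
    "db01":  {"os": "linux",   "critical": True},
    "wks17": {"os": "windows", "critical": False},
}
# Constructed intelligence sources: a domain blacklist and per-host vulnerability data.
BAD_DOMAINS = {"update-checker.example"}
VULN_DATA = {"db01": {"placeholder-vuln-A"}}   # placeholder identifier, not a real vuln

# Constructed alerts as several tools might emit them. "platform" is the OS the
# signature applies to; "payload_seen" means full packet capture confirmed the hit.
ALERTS = [
    {"tool": "ids", "host": "wks17", "indicator": "update-checker.example",
     "platform": "any", "payload_seen": False},
    {"tool": "edr", "host": "wks17", "indicator": "update-checker.example",
     "platform": "windows", "payload_seen": False},
    {"tool": "ids", "host": "db01", "indicator": "smb-exploit-sig",
     "platform": "windows", "payload_seen": False},
    {"tool": "ids", "host": "ghost", "indicator": "placeholder-vuln-A",
     "platform": "any", "payload_seen": False},
    {"tool": "scanner", "host": "db01", "indicator": "placeholder-vuln-A",
     "platform": "linux", "payload_seen": True},
]

def triage(alerts):
    """Return {(host, indicator): {...}} applying the post's questions in order."""
    # Cross-tool check: which distinct tools reported the same host/indicator pair?
    tools = defaultdict(set)
    for a in alerts:
        tools[(a["host"], a["indicator"])].add(a["tool"])
    verdicts = {}
    for a in alerts:
        key, asset, reasons = (a["host"], a["indicator"]), ASSETS.get(a["host"]), []
        # Relevance: the host must be in our environment and the signature must apply to it.
        if asset is None:
            verdicts[key] = {"verdict": "tune_out", "reasons": ["host not in inventory"]}
            continue
        if a["platform"] not in ("any", asset["os"]):
            verdicts[key] = {"verdict": "tune_out",
                             "reasons": [f"signature is for {a['platform']}, host runs {asset['os']}"]}
            continue
        # Context: collect every independent source that supports the alert.
        if a["indicator"] in BAD_DOMAINS: reasons.append("indicator on blacklist")
        if len(tools[key]) > 1: reasons.append(f"seen by {len(tools[key])} tools")
        if a["payload_seen"]: reasons.append("payload confirmed in packet capture")
        if a["indicator"] in VULN_DATA.get(a["host"], set()): reasons.append("host known vulnerable")
        if reasons:   # true positive: act, and act first on critical assets
            verdicts[key] = {"verdict": "act", "reasons": reasons,
                             "priority": "high" if asset["critical"] else "normal"}
        else:         # nothing corroborates it: tune it out rather than ignore it
            verdicts[key] = {"verdict": "tune_out", "reasons": ["no supporting context from any source"]}
    return verdicts
```

The `reasons` list is the part an analyst should keep: it records which of the post's questions had an answer, so a tuned-out alert is a documented decision rather than a silent drop.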