Empowering SOC teams with predictive risk scoring – Part 3: Putting Predictive Risk Scoring into practice

Applying predictive risk scoring in practice

The scores, detailed in our previous blog post can be applied to three general areas:

Application 1 – Security Information Event Management (SIEM) or Threat Intelligence Platform (TIP) enrichment

Popular SIEM and TIP tools can raise events that contain domain names, and when they do, the risk scores for the domains can be seen in a dashboard in the SIEM or TIP. By aggregating data on how many domains of high risk (and/or low age) have been observed over a given time period, these integrations can help analysts triage risks represented by traffic flows to these domains.

Application 2 – Security Orchestration, Automation, and Response (SOAR) playbooks

These playbooks can go beyond SIEM alerts to take specific actions based on risk scores of domains seen in network events. Some of these actions relate to proactive network defense—calling security controls to add high-risk domains to block rules. Other actions can include assisting with triage, response, and threat hunting based on high-risk domains by automatically enumerating the other domains closely tied to the domain in question (more on this below). From a use case perspective, some of these same actions can be automated using low-code or no-code, drag-and-drop playbook builders.

Application 3 – Interactive investigations

When analysts, threat hunters, or incident responders are examining events that involved traffic to known or suspected malicious domains, domain risk scores are a useful tool in quickly triaging which of the traffic flows might represent the highest risk and bear the greatest additional investigation.

Empowering the SOC team

Automated playbooks that reference predictive risk scores put a lot of power into a SOC team’s hands. They can eliminate repetitive tasks, such as creating new alerts, trouble tickets, blocking rules, etc, related to high-risk domains. They can also help tee up investigations that can help the team accomplish two very important things (1) understanding the larger scope of an event that may be represented by a recently-fired alert; and, (2) gaining visibility into the larger, and often still-emerging, campaigns tied to specific malicious actors.

Both of these benefits leverage the fact that almost no domain is a “lone wolf;” operating malicious domains one at a time is not efficient for threat actors, since infrastructure is often identified over time as malicious and added to threat intelligence feeds. Thus, it’s important to assume that every malicious domain is part of something larger. Let’s look more deeply at how these two essential functions are carried out in the SOC.

(1) Understanding the full scope of an event

Let’s imagine that the event that originally fires involves traffic to a domain which we’ll call “domain 1.” By the logic described above, it is likely that there are some other domains, 2-n, under the control of the same entity as domain 1. If a SOAR or other playbook automatically enumerates other domains sharing infrastructure or registration details with domain 1, the analyst can now examine traffic logs from the protected environment to see if there have been previous connections to any of the domains 1-n. The discovery of additional traffic can help clarify the scope, timing, and nature of an unfolding event.

(2) Gaining visibility into the larger campaign

By the same token, gaining visibility into domains 2-n provides a list for potential blocking or, at least, alerting, on future traffic flows to any of those assets. If the nature of the enumerated assets is ambiguous (i.e. the analyst does not see immediate shared characteristics between the other domains and domain 1) then domain risk scoring may be used as a thresholding mechanism to confine future alerts or blocks on these connected assets to the ones with high scores. If an analysis of the connected domains is carried out (for example, in a platform such as DomainTools Iris Investigate), the investigator may also identify patterns that they can use as ongoing future queries to DomainTools in order to spot additional new domains being set up by the same actor, before such domains ever “touch” the protected environment. For example, a pattern involving a particular name server, IP address, SSL certificate, registration email address, etc. could help expose the actor’s future steps early in the development of the attack campaign.

Risk scores pave the way to relevant actions

All of the SOC actions described here can be viewed as having their root in high-confidence risk scoring. Since it’s impossible for any human to use their analytical skills in real time on the domains touching the protected environment, they can take advantage of automated (or partially automated) triage processes to launch and focus investigations. Network defenders can use the scores to directly inform alerting or blocking rules in security controls.

Domains and their related infrastructure always tell a story. Predictive risk scoring helps distill that story down to numerical values that enable humans to efficiently and effectively protect their organizations against malicious actors and the infrastructure they control.

To learn more about the importance of domain reputation threat intelligence data visit our know how series,  ‘Understanding domain reputation‘.