<img height="1" width="1" style="display:none;" alt="" src="https://px.ads.linkedin.com/collect/?pid=2180921&amp;fmt=gif">

After the Hunt

So, what’s next? You’ve had a successful hunt, uncovered some type of threat or anomalous behavior on your network, and now you need to do something about it. We felt it was important to include additional details on all the automation and escalation functionalities that are available to users so they can respond to threats sooner in the future - after the hunt. 

If you missed our introduction to the SSP Guided Threat Hunting Interface you can go back to read more about enriched hunting with SSP and the various features available to users who wish to take a more proactive defensive stance to protect their organization and search for specific threats, alerts, or behaviors. That article kicks off the beginning of our “Discover SSP” series, which will detail a different guided threat hunting filter every week. 

Automation and Escalation Overview

One of the most useful and enabling features built into the Stamus Security Platform (SSP) is the integrated guided threat hunting. This “Stamus Enriched Hunting” empowers hunters to investigate, classify, automate, and escalate vast amounts of event data, alerts, and contextual metadata.

In many cases, hunting is driven by a hypothesis and infused by knowledge and expectation with the specifics of their organization in mind. Any of these hypotheses an analyst might have can be formulated into an SSP automation, and the results can be classified or automatically escalated.

The ability to turn a hypothesis into an automated hunt that is driven by context and knowledge is greatly appreciated among SOC team members and management alike, as it allows security practitioners to lower their time to act, respond, and make decisions. Security teams can respond sooner when they are empowered by the capabilities of SSP because they are able to detect threats faster, more accurately, and with greater context. 

Oftentimes, organizations already have some tools, software, or integration mechanisms that support automation. The good news is that Stamus Security Platform is 100% RestAPI enabled and natively integrates with such technologies. 

In this article we will describe some ways security teams can benefit from augmenting the the hunting filters with automation on the Stamus Security Platform to save time and effort and enable more seamless knowledge transfer while leveraging existing tools and technology. 

Integrations

Integrations enable any escalated event to trigger a follow up action. These actions might include a simple notification message in a chat channel, populating and logging an incident response ticket, or triggering a playbook response in a SOAR.

Stamus Security Platform allows users to simply configure integrations. Whether it is e-mail, SOAR , opening an incident response ticket or a webhook, or more, security analysts using SSP can integrate with just a few clicks. This ability to automate the final action or notification is arguably more important than the automation of the hunt itself. 

To set up integrations, access the options from the drop down Administration menu on the top left of the screen. 

Post Image 1

Let’s explore a few integration examples below: 

Email

Email is a more traditional method of communication, but for many security teams it represents an important integration.

Post Image 2 Obfuscated

Webhooks

Webhooks provide a very versatile and easy method of notification. Stamus Networks provides extensive documentation which covers a myriad of possible variables and customizations that range from simple IoCs to connection-specific and hostInsights information. 

Post Image 3

For example, configuring a webhook automatic notification is a simple one-time setup action.

Post Image 4 Obfuscated

Security teams can configure a webhook notification into any supporting messaging platform like Discord, Slack, Mattermost, Microsoft Teams..

If you are interested in seeing a live feed from one of our QA lab systems, check out our public Stamus Labs feed channel on Discord. See screenshot below: 

Post Image 5

Here are a couple of examples in which SSP delivers a message via webhook to a Mattermost channel:

MalDoc

Post Image 6Emotet

Post Image 7

SOAR

Stamus Security Platform provides a full RestAPI  with extensive documentation of hundreds of actual examples. In the examples below, we show the documentation for how to query the “Host Insights” function for information about a specific host.

Post Image 8

Using the API, it is also possible to query the system and a specific tenant for the presence of specific network services is also possible:

Post Image 9 Obfuscated

It can also be enriched with details about encrypted communications,, hostnames, user agents, or server roles that have been observed:

Post Image 10 Obfuscated

Incident Response

Automated response capability is important. However, it is essential that automated responses auto-populate with all the needed information in order to inform better decision making and information sharing within security teams.

Below is an example showing the one-time setup of an automated incident response integration with The Hive. Once completed, the integration allows an escalated event to create incident response tickets per DoC. 

Post Image 11 Obfuscated

See the resulting IR ticked logged in The Hive.  The automation populates the ticket logged supporting documentation, explanation, and any observables needed like URLs, FQDNs, and more.

Post Image 12 Obfuscated

 

Post Image 13 Obfuscated

 

Other

There are tons of possibilities when it comes to integrating Stamus Security Platform with other technologies in the security team’s stack. SSP can be used natively with platforms like Splunk, ServiceNow, or any other software that supports Webhook technology. 

Post Image 14

Conclusion

What comes after “After the Hunt”? Well, another hunt I suppose. These escalation and automation features can be used with any of our guided threat hunting filters. Armed with these capabilities, an analyst can know more, respond sooner, and mitigate risk to their organization. 

If you would like to learn more about Stamus Security Platform (SSP) or the Stamus Enriched Hunting interface, click on the link below to schedule a demo.

Peter Manev

Peter Manev is the co-founder and chief strategy officer (CSO) at Stamus Networks. He is a member of the executive team at Open Network Security Foundation (OISF). Peter has over 15 years of experience in the IT industry, including enterprise-level IT security practice. He is a passionate user, developer, and explorer of innovative open-source security software, and he is responsible for training as well as quality assurance and testing on the development team of Suricata – the open-source threat detection engine. Peter is a regular speaker and educator on open-source security, threat hunting, and network security at conferences and live-fire cyber exercises, such as Crossed Swords, DeepSec, Troopers, DefCon, RSA, Suricon, SharkFest, and others. Peter resides in Gothenburg, Sweden.

Schedule a Demo of Stamus Security Platform

REQUEST A DEMO

Related posts

In the Trenches with NDR: NDR Discovers Crypto Wallet Stealer on U.S. University's Network

Tl:DR: A Large U.S. university lacked sufficient visibility into a large segment of its environment...

In the Trenches with NDR: K-12 School District Maximizes Visibility While Avoiding Alert Fatigue

TL;DR: An American school district needed to monitor over 5000 school-owned student devices, making...

In the Trenches with NDR: European MDR Designs Advanced NDR into Their Product Offering

TL;DR: A European managed security service provider seeking to launch an MDR service chose Stamus...