
Friday, May 15, 2020

Automating Threat Detection

Recorded Future talks about threat detection and response. Recall we tested some of their methods and wrote about them here in their early days. Worth a look. Much more at the link.

Automating Threat Detection and Response With Security Intelligence
• Recorded Future Team

Automating threat detection and response has historically been a very expensive and time-consuming process. However, with the prevalence of RESTful Application Programming Interfaces (APIs), commercial threat intelligence, and crowd-sourced feeds, it has never been easier or more cost-effective to do so. Through careful thought and a little bit of Python, organizations can begin to adopt automation into their defenses.

Whether an organization is just starting to build its security capabilities or looking to bolster existing controls, there is much that can be achieved. By combining automation with security intelligence, and applying that to existing infrastructure, an organization can greatly improve their security posture.

Start Automating Security With DNS

Domain Name System (DNS) is essential to both the internet and private networks, but it’s a common service that can be overlooked when seeking to build a threat detection and response capability. DNS is frequently deployed as a centralized service, with visibility of the clients making requests, as well as the domains and Internet Protocol (IP) addresses being requested and returned — an ideal candidate when seeking ways to detect and respond to potential threats.

The Response Policy Zone (RPZ) is a function supported by most modern DNS servers, and provides a custom reply for any domain or IP address — aiding automated detection and response controls. If a client makes a request for something that is in the RPZ, a predetermined response can be returned. Combining security intelligence with an RPZ can supercharge what is commonly referred to as a DNS firewall by providing a broad effective coverage, which enables automated detection and response to the latest threats.

The first point of consideration when deciding to deploy an automated DNS blocking capability is where the domains and/or IP addresses to be blocked can be sourced, and more importantly, how trustworthy those sources are. Crowd-sourced security intelligence is widely available — but might not contain the latest threats that could impact a business. In addition, poorly curated or maintained feeds, such as those containing legitimate destinations listed as malicious, may impact an organization’s productivity.

In comparison, a curated intelligence feed — specifically, one regularly maintained in real time through automation — will more likely contain information about current infrastructure used by advanced attackers, along with additional context that can expedite the decision-making processes. ...
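Added example (not Recorded Future's code and not part of the post): it turns a small constructed indicator feed into a BIND-style RPZ zone while applying the curation caveats above, a confidence threshold, an allowlist for the organization's own names, and validation so junk entries never reach the zone. The feed format, allowlist, threshold and zone origin are assumptions.

```python
import ipaddress
import re

# Constructed sample feed (indicator,confidence), not a real vendor feed.
SAMPLE_FEED = """\
# indicator,confidence
malicious-example.test,90
phish.example.net,75
low-confidence.example,20
corp.example.com,95
198.51.100.7,85
not a domain!,99
"""
ALLOWLIST = {"corp.example.com"}  # assumed: the organization's own names
MIN_CONFIDENCE = 50               # assumed threshold for blocking
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")

def parse_feed(text, allowlist=ALLOWLIST, min_conf=MIN_CONFIDENCE):
    """Return (domains, ipv4s) to block; drop junk, low-confidence and allowlisted entries."""
    domains, ipv4s = set(), set()
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        indicator, _, conf = line.partition(",")
        indicator = indicator.strip().lower().rstrip(".")
        if not conf.strip().isdigit() or int(conf) < min_conf:
            continue  # unparsable or weak evidence: do not block on it
        if indicator in allowlist:
            continue  # never let a feed block the organization's own infrastructure
        try:
            addr = ipaddress.ip_address(indicator)
        except ValueError:
            if DOMAIN_RE.match(indicator):
                domains.add(indicator)
            continue
        if addr.version == 4:  # IPv6 rpz-ip encoding differs and is left out here
            ipv4s.add(addr)
    return domains, ipv4s

def rpz_zone(domains, ipv4s, origin="rpz.local", serial=1):
    """Render a BIND RPZ zone; 'CNAME .' answers NXDOMAIN for the name and its subdomains."""
    out = ["$TTL 300", f"$ORIGIN {origin}.",
           f"@ SOA localhost. root.localhost. {serial} 3600 600 86400 300", "@ NS localhost."]
    for d in sorted(domains):
        out += [f"{d} CNAME .", f"*.{d} CNAME ."]
    for ip in sorted(ipv4s):
        rev = ".".join(reversed(str(ip).split(".")))  # 198.51.100.7 -> 7.100.51.198
        out.append(f"32.{rev}.rpz-ip CNAME .")  # response-IP trigger, /32 match
    return "\n".join(out) + "\n"
```

Calling `rpz_zone(*parse_feed(SAMPLE_FEED))` yields a zone that blocks the two valid high-confidence domains and the single IPv4 address, and nothing else.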
