Mitigating risk in SOC investigations with managed attribution

Cloud-based web isolation neutralizes cyberthreats in employees’ everyday web activity — but how do SOCs secure their own online investigations that require them to interact with malicious content and bad actors?

In a recent blog post, I discussed the persistent problem plaguing cybersecurity:

“One of the greatest risk drivers is the use of conventional web browsers. ... Increased user awareness and training has been a favored way to combat this risk. But homegrown and even specialized third-party training only reduces the risk slightly. There is still the potential for a user to click on a malicious link from an email, or they could browse to a malicious website that could download malware, such as ransomware, or cause a malicious redirect to occur.”

me, Adam Huenke

This scenario should be all too familiar to security operations centers (SOCs): A user either accidentally clicked on a malicious link or inadvertently visited a malicious website. As part of their cybersecurity policy, that user reported the incident to their SOC. Now, the SOC needs to understand where the user went to identify additional information or indicators of compromise (IOCs). 

But how can the SOC safely investigate cybersecurity incidents without themselves introducing risk to their organization — or jeopardizing the investigation by the means of conducting it? 

Web isolation is a key component of the solution, but it also requires specialized capabilities for SOC analysts: managed attribution.

Hurdles to a successful SOC investigation

Cloud-based web isolation can protect general users as well as SOC analysts from malware threats in everyday web use, executing malicious code on cloud servers so that it never impacts the endpoint. 

Learn more: Risk mitigation with web isolation >

But there’s another level of risk encountered while investigating malware or other cyberthreats. Threat analysts and security researchers need to configure and customize their browsing environment to blend in with the crowd on sites they’re researching, thereby concealing their identity during their research.

Incomplete anonymity 

SOCs often provide their investigators with non-dedicated “dirty” lines connected with a VPN. This parallel infrastructure allows them to have numerous egress nodes as well as achieve some basic level of anonymity. But with today’s threats, basic just doesn’t cut it.

While VPNs can conceal an analyst’s IP address, they leave out other key elements of the user agent string that create a “location narrative” — language and keyboard settings, time zone, even browsers, device types or operating systems common to the region of egress. 

If all of these details don’t add up, investigative targets could grow suspicious and feed analysts disinformation or simply disappear.
 
Learn more: What VPNs and Incognito Mode still give away in your online identity >

Disconnected workflow

Some SOCs may be manipulating these details in cumbersome ways, using a separate computer to conduct specific research. This DIY approach creates another issue: How do you get the data you collected onto a system that allows for further analyzation and reporting? The transfer is an opportunity for risk and creates inefficiencies. 

Insecure dark web access

A final hurdle to many SOC investigations is access to the dark web. The dark web can provide a wealth of information to complement OSINT investigations. But it’s filled with all sorts of threats that can put an analyst or their organization at risk. Understandably, analysts as well as IT/IS teams may be hesitant to venture into the dark web.

Learn more: 3 things to consider before you start your dark web investigation >

Some organizations rely on the “dirty” lines mentioned above and use them to access the dark web via Tor (The Onion Router). But this still exposes investigators to high-risk malicious content and the issue of how to analyze, share and report on collected information persists.

Achieving secure, anonymous online SOC investigations

By building on top of the security aspects that cloud-based web isolation brings, SOCs can have a secure, anonymous browsing environment where they can collect, analyze and report on information — gleaned from the surface, deep or dark web.

Attribution fit for the job

By applying managed attribution to an isolated web browser, analysts can customize how they appear to sites and people they interact with online through the manipulation of their digital fingerprint. Aligning language and keyboard settings, browser type, OS and other device details — as well as the point of presence (internet egress location) — to those common for typical visitors on sites of interest will avoid tipping off the site’s operator/owner that they are under investigation.

Showing a local IP address and the right device details will limit the likelihood that: 

• The analyst's work is attributed back to them or their organization
• The site’s owner/operator will block or disinform the analyst
• The site’s owner/operator will retaliate against the analyst or their organization (e.g., cyberattacks)

Cloud-based storage for malicious content

Once the SOC analyst can safely access needed sites, they need to capture information and potentially download malicious content. By utilizing cloud-based storage, collected information can go from the cloud-based browser to a secure environment without ever touching the endpoint or the organizational network.

Organizations should consider policy when deciding to store malicious files, even if it is in the cloud. Only specific users or groups should be entrusted with such capabilities, and they need to be clear on proper protocols for upload, sharing and downloads to sandboxed environments. 

Seamless collection and analysis workspace

Isolated browsing, managed attribution and secure cloud storage all empower SOC analysts to conduct their investigations safely from any device on any network. This means their standard work laptops — where all their analyzation and reporting mechanisms are — can take the place of “dirty” machines to access the surface, deep and dark web. Pivoting between these webs requires only the click of a button rather than changing machines or even locations, making initial research and corroboration easier.

And if all the work is taking place in the same environment, it should be equipped with the proper, built-in tools for online SOC investigations:

• Translation that runs unbeknownst to the site being translated
• Screenshot and annotation with the ability to include URL and timestamp
• Pre-configured workflows for faster searching
• Automated, remote collection in-line with tradecraft (so the analyst can keep normal waking hours)
• Full manipulation of user agent string with multiple configurations
• A large selection of egress nodes to match the areas being researched by the analyst

With all of these capabilities baked into an isolated, cloud-based browning environment, SOCs can drastically improve the quality, efficiency and security of their investigations to reduce risk to their organization.

Visit Experience Silo to learn how Silo for Research isolates analysts from toxic content and provides a purpose-built solution to manage online identity and conduct investigations without ballooning IT costs.