DIY “dirty” network not sufficient for SOC, advanced threat hunting
Our customer is among the world’s largest manufacturers of equipment and heavy machinery, serving clients on every continent. The company’s security team relies on an integrated set of tools to trigger alerts when suspected malware enters the network, followed by a coordinated effort of a dedicated team of threat hunters to determine the nature of the threat, its origins and appropriate mitigation strategies.
When the SOC detection and mitigation team receives a warning that someone might have accidentally downloaded a suspicious file or been exposed to a phishing email, they start by running automated tests against suspicious site’s elements and services. The results may help explain where the malware came from and how it was executed, but the scanner information alone is not sufficient to determine the true intentions of the site’s owners.
To dig deeper, security analysts would use a homegrown “dirty” network to access the site and look around. And while a dedicated connection provided a barrier between the investigators’ activities and the corporate network, the DIY “dirty” network didn’t have the features needed to conduct a thorough examination and required continuous monitoring and maintenance.
What’s more, once the company switched to remote work during the COVID-19 pandemic, investigators lost their dedicated connection, halting their ability to follow up on threats beyond initial analysis and making it outright dangerous to investigate malicious sites for fear of introducing malware to the company’s core network.
The DIY “dirty” network didn’t have the features needed to conduct a thorough examination and required continuous monitoring and maintenance.-
Silo For Research fits into SOC workflow, provides actionable results
Silo for Research provides a platform for isolated browsing, accessible from anywhere, without the need for a “dirty” network. The detection and mitigation team has incorporated the use of Silo for Research into their daily workflow, relying on its many features, such as screenshot capture and shared storage, to research threats and recommend preventative measures.
The solution allows investigators to interact with all types of content safely on the cloud, protecting company’s assets and keeping researchers’ actions secure and anonymous. With Silo for Research, investigators can safely dig deep inside any site to look for hidden features, such as redirects to other locations.
Analysts appear as in-region visitors to avoid geo-blocking
As a global company, the manufacturer needs to be able to research threats that originate in different parts of the world. Silo for Research offers a full array of translation features, as well as the ability for investigators to customize their location, time zone and keyboard settings, to appear to be connecting from anywhere in the world. The company’s detection and mitigation team used Silo’s different egress nodes to investigate threats that are designed to target certain geographies — like the Russian-origin malware specifically aimed at the users in the U.K. Silo also proved valuable when performing penetration testing to evaluate the security of the company’s own web-based systems around the world.
Storage, capture and dev tools built for the job
When the automated ticketing system receives an alert of potential phishing exposure and flags it for further investigation, the detection and mitigation team immediately opens the suspicious site within Silo for Research and uses developer tools to look into the HTML code that’s responsible for credential harvesting.
The goal is to find where the stolen information is going, so they can update the list of blocked sites to prevent them from launching phishing campaigns in the future.
Similarly, when investigating malware reports, researchers can access malicious sites within Silo for Research and safely download suspicious files, even if they have already been deleted from the machine of a user who stumbled upon that malware first.
All evidence and other items of interest are documented as screenshots and attached to the service ticket, which are subsequently reviewed by the team of intelligence analysts, who determine which URLs must be blocked to keep the company’s networks safe.