Active Threats

Overview

In the realm of cybersecurity, the methods employed for threat detection play a pivotal role in securing digital assets. Rule-based systems, relying on predefined Indicators of Compromise (IoCs), have long been the stalwarts of security. However, with the advent of Machine Learning-driven Indicators of Behavior (IoBs), a paradigm shift is underway.

Sharelock assists in checking for active threats through a detailed and systematic process that combines modern technologies and strategic frameworks within its Identity Threat Detection and Response (ITDR) module. 

Here's how Sharelock.ai handles active threat detection and response:

1. IoBs as Behavioral Sensors: Sharelock ITDR uses Indicators of Behavior (IoBs) as behavioral sensors that continuously analyze activities to detect potential anomalies. These IoBs can detect the presence of specific techniques, leveraging machine learning to identify behavioral anomalies, thus providing a dynamic method for threat identification.

2. Detection of Threats: The system combines signals from various IoBs to suggest potential threats, with improved accuracy in threat detection. It draws connections to threat intelligence sources like MITRE tactics, offering a detailed picture of potential risks.

3. Customizable Threat Detection: Sharelock ITDR comes with pre-loaded IoBs and threats aligned with the MITRE ATT&CK framework, but it also allows for customization. Organizations can tailor their own IoBs and threats to their specific operational needs.

4. Responses to Active Threats: When a threat such as a MITRE tactic is detected, Sharelock.ai employs a range of automated and manual responses, such as sending emails for identity confirmation, triggering audits, initiating recertification campaigns, enforcing multi-factor authentication, and notifying the Security Operations Center (SOC). In severe cases, the system can disconnect users or disable accounts to prevent further risk.

5. Threat Staging Concept: To balance security, business continuity, and the workload on security operators, Sharelock.ai uses a Threat Staging concept, categorizing threats into levels that dictate the severity of responses. This ensures an effective response without disrupting normal operations unnecessarily.

Sharelock ensures a robust security posture, adapting to evolving threats and maintaining business continuity while minimizing unnecessary strain on security teams.

Dashboard Insights

Incidents are situations where multiple tactics (and therefore also multiple threats) are found on the same Subject. When the same Subject is experiencing multiple MITRE tactics, an escalation of events that shortly leads to an impact is likely, so the incident must be investigated and remedied immediately.

In the Incidents section, you can find all ongoing incidents, and by clicking on them, you can go into detail for the analysis and investigation phase.

You can also find the list of ongoing incidents by clicking on the Incidents menu item. There is key information for each incident in this list, including the time stamp, the entity involved, and the tactics activated to get an overview of the situation. By clicking on the individual incident, you enter the analysis and investigation phase details.

In the "Active Threats summary" section, you can find the number of currently active threats detected by the system and the number of users or entities involved in these threats. In the "Active Threats by type" section, the threats are divided by type, giving a first picture of the health of the system and of the assets under attack.

By clicking on Active Threats, or directly on a threat type, you access the list of threats to investigate.

By clicking on the Threats menu item, you access the list of active threats detected by the system and sorted by severity.

The page initially shows active threats, but it is also possible to view closed threats by removing the "Status: Active" filter in the search filters section. Each threat card contains the primary information needed for an overview of the threats present. In particular, we can find the threat identifier, the identity involved, the lifetime of the threat, the progress of the playbook associated with the containment of the threat, the stage, the related tactic, and, of course, the status.

We can go into detail for the investigation and analysis phase by clicking on the threat card.

The threat detail view presents all the information and insights needed to investigate and remediate incidents. Sharelock offers information and detail that allow security operators to drastically shorten investigation and response times, minimizing the attack's impact as much as possible.

In the first section of the view, we can find basic information about the current threat. In particular, we can find:

- Threat identifier;

- Tactics: MITRE tactics involved in the threat;

- Stage: the severity of the threat;

- Detection: the number of anomalies detected;

- Anomaly Summary: the type of anomalies found;

- Subject Details: the detail of the entity involved in the threat;

- Created on: the date when the system detected the threat;

- Lifetime: how long the threat has been in the "Active" state on the system;

- First Anomaly: when the first anomaly involved in the threat was detected;

- Last Anomaly: when the last anomaly involved in the threat was detected;

- Last Update: when the threat was last updated.

You can archive the threat and close it by clicking on the "Archive" button.

Another fundamental piece of information in threat management is the playbook. The playbook is the sequence of actions (automatic and otherwise) that the system must carry out in response to a threat and goes from simple notifications, ticket openings, and workflows on SIEM and SOAR to proactive actions on Identity Management systems such as account blocking or user lockout. Each threat can be associated with a configurable and customizable playbook depending on customer needs and particular company business processes. Once all the steps of the playbook are completed, the threat has been analyzed, managed, and remedied and can, therefore, be closed.

The heart of the investigative phase of an active threat is the kill chain of the ongoing attack, which shows the behavior indicators triggered, their severity, and the Timeline in which the behavior indicators can be analyzed and investigated.

In the Timeline, we find all the behavioral indicators that led to activating the threat and the associated playbook. The indicators produce individual anomalies, which, when correlated, become a risk the system recognizes as an ongoing threat. On the cards of the individual indicators, we can find the essential information to contextualize the anomaly:

- The identifier of the Behavior Indicator with the relevant MITRE technique to which it refers;

- Information regarding the algorithm used for the analysis of that specific behavior;

- The subject of the analysis.

Use the Download icon to download the raw data file, already filtered by timestamp and applications, to further accelerate the final level of analysis on the original logs.

By expanding the card of the Indicator of Behavior, we access the detail where we find a graphic representation of the anomaly detected. Below the chart, the system offers us the Risk Score associated with the anomaly and a description of the incident for greater contextualization.

In the Sharelock Identity Security Platform, the concept of threat is separate from the notification alert. Once detected, the threat has its own life cycle and remains active until the remediation playbook is completed or an operator closes it manually. For each subsequent anomaly that the system encounters relating to that particular attack pattern, security analysts are notified if and only if the situation worsens, that is, if the total risk of the threat increases or if the threat moves from a minor stage to a major one. This mechanism avoids overloading security operators by alerting them only when strictly necessary.
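The threat life cycle and notification rule described above, together with the incident rule from the Dashboard Insights section (an incident is a Subject with more than one active tactic), as an added illustrative model. This is not Sharelock's code: the stage names, the rule that the stage escalates with the number of distinct IoBs correlated into the threat, and the three-step playbook are assumptions made for the example.

```python
from dataclasses import dataclass, field

# Assumed stage names, least to most severe (the page does not list them).
STAGES = ["low", "medium", "high"]

@dataclass
class Threat:
    subject: str                  # identity the threat concerns
    tactic: str                   # MITRE tactic the threat maps to
    risk: int = 0                 # total risk accumulated from anomalies
    playbook_steps: int = 3       # remaining playbook steps (assumed count)
    status: str = "Active"
    anomalies: list = field(default_factory=list)  # (iob_id, risk) pairs

    @property
    def stage(self) -> str:
        # Assumption: stage escalates with distinct IoBs (1 low, 2 medium, 3+ high).
        distinct = len({iob for iob, _ in self.anomalies})
        return STAGES[min(max(distinct, 1), len(STAGES)) - 1]

    def add_anomaly(self, iob_id: str, anomaly_risk: int) -> bool:
        """Correlate one more anomaly; return True only when analysts must be
        notified: the total risk increased or the stage became more severe."""
        if self.status != "Active":
            return False
        risk_before, stage_before = self.risk, self.stage
        self.anomalies.append((iob_id, max(anomaly_risk, 0)))
        self.risk += max(anomaly_risk, 0)
        escalated = STAGES.index(self.stage) > STAGES.index(stage_before)
        return self.risk > risk_before or escalated

    def complete_playbook_step(self) -> str:
        """The threat closes once every playbook step is completed."""
        self.playbook_steps = max(self.playbook_steps - 1, 0)
        if self.playbook_steps == 0:
            self.status = "Closed"
        return self.status

    def archive(self) -> str:
        self.status = "Closed"    # manual close via the Archive button
        return self.status

def find_incidents(threats: list) -> dict:
    """Incidents: subjects with more than one distinct active MITRE tactic."""
    by_subject: dict = {}
    for t in threats:
        if t.status == "Active":
            by_subject.setdefault(t.subject, set()).add(t.tactic)
    return {s: tac for s, tac in by_subject.items() if len(tac) > 1}
```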