Silo provides enrichment and context for threat alerts escalated from the SOC
A U.S.-based technology company places a premium on security – their business model relies on collecting, processing and storing personally identifiable information for thousands of customers. The SOC is equipped to provide immediate response to threat alerts – with on-call analysts available 24/7 to triage incidents. If additional investigation is required, the analyst team escalates tickets to the threat intel group, which uses Silo to determine the nature and origin of the threat and make recommendations on further actions.
Before adopting Silo, the company's security operations personnel often resorted to personal devices and home labs to investigate potential threats. Virtual machines provided some level of protection, but detonating malware to retrieve and examine artifacts was still inherently dangerous and required analysts to maintain multiple sandboxes and dedicated environments. Silo for Research has since become an integral part of the security team's workflow: threat intel specialists use it daily to investigate suspicious URLs, examine malicious pages, and find linked artifacts that may warrant further investigation. The threat intel team also cross-references the information it uncovers using Silo against the company's threat intelligence platform (TIP) to provide additional enrichment and context.
Teams use Silo to anonymously research threats and investigate individuals who threaten brand integrity
When alerts come in, whether they are generated by the TIP or reported by employees or customers, a SOC analyst is assigned to triage each one and determine whether the threat requires remediation. Addressing the immediate risk is only part of the response: the alert information is often passed to the threat intel team, which gathers additional information about the threat. Even if a breach attempt is unsuccessful, the intel team gets involved to try to determine whether the threat is related to any known malware or can be attributed to recognized malicious actors.
“If I am investigating a phishing incident, and an email contains a URL, I run it through Silo to see if it redirects to a malicious site,” explains an Intelligence and Threat Management team manager. “From here, I look at the source code of the page to see if there are linked directories and other artifacts. I examine all indicators and pivots that I can find – for example, domains linked to a malicious site. We may look at whether any of our internal machines have been making calls to these domains and analyze what's going on.”
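The workflow the manager describes, reduced to its mechanical steps, is: record every hop of a URL's redirect chain, pull linked directories and third-party hosts out of the landing page's source, and check internal proxy logs for machines that contacted those hosts. The script below is an added illustration of those three steps and is not code from the case study, from Silo, or from the company described; the page URL, HTML snippet, log format and IP addresses are constructed sample data. Contacting attacker infrastructure should only ever be done from an isolated, non-attributable environment such as the one the page describes, so the live redirect walk runs only when a URL is supplied on the command line; the extraction and log cross-reference run offline.

```python
"""Phishing-URL enrichment helpers (added example): redirect-chain walk,
artifact extraction from page source, and pivot-domain lookup in proxy logs."""
import re
import sys
import http.client
from html.parser import HTMLParser
from urllib.parse import urlsplit, urljoin

def follow_redirects(url, max_hops=10):
    """Walk HTTP redirects one hop at a time and return every URL visited.
    Hops are followed manually so intermediate redirectors are recorded
    rather than collapsed. Requires network access; run only from an isolated host."""
    chain = [url]
    for _ in range(max_hops):
        parts = urlsplit(chain[-1])
        cls = http.client.HTTPSConnection if parts.scheme == "https" else http.client.HTTPConnection
        conn = cls(parts.netloc, timeout=10)
        path = (parts.path or "/") + ("?" + parts.query if parts.query else "")
        conn.request("HEAD", path, headers={"User-Agent": "Mozilla/5.0"})
        resp = conn.getresponse()
        location = resp.getheader("Location")
        conn.close()
        if resp.status not in (301, 302, 303, 307, 308) or not location:
            break
        nxt = urljoin(chain[-1], location)
        if nxt in chain:          # redirect loop; stop rather than spin
            break
        chain.append(nxt)
    return chain

class _LinkExtractor(HTMLParser):
    """Collect every URL-bearing attribute value from the page."""
    ATTRS = {"href", "src", "action", "data"}
    def __init__(self):
        super().__init__()
        self.urls = []
    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in self.ATTRS and value:
                self.urls.append(value)

def extract_pivots(page_url, html):
    """Return (directories on the phishing host, external hosts) linked from the source.
    Directories hint at kit structure worth browsing; external hosts are pivot domains."""
    parser = _LinkExtractor()
    parser.feed(html)
    page_host = urlsplit(page_url).netloc.lower()
    directories, hosts = set(), set()
    for raw in parser.urls:
        parts = urlsplit(urljoin(page_url, raw))   # resolve relative paths like ../img/
        if parts.scheme not in ("http", "https"):  # skips mailto:, javascript:, etc.
            continue
        if parts.netloc.lower() == page_host:
            directories.add(parts.path.rsplit("/", 1)[0] + "/")
        else:
            hosts.add(parts.netloc.lower())
    return sorted(directories), sorted(hosts)

# Constructed proxy-log format: "<timestamp> <src_ip> <method> <url> <status>"
LOG_LINE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) (?P<method>[A-Z]+) (?P<url>\S+) (?P<status>\d{3})$")

def internal_callers(log_lines, hosts):
    """Map each pivot host to the internal source IPs that contacted it or a subdomain of it."""
    watch = {h.lower() for h in hosts}
    hits = {}
    for line in log_lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue
        host = urlsplit(m["url"]).netloc.lower().split(":")[0]
        for w in watch:
            if host == w or host.endswith("." + w):
                hits.setdefault(w, set()).add(m["src"])
    return hits

# Constructed sample data (not real indicators): a fake login page and four proxy log lines.
SAMPLE_PAGE_URL = "https://login-secure-example.invalid/account/verify.html"
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/account/css/style.css">
<script src="https://cdn.kit-host.invalid/js/collect.js"></script>
</head><body>
<form action="https://collector.kit-host.invalid/post.php" method="post">
<img src="../img/logo.png"><a href="mailto:x@y.invalid">m</a>
</form></body></html>"""
SAMPLE_LOG = [
    "2024-05-02T09:14:03Z 10.20.4.17 GET https://cdn.kit-host.invalid/js/collect.js 200",
    "2024-05-02T09:14:05Z 10.20.4.17 POST https://collector.kit-host.invalid/post.php 200",
    "2024-05-02T09:20:11Z 10.20.7.42 GET https://www.example.com/ 200",
    "2024-05-02T09:21:30Z 10.20.9.8 GET https://static.cdn.kit-host.invalid/b.js 200",
]

if __name__ == "__main__":
    if len(sys.argv) > 1:   # live hop walk only on request
        print("redirect chain:", " -> ".join(follow_redirects(sys.argv[1])))
    dirs, hosts = extract_pivots(SAMPLE_PAGE_URL, SAMPLE_HTML)
    print("linked directories on the phishing host:", dirs)
    print("external hosts to pivot on:", hosts)
    for host, callers in sorted(internal_callers(SAMPLE_LOG, hosts).items()):
        print(f"{host}: contacted by {sorted(callers)}")
```

Two points the sample is chosen to show: the `mailto:` link is dropped because it is not a web pivot, and the log match is suffix-based, so a host like `static.cdn.kit-host.invalid` is attributed to the `cdn.kit-host.invalid` pivot instead of being missed because of an exact-string comparison.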
The threat intel team gathers all available evidence to enrich an alert and see whether it is related to anything they have encountered before or that has been flagged by the security community. Even if no malicious links are found, they still research suspicious emails to see whether they show signs of social engineering or an attempt to compromise the company's integrity or damage its brand. “We use Silo to anonymously go to LinkedIn, for example, to check out the sender’s profile – we look at how long the profile has been in place, how many connections this person has, do they really work for the company that they claim they work for,” continues the team manager. “We may visit sites that this person is affiliated with. Before Silo, we would need to use a VPN and set up a lab in case we encounter malware – now we have a safe environment available at any time to do all our research quickly and anonymously.”
The company’s brand protection team has recently started using Silo to perform background checks, verify claims from individuals and business affiliates and investigate any threats against the company posted on social media. They routinely uncover fake accounts that impersonate legitimate businesses and credit Silo for allowing them to visit websites of suspicious threat actors – domestic and international – without putting their networks and people in danger.