Rediscover threat hunting and investigations

Introduction & Our problem space

Command Zero set out to solve the most significant bottleneck for security operations: investigations.

There are a lot of solutions (like SIEM, SOAR, SOC automation, AI-powered SOC analysts) available tackling alert ingestion, filtering, correlation and tier-1 related tasks today. Still, investigating escalated cases relies on labor-intensive manual work by tier-2 and tier-3 analysts or incident responders. (Read more about the problem we’re solving and our unique approach on Dov’s blog post)

To achieve this hefty goal, we’ve built an expert investigations platform for every user. (read more about some of the principles and architectural decisions we’ve made so far on Dean’s blog post)

We do this by encoding the research, the investigatory expertise along with the deep understanding of every unique data source into the platform.

In this post, I’d like to share how Command Zero transforms the day-to-day experience for threat hunting and investigations.

To demonstrate this, I will walk you through a hypothetical flow that starts with an investigation stemming from multiple alerts, a brief touch on threat hunting and an overview of a complex investigation using the Command Zero platform.

Alert-driven investigations

Command Zero has been deployed in production environments of our early adopters and is being put to the test every day. With this usage, we observed that many investigations start with alerts from security solutions today.

So, building a feature where users can review alerts from the key systems and kick off investigations based on multiple alerts was a natural step for us.

The alert view provides an overview of alerts from multiple connected systems.

Users can initiate investigation based on an alert or multiple alerts.

When a user starts an investigation based on alerts, Command Zero automatically takes the initial steps and asks the most relevant questions to the data sources involved. This not only saves time for the investigation, but also it helps analyst understand the context more quickly.

Command Zero automatically takes initial steps and renames each investigation based on context.

The platform renames the investigation based on discovered context. It also builds a short summary and potential leads for the analyst.

Once an investigation starts, the user has multiple capabilities at their fingertips:

See the investigation summary, review investigation leads.

You can get an overview of the investigation and a summary.

Query multiple sources using pre-built questions to further investigate leads.

Interrogating multiple data sources is done by using pre-built investigation questions.

View previous investigations and notes about the leads in scope.

Past investigations on leads help get up to speed on the historical context.

Notes taken by the analyst or the team help build institutional memory on leads.

Run facets to replicate best practices and save time.

Facets are dynamic playbooks that save time, ensure consistency and build organizational knowledge.

Add questions to timeline.

Users can add noteworthy questions and answers to the timeline for building the narrative of a case.

Each question receives an LLM-generated summary that not only reduces the labor for reporting, but also it ensures that no detail gets missed or overlooked.

Question summaries help better understand results and save time with reporting.

See timeline with notes, add additional notes for reporting.

Auto-generated timelines help communicate the narrative with stakeholders.

See the complete summary of the investigation.

Investigation summaries combine all questions, patterns and timelines.

Reviewing past investigations or current alert-driven investigations on Command Zero is a great way to educate your teams on where the heat map of threats, gaps and overall risk are for our environments.

Wherever you see the most escalated cases is generally where your team needs to hunt more and take a more proactive stance against these threats.

Threat hunting

We all agree that threat hunting is a highly impactful activity for organizations. That stated, unless you have a dedicated team for threat hunting, it is an activity that we’re all doing less frequently than we need.

And when we do threat hunt, we hardly know where to look and which patterns to look for.

Threat hunting has three impediments to properly adopt:

1) Threat hunting expertise,

2) access to systems in the environment,

3) technical expertise on diverse systems in the environment.

Command Zero tackles all three barriers as an expert platform with federated access to universal data sources.

Users can interrogate security and non-security data sources in their environments with pre-built expert questions. They no longer need direct access to data sources at the individual level or be administrator level experts for technologies within the scope of the hunt.

Users can threat hunt across data sources by using pre-built questions.

Traditionally threat hunting was (and still is) an elite activity exclusive to the highly experienced teams. And since these team members are oversubscribed with manual investigations, threat hunting often gets de-prioritized in most organizations.

Command Zero’s fresh approach democratizes threat hunting to all your analysts, regardless of experience levels and technical expertise for target systems.

We believe these capabilities will encourage implementation of more threat hunting programs at all organizations, helping the industry shift to a more proactive stance.

Users can review the responses and identify patterns of interest. They can either interrogate potential leads more before they decide, or they can promote these objects as leads for further investigation.

Users can promote leads in threat hunts to be further investigated.

By utilizing Command Zero for investigation and threat hunts, analysts not only get a better understanding of the overall picture, but they also gain the ability to focus more on problem areas.

The threat hunting and investigation experiences above are significant improvements over the manual, chaotic and labor-intensive experiences for these activities today.

The transformative investigation experience

For each investigation run on the Command Zero platform, every step of the case is documented, visualized and summarized. These capabilities enable transparent collaboration between multiple analysts or teams, coaching opportunities between team members and smooth handovers between teams.

Command Zero is not a case management system. And we don’t intend to build case management capabilities in the platform. Instead, we are integrating with the leading systems in this space like ServiceNow to facilitate the normal workflow.

Command Zero works in tandem with case management solutions, yet the platform provides a record of all current and past investigations to help analyst teams do their best work, within the scope of investigations.

Analysts can review current and past investigations all on one dashboard.

The platform runs autonomous investigations and threat hunts. These activities also appear on the list of investigations. Users can review autonomous investigations, dive deeper into them with additional questions or facets (dynamic playbooks).

Conclusion

To conclude, Command Zero speeds up threat hunting and investigation processes, delivers consistency and enables collaboration for tier-2+ teams. The platform has been a game-changer for our early adopters, and we believe it will make a huge impact for any organization handling investigations.

Please check out www.cmdzero.io to learn more or watch our platform overview video.