Team: Huntress Security
Product: SOC Investigations
Summary: Investigations by the SOC are visible for all data sources and linked to hosts and cloud identities.
Signals investigated by the Huntress Security Operations Center (SOC) are potential security threats that a SOC analyst manually examined to determine whether an attacker has compromised one of your managed endpoints or identities.
In this article:
- What is a Signal?
- Monthly/Quarterly Summary Reporting
- Why don't I see Ransomware Canary Signals?
- Investigation Context
What is a Signal?
Simply put, Signals are events that are interesting to SOC analysts. On their own they are NOT confirmed security threats. They highlight interesting user or system behaviors that an analyst can reference during a cyber investigation. A detected signal can be as broad and low risk as a command-line user running `whoami`, or as specific and high fidelity as the detection of a known malware file.
Each month, tens of thousands of signals can be detected per account by the Huntress Platform via automated and human analysis, but not all signals are the same. Most signals are low fidelity: they serve as context only and do not require investigation when detected in isolation. In combination with other, higher-fidelity suspicious signals, however, they become useful for uncovering attacker tradecraft. Signals investigated (in contrast to all signals) are the potential security threats that a Huntress SOC Analyst will investigate to determine malice before making a reporting decision.
Events Analyzed: Represents all the data ingested and analyzed by the Huntress Platform. This includes automated analysis and in some cases an actual human hunting through the telemetry events, looking for suspicious behaviors. Events include autoruns, monitored canary files, EDR antivirus events, EDR process events, Microsoft 365 cloud events, and other telemetry sources.
Signals investigated: These are the potential security threats that a Huntress SOC Analyst manually investigated to determine malice before making a reporting decision. Signals are the leads that kick off a cyber investigation within the Huntress SOC. When a high-fidelity, suspicious signal enters the triage queue, it will be investigated by a SOC analyst.
Incidents Reported: Each report communicates a likely compromise of one of your managed endpoints or identities. One or more Signals Investigated were indicative of malicious behavior, leading to an incident report. Remember, not all signals are reported (see Investigation Context).
Monthly/Quarterly Summary Reporting
Going forward, the Events Analyzed, Signals Investigated, and Incidents Reported metrics will be communicated in the Monthly & Quarterly Threat Reports sent from the Huntress Portal to MSPs and, optionally, their end clients. These reports also include the total count of all signals detected, not just the suspicious signals a SOC analyst investigated.
Why don't I see Ransomware Canary Signals?
Ransomware Canary files are unique: they are analyzed via agent survey processing. When these files are "tripped" (modified or missing) by ransomware, the Portal skips the signal investigation stage and immediately opens a draft incident report for the SOC to review and send. This review process is different from the standard investigation workflow, which is why there are no Ransomware Canary signals in the Huntress Portal.
Why do we do it this way? Time is of the essence when evidence of ransomware has been detected. These draft incident reports become top priority for our SOC so we can quickly notify partners of ransomware incidents and they can begin remediation and recovery.
In the future, Huntress is considering updating the analysis pipeline so there are signal artifacts for Ransomware Canaries.
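As an added illustration of the two routing paths described above (ordinary telemetry scored into low- or high-fidelity signals, versus a tripped ransomware canary that bypasses the signal queue and goes straight to a draft incident), here is a toy model of that pipeline. It is example code written for this article, not Huntress's own agent or Portal logic; the event fields, the detection tables, the canary path and every sample event are constructed for illustration, and the canary check (a SHA-256 baseline compared against the file's current content, or "missing" when the file is gone) is an assumption about how a canary can be judged "tripped".

```python
"""Toy triage router: events -> context signals, analyst queue, or draft incident.

Added example, not Huntress code. Detection tables, hosts, paths and
events are all constructed for illustration.
"""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Event:
    host: str
    source: str   # telemetry source: "process" or "canary" in this toy model
    detail: dict


@dataclass
class Signal:
    host: str
    name: str
    fidelity: str  # "low" signals are context only; "high" ones enter the triage queue
    event: Event


@dataclass
class DraftIncident:
    host: str
    reason: str


@dataclass
class TriageState:
    context_signals: list = field(default_factory=list)
    triage_queue: list = field(default_factory=list)
    draft_incidents: list = field(default_factory=list)


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# Constructed detection tables (hypothetical, not Huntress detection logic).
PROCESS_NAME_SIGNALS = {
    "whoami.exe": ("recon-whoami", "low"),   # broad, low-risk context signal
}
KNOWN_MALWARE_HASHES = {
    sha256(b"constructed malware sample"): "known-malware-file",  # high-fidelity
}


def canary_status(expected_sha256: str, current_content):
    """Return None if the canary is intact, else 'missing' or 'modified'."""
    if current_content is None:
        return "missing"
    if sha256(current_content) != expected_sha256:
        return "modified"
    return None


def route_event(event: Event, state: TriageState, canary_baseline: dict) -> None:
    """Route one event along the path the article describes."""
    if event.source == "canary":
        path = event.detail["path"]
        status = canary_status(canary_baseline[path], event.detail.get("content"))
        if status is not None:
            # Tripped canary: no signal is created; a draft incident is opened directly.
            state.draft_incidents.append(
                DraftIncident(event.host, f"ransomware canary {path} {status}"))
        return

    if event.source == "process":
        name, fidelity = None, None
        file_hash = event.detail.get("sha256")
        if file_hash in KNOWN_MALWARE_HASHES:
            name, fidelity = KNOWN_MALWARE_HASHES[file_hash], "high"
        else:
            match = PROCESS_NAME_SIGNALS.get(event.detail["image"].lower())
            if match:
                name, fidelity = match
        if name is None:
            return  # ordinary event: analyzed, but no signal produced
        signal = Signal(event.host, name, fidelity, event)
        (state.triage_queue if fidelity == "high" else state.context_signals).append(signal)


CANARY_PATH = "C:\\Users\\alice\\Documents\\canary.docx"  # constructed path


def run_demo() -> TriageState:
    baseline = {CANARY_PATH: sha256(b"original canary content")}
    events = [  # constructed sample telemetry
        Event("HOST-1", "process", {"image": "whoami.exe"}),
        Event("HOST-1", "process", {"image": "notepad.exe"}),
        Event("HOST-2", "process", {"image": "update.exe",
                                    "sha256": sha256(b"constructed malware sample")}),
        Event("HOST-3", "canary", {"path": CANARY_PATH, "content": b"ENCRYPTED!"}),
        Event("HOST-4", "canary", {"path": CANARY_PATH, "content": b"original canary content"}),
        Event("HOST-5", "canary", {"path": CANARY_PATH, "content": None}),
    ]
    state = TriageState()
    for ev in events:
        route_event(ev, state, baseline)
    return state


if __name__ == "__main__":
    s = run_demo()
    print(len(s.context_signals), "context signal(s),", len(s.triage_queue), "queued,",
          len(s.draft_incidents), "draft incident(s)")
```

Running the demo leaves the `whoami` signal in the context list only, places the hash-matched file in the analyst queue, and opens draft incidents for the modified and the missing canary while the intact canary produces nothing at all, which is the behaviour the article describes for why canary trips never show up as signals.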
Investigation Context
In cases where no incident report is generated, the Huntress SOC will provide investigation context to explain why a given signal was closed and not reported. The below are the possible context values and what they mean:
- Pen-testing: This signal was generated by known pen-testing at the partner organization.
- Business Accepted Risk: This signal was generated by system behavior whose risks an administrator of this organization had previously acknowledged and accepted.
- False Positive: After a thorough analysis, this signal was determined to be a false positive. If these signals recur, the Huntress Security Operations Center will suppress them from triage until Detection Engineering can refine the detection logic so it no longer generates these signals.
- Benign True Positive: This signal was generated correctly due to system behavior, however analysis indicates the activity is benign/non-malicious in nature.
- Previously Reported: The Huntress Security Operations Center previously reported this behavior. This signal was closed to prevent duplicate incident reports.
- Malware Artifact: This signal was generated by artifacts from a past infection which is no longer active. This is not considered an operational risk.
- Backup File: This signal was generated by a file that was backed up which could contain malicious indicators. However, because the file was not executed, there is no perceived operational risk.
- Agent uninstalled: The Huntress agent has been uninstalled. As this endpoint was most likely re-imaged, the signal was closed out. If you believe the agent was uninstalled due to nefarious activity, contact Huntress Support and a SOC analyst will investigate.
- Legacy Autorun Investigation: This signal was closed automatically through a legacy autorun investigation workflow that did not require a context value to be set. If you have questions, contact Huntress Support.