Responding to Threat Detections

The tool that you, as a security analyst, will use to deal with detected threats and potential threats in the Arista NDR Platform is the Situation. This chapter addresses what Situations are, how they are created, and how you can view, track, and act on them.

Situations

A Situation is a body of knowledge: a repository where you can find, add, and keep all the details about one of your security investigations.

Any information available in the entire Awake Platform can be added to a situation to provide more context in the investigation. This allows for better analysis, sharing, and final reporting on the results of the investigation contained within the situation.

One can think of the process of building a Situation as analogous to the process a lawyer uses to build a case. The information gathered answers the questions: what happened, what proof do we have, what was the impact, and what additional investigation or response actions should be taken?

Once an anomalous activity is identified and added to a Situation (either manually or automatically), information about that activity is collected and analyzed using AVA, the Arista Virtual Assist, giving you, the analyst, the tools to determine whether there was a legitimate attack on your organization. You can create, access, and update Situations from any area of the Arista NDR Platform by clicking the Situation Overlay icon near the bottom of the main navigation bar, which runs vertically down the left of the screen. Context menus on SKG (Security Knowledge Graph) entities and activities also let you access related Situations or create a new one.

Automatically Created Situations

Situations can be used to manually gather and document information about suspicious behavior that an analyst found by hand; AVA then detects changes in the Situation and continues to build out the details. In addition, the Awake Platform creates and updates Situations for you automatically.

Adversarial models that include AML creation skills are able to create a Situation for you autonomously. Once it is created, AVA detects the new Situation and, as with manually created Situations, enriches it with additional information such as device-domain relationships, domain reputation, related activities, and so on.

In many cases, automatically created Situations detect threats in your network fully autonomously; these are summarized, updated, and shown in the Situations dashboard for your review and response, without requiring any analyst investigation. The analyst can also freely adjust the information in these Situations at any time, and AVA responds to those changes, creating a true collaboration between the human analyst and an automated virtual assist capable of finding the most evasive and sophisticated threats.

Automatically created Situations are initially given a special “Developing” status to indicate that the automation is still collecting and developing the information needed to fully document the potential threat. When AVA concludes that there is sufficient data to substantiate a threat, the status changes to “New”, and at that point the Situation appears in the Current Situations tab of the Situations list view to indicate that it is ready for analyst review and response. If you are curious about the potential threats the system has automatically created and is currently developing, you can view them in the Developing Situations tab instead. Keep in mind that not all developing Situations will ultimately become active Situations: if further evidence indicates that there is no threat, AVA closes the automatically developing Situation.

When to Create a New Situation

Situations are created automatically by the system when network activity matches certain adversarial models. In addition to these automatically generated Situations, any user of the system can create Situations.

Here are some reasons to create or add to a Situation:
  • To track any activity that appears suspicious.
  • To address a network-wide security hygiene issue such as:
    • Outdated operating systems on the network that present a vulnerability.
  • Whenever it is appropriate to gather and track a specific security-related issue on the network.
  • If the issue is already addressed by an existing Situation, additional information can be added to it at any time.

Creating a New Situation

To create a new Situation:
  1. Click the Situation Overlay button at the bottom of the left navigation panel. This opens the Situation Overlay.
    Figure 1. Situation Overlay

  2. In the Situation Overlay menu, click Create a New Situation, or the Plus icon at the bottom of the screen:
    Figure 2. Plus Icon

  3. Awake opens the Create a New Situation dialog box:
    Figure 3. Create New Situation

  4. Give your Situation a name and click Save. The situation name is populated by default into the Investigator field. Awake opens a new Situation with the given name. You can now provide other information.
    Figure 4. New Situation

  5. Most of the fields shown are blank, but as you fill them in, this screen will populate. As more is known about this Situation, AVA, the Arista Virtual Assist, also fills in the blanks. For details on AVA, see AVA: The Arista Virtual Assist.
  6. Note the icons to the right of the initial column of data about the Situation. Each icon provides a different perspective on the Situation. Also note the icons across the bottom of the screen. They provide you with single-click access to a list of the Situations and to previously created situations:
    Figure 5. Situations List

  7. Existing situations can be accessed by clicking the first icon, which shows the Situation List. You can click any one of them to get additional details, and modify the information on that Situation to reflect your current knowledge. AVA acts as an additional threat researcher running in the background and may add additional information to the Situation. While adding content to an existing situation, you can always add a new situation with the Plus icon as described above.

Adding Content to a Situation

There are two main ways to add content to a situation:

  1. Through the dropdown icons located next to most metadata found in the Arista NDR Platform. These dropdowns show the options associated with the metadata; the Situation options appear at the bottom of the list. Select Add to a Situation to open a workflow and add the selected item to the Situation of your choice. If no appropriate Situation exists, you can create a new one at this stage of the process.
  2. You can also add an Adversarial Model or Skill to a Situation by clicking the save icon to the right of the AML dropdown, then selecting Add Model to Situation and specifying the examples to attach. Note that you can do this only with the currently selected Adversarial Model or Skill.

Adding Artifacts to a Situation

In addition to attack information and content drawn from throughout the system, you can add custom artifacts to help clarify and explain an existing Situation. Artifacts can be Actions, Objects, Documentation, or Child Situations.

  1. Click Supporting Artifacts.
  2. Then click + Add Artifact.
  3. Select the type, and follow the instructions to add the artifact to the Situation.
    Figure 6. Add Custom Artifact

Adding Arbitrary Files to a Situation

You can add files to a situation for reference. Note that files are not parsed or analyzed by the system, but can be added to provide other analysts with additional information.

Figure 7. Custom Action Artifact

Attack Details for a Situation

Once you have expanded your view of an attack, you can view the following details about the attack:

  • Where it originated
  • How it spread, step by step
  • The time and IP address of all affected machines
  • Any payloads that were delivered in the process

All of this is depicted graphically, and you can pin any details for revisiting and further investigation.

Here is an example of a sequential Attack Map. It begins with an acceptable-use action, a visit to a watering hole site, which is the first step of the attack sequence:
Figure 8. Sequential Attack Map

Click Overview to get a summary of the attack, along with more fields.
Figure 9. Summary of Attack

Looking at the fields visible on screen, you can see that this has been added to Pinned Situations, and has a clear textual summary overview, drawn from the Description field:

"It seems as though one user within Dogfood Co was compromised while visiting a site they usually visit. After the initial stage is successful, another stage is downloaded, which allowed the attacker to move laterally within the network. Mediation is ongoing."

In the center of the screen, the attack is shown graphically, a step at a time, with a detailed summary alongside.
Figure 10. Detailed Summary

Additional attack details can be added in real time and shared with other security researchers.

Awake also provides a list of unique investigatory steps for each generated Situation. Navigate to the Investigation Options section in the Situation details. It displays a checklist of different types of actions you can take for further analysis.
Figure 11. Investigation Options

Using the Quickbar

Existing situations can be pinned to the Situation Quickbar to provide immediate access from the lower left-hand corner of the Situation overlay.

You can pin a Situation to this Quickbar in two ways:
  1. In the Situation List, click the icon in the first column (labeled P.) next to the Situation you want to pin.
  2. On the Situation Details page for the Situation you want to pin, click the toggle marked Pin to Quickbar in the Overview section.
The Quickbar displays five Situations at a time; if more are pinned, use the arrows on either side of the list to scroll.
Figure 12. Quickbar

Remediation Options

Once a threat is defined in your system, you need to decide what to do about it. Awake knows some of the available options and describes them so that you can take action to implement remediation.

Situation Options: The Attack Map

The Attack Map provides a graphical view of the entities involved in the Situation, showing device names, IP addresses, functions, and other details of the entities involved, whether data was transferred and in what direction, and more.

Figure 13. Attack Map

The toolbar on the left of the Attack Map provides access to the supporting artifacts and audit log, as well as the impact on affected devices and any suggested investigation or response options.

Figure 14. Toolbar

AVA: The Arista Virtual Assist

The Arista Virtual Assist (AVA) is an AI-enabled virtual assistant that uses big data, artificial intelligence, and the input from Arista's MDR threat researchers to automate the investigation of Situations.

For the latest on AVA, see our blog post: Meet AVA, Your Newest Coworker: Advanced AI Security in Action.

Adversarial Model Details

The AML Query Panel functions as a list of Adversarial Models. It includes other tools and a list of the top ten AML queries that have been run.

It looks like this:
Figure 15. Query Panel

This screen shows the unacknowledged Adversarial Model Matches sorted by risk, highest risk score first. From this example you can conclude that "Credential Access: Suspected Kerberos Password Bruteforce" is constantly being found, with over two trillion hits on two devices, the most recent hit occurring just a few days ago. Delve into the numbers shown on the Adversarial Models display to see exactly which Adversarial Models have matched, when they matched, and the device(s) and activities that produced the "hit".

Though only the most recent run is shown, you can go back in history to see earlier runs, and conduct analysis on the differences over time, or compare the results across devices and destinations.

Adversarial Model Matches

Adversarial model matches are detections of suspicious behaviors that may be associated with malicious behavior or policy violations.

In many cases these detections are ambiguous, in the sense that an individual model match may occur in activity that is acceptable usage within the organization. However, when multiple model matches, especially ones representing different attack tactics, occur for the same entity in a short period of time, the likelihood of an active threat increases dramatically. The Situations feature assists with this kind of correlation analysis, both automatically and in response to analyst actions. When there are no active Situations to investigate, the analyst can use uncorrelated model matches as a starting point to hunt for possible threats, as described in this section.
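To make the correlation heuristic concrete, here is an added Python example; it is not Arista's code and not the NDR Platform's own matching logic. It groups adversarial model matches per device and flags devices that have matches from at least two distinct attack tactics within a sliding 24-hour window; the devices left out are the uncorrelated matches the paragraph above suggests as hunting starting points. The input rows, their field names (ts, device, tactic, model), and all tactic and model labels other than the Kerberos brute-force model quoted earlier on this page are constructed for the example.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample input: one row per adversarial model match. The field
# names are this example's own assumption, not the Arista NDR export schema.
SAMPLE_MATCHES = [
    {"ts": "2024-03-01T09:02:00", "device": "ws-finance-07",
     "tactic": "Initial Access", "model": "Download From Rarely Visited Domain"},
    {"ts": "2024-03-01T09:40:00", "device": "ws-finance-07",
     "tactic": "Credential Access", "model": "Suspected Kerberos Password Bruteforce"},
    {"ts": "2024-03-01T11:15:00", "device": "ws-finance-07",
     "tactic": "Lateral Movement", "model": "SMB Admin Share Access"},
    # Same tactic twice, then a different tactic three days later: not
    # correlated within a 24-hour window, but it is within a 4-day window.
    {"ts": "2024-03-01T10:05:00", "device": "srv-build-02",
     "tactic": "Credential Access", "model": "Suspected Kerberos Password Bruteforce"},
    {"ts": "2024-03-01T10:06:00", "device": "srv-build-02",
     "tactic": "Credential Access", "model": "Suspected Kerberos Password Bruteforce"},
    {"ts": "2024-03-04T08:00:00", "device": "srv-build-02",
     "tactic": "Lateral Movement", "model": "SMB Admin Share Access"},
    # A lone match: plausible acceptable usage, left for hunting.
    {"ts": "2024-03-02T14:30:00", "device": "ws-hr-03",
     "tactic": "Discovery", "model": "Internal Port Scan"},
]


def parse_matches(rows):
    """Parse ISO timestamps and return matches sorted by device, then time."""
    parsed = []
    for row in rows:
        item = dict(row)
        item["ts"] = datetime.fromisoformat(row["ts"])
        parsed.append(item)
    return sorted(parsed, key=lambda m: (m["device"], m["ts"]))


def correlate_by_entity(rows, window_hours=24, min_tactics=2):
    """Return, per device, the densest window containing at least
    `min_tactics` distinct tactics. Devices with no such window are omitted."""
    window = timedelta(hours=window_hours)
    by_device = defaultdict(list)
    for m in parse_matches(rows):
        by_device[m["device"]].append(m)

    clusters = {}
    for device, matches in by_device.items():
        best = None
        # Slide the window start over each match; matches are time-ordered,
        # so everything within `window` of the anchor follows it in the list.
        for i, anchor in enumerate(matches):
            in_window = [m for m in matches[i:] if m["ts"] - anchor["ts"] <= window]
            tactics = {m["tactic"] for m in in_window}
            if len(tactics) >= min_tactics and (
                best is None or len(tactics) > len(best["tactics"])
            ):
                best = {
                    "tactics": sorted(tactics),
                    "models": sorted({m["model"] for m in in_window}),
                    "start": anchor["ts"].isoformat(),
                    "end": in_window[-1]["ts"].isoformat(),
                }
        if best is not None:
            clusters[device] = best
    return clusters


def uncorrelated_matches(rows, window_hours=24, min_tactics=2):
    """Models seen on devices that did not reach the correlation threshold:
    the starting points an analyst would hunt from when nothing correlated."""
    clusters = correlate_by_entity(rows, window_hours, min_tactics)
    leftovers = defaultdict(set)
    for m in parse_matches(rows):
        if m["device"] not in clusters:
            leftovers[m["device"]].add(m["model"])
    return {device: sorted(models) for device, models in leftovers.items()}


if __name__ == "__main__":
    for device, cluster in correlate_by_entity(SAMPLE_MATCHES).items():
        print(f"{device}: {len(cluster['tactics'])} tactics "
              f"{cluster['start']}..{cluster['end']} -> {cluster['tactics']}")
    print("uncorrelated:", uncorrelated_matches(SAMPLE_MATCHES))
```

The window length and tactic threshold are the tuning knobs: widening the window to four days pulls srv-build-02 into the correlated set, which is exactly the trade-off between catching slow attackers and drowning analysts in coincidental pairings.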

Arista distributes a large library of Adversarial Models and Skills tuned to discover the threats common to the current threat environment. You can view the Arista models and create your own using the Adversarial Modeling Language as described in the Managing Threat Content section.

IOC Matches

Domain, IP, and file hash indicators can be imported into the Arista NDR as described in the Managing Threat Content section.

Matches to Indicators of Compromise (IOC) are shown in context on the workbench and Security Knowledge Graph pages with an orange dot next to any reference to an artifact contained on an IOC list. A tooltip provides more information about the IOC list or lists containing the artifact. The IOC Matched dashboard dataset lets you visualize match counts over time and select matches from the associated pivot list for investigation in the workbench.