Today we’re thrilled to roll out new IoC search functionality on the TruSTAR platform.
Security analysts are visual creatures. We are able to process new information and recall old information better when it is presented with graphics or images. This is especially true when it comes to searching for indicators during incident triage or threat hunting. Seeing the results as a visualization makes it so much easier to pinpoint interesting patterns and quickly assess the full scope of your analysis. And this is exactly what we are launching today!
Starting today, our search results will return IoCs (like an IP address, or a malware name such as Jaff or WannaCry) in addition to the incident reports. You can visualize the results of your IoC search and see how the IoC relates to TruSTAR reports across various sectors, closed source intelligence (like FS-ISAC and listservs) and open source intelligence.
What is different about this new capability?
TruSTAR had previously offered an IoC search capability, but users could only see results as a list of reports that contained the IoC. This did not let our users visualize how a specific IoC connects to other reports on TruSTAR, which meant they were not able to take full advantage of the unique way we store IoCs and the relationships between IoCs and reports.
How can it help me in my analysis?
The real value of this feature comes from what you can do with the results of the searches. Here are a couple of examples:
- Incident/Event Triage: Effective incident response relies on how quickly you can mitigate a threat. With our new search function, SOC operators can search for indicators and quickly see all the reports and intelligence connected to that specific indicator, from their own enclave and from the TruSTAR Community. Having access to the full context helps SOC operators quickly determine if they have evaluated this IoC in the past and what other TruSTAR members are saying about it, prompting a faster mitigation response.
- Cyber Threat Hunting: It is extremely important for threat hunters to quickly establish the quality of intelligence available for a specific indicator. By visualizing the context around specific indicators, threat hunters can answer specific questions such as how many other users are seeing this indicator, when it was first seen on TruSTAR, and what information is available from intelligence sources. This information can guide their hunt and help them get more targeted in their mission.
How do I use it?
When you search for a term like “WannaCry” or an IP address like “126.96.36.199”, the results will first list all IoCs that match the term, followed by reports that contain the term. If the results contain an IoC, you can click on it and see the graph visualization of all reports that connect to it.
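To make the search behaviour described above concrete, here is an added example (not TruSTAR code, and not a description of how the platform is implemented) that models the IoC-to-report relationship as a small index. The report records, their sources and dates are constructed sample data; the field names and the `my-enclave`/`community`/`osint` source labels are assumptions. `search` returns matching IoCs first and then the reports that mention the term, and `ioc_context` answers the triage and hunting questions from the sections above: which reports connect to the indicator, which sources they came from, when it was first seen, and whether your own enclave has already seen it.

```python
"""Toy IoC <-> report index: search for a term, then pivot from one IoC to its connected reports."""
from collections import defaultdict
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Report:
    """One intelligence report with the indicators extracted from it (field names are assumed)."""
    report_id: str
    title: str
    source: str          # assumed labels: "my-enclave", "community" or "osint"
    submitted: date
    iocs: frozenset      # indicator values extracted from the report


# Constructed sample reports, not real TruSTAR data.
REPORTS = [
    Report("R1", "WannaCry ransomware spreading via SMB", "community", date(2017, 5, 12),
           frozenset({"WannaCry", "126.96.36.199"})),
    Report("R2", "Jaff ransomware phishing wave", "osint", date(2017, 5, 11),
           frozenset({"Jaff", "198.51.100.7"})),
    Report("R3", "Internal triage of suspicious outbound traffic", "my-enclave", date(2017, 5, 15),
           frozenset({"126.96.36.199"})),
    Report("R4", "Weekly threat summary", "osint", date(2017, 5, 16),
           frozenset({"WannaCry", "Jaff"})),
]


def build_index(reports):
    """Map each IoC value to the set of report ids that contain it."""
    index = defaultdict(set)
    for r in reports:
        for ioc in r.iocs:
            index[ioc].add(r.report_id)
    return dict(index)


def search(term, reports, index):
    """Return (IoCs matching the term, ids of reports whose title or IoCs mention the term)."""
    t = term.lower()
    iocs = sorted(i for i in index if t in i.lower())
    report_ids = [r.report_id for r in reports
                  if t in r.title.lower() or any(t in i.lower() for i in r.iocs)]
    return iocs, report_ids


def ioc_context(ioc, reports, index):
    """Pivot from one IoC to everything connected to it, ordered by submission date."""
    by_id = {r.report_id: r for r in reports}
    linked = sorted((by_id[rid] for rid in index.get(ioc, ())), key=lambda r: r.submitted)
    return {
        "reports": [r.report_id for r in linked],
        "sources": sorted({r.source for r in linked}),
        "first_seen": linked[0].submitted.isoformat() if linked else None,
        "seen_in_my_enclave": any(r.source == "my-enclave" for r in linked),
    }


if __name__ == "__main__":
    index = build_index(REPORTS)
    for term in ("WannaCry", "126.96.36.199"):
        iocs, reports = search(term, REPORTS, index)
        print(f"{term}: IoCs={iocs} reports={reports}")
        for ioc in iocs:
            print("  context:", ioc_context(ioc, REPORTS, index))
```

The index is the same bipartite relation the post describes (IoCs on one side, reports on the other), so `ioc_context` is just the neighbourhood of one IoC node; a graph view of it would draw the IoC in the centre with one edge per report.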
If you are new to TruSTAR, check out this blog post about how to read our graph visualizations.
Check Out Our IoC Search Demo with WannaCry
Ready to get started?
Now that you know how our new search capability works, give it a try! Click here to get searching. I’ll bet you find a new correlation you haven’t discovered before.