
Remediation without the Guesswork

Robert Wagner
Reading time: 8 min

With Fletch, you can quickly get a handle on new and evolving threats and act on them without guessing.

Summary: In this user education article, we dive into remediation and how Fletch helps fix problems faster and more efficiently without the traditional guesswork.

Last week we broke down how Fletch helps you stay ahead of cyber threats. This week we dive into remediation and all the things you’ll do to address a threat that’s impacting you.

If you’re using the Fletch Trending Threats app, you’re starting to get a handle on major threats that could impact your organization. So, what now? 

Figuring out what to do with all the information coming at you can be overwhelming:

  • You’re trying to figure out what to prioritize, when to prioritize it, and what actions to take. 
  • Often, you’re asking your engineering team to drop what they’re doing to focus on a threat you’ve identified as a priority. You need to be prepared to answer their questions—especially the “why?”
  • You’re also monitoring threats as they evolve to see if other actions are needed.

Prioritizing risk

Prioritizing what to do has historically been one of the most difficult aspects of remediation. The good news is it’s also the one you can do the most about.

Remediation is all about research—the better your research, the better the response.

It's a matter of working out which set or subset of your issues actually overlaps with the events going on in the world right now. You want to be better informed about the issues that matter most to your organization. That's especially challenging because you're dealing with a continuous cycle; it's not a one-and-done situation. New information is bombarding you all the time, and any of it can change your remediation strategy.

When it comes down to it, remediation work at many companies looks a lot like guesswork. Security teams aren't measuring risk based on hard facts, because they don't have all the facts at their fingertips to begin with.


If you're like most security teams, you're dealing with limited information. You're constrained by your current tools and by the time proper research takes. You've got data spread across multiple apps that you need to pull together and correlate. That typically means setting up a SIEM, which is a lot of work in and of itself, and a lot of manual processing on top of that.

Getting a handle on all the contextual information that’s related to thousands of new and evolving threats that come in daily is a massive undertaking.

This is where our Trending Threats app comes in.

Focus on threats that matter

Fletch does much of that heavy lifting for you, allowing you to move much faster to mitigate major threats impacting your organization. 

Fletch analyzes and curates 30,000 daily threat intelligence reports and articles to give you a picture of what's going on in the real world. We deliver you a list of articles you probably should read today. That way, you're at least aware of what's going on in the world. But we don't just stop there.

If you connect Fletch to your security tools—your vulnerability scanners, code vulnerability scanners, and endpoint detection tools—Fletch takes all of that threat data and puts it in context for you. This allows you to prioritize threats specific to your environment.

Fletch correlates security indicators from the major threats it tracks with indicators reported by your security tools.

How do we prioritize this list? 

Severity rating 

The first criterion is a severity rating. We look at the context of all the articles that correlate to a given threat and work out the true impact to your organization based on those external factors. We look at things like:

  • Is there a brand new, previously unknown vulnerability being leveraged by an attacker?
  • Have multiple organizations been impacted? 
  • Are any of the breached organizations relevant to your industry or vertical?

Then we look at which threats have compromised, or are potentially targeting, the largest number of resources.

After severity, we rank by resources potentially compromised (using malware indicators from your endpoint/EDR product), then by resources vulnerable (using vulnerability indicators from your app and/or code vulnerability scanners). Together these determine whether you are "impacted" (shown in the Status column of the summary), and the counts for each type of impact (malware or vulnerabilities) drive the ordering within a severity level.
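The ranking described above, as an added example and not Fletch's own code: tracked threats carry a severity plus their published indicators (malware hashes and CVE IDs), EDR detections arrive as (host, hash) pairs, and scanner findings arrive as (resource, CVE) pairs. Correlating the two sets and sorting by severity, then compromised count, then vulnerable count reproduces the order the text describes. All threat names, hashes, CVE IDs (CVE-2099-xxxx placeholders) and hostnames below are constructed for the example.

```python
"""Correlate tracked-threat indicators with local tool findings and rank them.

Illustrative only (not Fletch's implementation). Assumes:
  - each tracked threat has a severity, a set of malware hashes and a set of CVEs
  - EDR detections are (host, sha256) pairs
  - scanner findings are (resource, cve) pairs
All sample data is constructed; the CVE IDs are placeholders, not real entries.
"""
from dataclasses import dataclass, field

SEVERITY_RANK = {"critical": 3, "high": 2, "medium": 1, "low": 0}


@dataclass(frozen=True)
class Threat:
    name: str
    severity: str
    malware_hashes: frozenset  # sha256 IOCs reported for this threat
    cves: frozenset            # CVEs the reports say this threat exploits


@dataclass
class Impact:
    threat: Threat
    compromised: set = field(default_factory=set)  # hosts with EDR hits on this threat's malware
    vulnerable: set = field(default_factory=set)   # resources whose findings match this threat's CVEs

    @property
    def status(self) -> str:
        return "impacted" if (self.compromised or self.vulnerable) else "not impacted"

    def sort_key(self):
        # Severity first, then compromised count, then vulnerable count.
        return (SEVERITY_RANK[self.threat.severity], len(self.compromised), len(self.vulnerable))


def correlate(threats, edr_detections, scanner_findings):
    """Return Impact records for every threat, highest priority first."""
    impacts = {t.name: Impact(t) for t in threats}
    for t in threats:
        for host, sha in edr_detections:
            if sha in t.malware_hashes:
                impacts[t.name].compromised.add(host)
        for resource, cve in scanner_findings:
            if cve in t.cves:
                impacts[t.name].vulnerable.add(resource)
    return sorted(impacts.values(), key=Impact.sort_key, reverse=True)


def export_rows(impacts):
    """Flatten ranked impacts into one row per affected resource (for CSV/ticket export)."""
    rows = []
    for i in impacts:
        for host in sorted(i.compromised):
            rows.append({"threat": i.threat.name, "resource": host, "impact": "malware"})
        for r in sorted(i.vulnerable):
            rows.append({"threat": i.threat.name, "resource": r, "impact": "vulnerable"})
    return rows


# Constructed sample data (hashes, CVE IDs and hostnames are placeholders).
THREATS = [
    Threat("ransomware campaign X", "critical", frozenset({"sha256:aaaa"}), frozenset({"CVE-2099-0001"})),
    Threat("infostealer Y", "critical", frozenset({"sha256:bbbb"}), frozenset({"CVE-2099-0002"})),
    Threat("web shell Z", "high", frozenset({"sha256:cccc"}), frozenset({"CVE-2099-0003"})),
    Threat("advisory W", "medium", frozenset(), frozenset({"CVE-2099-0004"})),
]
EDR_DETECTIONS = [
    ("host-01", "sha256:aaaa"), ("host-02", "sha256:aaaa"), ("host-03", "sha256:aaaa"),
    ("host-04", "sha256:bbbb"), ("host-05", "sha256:cccc"),
    ("host-06", "sha256:dddd"),  # matches no tracked threat, so it never ranks
]
SCANNER_FINDINGS = [
    ("app-01", "CVE-2099-0001"),
    ("app-02", "CVE-2099-0002"), ("app-03", "CVE-2099-0002"),
    ("app-04", "CVE-2099-0002"), ("app-05", "CVE-2099-0002"),
    ("app-06", "CVE-2099-0009"),  # finding for a CVE no tracked threat exploits
]


def run_example():
    return correlate(THREATS, EDR_DETECTIONS, SCANNER_FINDINGS)


if __name__ == "__main__":
    for i in run_example():
        print(f"{i.threat.name:24} {i.threat.severity:8} {i.status:13} "
              f"compromised={len(i.compromised)} vulnerable={len(i.vulnerable)}")
```

Note the tie-break: both critical threats have matching findings, but the campaign with three EDR hits outranks the one with a single hit and four vulnerable resources, because compromised hosts are weighed before vulnerable ones. The unmatched EDR hit and the unmatched scanner finding stay out of the ranking entirely; they are signal for your other tooling, not for this list.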

Degree of impact

That “potentially compromised” column is interesting because we're developing context for you and picking up on things going on in the real world that your current security tools may miss.

EDR tools can't do this. They are necessarily "generic" in the sense that they aren't aware of what's being reported in the news. They'll detect malicious activity and malware, but they won't tie it back to what's being reported.

Endpoint tools lack certain context

The main problem with EDR tools is that they often lack context: what threat, if any, does this detection relate to? That context is what you need when you're trying to dig deeper into whether a particular system or set of systems is truly protected.

EDR's visibility is also limited to the endpoint(s) it's deployed on. It is not aware of anything else happening on the network that could be related to an attack.

If your EDR detects malware, that's great. But it may not have detected the subsequent things that malware would do, which is the data that you're going to find in those articles that we're pulling together for you.

As the chart above shows, Fletch takes all of our security data and compares it against data from your security tools.

You can see why this list was prioritized in this order. We've got a very critical threat. It’s based on pulling together and analyzing all that data to figure out what's critical. But we have eight hosts that are potentially compromised by this threat, as well as two other resources that are vulnerable to this particular threat. So that's why it's moved up to the top. 

This is where you would probably want to take your first actions of the day as you review your list.

Once you've got your priorities and have decided that you need to do something, you're moving into the remediation and mitigation phase. You're going to try to contain the threat and eradicate any vectors the attacker could use to regain a foothold in your organization. This is the advantage of having all of that data at your fingertips in one place.

That's the beauty of Threat Intelligence. 

Track threats as they evolve

Fletch isn’t just telling you about the threat based on information in one article. We’re continually monitoring threat intelligence reports to track threats as they evolve.

We give you visibility into as much of the attack life cycle as possible, using as much open source information as possible about each threat.

Fletch keeps your prioritization up to date as a threat evolves, as the severity changes, and as new indicators are discovered.

Mitigation without the guesswork

Once you're ready to act to mitigate a threat, we give you detailed information to help get you started. Fletch takes you through all the potential steps that you may need to go through for a proper remediation of this particular threat.

For example, say a spear-phishing email is the delivery mechanism for this threat. Your EDR may tell you that a host has been compromised.

With Fletch: 

  • We’ll tell you if multiple CVEs may be involved.
  • We'll also let you drill down into the article itself, so you can read it for yourself and get intel on how the host may have been compromised.
  • You know where to look. For example, we’ll tell you what to look for in your email systems.
  • We’ll tell you if a patch is available and also walk you through how to prioritize your patching in a separate conversation. 

Beyond the initial detection, there could be additional changes that are needed as part of your mitigation strategy that you might only be able to surface from these articles. 

We pull together all the information to help put together a comprehensive strategy for getting rid of this threat—especially when you have to act across your enterprise together.

Sorting

We can also help you sort the data in different ways. Once you know you want to act on a particular threat, a list of the resources impacted by it is what you need. You can sort these by the various columns, giving you a better view of where to start.

We put this all in a table for you, so that you can export it in case you need to deliver this to other teams in order for them to create tickets, to create prioritization lists themselves, and so on. A decent naming convention for your resources can also tell you which things are most critical. 

Within the list for each resource, you can expand out even further:

  • You can see the vulnerabilities. 
  • You can see the malware involved.
  • You can click through on a threat to get any tips shared directly by the vendor, if they offer guidance.

We're pulling in everything relevant that we can find into one place, so that you can act quickly without the guesswork. You can go and research all of these things independently. But that is going to waste your time.  With Fletch you can act quickly and remediate efficiently.

With Fletch, you won’t have to guess any more.

Related topics: 

If you liked this article, be sure to check out our other user education topics:

  • Getting ahead - How Fletch helps you get ahead of a threat's life cycle.
  • Staying ahead - How Fletch helps you stay ahead of evolving threats.