Between keeping up with your alerts, putting together reports, running through your daily checklists, or whatever else it may be throughout your day, I think one thing we can all agree on is there is never enough time in the day! As I’ve progressed in my career, I’ve tried to become lazier in my work. Yes, you heard that right! I try to be lazy, but that’s a good thing, and I’ll tell you why! Consider the following… why choose to do the same tedious tasks daily when you can be lazy and let the computer do the boring stuff for you. Let’s face it, there is a huge need for investing in automation, and here are some reasons why.
The Need for Automation
Manually handling hundreds of indicators of compromise is not fun and it can be hard to make heads or tails from them. Often this becomes too much to deal with, and when it becomes too much to deal with, it ends up being too noisy. Ultimately, this leads to useless data, and there isn’t much value in having indicators if you view it as useless data.
When you have lots of manual work involved, it leaves room for human error like overlooking things, misclicking something, or forgetting to save your document. Honestly, I don’t trust myself not to make a mistake when there is so much data to comb through and analyze.
False positives and alert fatigue go hand-in-hand. However, by leveraging automation to provide additional context or enrichment to your alerts, you can start to reduce these for you and your team. For example, you may discover you can start writing logic into your automation which closes out false-positive alerts or sends malicious file hashes to your endpoint tool to be blocked.
For each alert, incident, or investigation, the time spent gathering information about a particular indicator of compromise adds up. I’m telling you, the key to success is to be lazier! Put the computer to work and make it do the time-consuming stuff for you! When you can get results faster, you can make decisions faster. It takes time to go to each website to look up an indicator of compromise and figure out what data is valuable. Suppose you spent an average of two minutes going to each website to look for analysis, multiplied across five different websites. In that case, it adds up to 10 minutes spent on just one indicator alone. The goal should be to determine the good, bad, or unknown quickly. Known good could be dismissed, known bad could be blocked, and finally, unknown could be alerted on for further investigation or analysis. Every minute you save not spent manually looking up indicators will be another minute you have to spend elsewhere!
Automation Can Be Hard
Automation! It sounds great in theory, but the reality is there are unaccounted-for things you run into along the way. For example, you may try to tackle automating a task, but you quickly end up spending all your time trying to debug your code, leaving no time left for your original task. Maybe you start to rethink if automation is worthwhile and continue with your manual processes or procedures. Or perhaps you have a small team, and you can’t afford to devote time away from managing your alerts to developing new automation. Well, hold that thought!
PyOTI Makes It Easy
There is a much easier way to get the data you need — introducing PyOTI (pī’yōdē), the python open threat intelligence library! PyOTI is a modular API framework that allows you to query threat intelligence APIs easily to get fast, accurate, and consistent enrichment data to provide added context to your indicators of compromise. The idea for this project came from the need to add automation to our indicator vetting process in the RH-ISAC. As I started writing scripts for the Intel team to use, I thought there would be interest from the wider cybersecurity community and decided to write it in a way that could easily be used by others.
PyOTI’s modules standardize and provide a uniform way to query different APIs and get the results in JSON format for easy parsing. If a service or tool you use isn’t already in PyOTI, it is simple to add a new enrichment module, or you may open an issue for a feature request, and we can work to get it added into the project. Currently, PyOTI only performs queries to check if an indicator of compromise has already been scanned or analyzed; however, it is on the road map to add the ability to submit an indicator of compromise to be scanned or analyzed.
Why Use PyOTI?
There are dozens of SEIMs, SOARs, and TIPs, and not everyone uses the same tools. We need tools that play nicely with existing tools, and PyOTI keeps it simple by being tool-agnostic. The only limitations are whatever APIs you have available to get data from. Think of PyOTI as middleware that can be applied to existing workflows that doesn’t require separate infrastructure to use. It is tested and supported cross-platform (Debian/OS X/Windows 10). There is documentation for installing and updating PyOTI on Linux or Windows; however, I strongly encourage you to open an issue on Github for us to help track and support any issues you may have while trying to install, update, or use PyOTI. PyOTI can be used in day-to-day work by leveraging the Jupyter Notebook to perform automated URL analysis for phishing triage, or you can integrate the PyOTI library into your existing security tooling stack.
Automation can be challenging at times, but it doesn’t always have to be. By collaborating and building tools for the community, we continue to help protect as one. We all have the same goals in mind when it comes to cybersecurity, so we shouldn’t have to reinvent the wheel. Good tools aren’t written or built; they’re grown. I am limited to the tools, services, and APIs that I have access to, but I hope to make this a project for the RH-ISAC community and base further development on your needs or what you would like to see from this project to make it more usable for you.