July 11, 2024
7
min read

Rediscover threat hunting and investigations

Command Zero set out to solve the most significant bottleneck for security operations: investigations. There are a lot of solutions (like SIEM, SOAR, SOC automation, AI-powered SOC analysts) available tackling alert ingestion, filtering, correlation and tier-1 related tasks today. Still, investigating escalated cases relies on labor-intensive manual work by tier-2 and tier-3 analysts or incident responders. In this post, I’d like to share how Command Zero transforms the day-to-day experience for threat hunting and investigations.

Alfred Huger
Cofounder & CPO
In this article

Introduction & Our problem space

Command Zero set out to solve the most significant bottleneck for security operations: investigations.  

There are a lot of solutions (like SIEM, SOAR, SOC automation, AI-powered SOC analysts) available tackling alert ingestion, filtering, correlation and tier-1 related tasks today. Still, investigating escalated cases relies on labor-intensive manual work by tier-2 and tier-3 analysts or incident responders.  (Read more about the problem we’re solving and our unique approach on Dov’s blog post)

To achieve this hefty goal, we’ve built an expert investigations platform for every user. (read more about some of the principles and architectural decisions we’ve made so far on Dean’s blog post)

We do this by encoding the research, the investigatory expertise along with the deep understanding of every unique data source into the platform.

In this post, I’d like to share how Command Zero transforms the day-to-day experience for threat hunting and investigations.  

To demonstrate this, I will walk you through a hypothetical flow that starts with an investigation stemming from multiple alerts, a brief touch on threat hunting and an overview of a complex investigation using the Command Zero platform.  

Alert-driven investigations

Command Zero has been deployed in production environments of our early adopters and is being put to the test every day. With this usage, we observed that many investigations start with alerts from security solutions today.  

So, building a feature where users can review alerts from the key systems and kick off investigations based on multiple alerts was a natural step for us.  

The alert view provides an overview of alerts from multiple connected systems.
Users can initiate investigation based on an alert or multiple alerts.

When a user starts an investigation based on alerts, Command Zero automatically takes the initial steps and asks the most relevant questions to the data sources involved. This not only saves time for the investigation, but also it helps analyst understand the context more quickly.

Command Zero automatically takes initial steps and renames each investigation based on context.

The platform renames the investigation based on discovered context. It also builds a short summary and potential leads for the analyst.  

Once an investigation starts, the user has multiple capabilities at their fingertips:  

  1. See the investigation summary, review investigation leads.
You can get an overview of the investigation and a summary.
  1. Query multiple sources using pre-built questions to further investigate leads.
Interrogating multiple data sources is done by using pre-built investigation questions.
  1. View previous investigations and notes about the leads in scope.
Past investigations on leads help get up to speed on the historical context.
Notes taken by the analyst or the team help build institutional memory on leads.
  1. Run facets to replicate best practices and save time.
Facets are dynamic playbooks that save time, ensure consistency and build organizational knowledge.
  1. Add questions to timeline.
Users can add noteworthy questions and answers to the timeline for building the narrative of a case.
  1. Each question receives an LLM-generated summary that not only reduces the labor for reporting, but also it ensures that no detail gets missed or overlooked.
Question summaries help better understand results and save time with reporting.
  1. See timeline with notes, add additional notes for reporting.
Auto-generated timelines help communicate the narrative with stakeholders.
  1. See the complete summary of the investigation.
Investigation summaries combine all questions, patterns and timelines.

Reviewing past investigations or current alert-driven investigations on Command Zero is a great way to educate your teams on where the heat map of threats, gaps and overall risk are for our environments.  

Wherever you see the most escalated cases is generally where your team needs to hunt more and take a more proactive stance against these threats.  

Threat hunting

We all agree that threat hunting is a highly impactful activity for organizations. That stated, unless you have a dedicated team for threat hunting, it is an activity that we’re all doing less frequently than we need.  

And when we do threat hunt, we hardly know where to look and which patterns to look  for.  

Threat hunting has three impediments to properly adopt:  

1) Threat hunting expertise,  

2) access to systems in the environment,

3) technical expertise on diverse systems in the environment.

Command Zero tackles all three barriers as an expert platform with federated access to universal data sources.  

Users can interrogate security and non-security data sources in their environments with pre-built expert questions. They no longer need direct access to data sources at the individual level or be administrator level experts for technologies within the scope of the hunt.  

Users can threat hunt across data sources by using pre-built questions.

Traditionally threat hunting was (and still is) an elite activity exclusive to the highly experienced teams. And since these team members are oversubscribed with manual investigations, threat hunting often gets de-prioritized in most organizations.  

Command Zero’s fresh approach democratizes threat hunting to all your analysts, regardless of experience levels and technical expertise for target systems.  

We believe these capabilities will encourage implementation of more threat hunting programs at all organizations, helping the industry shift to a more proactive stance.  

Users can review the responses and identify patterns of interest. They can either interrogate potential leads more before they decide, or they can promote these objects as leads for further investigation.  

Users can promote leads in threat hunts to be further investigated.

By utilizing Command Zero for investigation and threat hunts, analysts not only get a better understanding of the overall picture, but they also gain the ability to focus more on problem areas.  

The threat hunting and investigation experiences above are significant improvements over the manual, chaotic and labor-intensive experiences for these activities today.  

The transformative investigation experience

For each investigation run on the Command Zero platform, every step of the case is documented, visualized and summarized. These capabilities enable transparent collaboration between multiple analysts or teams, coaching opportunities between team members and smooth handovers between teams.  

Command Zero is not a case management system. And we don’t intend to build case management capabilities in the platform. Instead, we are integrating with the leading systems in this space like ServiceNow to facilitate the normal workflow.  

Command Zero works in tandem with case management solutions, yet the platform provides a record of all current and past investigations to help analyst teams do their best work, within the scope of investigations.  

Analysts can review current and past investigations all on one dashboard.

The platform runs autonomous investigations and threat hunts. These activities also appear on the list of investigations. Users can review autonomous investigations, dive deeper into them with additional questions or facets (dynamic playbooks).

Conclusion

To conclude, Command Zero speeds up threat hunting and investigation processes, delivers consistency and enables collaboration for tier-2+ teams. The platform has been a game-changer for our early adopters, and we believe it will make a huge impact for any organization handling investigations.  

Please check out www.cmdzero.io to learn more or watch our platform overview video.  

Alfred Huger
Cofounder & CPO

Continue reading

Investigations
Highlight

Current SecOps tools are hard to operate and investigate

Despite the early and sincere focus on search/investigations, modern SIEM and SOAR capabilities have evolved to satisfy compliance/regulatory requirements. Today, these technologies do not provide dedicated investigation tools and the right user experience for an effective flow. In this post, we dive into findings from our research, discover sample use cases and recommend solutions to common issues for investigations.
Dean De Beer
Oct 30, 2024
8
min read
Investigations
Highlight

An interview with Eric Hulse: Insights from recent Command Zero engagements

In this interview, we dive deep into the world of cybersecurity investigations with Eric Hulse, Head of Research at Command Zero. Eric shares invaluable insights from some of the recent customer engagements, explaining how Command Zero is revolutionizing the way security teams operate, from drastically reducing investigation times to empowering analysts at all levels. He reveals how the platform can integrate with common tools like Microsoft Entra ID, Okta, Office 365, CrowdStrike, Proofpoint and other data sources in as little as 15 minutes. He also covers how it's helping teams tackle the overwhelming volume of alerts and incidents. Eric talks about Command Zero's unique approach to AI implementation, moving beyond simple chatbots to provide context-rich, actionable insights. From streamlining HR-led investigations to providing comprehensive identity visibility across multiple platforms, Eric illustrates how the platform is addressing the industry-wide challenge of doing more with less in cybersecurity.
Eric Hulse
Oct 24, 2024
7
min read
Investigations
Highlight

Uncertain security alerts: Common hurdles and recommendations

Security Operations Centers (SOCs) struggle with uncertain security alerts, which create inefficiencies and analyst fatigue. The main challenge is the high volume of non-conclusive alerts that only indicate "interesting patterns" rather than definitive threats. Analysts must investigate numerous alerts daily, requiring extensive context-gathering about users and their behaviors. While playbooks can help with known attack patterns, they're difficult to maintain and can't keep pace with constantly evolving security threats. In this article, I’d like to highlight some of the common practical hurdles we observe with uncertain (aka non-conclusive, non-definitive) security alerts, and our recommendations to overcome them. The key is facilitating better decision-making through improved data collection, context building, and flexible investigation tools.
Alfred Huger
Oct 23, 2024
8
min read
By clicking “Accept All Cookies”, you agree to the storing of cookies on your device to enhance site navigation, analyze site usage, and assist in our marketing efforts. View our Privacy Policy for more information.