SOPs For Known-Threat Alerts in CTD


Standard Operating Procedures (SOPs) for known-threat alerts in CTD
v1.1

488 Madison Ave 17th Floor, New York, NY, US 10022


Claroty.com
DOCUMENT CONTROL

Title: Standard Operating Procedures (SOPs) for known-threat alerts in CTD
Author: Sergei Ridkey

Owner
Name                   Role                      Email                   Date          Issue
Nicholas Van Den Berg  Training Content Creator  nicholas.v@claroty.com  18 July 2023  2

Review Panel
Name   Date   Name   Date
TABLE OF CONTENTS

DOCUMENT CONTROL ................................................................................................................................... 2
TABLE OF CONTENTS ..................................................................................................................................... 3
OVERVIEW ..................................................................................................................................................... 4
Scope................................................................................................................................................... 4
Purpose ............................................................................................................................................... 4
Roles ................................................................................................................................................... 4
PROCEDURES ................................................................................................................................................. 5
Procedural steps ................................................................................................................................. 5
Step: Alert triggered ........................................................................................................................... 5
Step: Acknowledge alert .................................................................................................................... 5
Step: Download and Store Alert PCAP............................................................................................... 7
Step: Review Similar Tickets ............................................................................................................... 7
Step: Create Hypothesis ..................................................................................................................... 8
Step: Recommend improvement ..................................................................................................... 11
Step: Classify and Enrich Security Alert ........................................................................................... 12
Step: Contact Site Team with Alert Details ..................................................................................... 12
Step: Site investigation ..................................................................................................................... 13
Step: Threat Intelligence Analysis .................................................................................................... 13
Step: Create Knowledge Documentation ........................................................................................ 15
Step: Update Knowledge Documentation ....................................................................................... 15
Step: Prepare Remediation Advisory ............................................................................................... 15
Step: Manage Response Brokering and Resolve Alert ................................................................... 15
CASE PRIORITIES .......................................................................................................................................... 17

OVERVIEW

This document provides the Standard Operating Procedure (SOP) for known threat alerts that are
generated within Claroty Continuous Threat Detection (CTD).
This SOP ensures that reported security alerts are analyzed, assessed and forwarded to the correct
teams for remediation.

Scope
This document describes the procedures needed to handle and resolve known-threat alerts that are
generated by Claroty’s CTD solution.

Purpose
The purpose of this document is to provide guidelines for security analysts. The relevant guidelines
describe how to handle, mitigate, resolve and communicate known-threat alerts that are generated
by Claroty’s CTD solution.

The following important tasks are performed in the course of these procedures:
• Initial response to security alerts that are generated by CTD.
• Generation of hypotheses.
• Identification of valid alerts.
• Analysis of security alerts.
• Information enrichment of security alerts, for efficient response.
• Recommendations for improvement of alert-generation rules.
• Preparation of remediation advisories.
• Response brokerage, and coordination with the relevant teams for purposes of remediation.

Roles
The following personnel participate in the overall process of security incident management:
• One or more Alert Responders.
• One or more Security Analysts.
• One or more Site Champions, and their team(s).
• The Security Operations Center (SOC) Manager.

PROCEDURES

The known-threat process flow involving Claroty CTD is as shown in the flow diagram below.

Procedural steps
Various procedural steps shown in the flow diagram above are explained in detail, under the
relevant sub-headings below.

Step: Alert triggered


In this step, a security alert is triggered within the relevant security information and event
management (SIEM) solution. This is the start of the process.
The trigger to action is an alert within CTD, followed by a SYSLOG alert.

Step: Acknowledge alert


In this step, a security alert is triggered within the relevant SIEM system, an alert ticket is created,
and basic information regarding the alert is gathered.
An Alert Responder is responsible for this step.

Sequence of activities
1. Acknowledge the alert within CTD, and assign it to yourself or to a relevant person.
2. Take ownership of the alert in the SIEM.
i. View the alert within the SIEM.
ii. Click on the relevant alert link within CTD.
iii. Click Assign to (below).

iv. Assign the alert (below).

• Note that to assign an alert to a specific user, the user must be defined within
CTD. This can be done manually, or by Active Directory integration.
3. Extract the initial alert details from the page containing the CTD Alert listing. Examples of
relevant information include:
• The affected zone.
• The affected region.
• The affected site.
• The threat signature name.
• The alert’s criticality rating (1, below).
• The alert description (2, below).
• Source asset details (IP, MAC, Site, Asset Type, Asset Criticality, Vendor – 3, below).
• Destination asset details (IP, MAC, Site, Asset Type, Asset Criticality, Vendor – 4,
below).

4. Open a ticket using your internal ticketing system. From this point, all new information must
be logged to the relevant ticket.
5. Assign the ticket to an available Security Analyst.

Step: Download and Store Alert PCAP


The purpose of this step is to enable investigation of the specific threat signature that triggered the
alert.
The person responsible for this task is an Alert Responder.
The trigger to action is acknowledgement of the relevant alert.

Sequence of Activities
1. Download the PCAP file for the alert.
2. Go to the Alert page for the relevant alert within CTD.
3. Click Download Capture (below).

Step: Review Similar Tickets


The purpose of this step is to compare the alert to any documented alerts of a similar nature that
might have occurred. This is typically done by discovering relevant information in the knowledge
base.
The person responsible for this task is a Security Analyst.
The trigger to action is acknowledgement of a reported security alert.

Sequence of Activities
1. Run a search on the relevant knowledge database. Use parameters like the alert signature,
source IP, destination IP, URL, Domain and so on, to identify alerts of a similar nature that
have occurred in the past.
2. Analysis of the alert may or may not show that a similar or identical alert exists and is open.
Do the following actions on a case-by-case basis:
• If the new alert has a similar signature, attack pattern or malware to an existing
alert, but involves different asset groups, open a separate alert. Remember that
alerts must always be grouped based on the same asset group.
• If a similar alert has previously been logged for the same asset group, tag the new
alert to the pre-existing alert.
• If a similar alert has previously been logged, but is in a closed state, do not tag the
new alert to the existing alert. Instead, wait to see if additional similar alerts are
triggered. If this happens, tag the similar alerts to the new alert.
3. Document the information discovered as part of this activity.
4. Proceed to Step: Create Hypothesis.
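The three grouping rules in activity 2 above are a small decision procedure that a SOC team often automates in its ticketing layer. The following is an added example (not Claroty's or CTD's code, and not the API of any ticketing system) that encodes those rules over a constructed ticket index: same signature and asset group with an open ticket tags the alert to it; same signature in a different asset group always gets a separate ticket; and when only a closed ticket matches, the first recurrence is held on a watch list and a new ticket is opened only when a second similar alert arrives, with later ones tagged to that new ticket. The `Ticket`, `Alert` and `TriageIndex` names, the `TKT-` ids and the signature strings are all constructed for the demo.

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

# Constructed data model for an alert-ticket index (not CTD's or any ticketing
# system's API); ticket ids and signature names below are made up for the demo.


@dataclass
class Ticket:
    ticket_id: str
    signature: str
    asset_group: str
    state: str                                   # "open" or "closed"
    tagged_alerts: List[str] = field(default_factory=list)
    recurrence_of: Optional[str] = None          # closed ticket this one follows on from


@dataclass
class Alert:
    alert_id: str
    signature: str
    asset_group: str


class TriageIndex:
    """Applies the three grouping rules of 'Review Similar Tickets'."""

    def __init__(self, tickets: List[Ticket]):
        self.tickets: Dict[str, Ticket] = {t.ticket_id: t for t in tickets}
        # First recurrence seen after a closed ticket, held until a second one arrives.
        self.watch: Dict[Tuple[str, str], Alert] = {}
        self._next = len(tickets) + 1

    def _open_ticket(self, alert: Alert, recurrence_of: Optional[str] = None) -> Ticket:
        ticket = Ticket(f"TKT-{self._next:04d}", alert.signature, alert.asset_group,
                        "open", [alert.alert_id], recurrence_of)
        self._next += 1
        self.tickets[ticket.ticket_id] = ticket
        return ticket

    def route(self, alert: Alert) -> Tuple[str, str]:
        """Return (action, ticket_id) for an incoming alert."""
        # Similarity is judged on the signature, but grouping is only ever per asset group:
        # a same-signature alert from another asset group never matches here (rule 1).
        similar = [t for t in self.tickets.values()
                   if t.signature == alert.signature and t.asset_group == alert.asset_group]
        open_matches = [t for t in similar if t.state == "open"]
        if open_matches:
            # Rule 2: an open ticket exists for this asset group -> tag the alert to it.
            ticket = open_matches[0]
            ticket.tagged_alerts.append(alert.alert_id)
            return ("tagged_existing", ticket.ticket_id)
        closed_matches = [t for t in similar if t.state == "closed"]
        if closed_matches:
            # Rule 3: only closed tickets match -> do not tag to them. Hold the first
            # recurrence; when a second arrives, open a new ticket on the first and
            # tag the second to it. Later ones then hit rule 2 against the new ticket.
            key = (alert.signature, alert.asset_group)
            if key in self.watch:
                first = self.watch.pop(key)
                ticket = self._open_ticket(first, recurrence_of=closed_matches[0].ticket_id)
                ticket.tagged_alerts.append(alert.alert_id)
                return ("tagged_new", ticket.ticket_id)
            self.watch[key] = alert
            return ("watching", closed_matches[0].ticket_id)
        # No ticket for this signature in this asset group -> open a separate one (rule 1).
        ticket = self._open_ticket(alert)
        return ("opened_separate", ticket.ticket_id)


def run_demo() -> Tuple[List[Tuple[str, str]], TriageIndex]:
    # Constructed knowledge-base state: one open and one closed ticket for the same signature.
    index = TriageIndex([
        Ticket("TKT-0001", "constructed-sig-1", "plant-A", "open"),
        Ticket("TKT-0002", "constructed-sig-1", "plant-B", "closed"),
    ])
    incoming = [
        Alert("A1", "constructed-sig-1", "plant-A"),  # open ticket, same group
        Alert("A2", "constructed-sig-1", "plant-C"),  # same signature, other group
        Alert("A3", "constructed-sig-1", "plant-B"),  # only a closed ticket matches
        Alert("A4", "constructed-sig-1", "plant-B"),  # second recurrence
        Alert("A5", "constructed-sig-1", "plant-B"),  # third: new ticket is now open
        Alert("A6", "constructed-sig-2", "plant-A"),  # unseen signature
    ]
    results = [index.route(a) for a in incoming]
    return results, index


if __name__ == "__main__":
    results, _ = run_demo()
    for (action, ticket_id), alert_id in zip(results, "A1 A2 A3 A4 A5 A6".split()):
        print(f"{alert_id}: {action} -> {ticket_id}")
```

The watch list is what keeps a single post-closure recurrence from silently reopening resolved work; whichever alert is held there should still be visible to the analyst (for example as a pending item on the ticket it recurs from), otherwise a genuine re-infection that never produces a second alert would be lost.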

Step: Create Hypothesis


The purpose of this step is to investigate the alert, in order to create a hypothesis for it.
The person responsible for this task is a Security Analyst.
The trigger to action is completion of a search for similar alerts in the knowledge base and/or
internal ticketing system, whether or not similar alerts are discovered.

Sequence of Activities
1. Create a hypothesis document that contains (but is not necessarily limited to) the following
information:
• Observations on the progression and methodology of the attack.
• Details regarding the attacker and the target (see below).
2. Go to the relevant Alert page within CTD.
3. Click the listings for the relevant asset(s). The source asset (1, below) is the attacker. The
destination asset (2, below) is the target.

4. Review the basic alert information within the relevant Alert page (below).

5. Prepare for advanced asset analysis by reviewing the baseline details, the asset timeline,
and the sequence of activities related to the asset (below).

6. Examine the event logs and all other physical evidence and artifacts. These could be
indicators of security compromises, or could point to potential or actual security violations
(below):

7. Gather details regarding the attack for event analysis by going to the Event details
sub-section of the Alert page (below). Examine the page for information about the
sequence of events that triggered this alert.

8. Visualize the path the intruder took to attack the target, and try to deduce the potential
destination:
i. Check for the presence of any other alerts that might give clues as to the nature of
the attack. As an example, a sequence of alerts that may indicate a potential
WannaCry attack is as follows:

ii. Re-create the sequence of events that led to the security breach. As an example,
information contributing to the re-creation might include:
• Test results regarding alternative attack paths the intruder could have taken.
• Findings from the investigation into the paths and methods the intruder used
to gain access.
• The actual purpose of the attack.

9. An Alerts and Basic Mitigation Table can be found in the CTD Reference Guide. This table
lists the names of possible alerts generated by CTD, as well as their descriptions,
corresponding mitigation steps, and significance. It can therefore be used to improve the
classification of the alert.
10. Check whether the alert is a valid alert or a false positive.
• If the alert is valid, proceed to Step: Classify and Enrich Security Alert.
• If the alert is not valid, proceed to Step: Recommend improvement.

Step: Recommend improvement


The purpose of this step is to ensure that any needed procedural improvements are recommended,
based on any relevant findings from analysis of the security alert.
The person responsible for this task is a Security Analyst.
Possible triggers to action include:
• The relevant alert being identified as an invalid alert.
• Any generic improvement identified at any stage of the process.

Sequence of Activities
1. Assess all available historic data in regard to all alerts of a similar nature that were
previously logged.
2. Identify the relevant problem.
3. Suggest a solution, if applicable.
4. Submit a case using the Claroty Customer Portal. Attach the alert PCAP to the case.

Step: Classify and Enrich Security Alert
The purpose of this step is to ensure that the relevant security alert is further enriched with
information from available intelligence feeds.
The person responsible for this task is a Security Analyst.
The trigger to action is completion of the relevant alert hypothesis.

Sequence of Activities
1. Classify the security alert based on the current prioritization policy.
2. Use internal and external Threat Intelligence feeds to enrich the alert with information. Do
this by linking local observables to the data feeds.
3. Information relevant to the security alert can include (but is not necessarily limited
to) the following:
• A detailed description of the alert.
• The type and category of the alert.
• The targeted location of the attack.
• Any exploits involved, with specific reference to the primary exploit method used by
the attacker.
• All identified impact that the attack has had.
• All evidence justifying the security alert.
• All suggested remediation steps that may be used by internal teams to remediate
the attack and its consequences.

Step: Contact Site Team with Alert Details


The purpose of this step is to communicate all findings that have been made so far in relation to the
alert to the site focal point and the investigation team, with the goal of giving a meaningful start to
the on-site investigation.
The person responsible for this task is a Security Analyst.
The trigger to action is completion of the relevant alert hypothesis.

Sequence of Activities
1. Determine whether or not the alert is a crisis-level alert.
• If the alert is crisis-level, follow your organization’s internal alert response
procedure.
• If the alert is not crisis-level, proceed to step 2 below.
2. Set up a conference call with the site response team.
3. Present all findings that have been made relative to the incident, based on the contents of
the relevant hypothesis document.
4. Schedule a follow-up call to sync with the rest of the team, regarding the findings of the site
investigation.
5. Based on the results of the conference call with the site response team, and all information
that has been collected so far, determine whether or not the organization’s research team
and/or an escalation point needs to be involved:
• The Research team and/or escalation point will be involved if the Security Analyst
does not have enough information to effectively mitigate the alert.
• If the Research team and/or escalation point are involved, proceed to Step: Threat
Intelligence Analysis.
• If assistance from the Research team and/or an escalation point is not required,
proceed to step 6 below.
6. Check whether there is an existing knowledge reference:
• If there is no existing knowledge reference, proceed to Step: Create Knowledge
Documentation.
• If a knowledge reference exists, proceed to Step: Update Knowledge
Documentation.

Step: Site investigation


The purpose of this step is further investigation of the alert, based on the relevant SOC hypothesis.
The person responsible for this task is a Site Champion.
The trigger to action is completion of the relevant alert hypothesis.

Sequence of Activities
1. Locate the infected machine or machines.
2. Gather further information on the infected machines:
• Their purpose and role.
• All users who could access the machines.
• All remote connections to the machines.
• All external devices connected.
• All external software currently installed.
• Network information (subnet and VLAN).
• Business process association and business process criticality.
• The next scheduled maintenance window for the affected machines.
• All currently installed patches.
3. Verify that the firewalls and antivirus software are up-to-date.
4. Run the antivirus software.
5. Note down all relevant information regarding the antivirus software, firewall, and so on.
6. Report the state of the machine (for example, are databases encrypted, is the machine up
or down, and so on).
7. Report any unusual behavior in the infected machines, and related network.
8. Provide feedback to the Security Analyst.
9. Check whether any additional assets are infected.

Step: Threat Intelligence Analysis


The purpose of this step is to facilitate advanced analysis regarding the security alert, baselining the
initial assessment that has already been performed.
The person responsible for this task is the Research Team and/or escalation point.
The trigger to action is any threat-intelligence analysis required by the Security Analyst and/or any
information updates applicable to the mitigation advisory.

Sequence of Activities
1. Verify the hypothesis or analysis conducted by the Security Analyst. Validate the reported
security alert sources, and populate the hypothesis with all related information.
2. Contextualize the security alerts and update alert information that is related to past security
alerts.
3. Capture the evidence and supporting documentation of all identified impacts (both cost and
benefit) in respect of the security alert as part of the security alert’s information. The
security alert information should include the following:
• Alert severity.
• The impact of the alert.
• A description of the impact.
• All other information related to the analysis that was performed to assess the impact
of the security alert.
4. Identify all compromised systems and potential targets.
5. Do the analysis related to the security alert by executing the following steps:
i. Identify the potential target.
ii. Identify all compromised systems and potential targets related to the security alert.
iii. Visualize the threat projection and impact assessment.
iv. Create relevant threat-simulation scenarios. Document the test findings.
v. Enter the following information into the Security Alert document (Security Alert
[analyzed]):
• Observables (information gathered during the investigation).
• Attack details.
• The exploit methods used by the attacker.
• The known or deduced purpose of, or motivation behind, the attack.
• The current stage of the kill chain, and all information substantiating this
finding.
• A Backtracking report describing the test mechanism used to identify the
attack sources.
• The Root Cause Analysis (RCA) that describes all factors which allowed the
attacker to penetrate the relevant assets.
6. Document the advanced analysis that was performed.
7. If needed, re-classify the security alert based on the defined classification criteria. Also, if
required, re-classify the security alert based on assessment of the attack’s impact on the
organization (in terms of loss to business, reputation, service disruption, financial losses and
so on).
8. Perform a threat signature investigation, using advanced packet analysis tools such as
Wireshark.
9. Check whether the alert was a valid alert, or a false positive:
• If the alert is valid, proceed to Step: Create Knowledge Documentation.
• If the alert is not valid, proceed to Step: Recommend improvement.
10. Consult with your assigned Claroty Technical representative.

Step: Create Knowledge Documentation
The purpose of this step is to create a knowledge-base article that facilitates faster response in case
of similar alerts.
The person responsible for this task is the Research Team.
The trigger to action is completion of the Threat Intelligence Analysis.

Sequence of Activities
1. Create a new knowledge-base article in the organization’s knowledge database. Include all
findings from the threat-intelligence analysis conducted by the relevant Research team.
2. Tag the respective Security Analyst, and provide guidance.

Step: Update Knowledge Documentation


The purpose of this step is to update the relevant knowledge article (if one currently exists) in order
to facilitate faster responses in case of similar alerts.
The person responsible for this task is a Security Analyst.
The trigger to action is appropriate classification of the relevant security alert, and the relevant
findings being communicated to the site team.

Sequence of Activities
If a relevant knowledge article currently exists in the knowledge database, update the article with
all findings discovered as part of the alert’s classification and enrichment.

Step: Prepare Remediation Advisory


The purpose of this step is to ensure that a relevant remediation advisory is prepared for the
security alert, thereby helping the users tasked with resolving the security alert.
The person responsible for this task is a Security Analyst.
The trigger to action is analysis of the alert, and an identified requirement for a remediation
advisory to be incorporated with the relevant alert information.

Sequence of Activities
1. Incorporate all data gathered as part of the relevant attack analysis. This includes all input
from the responsible Security Analyst, all threat intelligence input, and all site input.
2. Prepare the Remediation Advisory. This step includes all measures needed to remediate the
alert, and identifies the personnel who will be responsible for the remediation.

Step: Manage Response Brokering and Resolve Alert


The purpose of this step is to ensure that all relevant information regarding the security alert is
forwarded to the respective remediation team(s) for appropriate action.
The person responsible for this task is a Security Analyst.
The trigger to action is conclusion and distribution of the relevant Remediation Advisory.

Sequence of Activities
1. Inspect the Remediation Advisory for correctness and omissions after the alert is analyzed.
2. Identify the appropriate remediation teams (response intermediaries and/or line function)
responsible for resolution of the alert.
3. Coordinate with the respective remediation teams to ensure closure of the alert:
• Follow the timelines in the table below when communicating with the relevant
Security Analyst.
• The definitions given in the Alert Priority column are explained in CASE PRIORITIES.

Alert Priority   Communication method   Timeline to send first notification   Timeline to send subsequent notifications   Recipient(s)
Crisis-level     E-mail                 15 minutes                            30 minutes                                  Respective Remediation team(s)
P1               E-mail                 45 minutes                            2 hours                                     Respective Remediation team(s)
P2               E-mail                 3 hours                               24 hours                                    Respective Remediation team(s)
P3               E-mail                 6 hours                               48 hours                                    Respective Remediation team(s)
P4               E-mail                 24 hours                              72 hours                                    Respective Remediation team(s)

4. Close the security alert within CTD and the internal ticketing system.
5. All appropriate remediation steps must now be taken by the respective remediation
team(s), with the relevant alert being resolved by the Security Analyst.
6. Prepare a root-cause analysis (RCA) of the relevant security alert. The RCA must include the
following information:
• A problem/alert statement.
• All factors responsible for the actual cause of the alert.
• All environmental factors that allowed the cause of the security alert to happen.
• The investigation methods that were utilized.
• All root causes that were identified.
• All appropriate recommendations for resolution, and future action.
• All other appropriate information.

CASE PRIORITIES

This section explains the definitions given in the Alert Priority column of the table seen in Step:
Manage Response Brokering and Resolve Alert.

1. Crisis level
• Definition: The organization is unable to control the critical external dynamics of the
situation.

2. P1 (Critical). Possible definitions include:
• A confirmed compromise of a ‘Crown Jewels’-level asset, and/or of restricted
information, sensitive personal data, financial data relating to an individual, or
authentication credentials for systems that store any or all of this information.
• A confirmed compromise of an IT and/or OT system rated as Extremely Critical
(100%) in the relevant criticality assessment.
• Any event that results in significant business impact and/or lost revenue, or that
results in global impact to users, or to the network infrastructure.
• A confirmed, targeted hack on company systems or networks, originating from an
external source.
• A confirmed compromise of any organizational security infrastructure (for example,
firewalls, web proxies, and so on).

3. P2 (High). Possible definitions include:
• A suspected compromise of a ‘Crown-Jewels’-level asset, and/or of restricted
information, sensitive personal data, financial data relating to an individual, or
authentication credentials for systems that store any or all of this information.
• A confirmed compromise of confidential information and/or personal data.
• A confirmed compromise of any IT or OT system rated as Very Highly Critical (75%) or
Highly Critical (50%) in the relevant criticality assessment.
• A security event leading to loss of service.
• A confirmed hack on company systems or networks, originating from an external
source.
• A new (that is, previously unknown) malware infection.

4. P3 (Medium). Possible definitions include:
• A suspected compromise of confidential information or personal data.
• A confirmed compromise of any company-level information.
• A known malware infection of 10 or more client devices.

5. P4 (Low). Possible definitions include:
• A suspected compromise of any company-level information.
• A known malware infection of fewer than 10 client devices.
• No discernible impact (indicates that the reported alert is a false positive).
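The priority definitions above and the notification table in Step: Manage Response Brokering and Resolve Alert together form the rule set an analyst applies at classification time. The following is an added example (not Claroty's or CTD's code) that encodes both: `classify()` returns the highest priority whose definition a finding satisfies, using the confirmed/suspected distinction, the criticality percentages and the 10-device malware threshold exactly as stated in this section, and `notification_schedule()` / `missed_notifications()` turn the table's first and subsequent timelines into due times and flag windows in which no notification went out. The `Finding` record and its field names are constructed for the demo; timestamps are ISO 8601 strings so the functions need no wall clock.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional

# Notification timelines from the Manage Response Brokering table, in minutes:
# priority -> (first notification after acknowledgement, interval between subsequent ones).
NOTIFICATION_TIMELINE = {
    "Crisis-level": (15, 30),
    "P1": (45, 2 * 60),
    "P2": (3 * 60, 24 * 60),
    "P3": (6 * 60, 48 * 60),
    "P4": (24 * 60, 72 * 60),
}


@dataclass
class Finding:
    """Constructed summary of an analyst's findings; each field maps to one priority definition."""
    confirmed: bool = False                   # confirmed (True) vs suspected (False) compromise
    crisis: bool = False                      # organization cannot control the external dynamics
    crown_jewels: bool = False                # Crown Jewels asset, restricted/sensitive data or credentials
    confidential_info: bool = False           # confidential information or personal data
    company_info: bool = False                # company-level information
    system_criticality: Optional[int] = None  # criticality rating in percent: 100, 75 or 50
    external_targeted_hack: bool = False      # confirmed, targeted, external-origin hack
    external_hack: bool = False               # confirmed external-origin hack (not known to be targeted)
    security_infra: bool = False              # firewalls, web proxies, etc.
    significant_business_impact: bool = False
    loss_of_service: bool = False
    new_malware: bool = False                 # previously unknown malware infection
    known_malware_hosts: int = 0              # client devices infected with known malware
    no_impact: bool = False                   # no discernible impact (false positive)


def classify(f: Finding) -> str:
    """Return the highest priority whose definition the finding satisfies."""
    if f.crisis:
        return "Crisis-level"
    if f.confirmed and (f.crown_jewels or f.system_criticality == 100
                        or f.external_targeted_hack or f.security_infra):
        return "P1"
    if f.significant_business_impact:
        return "P1"
    if (not f.confirmed and f.crown_jewels) or f.loss_of_service or f.new_malware:
        return "P2"
    if f.confirmed and (f.confidential_info or f.system_criticality in (75, 50) or f.external_hack):
        return "P2"
    if (not f.confirmed and f.confidential_info) or (f.confirmed and f.company_info):
        return "P3"
    if f.known_malware_hosts >= 10:
        return "P3"
    # Suspected company-level compromise, fewer than 10 known-malware hosts, or no impact.
    return "P4"


def notification_schedule(priority: str, acknowledged_iso: str, count: int = 3) -> List[str]:
    """Due times: first one counts from acknowledgement, each later one from the previous due time."""
    first, repeat = NOTIFICATION_TIMELINE[priority]
    due = [datetime.fromisoformat(acknowledged_iso) + timedelta(minutes=first)]
    for _ in range(count - 1):
        due.append(due[-1] + timedelta(minutes=repeat))
    return [d.isoformat(timespec="minutes") for d in due]


def missed_notifications(priority: str, acknowledged_iso: str, sent_iso: List[str],
                         now_iso: str, count: int = 3) -> List[str]:
    """Due times already reached whose window (previous due, due] had no notification sent."""
    now = datetime.fromisoformat(now_iso)
    sent = sorted(datetime.fromisoformat(s) for s in sent_iso)
    missed = []
    window_start = datetime.fromisoformat(acknowledged_iso)
    for due_iso in notification_schedule(priority, acknowledged_iso, count):
        due = datetime.fromisoformat(due_iso)
        if due > now:
            break
        if not any(window_start < s <= due for s in sent):
            missed.append(due_iso)
        window_start = due
    return missed


if __name__ == "__main__":
    # Constructed case: confirmed compromise of a 75%-rated OT system, acknowledged 09:00.
    prio = classify(Finding(confirmed=True, system_criticality=75))
    print(prio, notification_schedule(prio, "2023-07-18T09:00"))
    print(missed_notifications(prio, "2023-07-18T09:00", ["2023-07-18T11:30"], "2023-07-19T13:00"))
```

Because `classify()` checks definitions from the top down, a finding that satisfies several of them (for example a confirmed external hack that also caused loss of service) resolves to the most severe one, which is the behaviour an analyst applying "possible definitions include" lists by hand would expect; the ordering of the checks is therefore the part to review when the organization's own priority policy differs from this section.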
