Howler is a triage platform designed to assist Security Operations Centre (SOC) teams in streamlining their workflow and enhancing their ability to handle alerts.
The tool was developed by the Cyber Centre’s Cyber Defence Program and released in April 2024. Howler can help analysts improve their triage processes and respond to alerts more effectively. The platform presents each result in simplified terms: the threat, the target, and a summary of the suspected activity.
How it works
Howler empowers triage analysts to take control of their entire workflow. It allows detection engineers to generate alerts independently of analysts’ workflows. Its design is based on four main pillars:
- coordination
- insight
- consistency
- efficiency
Coordination
The platform's workflow management system provides real-time visibility into the status of each alert. This function makes it efficient to assign or delegate alerts to the appropriate team members without duplicating effort.
Insight
Howler’s data-driven approach supports informed decision-making and proactive threat management by offering various graphs and summaries to help identify trends and correlate data.
Consistency
Detection engineers’ consistent input of alerts ensures that analyst queries are effective and efficient. The platform's actions and labeling system allow for automated triage workflows to reduce the impact of recurring false positives. By creating specific filters and actions, teams can automatically dismiss known scenarios, minimizing alert fatigue and allowing analysts to concentrate on the most critical issues.
Efficiency
Howler has customizable templates so triage analysts can tailor the presentation of alerts to their specific needs. The platform’s view system allows SOCs to define and prioritize specific alerts based on filters and sorting criteria.
Howler uses special terms to distinguish between different escalations of detected anomalies:
- Miss: The anomaly was confirmed as not a malicious activity
- Hit: There was an anomaly with no specific degree of confidence
- Alert: There was an anomaly that should be triaged by an analyst
- Evidence: The anomaly was confirmed to be a malicious activity
Why use Howler?
Howler aims to provide a clear, customizable, and flexible interface for triage analysts to investigate alerts. The platform makes creating these alerts as simple as possible for detection engineers, reducing the time and work necessary to triage potential security breaches.
Built with ease of use and flexibility in mind, Howler helps triage analysts take control of their workflow by:
- customizing information presentation
- grouping information to provide better context
- defining automations to reduce repetitive tasks
By combining these capabilities, Howler can simultaneously support multiple triage teams, each with their own specialized workflows tailored to their needs.
Howler case study
An employee receives a malicious file from an external source. Not realizing the file is malicious, they download it and inadvertently trigger the embedded malware on their computer. The malware then connects to an external server owned by the author of the malware, who starts performing malicious activity on the employee’s computer. Detection engineers in the organization note this suspicious network traffic and create an alert in Howler.
A triage analyst notices a pattern in these anomalies and distinguishes routine administrative network activity from potentially malicious activity. They create a label, “admin_activity”, to filter out anomalies that are routine activities. The malicious alert sent into Howler does not receive the “admin_activity” label. A triage analyst monitoring Howler sees the alert and assigns it to be examined for evidence of malicious activity.
Howler’s customizations allow the analyst to quickly access key data points that help identify this network traffic as malicious. They assess the alert as a compromise and move to block access to the malicious server and quarantine the infected computer.
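As an added illustration (not Howler’s own code or API), the case study above and the escalation terms (miss, hit, alert, evidence) modelled in Python: a filter action applies the “admin_activity” label and dismisses routine admin traffic as a miss, while the unlabelled alert reaches an analyst who assesses it as evidence. The host addresses, ports and the filter rule are constructed for the example.

```python
from dataclasses import dataclass, field
from typing import Callable, Optional

# Escalation terms from the page, ordered from least to most severe.
ESCALATIONS = ("miss", "hit", "alert", "evidence")

@dataclass
class Alert:
    id: str
    src: str
    dst: str
    dst_port: int
    escalation: str = "alert"   # detection engineering raises it for analyst triage
    labels: set = field(default_factory=set)
    assignee: Optional[str] = None

@dataclass
class Action:
    """A filter predicate plus the label it applies; dismiss=True auto-closes a known scenario."""
    name: str
    matches: Callable[[Alert], bool]
    label: str
    dismiss: bool = False

def apply_actions(alerts, actions):
    """Label matching alerts, mark dismissed ones as a miss, return those still needing an analyst."""
    for a in alerts:
        for act in actions:
            if act.matches(a):
                a.labels.add(act.label)
                if act.dismiss:
                    a.escalation = "miss"
    return [a for a in alerts if a.escalation in ("hit", "alert")]

def assess(alert, analyst, verdict):
    """Analyst takes ownership and records a verdict; only the four escalation terms are accepted."""
    if verdict not in ESCALATIONS:
        raise ValueError(f"unknown escalation: {verdict!r}")
    alert.assignee, alert.escalation = analyst, verdict
    return alert

# Constructed sample data (hypothetical): admin jump hosts and one connection to an external server.
ADMIN_HOSTS = {"10.0.5.10", "10.0.5.11"}
actions = [Action("admin_filter", lambda a: a.src in ADMIN_HOSTS and a.dst_port in (22, 3389),
                  "admin_activity", dismiss=True)]
sample = [Alert("a1", "10.0.5.10", "10.0.5.20", 22),          # routine admin SSH
          Alert("a2", "10.0.7.33", "203.0.113.5", 4444)]      # workstation to external host

def run_case_study():
    pending = apply_actions(sample, actions)
    return [a.id for a in pending], sample[0].escalation, assess(pending[0], "analyst-1", "evidence").escalation
```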
Development of the tool
Howler was built using public domain and open-source software, with the majority of the code developed by the Cyber Centre. It does not contain any commercial technology and is easily integrated into existing cyber defence technologies. As open-source software, businesses can modify Howler to suit their requirements. Howler is being actively developed and improved by the Cyber Centre.
Where is it now?
Howler is available on GitHub, an open-source software repository available to everyone with an account.