Putting Cyber Threat Intelligence Feeds to Good Use

Author: Rasool Kareem Irfan, CISM, CEH, ISO/IEC 27001, Senior Manager - Security, Cognizant Technology Solutions
Date Published: 3 May 2019

Cyber risk is business risk. Businesses are digitizing and governments are putting in place policies to promote digitalization and smart-city projects. While this helps citizens and organizations to adopt technology advancement, the continuous increase in cyberattacks, in both frequency and sophistication, poses significant challenges for organizations that must defend their data and systems from threat actors.

Most organizations have outsourced their IT security management tasks to MSSPs (managed security service providers) and very few still retain their internal SOCs (security operations centers). These organizations generally started their journey only with security device monitoring management services (such as managed firewall services) and slowly added security event monitoring using SIEM solution components. The growing threat landscape and the difficulty in hiring cybersecurity professionals with the needed expertise make it more difficult for organizations to understand the tools, techniques and tactics used by adversaries.

Need for cyberthreat information sharing
The need for cyber threat intelligence has become better understood by governments and organizations lately. NIST encourages greater sharing of cyber threat information among organizations.

In today’s large security product and service industry, offerings such as firewalls, endpoint protection and managed security services (MSSP) are enhanced by threat intelligence capabilities. The threat intelligence cycle has key steps, as depicted in the figure below.

According to Gartner, “Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and action-oriented advice about an existing or emerging menace or hazard to assets. This intelligence can be used to inform decisions regarding the subject’s response to that menace or hazard.”

Cyber threat intelligence feeds for security operations
Often, organizations need to detect threats quickly and do not want to waste time investigating false positive alerts, so that they can remediate vulnerabilities and mitigate attack vectors more quickly. The typical questions that the security operations center has are:

  • Has our sensitive information been leaked?
  • What threat actors could be targeting my organization’s capabilities in the coming months?
  • Who are my top adversaries? Are they credible?
  • Can I be advised of their activity within a short period of time of it occurring? Which underground sites do they frequent? Who is known to be associated with these adversaries?
  • Is a connection to this Internet Protocol (IP) address bad? Who owns the IP? To which internet service provider (ISP) is this IP address connected? What other IP addresses are registered by this company?
  • Is this URL dangerous? Who registered the domain? Have they registered others? If yes, which ones? Which types of threats were served from this website? Is other malicious activity linked to this URL?
  • Which vulnerabilities in my environment are actively being exploited “in the wild”? Who are the threat actors selling or using these vulnerabilities? Which malware and other threats are leveraging these vulnerabilities? What types of organizations are being attacked via these threats?
  • Is this “Zero Day” attack rumor true?
  • What do the bad guys know about my organization and its staff? Are they selling access to my systems or my intellectual property?

If cyber threat intelligence feeds can provide answers to the above questions, they allow security teams to address threats more efficiently.

Use cases of security telemetry enrichment with cyber threat intelligence in today’s security operations centers
Taking a use-case-centric view is still the ideal and pragmatic way to start a journey for the SOC with cyber threat intelligence and improve the overall security program. A few use cases/examples include:

  • SIEM tool integration for maintaining threat watch lists with existing logs flowing in from existing SIEMs. Threat intelligence data is overlaid on existing logs to detect threats by matching indicators of compromise (IOCs), such as IP addresses, file hashes and domain names (examples: IBM X-Force Threat Intelligence, EclecticIQ’s Fusion Center, Anomali).
  • Threat intelligence has been a boon for IDP (intrusion detection and protection) in recent years, and many clients report improved detection and blocking capabilities for a range of threats simply by enabling the intelligence subscription for their IDP systems (examples: Trend Micro’s Reputation Digital Vaccine for its TippingPoint IDP, Palo Alto Networks’ MineMeld).
  • Phishing is a pernicious and prevalent threat that remains an effective way to gain access to organizations’ resources. Threat intelligence can help identify elements of phishing campaigns to speed up detection/response actions and help with proactive measures, such as prevention/prediction (examples: Proofpoint, ThreatConnect).
  • Vulnerability management prioritization has moved away from thinking about vulnerability severity. Instead, the No. 1 priority is on “which of your vulnerabilities are being exploited in the wild.” Threat intelligence gives organizations the ability to determine which vulnerabilities present the biggest risks (examples: Kenna Security, Recorded Future).
  • Surface, “Deep” and “Dark” web monitoring: customers can use threat intelligence services to get prior warning of threats and better understand how the threats work and where they’re being seen. This helps them to perform brand monitoring (examples: ZeroFOX, Kela Targeted Threat Intelligence, SpyCloud).
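
The SIEM watch-list use case above, sketched as an added example that is not part of the original article or of any product named in it: IOCs from a feed are matched against log events by IP address (including CIDR ranges), domain name (including parent domains) and file hash, and low-confidence hits are dropped to limit alert noise. The feed entries, log events, field names and the confidence threshold are all constructed for illustration.

```python
import ipaddress
import json

# Constructed watch list (documentation IP ranges, reserved example domains).
FEED = [
    {"type": "ip", "value": "203.0.113.0/24", "source": "feed-a", "confidence": 80},
    {"type": "ip", "value": "198.51.100.7", "source": "feed-b", "confidence": 40},
    {"type": "domain", "value": "bad.example", "source": "feed-a", "confidence": 90},
    {"type": "sha256", "value": "AB" * 32, "source": "feed-b", "confidence": 70},
]
# Constructed log events, one JSON object per line, standing in for SIEM records.
LOG_LINES = [
    '{"host": "ws-12", "dst_ip": "203.0.113.45", "query": "intranet.corp.example"}',
    '{"host": "ws-13", "dst_ip": "198.51.100.7"}',
    '{"host": "ws-14", "dst_ip": "192.0.2.10", "query": "cdn.BAD.example."}',
    '{"host": "ws-15", "dst_ip": "192.0.2.20", "query": "notbad.example"}',
    '{"host": "ws-16", "dst_ip": "not-an-ip", "sha256": "' + "ab" * 32 + '"}',
]

def build_watchlist(feed):
    """Index IOCs by type; IPs become networks, names and hashes are normalised."""
    wl = {"ip": [], "domain": {}, "sha256": {}}
    for ioc in feed:
        if ioc["type"] == "ip":
            wl["ip"].append((ipaddress.ip_network(ioc["value"], strict=False), ioc))
        elif ioc["type"] in wl:
            wl[ioc["type"]][ioc["value"].lower().rstrip(".")] = ioc
    return wl

def match_event(event, wl):
    """Return every IOC that an event's IP, DNS name or file hash matches."""
    hits = []
    try:
        addr = ipaddress.ip_address(event.get("dst_ip", ""))
        hits += [ioc for net, ioc in wl["ip"] if addr in net]
    except ValueError:
        pass  # missing or malformed address field: skip IP matching
    labels = event.get("query", "").lower().rstrip(".").split(".")
    parents = (".".join(labels[i:]) for i in range(len(labels)))  # name + parents
    hits += [wl["domain"][d] for d in parents if d in wl["domain"]]
    ioc = wl["sha256"].get(event.get("sha256", "").lower())
    return hits + ([ioc] if ioc else [])

def enrich(lines, wl, min_confidence=50):
    """Attach matching IOCs to events; drop hits below the confidence floor."""
    scored = ((e, [h for h in match_event(e, wl) if h["confidence"] >= min_confidence])
              for e in map(json.loads, lines))
    return [{**e, "ti_hits": hits} for e, hits in scored if hits]

print([a["host"] for a in enrich(LOG_LINES, build_watchlist(FEED))])
```

Matching parent domains on label boundaries is what keeps "notbad.example" from being flagged by the "bad.example" indicator, and the confidence floor is the knob that trades missed detections against analyst time spent on weak indicators.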

There are many cyber threat intelligence service providers in the market, and the number appears to be growing. Not all services that are marketed as threat intelligence actually provide that type of content, so it is important to understand what problem customers are trying to solve. While both commercial premium services and open-source feeds exist in the market today, security operations teams need to validate the solutions that help them acquire, aggregate and act upon the threat intelligence that they need.

About the author: Rasool Kareem Irfan is a trusted cybersecurity advisor with wide experience across various industry verticals including healthcare, life science, banking, financials, insurance and telecom sectors. He holds global security certifications (such as CISM, CEH, ISO27001 Lead auditor) and multi-vendor technology certifications (such as Palo Alto, Symantec, Cisco, Checkpoint, Proofpoint). He is a prominent blogger (www.rasoolirfan.com) in areas including cybersecurity, blockchain, IoT, artificial intelligence, robotic process automation, open compute project, and cloud, and works closely with reputed national and international forums and institutions.