As cyber attacks and threats have grown more complex, our knowledge of them has increased as well. As security professionals we have become more adept at recognizing the indicators of an attack in progress, but obviously, detecting and identifying indicators is just the first step in stopping them. Threat Intelligence is the collection of information and indicators surrounding an attack as it is happening, and then utilizing that data, as well as shared information on previously encountered attack methods, to create a cohesive picture of the full attack chain.
Among its arsenal, Threat Intelligence utilizes indicators of compromise such as traffic patterns in network traffic which can signify anomalies, yara rules which assist researchers in identifying malware, and other indicators of malicious activity.
Getting Started with Threat Intelligence
So you’ve subscribed to some threat feeds, way to go. What now? Unless you want your security IT team running after irrelevant alerts, you need to focus their efforts on the alerts which make sense for your organization. Knowing where your risk levels increase is the first step in ensuring the alerts you receive are effective in minimizing risk. Are you worried about insider threats? Then you may want to monitor for leaked credentials. Is your organization the target of hacktavists? Your Threat Intelligence should include online brand monitoring to look for fraudulent employee profiles, domain fraud and phishing, among others. Need to assign a risk ranking to a patch alert? Threat Intelligence can help your team with effective patch management.
The Problem with Siloed Threat Intelligence
Threat Intelligence needs to be packaged and utilized correctly in order for it to provide effective insights to the organizational security team. False positives abound when the noise cannot be cleared out, or when an alert cannot be seen in its true context. Eliminating silos is a cornerstone of good security practice, and silos in Threat Intelligence are no different, especially when organizations use multiple security tools and threat intelligence feeds. It may seem like enough to know that an IP or a domain has been blacklisted, but not knowing why because you cannot see the full picture, can come back to haunt you later (especially when you are unaware of the malware siting in your system and trying to access that IP).
Some Things to Look for in a Threat Intelligence Solution
- Risk ranking: A decent Threat Intelligence solution should provide risk ranking, because obviously not all alerts carry the same level of risk and not all alerts should be treated the same.
- Date item added to feed: some feeds have thousands of records, not all recent or relevant. A Threat Intelligence solution should provide timely reporting of indicators so that information is accurate and effective.
- Categorization of each item: What is the item an indicator of? Is it phishing, a malware Command-and-Control center, an adware distribution site? This information, plus additional drill-down information is essential in assisting security teams make sense of alerts.
Most Important: Full Visibility and the Ability to Remediate
You’ve gotten an alert. What happens next is critical. In addition to giving you the data necessary to achieve full visibility and make smart decisions regarding organizational security, there need to be recommendations for (or even better, the ability to) remediate threats. What good is it to find and block malware from reaching out to its command-and-control if it is still sitting in your system?
Full integration of multiple capabilities is the only way an organization can truly secure itself and remain secure, in today’s rapidly changing threat landscape.