Threat feeds and the data they provide continue to grow at a rapid pace. As the volume of data increases, making efficient use of it moves beyond human capability and must shift towards automation. There are three critical sections of the threat intelligence process that will greatly benefit from automation: managing the data, deploying it, and integrating it into the analyst workflow.
Open source, trusted peers, premium feeds, internal programs: these are a few of the intelligence sources your organization is most likely ingesting. Just getting them into a single location is not enough anymore; you must aggregate, deduplicate, and contextualize these pieces of data before you can turn them into usable information. Each of these actions should be automated, as they are almost always a series of repeatable steps that a human analyst would take to turn data into information. Leveraging a threat intelligence platform is a good starting point for aggregation and deduplication, especially for organizations that are strapped for human resources. When it comes to contextualization, it is best to sit with your threat intelligence analysts and learn their current manual processes. What sources of external and internal data do they leverage to learn more about an IOC? Do these sources have APIs to script against? Answering these questions is the first step towards automating the enrichment process for the threat intel feeds.
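The management stage above (aggregate, deduplicate, contextualize) as an added, self-contained example; this is not code from the original post or from any threat intelligence platform. The feeds, the WHOIS/ASN lookup tables and the internal sightings store are constructed stand-ins for the external and internal APIs an analyst would actually script against.

```python
"""Aggregate, deduplicate and enrich indicators from several feeds."""
from dataclasses import dataclass, field
import ipaddress

# Constructed sample feeds (documentation-range values, not real IOCs).
# Each entry is (indicator_type, raw_value, feed_confidence 0-100).
FEEDS = {
    "osint": [
        ("domain", "Bad-Example.COM", 40),
        ("ipv4", "198.51.100.7", 55),
        ("domain", "bad-example[.]com", 60),   # same domain, defanged
    ],
    "peer": [
        ("ipv4", "198.51.100.7", 80),
        ("sha256", "AB" * 32, 90),
    ],
    "premium": [
        ("domain", "evil-example.net", 95),
        ("ipv4", "198.51.100[.]7", 70),        # same IP, defanged
    ],
}


def normalize(itype, value):
    """Canonicalise a raw value so the same indicator from different feeds compares equal."""
    v = value.strip().replace("[.]", ".").replace("(.)", ".")
    if itype == "domain":
        v = v.lower().rstrip(".")
    elif itype == "ipv4":
        v = str(ipaddress.ip_address(v))  # raises on anything that is not a valid address
    elif itype == "sha256":
        v = v.lower()
    return v


@dataclass
class Indicator:
    itype: str
    value: str
    confidence: int
    sources: set = field(default_factory=set)
    context: dict = field(default_factory=dict)


def aggregate(feeds):
    """Merge all feeds; deduplicate on (type, value), keeping the highest
    confidence seen and the union of the feeds that reported it."""
    merged = {}
    for source, entries in feeds.items():
        for itype, raw, conf in entries:
            key = (itype, normalize(itype, raw))
            ind = merged.get(key)
            if ind is None:
                ind = merged[key] = Indicator(itype, key[1], conf)
            ind.confidence = max(ind.confidence, conf)
            ind.sources.add(source)
    return list(merged.values())


# Hypothetical enrichment backends standing in for the APIs an analyst would query.
WHOIS_STUB = {"bad-example.com": {"registrar": "Example Registrar", "age_days": 12}}
ASN_STUB = {"198.51.100.7": {"asn": 64496, "org": "Example ISP"}}
INTERNAL_SIGHTINGS = {"198.51.100.7": 3}  # hits in our own logs (constructed)


def enrich(ind):
    """Contextualise one indicator: external lookup by type plus internal sightings."""
    if ind.itype == "domain":
        ind.context.update(WHOIS_STUB.get(ind.value, {}))
    elif ind.itype == "ipv4":
        ind.context.update(ASN_STUB.get(ind.value, {}))
    ind.context["internal_sightings"] = INTERNAL_SIGHTINGS.get(ind.value, 0)
    return ind


def build_intel(feeds=FEEDS):
    """Full management pass: aggregate, deduplicate, then enrich every survivor."""
    return sorted((enrich(i) for i in aggregate(feeds)),
                  key=lambda i: (i.itype, i.value))


if __name__ == "__main__":
    for ind in build_intel():
        print(ind.itype, ind.value, ind.confidence, sorted(ind.sources), ind.context)
```

Normalization is where most duplicates hide: defanged domains and IPs, mixed-case hashes and trailing dots all represent the same indicator, and the dedupe key has to be computed after they are canonicalised. Keeping the union of sources rather than the first feed seen is what lets an analyst later judge how widely an indicator is corroborated.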
Now that you have the data managed and enriched, it is time to deploy it to your systems. Deployment should be an automated process that takes filters and destinations as input to ensure that the correct indicators are sent to the platforms where they will provide the highest value. Identify which platforms can ingest specific indicator types, ensuring that the fields in the logs of that platform align with the ingested types. This ensures that extraneous and irrelevant indicators are not taking up precious resources where they can’t be used. In addition to the proper types, it is best to work with threat intelligence analysts to prioritize indicators based upon pre-defined risk criteria to ensure that the SOC analysts will not be overwhelmed and suffer alert fatigue. Once this process is tested and validated manually, automated deployment should be a straightforward task that will provide immediate benefit and added value to the managed intelligence.
This final step is the most challenging and should be saved for last. It involves integrating your intelligence, the contextual information, and the alerts generated by the deployed intelligence into a streamlined workflow. A solid understanding of your SOC analysts' end-to-end process is required to ensure that the integration makes sense and provides value by reducing manual data lookups and the need to flip between tool dashboards. Starting with the moment an alert is generated, what data does your analyst need to close that ticket? Answering this question should lead to key automated processes that collect and display that information in a manner that is easily understood.
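The deployment stage (filters and destinations as input) and the integration stage (assembling what an analyst needs when an alert fires) as one added example; this is not code from the original post or from any vendor platform. The indicator records, the destination platforms with their accepted types and risk thresholds, and the alert record are all constructed, hypothetical data.

```python
"""Route managed indicators to the platforms that can use them, then gather
the context an analyst needs when one of those indicators fires."""

# Constructed, already-managed indicators (documentation-range values).
INTEL = [
    {"type": "domain", "value": "bad-example.com", "risk": 85,
     "context": {"registrar": "Example Registrar", "age_days": 12, "internal_sightings": 0}},
    {"type": "ipv4", "value": "198.51.100.7", "risk": 60,
     "context": {"asn": 64496, "org": "Example ISP", "internal_sightings": 3}},
    {"type": "sha256", "value": "ab" * 32, "risk": 95,
     "context": {"internal_sightings": 1}},
    {"type": "ipv4", "value": "203.0.113.9", "risk": 20,
     "context": {"internal_sightings": 0}},
]

# Hypothetical destinations: the indicator types each platform's logs can actually
# be matched on, and the minimum risk score agreed with the SOC to limit alert volume.
DESTINATIONS = {
    "siem":         {"types": {"domain", "ipv4", "sha256"}, "min_risk": 50},
    "dns_firewall": {"types": {"domain"},                   "min_risk": 30},
    "edr":          {"types": {"sha256"},                   "min_risk": 70},
}


def plan_deployment(intel, destinations):
    """Return {destination: [indicator values]} honouring each destination's
    type filter and risk threshold, so nothing unusable is pushed anywhere."""
    plan = {name: [] for name in destinations}
    for ind in intel:
        for name, dest in destinations.items():
            if ind["type"] in dest["types"] and ind["risk"] >= dest["min_risk"]:
                plan[name].append(ind["value"])
    return plan


def alert_context(alert, intel):
    """Given an alert naming the indicator that matched, collect the intel
    record and its enrichment into one view; None if the indicator is unknown."""
    index = {(i["type"], i["value"]): i for i in intel}
    ind = index.get((alert["indicator_type"], alert["indicator"]))
    if ind is None:
        return None
    return {
        "alert_id": alert["id"],
        "source_platform": alert["platform"],
        "host": alert["host"],
        "indicator": ind["value"],
        "risk": ind["risk"],
        **ind["context"],
    }


if __name__ == "__main__":
    for dest, values in plan_deployment(INTEL, DESTINATIONS).items():
        print(dest, values)
    # Constructed alert: the SIEM matched one of the deployed IPs on a workstation.
    sample_alert = {"id": "A-0001", "platform": "siem", "host": "ws-042",
                    "indicator_type": "ipv4", "indicator": "198.51.100.7"}
    print(alert_context(sample_alert, INTEL))
```

The type filter keeps hash indicators out of a DNS firewall that could never match them, and the per-destination threshold is the place to encode the risk criteria agreed with the analysts. Once an alert arrives, the same store answers the "what do I need to close this ticket" question without a manual lookup in each tool.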
Remember, automating threat intelligence is not a quick and simple process. Organizations often try to automate all of their threat intelligence processes in a single project. This frequently leads to frustration and lost time, because the problem is too complex and should be broken down into sections. Hopefully, the three stages outlined above will give you a good starting point as you begin your journey toward efficient automation of specific pieces of your threat intelligence program.
Understand the driver behind security automation and why it is so important in this Black Hat Webcast with Justin Swisher, Security Strategy Manager at Anomali, and Ty Miller, Managing Director at Threat Intelligence Pty Ltd.
Justin Swisher is a Solutions Manager at Anomali. Building on more than twelve years of IT security experience with an emphasis in network security architecture and monitoring, Mr. Swisher has worked to develop new techniques to improve detection and threat hunting. After spending four years with the Air Force as an intelligence analyst, Mr. Swisher brought those analytical skills to leading cybersecurity vendors in an effort to improve network security detection and response.