February 17, 2015 - Greg Martin

The Blind Spot

In cyber security, ignorance is never blissful. It is downright scary. Many security operations teams have yet to develop an internal threat intelligence strategy and are currently operating with large blind spots when it comes to threats. Let's walk through a simple scenario to help you understand what I mean:

Your SIEM alerts on an internal host: 10.10.2.153 was seen scanning other internal IPs, and after a deeper look it previously had outbound HTTPS connections to an IP address within Russia. This scenario is certainly a warning sign of something potentially serious and is flagged by the SOC staff for investigation.

The investigation goes like this: the analyst ran a traceroute to the IP, searched it in Google, and after 45 minutes of effort found no useful public information linking it to known campaigns, although it is clear that the IP belongs to a cloud server provider located in Russia. Finally, the analyst checked the A/V console on the host and saw that no infections were detected. Due to many similar events in the queue with little additional context, the decision was made to flag the event as suspicious but close the investigation and move on.

Now let's replay that scenario through an organization that has a 6-month-old operational threat intelligence program supporting the SOC. It includes one full-time employee who manages the intelligence flow and acts as an overlay and escalation point for assisting SOC investigations. This employee has basic training in static and dynamic malware analysis. Your SOC also has an account on the ThreatStream Optic threat intelligence platform, has enabled 70+ open source threat feeds, and has purchased subscriptions to 2 commercial threat feeds, all feeding automatically into your SIEM via Optic Link. Let's see how the scenario plays out this time.

Your SIEM alerts on an internal host: 10.10.2.153 was seen scanning other internal IPs, and after a deeper look it previously had outbound HTTPS connections to an IP address within Russia. The IP was seen linked, in various threat intelligence reports and in a few open sources such as VirusTotal, to a remote access tool (RAT) known to have been used in targeted attacks against US corporations in the past year. This event is immediately escalated to the incident lead and the SOC manager, and a phone call is placed to the CISO, who instructs the team to stop all other work and focus on this one event. What could have been lost in the sea of alerts is now properly prioritized and worked as the most critical event facing the organization's information security. This is exactly the power of leveraging a threat intelligence platform within an organization's existing operations.
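As an added illustration that is not part of the original post, the following Python routine models the two scenarios above: it enriches the SIEM alert against indicator feeds and decides whether to escalate. The feed names, indicator values (TEST-NET addresses), tags and the scoring rule are all constructed assumptions, not the Optic platform's own logic.

```python
from dataclasses import dataclass
from typing import Dict, List

@dataclass
class Indicator:
    value: str        # observable, here an IPv4 address (constructed, TEST-NET range)
    source: str       # feed that reported it (constructed feed names)
    tags: List[str]   # labels the feed attaches to the indicator
    confidence: int   # feed-reported confidence, 0-100

@dataclass
class Alert:
    host: str
    dest_ip: str
    behaviours: List[str]   # what the SIEM observed on the host

# Constructed stand-in for the open-source and commercial feeds; offline and tiny.
FEEDS: List[Indicator] = [
    Indicator("203.0.113.45", "osint-feed-a", ["rat", "targeted"], 80),
    Indicator("203.0.113.45", "commercial-feed-1", ["c2", "rat"], 90),
    Indicator("203.0.113.45", "osint-feed-b", ["scanner"], 30),   # too weak to count
    Indicator("198.51.100.7", "osint-feed-a", ["phishing"], 85),  # unrelated indicator
]

# The alert from the post: internal host scanning peers after outbound HTTPS.
SAMPLE_ALERT = Alert("10.10.2.153", "203.0.113.45", ["internal_scan", "outbound_https"])

def enrich(alert: Alert, feeds: List[Indicator]) -> List[Indicator]:
    """Return every feed entry whose indicator matches the alert's destination IP."""
    return [i for i in feeds if i.value == alert.dest_ip]

def triage(alert: Alert, hits: List[Indicator], min_confidence: int = 70) -> Dict:
    """Rank the alert (rule is an assumption): credible RAT/C2 link + internal scan = critical."""
    credible = [h for h in hits if h.confidence >= min_confidence]
    tags = {t for h in credible for t in h.tags}
    scanning = "internal_scan" in alert.behaviours
    if tags & {"rat", "c2"} and scanning:
        priority = "critical"
    elif credible:
        priority = "high"      # intel hit without lateral behaviour: still investigate
    elif scanning:
        priority = "suspicious"   # the first scenario: behaviour only, no context
    else:
        priority = "low"
    return {"host": alert.host, "priority": priority, "escalate": priority == "critical",
            "sources": sorted({h.source for h in credible}), "tags": sorted(tags)}

if __name__ == "__main__":
    print("no intel  :", triage(SAMPLE_ALERT, enrich(SAMPLE_ALERT, [])))
    print("with intel:", triage(SAMPLE_ALERT, enrich(SAMPLE_ALERT, FEEDS)))
```

The first call reproduces the "flag as suspicious and close" outcome; the second reproduces the escalation, and the returned sources and tags are what the analyst would cite when briefing the incident lead.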
