Data. Data. Data. Threat data can feel like a constant rushing waterfall that overwhelms an analyst. After all, what good is one more set of data if there is no applicable and manageable use case for it? Some people look at threat intelligence (note: intelligence, not threat data) as a nice-to-have. However, without quality threat intelligence, people leveraging all of these detection tools give security teams 100 percent visibility into only 50 percent of the problem. This equates to taking our eye off half the ball from a security and visibility perspective. Adding high-quality threat intelligence, both verified and relevant, is what enables us to get a lens on that other 50 percent.
So let’s dig into the challenges of managing threat intelligence. Adversaries generate an overwhelming amount of data, not on a weekly or monthly basis but second to second. New threat data is constantly entering the wild and comes at us from a variety of sources and formats. When managing any data set this large, where millions of what we’ll call data points are added daily, we need a strategy that is adept at dealing with this volume. Otherwise we not only tire ourselves out but also strain our resources when it comes to searching these data points against our log data using tools like SIEMs. The other parts of this challenge we’ll address are relevance, the legitimacy of the threat data, and the distinction between threat data and threat intelligence.
Out of all these millions of data points, which ones do I actually care about? In other words, why does this matter to me? Addressing alerts can feel like a game of whack-a-mole with nothing to highlight which mole you should hone in on. I discussed the many different sources of threat intelligence; one of the ways this concept of relevance has been addressed is through the creation of Information Sharing & Analysis Centers (ISACs). ISACs provide a great advantage for anyone looking to improve the relevance of their threat intelligence to drive more meaningful alerts. This type of intelligence helps me understand what types of threats my industry peers are facing. ISACs also enable users to share threat intelligence amongst their peers using solutions like threat intelligence platforms.
Even getting threat intelligence from our ISACs can still require a bit of legwork on our part. Once we get past the duplicates and false positives, we still need to add enrichment to confirm further details of the threat and understand it. Security teams are already overloaded by flashing red lights and alerts; to keep them from feeling their “intelligence source” is the boy who cried wolf, they need a valid source of data that has been vetted, or enriched so to speak, to confirm that something is malicious. Enrichment sources like VirusTotal, scanner classifications, Web of Trust and Passive SSL, amongst others, can help security responders make decisions not just more quickly but more accurately and confidently.
True intelligence is something security teams are able to act on. I think of quality threat intelligence like a high-accuracy 9-1-1 dispatcher: you aren’t just getting a location but deep detail. What is the crime, what does the suspect look like, where specifically is it in our local community? We need to be able to parse through the wave of information thrown at us as security professionals and home in on what we need to prioritize our responses and actions on. If we don’t have a certain level of context, our security responders are going to have an uphill battle to fight. So how do we work to solve all these challenges?
The answer is leveraging a threat intelligence platform. The true management of threat intelligence breaks down into three categories. We’ll start with the collection of intelligence: as I mentioned earlier, there are many different sources and formats of threat intelligence data out there, arriving as plain text, STIX or CSV, and we need a place that not only normalizes it but also stores it. From there, the intelligence is managed, meaning scrubbed so that false positives and duplicate IOCs are removed from the data set, and the threat data is scored and enriched, helping an analyst observe the collected data in one centralized repository.
Coming back to an earlier point, the data needs to be integrated so action can be taken on it, truly making it intelligence. What we need to drive home is the fact that we’re trying to create meaningful alerts, not just more noise for our teams to sift through. While automation does help with how much time these processes take, a meaningful alert is one that has context and detail around it. Knowing when it happened and that it happened in your environment is helpful, but we want to truly understand why it matters to us: why do I care that I saw a connection in from this IP or out to that URL/domain?
We need to understand all the details that don’t meet the eye and that we need to know more about. As a researcher or analyst, we can’t just stop at the fact that an IP, domain, URL, file hash or email address is bad because someone said so. We need to establish concrete evidence and conclusions that help us fully understand the source of the threat: is it part of a campaign, or utilized to carry out a malicious TTP? This is what bridges the gap between the technical teams and those driving business decisions, who need to understand what their risk exposure and attack surface look like.
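To make the collect, manage and integrate stages concrete, here is a small added example of that pipeline in Python. It is illustrative code written for this page, not Anomali’s platform or any product’s code. The three feeds (plain text, CSV, a STIX-style JSON bundle), the allowlist, the enrichment table standing in for lookups such as VirusTotal, and the proxy log lines are all constructed for the demo and use documentation address ranges and the reserved .test domain rather than real indicators. The scoring weights are an assumption chosen for illustration, not a published scheme.

```python
"""Toy threat-intelligence pipeline: collect -> manage -> integrate (constructed example)."""
from __future__ import annotations
import csv
import io
import json
import re
from dataclasses import dataclass, field

# --- Constructed sample inputs (documentation IPs / .test TLD; not real indicators) ---
PLAIN_TEXT_FEED = "198.51.100.23\nbad.example.test\n198.51.100.23\n"
CSV_FEED = ("indicator,type\n"
            "198.51.100[.]23,ip\n"                     # defanged duplicate of the plaintext IP
            "hxxp://bad.example.test/drop.bin,url\n"    # defanged URL
            "8.8.8.8,ip\n")                             # benign resolver: a false positive
STIX_FEED = json.dumps({"type": "bundle", "objects": [
    {"type": "indicator", "pattern": "[domain-name:value = 'bad.example.test']"},
    {"type": "indicator", "pattern": "[ipv4-addr:value = '203.0.113.9']"}]})
ALLOWLIST = {("ip", "8.8.8.8")}          # known-benign entries scrubbed during management
ENRICHMENT = {                            # constructed stand-in for VirusTotal-style lookups
    ("ip", "198.51.100.23"): {"detections": 7, "campaign": "constructed-campaign-A"},
    ("domain", "bad.example.test"): {"detections": 3, "campaign": "constructed-campaign-A"},
}
PROXY_LOGS = [                            # constructed SIEM-style key=value log lines
    "2024-03-01T10:00:01Z src=10.0.0.5 dst=198.51.100.23 action=allow",
    "2024-03-01T10:00:07Z src=10.0.0.9 url=http://bad.example.test/drop.bin action=allow",
    "2024-03-01T10:00:09Z src=10.0.0.5 dst=8.8.8.8 action=allow",
]

@dataclass
class Indicator:
    ioc_type: str
    value: str
    sources: set = field(default_factory=set)
    score: int = 0
    enrichment: dict = field(default_factory=dict)

def normalize(raw: str) -> tuple[str, str]:
    """Refang and classify one raw indicator string into (type, value)."""
    v = raw.strip().lower().replace("[.]", ".").replace("hxxp", "http")
    if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", v):
        return "ip", v
    if v.startswith(("http://", "https://")):
        return "url", v
    return "domain", v

def collect() -> list[tuple[str, str, str]]:
    """Collection: pull (type, value, source) out of three differently formatted feeds."""
    raw = []
    for line in PLAIN_TEXT_FEED.splitlines():
        if line and not line.startswith("#"):
            raw.append((*normalize(line), "plaintext-feed"))
    for row in csv.DictReader(io.StringIO(CSV_FEED)):
        raw.append((*normalize(row["indicator"]), "csv-feed"))
    for obj in json.loads(STIX_FEED)["objects"]:
        m = re.search(r"\[(?:ipv4-addr|domain-name|url):value = '([^']+)'\]", obj["pattern"])
        if obj["type"] == "indicator" and m:
            raw.append((*normalize(m.group(1)), "stix-feed"))
    return raw

def manage(raw) -> dict[tuple[str, str], Indicator]:
    """Management: drop allowlisted false positives, merge duplicates, then score and enrich."""
    merged: dict[tuple[str, str], Indicator] = {}
    for ioc_type, value, source in raw:
        key = (ioc_type, value)
        if key in ALLOWLIST:
            continue
        merged.setdefault(key, Indicator(ioc_type, value)).sources.add(source)
    for key, ioc in merged.items():
        ioc.enrichment = ENRICHMENT.get(key, {})
        # Assumed weighting: 30 per independent feed plus 10 per third-party detection, capped at 100
        ioc.score = min(100, 30 * len(ioc.sources) + 10 * ioc.enrichment.get("detections", 0))
    return merged

def integrate(iocs, logs, min_score=50) -> list[dict]:
    """Integration: match log lines against scored indicators and emit alerts with context."""
    alerts = []
    for line in logs:
        fields = dict(kv.split("=", 1) for kv in line.split()[1:])   # skip the timestamp token
        candidates = {normalize(v) for v in fields.values()}
        if "url" in fields:                                            # also match the URL's host
            candidates.add(("domain", re.sub(r"^https?://([^/]+).*", r"\1", fields["url"].lower())))
        for key in candidates:
            ioc = iocs.get(key)
            if ioc and ioc.score >= min_score:                         # low-confidence hits stay quiet
                alerts.append({"indicator": ioc.value, "type": ioc.ioc_type, "score": ioc.score,
                               "sources": sorted(ioc.sources), "enrichment": ioc.enrichment,
                               "log": line})
    return alerts

def run() -> list[dict]:
    """Run all three stages over the constructed inputs."""
    return integrate(manage(collect()), PROXY_LOGS)

if __name__ == "__main__":
    for alert in run():
        print(json.dumps(alert, indent=2))
```

The point of the threshold in `integrate` is the “meaningful alert” argument above: the URL indicator seen only once in one feed scores too low to fire, while the same host corroborated by two feeds and third-party detections does fire, and the alert carries the sources, score and campaign context an analyst needs rather than just the bare match. The benign resolver never reaches the matching stage at all because it was scrubbed during management.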
In conclusion, our ability to manage threat intelligence robustly allows the security professionals of an organization to help drive business decisions. Using quality intelligence, security teams have improved visibility into their environment and attack surface, understanding where they need to prioritize and potentially batten down the hatches. The proper management of threat intelligence allows organizations to improve their security posture over time and put in place solid best practices for when an organization is under attack.
Interested in learning more on managing threat intel? Listen to a recording of Teddy’s webinar.
Teddy Powers has been an SE with Anomali for almost 3 years, supporting customers in the financial, healthcare, telecom and tech sectors. Unlike most of his team members, his previous position before Anomali was not at ArcSight but at the Villanova University Athletic Department. In his free time, he reads, plays guitar, sings and hits more golf balls than any healthy, sane person should.