In this blog, we will be looking at a few popular use cases of Anomali Match™, one of the core components of the Anomali Threat Platform. Anomali Match is a powerful tool that addresses an industry-wide dilemma on how to leverage threat intelligence effectively. A key issue with most tools is that they do not understand TTPs, campaigns, threat bulletins, and other components of the threat model, and thus cannot provide context around indicator of compromise (IOC) matches. Anomali Match solves this major problem by identifying relationships across the entire threat model around IOC sightings within your environment.
1. Evolve from IOC-centric detection by leveraging the entire threat model
Anomali Match can provide strategic value on intelligence via threat model relationships. This moves the needle away from commonly seen “atomic indicator” type of IOC data, and starts giving you incredible information from which to base your investigations and incident response activities.
Within the threat model, you will, among other things, be able to see context such as related threat bulletins, incidents, actor profiles, campaigns, TTPs, and vulnerabilities.
2. Take advantage of the MITRE ATT&CK framework within your organization
MITRE ATT&CK (Adversarial Tactics, Techniques, and Common Knowledge) is a living, growing knowledge base of adversary tactics and techniques based on real-world observations. Anomali has integrated this framework into Anomali Match, allowing matching across strategic intelligence such as threat bulletins, actor profiles, TTPs, and campaigns that reach across the ATT&CK framework. As an example, this capability can allow indicators to be associated with threat actors to understand their TTPs.
The ATT&CK matrix is visually integrated into Anomali Match, highlighting TTPs that are being leveraged in a sighting, and immediately provides additional context around the observable in question.
3. Prioritize efforts by using vulnerability scans in conjunction with matches to compute an overall risk score on endpoints
Anomali Match introduces the ability to calculate an overall risk score for assets within your environment. By allowing the ingestion of reports from vulnerability assessment (VA) tools such as Qualys, having the ability to assign different criticalities to each asset or asset class, and factoring in intelligence matches, Anomali Match becomes a central decision point for understanding effort prioritization.
Each score is computed using an aggregate of VA information, asset criticality, and intelligence sighting, providing the operator with a concise view of impacted hosts.
4. Evaluate historical exposure to newly identified threats
A common approach to leveraging threat intelligence inside organizations is to ingest it into the SIEM for correlating matches. While this can be acceptable in a few scenarios, it does have certain limitations:
- These tools are usually limited in terms of data retention periods. Typically, a large subset of logs are kept in cold storage, meaning forensic lookups usually involve restoring logs from backup.
- Matches require parsing of raw log data, which can be costly in terms of performance and utilization.
- Matches do not utilize the entirety of the threat model.
Anomali Match is a purpose-built tool that solves these common issues. By backfilling data from the SIEM and only keeping metadata that can be matched with threat intelligence, this means that:
- Retention periods are almost limitless.
- Searches across large datasets complete in near real-time.
- Results are more comprehensive since they match across the entire threat model.
According to a recent Ponemon study, the average time-to-detection for data breaches sits at 191 days. Therefore, it is critical for organizations to not only be able to detect threats, but also have the ability to evaluate historical exposure when threats are discovered.
Anomali Match allows for automated retrospective lookups on new intelligence matches in your environment at speeds and scales other tools can’t come close to.
5. Identify IOCs within your environment across multiple tools
Organizations typically employ a variety of different tools in their security stack. For example, an organization could be using EDR, IDS, SIEM, and firewall technologies. Each of these tools can generate a considerable amount of log data.
Anomali Match has the ability to ingest data from various tools like the ones previously mentioned, as well as other common sources such as TAP, SPAN, syslog, and BEATS. This capability allows Anomali Match to report sightings across the multiple tools usually present in a modern security stack.
Topics:Threat Intelligence Platform