Nowadays, a large number of organizations have adopted Cyber Threat Intelligence (CTI) as an integral part of their security operations. However, several challenges remain in extracting the most value out of it for improving the organization’s security posture. One of the issues is regarding the difficulty in gaining actionable insights from the volumes of threat data collected. In this article, we take a look at how security teams can convert the threat data at hand into actionable Threat Intelligence.
If one were to create an exhaustive list of sources of threat data, it would take a while to go through it. However, any general threat data collection process will include various sources like:
- Open-source Threat Data feeds
- Commercial Threat Intel providers
- Security Advisories by vendors
- Alerts from Law enforcement or Regulators
- Threat research reports, whitepapers, blogs, etc.
- Information Sharing communities
- In-house Threat Intelligence
- Security notifications from Partner organizations
- Social Media platforms
- Dark Web Intelligence
With an abundance of information sources available to organizations, it is necessary to take a step back and analyze what separates valuable threat data from the surrounding noise.
The Indicators That Matter
Let’s face it. There are more threat data sources out there than any single team can analyze on its own. But not all indicators are made equal. Some are ephemeral in nature, whereas others can have a long-term impact in mitigating advanced threats. Let us look at what makes certain types of threat indicators superior to others.
The primary types of threat indicators include hash values, IP addresses, domain names, network artifacts, host artifacts, tools, and the Tactics, Techniques and Procedures (TTPs) used by threat actors. Let us take the case of hash values and IP addresses. These indicators, despite providing highly accurate identification of threats, are only of short-term value. Because both can be changed with little effort, threat actors can easily evade detection when these are the only types of indicator available to defenders.
Next come domain names. Even though domain names can also be changed, doing so is a slightly more involved process, as it requires registration with a domain registrar, and it can leave a trail if not managed carefully. Next come network and host artifacts, which can help identify the attack infrastructure or even the specific pieces of malicious software being used. If these are known to the defenders, threat actors need to go back and reconfigure their tools to avoid detection, thereby breaking the attack chain. Indicators related to the tools used by threat actors can likewise force them to modify or change their arsenal to some extent. However, they can still retain the exact same technique for achieving their objective.
All the types of indicators discussed so far can help prevent or delay an ongoing or potential attack for a while. Still, an attacker can evade detection and mount an attack by changing or reconfiguring their tools. The most impactful type of indicator, however, is the TTP. TTPs describe the various stages of an attack, ranging from reconnaissance all the way to data exfiltration. This means that if an attacker’s TTPs are known to the defenders, the attacker must go back to the drawing board and craft an entirely new way to breach the target. Over time, as the collection of TTPs known to defenders grows, attackers have a much reduced chance of executing a successful attack.
Thus, TTPs provide highly actionable threat intel for defending against the smartest attackers. It is clear that organizations must aim to leverage actionable threat intelligence instead of relying on low-value indicators. Now, let us look at how security teams can enhance their Threat Intelligence operations to produce actionable insights.
Finding Needles in a Haystack
Here are some ways in which organizations can turn an abundance of threat data into relevant and actionable threat intel.
- Combination of machine and human intellect - Threat analysts possess experience in spotting anomalies or malicious indicators in large volumes of data. However, their efforts can be enhanced with the help of an advanced Threat Intel Platform that provides automated ingestion, validation, and filtering of threat data from various sources. In addition, human judgment can be used to train machine models to improve the detection of such anomalies over time.
- Focus on context - Organizations must look for contextual intelligence, i.e., information that is particularly relevant to their specific threat environment. Just as not every piece of news is relevant to every person, security teams need to separate the wheat from the chaff and identify the threats with the most impact on their organization. Analysts can score indicators on the basis of a variety of factors such as geo-location, timestamp, affected industry, and more. This helps rank and prioritize threat indicators for further analysis or investigation and reduces overall triage time.
- Diving deeper into adversary behavior - Medical doctors are taught to treat the root cause of an illness rather than merely treating the symptoms. In the same way, security teams must study adversary behavior to prevent malicious activity at its source rather than just blocking threats based on malicious indicators. By leveraging adversary behavior-based indicators such as TTPs, organizations can ensure a more effective application of the threat intel in their security operations.
- Unite and conquer - Every organization has a limited amount of resources dedicated to securing its operations. Threat actors, on the other hand, learn from each other to further their malicious activities. Thus, organizations defending against them must also strengthen their defenses by exchanging intelligence and lessons learned from their own CTI operations. By unifying threat intel from internal and external sources and exchanging relevant intel with trusted partners, organizations can reap a greater return from their threat intel activities.
- Improving Threat Intel program maturity - Threat Intelligence can have an impact on many functions within an organization. Using threat intel, security teams can better prioritize their threat mitigation efforts, management can better allocate resources, senior executives can realign the organization’s cybersecurity strategy, and much more. However, this requires appropriate communication of threat intel to stakeholders and staff at various levels. With this in place, threat intel can create synergy between all the parties involved in managing the organization’s cyber risks.
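The indicator hierarchy from the previous section and the contextual scoring described under "Focus on context" can be combined into a single triage score. The following is an added example, not code from the original article or from any threat intel platform; the type weights, the per-type half-lives, the context boosts and the sample indicators are all assumptions chosen to illustrate the ranking.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Base value per indicator type in the order the article ranks them (harder to change = worth more).
TYPE_VALUE = {"hash": 1, "ip": 2, "domain": 3, "network_artifact": 4,
              "host_artifact": 4, "tool": 5, "ttp": 6}

@dataclass
class Indicator:
    value: str
    itype: str
    first_seen: datetime
    industries: set = field(default_factory=set)  # industries the feed says are targeted
    regions: set = field(default_factory=set)     # regions where the activity was observed
    confidence: float = 1.0                       # 0..1 as reported by the feed

@dataclass
class OrgProfile:
    industry: str
    region: str

def score_indicator(ind, org, now):
    """Return a 0..100 triage score combining indicator type, age and context."""
    if ind.itype not in TYPE_VALUE:
        raise ValueError(f"unknown indicator type: {ind.itype}")
    base = TYPE_VALUE[ind.itype] / max(TYPE_VALUE.values())
    age_days = max((now - ind.first_seen).days, 0)
    # Assumed half-lives in days: hashes and IPs go stale fast, TTPs barely age.
    freshness = 0.5 ** (age_days / {"hash": 7, "ip": 14, "domain": 30}.get(ind.itype, 365))
    context = 1.0  # boost indicators whose reported targeting matches this organization
    context += 0.5 if org.industry in ind.industries else 0.0
    context += 0.25 if org.region in ind.regions else 0.0
    raw = base * freshness * context * ind.confidence
    return round(min(raw / 1.75, 1.0) * 100, 1)  # 1.75 is the largest possible context boost

def rank_indicators(indicators, org, now):
    """Order indicators so the highest-value ones are triaged first."""
    return sorted(indicators, key=lambda i: score_indicator(i, org, now), reverse=True)

# Constructed sample data, not real intelligence.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)
ORG = OrgProfile(industry="finance", region="EU")
SAMPLE = [
    Indicator("sha256:<constructed>", "hash", datetime(2024, 1, 13, tzinfo=timezone.utc)),
    Indicator("203.0.113.7", "ip", datetime(2023, 11, 16, tzinfo=timezone.utc)),
    Indicator("example.invalid", "domain", datetime(2024, 1, 5, tzinfo=timezone.utc),
              industries={"finance"}, regions={"EU"}, confidence=0.8),
    Indicator("spearphishing attachment leading to macro loader", "ttp",
              datetime(2023, 6, 29, tzinfo=timezone.utc), industries={"finance"}, confidence=0.9),
]
```

Calling `rank_indicators(SAMPLE, ORG, NOW)` places the months-old TTP first and the stale IP address last, even though the hash is the freshest indicator in the set; swapping in the organization's own weights and feed fields is the intended way to adapt it.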
An organization can sometimes face obstacles in driving action through its CTI program. However, with the right strategy and implementation, it can be the most important tool in the fight against modern cyber threats.