Threat intelligence has become a key tool for security teams in combating capable adversaries. Whether it is driving preemptive actions to block emerging threats, studying adversary behavior, or shaping the overall security strategy, threat intel plays a role in many aspects of cybersecurity within an organization. With the advent of security automation, it is worth understanding how organizations can level up their threat intel operations by leveraging automation.
Stages of the Threat Intel Process
To understand what advantages automation can provide for intel teams, let us break down the key steps involved in intel operations and the effect of automation on each. Cyber threat intelligence (CTI) can be understood as a six-step cycle modeled on the intelligence cycle used by agencies such as the CIA.
- Planning and Direction - Before embarking on an intel operation, the team decides the key objectives and the questions to be answered that will guide collection. This stage takes the requirements of all key stakeholders into account so that the intel produced at the end is actionable and relevant for them.
- Collection - This stage involves gathering raw threat information from various sources. External sources include open source threat data feeds, threat research and reports, indicators of compromise (IOCs), security advisories, and more. Internal sources include application and server logs, access control events, and data from security controls such as firewalls, IDS/IPS and the SIEM.
- Processing - The raw information collected must be converted into a form suitable for analysis. This may require security teams to filter, deduplicate, decode (for example, refang defanged URLs and addresses), translate, and normalize the different kinds of information collected. Processing also lets the team judge how useful the collected information is with regard to the objectives set during planning.
- Analysis - Here security analysts analyze the processed information, weighing factors such as the reliability of the source, the validity of the data, and its relevance to the organization. The end result is clear, contextual intelligence for the various security functions and decision-makers within the organization.
- Dissemination - This step gets the intel produced by analysts to its intended audience. As noted above, that audience may be personnel running security operations or people making decisions at a higher level in the organization. Organizations can also exchange threat intel with peers, partners, vendors, industry groups and the like to support wider efforts against the threat.
- Feedback - Security teams adjust their priorities and requirements for future intel operations based on what the cycle has taught them. This is crucial for improving the performance of the intel team and for it to fulfil its role in the overall security strategy.
Now, let us briefly cover the benefits of automation in the threat intel process.
Intel Collection
Imagine trying to solve a jigsaw puzzle where the pieces are scattered across the room. The player would first need to figure out where the pieces are hidden, then collect and organize them, and only then begin solving the actual puzzle.
Intel collection is similar: analysts have a wide variety of information sources to go through and must pick the relevant pieces from each one. Collection is a tedious task that has to be repeated before any further analysis can happen. This is why automation is a major boon: it lets analysts collect threat information from both internal and external sources on a schedule or on demand rather than by hand.
This saves analysts' time, and it also improves the quality of the collected information over time, because the automation (which sources are polled, how they are parsed, what is filtered out) can be refined with every run.
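The collection and processing stages described above, as an added example that is not part of the original post: a Python script that reads two constructed sources (an external CSV feed that defangs its indicators, and internal IDS alert lines), refangs and types each indicator, drops anything it cannot classify, and deduplicates the rest keeping the highest confidence seen. The feed layout, field names, confidence values and the "95 for internal sightings" rule are assumptions made for the demo.

```python
"""Collect raw indicators from several sources and normalize them.

Added example, not code from the original post. Both inputs below are
constructed: a defanged external CSV feed and internal IDS alert lines.
"""
import csv
import io
import ipaddress
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Constructed sample: an external feed that defangs its indicators so they
# cannot be clicked; note it also repeats one IP with a different confidence.
EXTERNAL_FEED_CSV = """indicator,type,confidence
hxxp://malicious[.]example/path,url,80
malicious[.]example,domain,70
198[.]51[.]100[.]23,ip,90
44d88612fea8a8f36de82e1278abb02f,md5,60
198.51.100.23,ip,50
"""

# Constructed sample: internal IDS alerts (timestamp, event, observed value, client).
INTERNAL_IDS_LINES = [
    "2020-02-18T09:12:03Z\tdns\tmalicious.example\tsrc=10.0.4.17",
    "2020-02-18T09:12:05Z\tconn\t203.0.113.9\tsrc=10.0.4.17",
]


@dataclass(frozen=True)
class Indicator:
    value: str
    kind: str         # "ip", "domain", "url", "md5", "sha1" or "sha256"
    source: str
    confidence: int   # 0-100


def refang(value: str) -> str:
    """Undo common defanging so the value can be matched against logs."""
    v = value.strip().lower()
    for bracketed, plain in (("[.]", "."), ("(.)", "."), ("{.}", "."),
                             ("[:]", ":"), ("[@]", "@")):
        v = v.replace(bracketed, plain)
    if v.startswith("hxxp"):
        v = "http" + v[4:]
    return v


_HEX = re.compile(r"^[0-9a-f]+$")
_DOMAIN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$")


def classify(value: str) -> Optional[str]:
    """Infer the indicator type from its refanged form; None if unrecognized."""
    if value.startswith(("http://", "https://")):
        return "url"
    try:
        ipaddress.ip_address(value)
        return "ip"
    except ValueError:
        pass
    if _HEX.match(value):
        return {32: "md5", 40: "sha1", 64: "sha256"}.get(len(value))
    if _DOMAIN.match(value):
        return "domain"
    return None


def parse_external(csv_text: str, source: str) -> List[Indicator]:
    """Read a CSV feed. The feed's own 'type' column is ignored in favour of
    our classification, because feeds disagree on naming."""
    out = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        value = refang(row["indicator"])
        kind = classify(value)
        if kind is None:
            continue  # drop what we cannot type; untyped noise hurts correlation
        out.append(Indicator(value, kind, source, int(row["confidence"])))
    return out


def parse_internal(lines: Iterable[str], source: str) -> List[Indicator]:
    """Internal sightings get a fixed high confidence (assumption: 95),
    since the organization observed them itself."""
    out = []
    for line in lines:
        _ts, _event, observed, _client = line.split("\t")
        value = refang(observed)
        kind = classify(value)
        if kind is not None:
            out.append(Indicator(value, kind, source, 95))
    return out


def deduplicate(indicators: Iterable[Indicator]) -> List[Indicator]:
    """Merge duplicates on (value, kind), keeping the highest confidence seen."""
    best = {}
    for ind in indicators:
        key = (ind.value, ind.kind)
        if key not in best or ind.confidence > best[key].confidence:
            best[key] = ind
    return sorted(best.values(), key=lambda i: (i.kind, i.value))


def collect() -> List[Indicator]:
    """One run of the automated collection plus processing stages."""
    return deduplicate(parse_external(EXTERNAL_FEED_CSV, "osint-feed")
                       + parse_internal(INTERNAL_IDS_LINES, "ids"))


if __name__ == "__main__":
    for ind in collect():
        print(f"{ind.kind:7} {ind.value:32} conf={ind.confidence:3} from {ind.source}")
```

The script deliberately trusts its own type classification over the feed's `type` column: in practice feeds label the same thing "ip", "ipv4", "IP-Dst" and so on, and normalizing once at ingestion is what makes the later correlation step a simple equality match.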
Intel Enrichment, Correlation, and Analysis
After collecting the threat information, analysts need to enrich, correlate, and analyze it further to understand and, where possible, predict the behavior of the adversary. The key challenge is the sheer volume of data: analysts have to reduce it to something in which attack patterns are visible.
Automation can help security teams prioritize threat indicators using context such as the organization's industry sector, its geography, and its previous incidents. Machines can also take over the repetitive parts of the process: enriching an indicator by combining information from many sources, or correlating indicators against internal events.
The combination of human judgment and machine throughput speeds up threat analysis and helps cut through the huge amounts of threat data collected every day.
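The correlation and prioritization described above, as an added example that is not part of the original post: a Python script that matches indicators (shaped as they would come out of the processing stage) against constructed web proxy log lines and ranks them using the organization's sector, its prior incidents, indicator freshness, and how many internal hosts were seen contacting the indicator. The indicator metadata, the log format, the organizational context and every weight in the score are assumptions made for the demo, not a published scoring model.

```python
"""Correlate normalized indicators with internal events and rank them.

Added example, not code from the original post. The indicators, proxy
log lines and organizational context are constructed; scoring weights are
illustrative assumptions.
"""
import re
from datetime import datetime, timezone
from typing import Dict, List

# Constructed: indicators after processing, with the context the feed supplied.
INDICATORS = [
    {"value": "malicious.example", "kind": "domain", "confidence": 70,
     "sectors": ["finance", "insurance"], "campaign": "CAMPAIGN-A",
     "last_seen": "2020-02-17"},
    {"value": "203.0.113.9", "kind": "ip", "confidence": 90,
     "sectors": ["energy"], "campaign": "CAMPAIGN-B",
     "last_seen": "2019-06-01"},
    {"value": "cdn-update.example", "kind": "domain", "confidence": 40,
     "sectors": [], "campaign": None, "last_seen": "2020-02-10"},
]

# Constructed: what the organization knows about itself.
ORG_CONTEXT = {
    "sector": "finance",
    "prior_incident_campaigns": {"CAMPAIGN-B"},
    "now": datetime(2020, 2, 19, tzinfo=timezone.utc),
}

# Constructed: web proxy log lines (timestamp client method url status).
PROXY_LOG = """2020-02-18T09:12:05Z 10.0.4.17 GET http://malicious.example/path 200
2020-02-18T09:12:09Z 10.0.4.17 GET http://cdn-update.example/lib.js 200
2020-02-18T11:40:00Z 10.0.7.3 CONNECT 203.0.113.9:443 200
2020-02-18T11:41:10Z 10.0.9.21 GET http://cdn-update.example/lib.js 200
"""

_HOST = re.compile(r"^(?:[a-z]+://)?([^/:\s]+)")


def host_of(url: str) -> str:
    """Extract the host from 'scheme://host/path' or 'host:port' forms."""
    return _HOST.match(url).group(1)


def sightings(indicator: Dict, log_text: str) -> List[str]:
    """Internal clients observed contacting the indicator (sorted, unique)."""
    hits = set()
    for line in log_text.splitlines():
        _ts, client, _method, url, _status = line.split()
        if host_of(url) == indicator["value"]:
            hits.add(client)
    return sorted(hits)


def score(indicator: Dict, hits: List[str], ctx: Dict) -> int:
    """Feed confidence adjusted by organizational context and internal sightings.
    All weights are assumptions chosen for the demo."""
    s = indicator["confidence"]
    if ctx["sector"] in indicator["sectors"]:
        s += 20   # the threat is known to target our sector
    if indicator["campaign"] in ctx["prior_incident_campaigns"]:
        s += 25   # we have been hit by this campaign before
    last_seen = datetime.fromisoformat(indicator["last_seen"]).replace(tzinfo=timezone.utc)
    if (ctx["now"] - last_seen).days > 180:
        s -= 30   # stale indicators are a common source of false positives
    s += 15 * min(len(hits), 3)   # internal sightings matter most, capped
    return max(0, min(s, 200))


def prioritize(indicators=INDICATORS, log_text=PROXY_LOG, ctx=ORG_CONTEXT) -> List[Dict]:
    ranked = []
    for ind in indicators:
        hits = sightings(ind, log_text)
        ranked.append({"value": ind["value"], "kind": ind["kind"],
                       "score": score(ind, hits, ctx), "sightings": hits})
    return sorted(ranked, key=lambda r: r["score"], reverse=True)


if __name__ == "__main__":
    for r in prioritize():
        print(f"{r['score']:4}  {r['kind']:6} {r['value']:22} seen from {r['sightings']}")
```

Note what the ranking does with the second indicator: its feed confidence is the highest of the three, but it is stale and targets a different sector, so it ends up below a lower-confidence domain that matches the organization's sector and was contacted from inside the network. That is the point of contextual prioritization: the feed's own score is only one input.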
Threat Intel Dissemination and Information Sharing
In previous blogs, we have discussed the importance of information sharing for improving security operations. Without timely and relevant dissemination, the value of threat intelligence is never fully realized. Here automation can ensure that important insights and alerts reach the right people at the right time.
Security teams can use automation to generate tailored threat research reports, performance metrics, or advisories for the various security functions and other roles in the organization, and to deliver them through automated alerts. Organizations can also automate information sharing with trusted partners, using a machine-readable format so that the receiving side can ingest it without manual re-keying, and build larger sharing communities on top of that.
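Automated sharing with partners, as an added example that is not part of the original post: a Python script that packages the indicators that cleared a priority threshold as a STIX 2.1 bundle carrying a TLP:AMBER marking, building the JSON by hand so it runs without the stix2 library. The indicator list, the threshold, the organization name and the label mapping are constructed for the demo; the TLP:AMBER marking-definition id is the fixed one published in the STIX 2.1 specification. A real pipeline would push the resulting bundle to a TAXII collection that partners poll.

```python
"""Package prioritized indicators as a STIX 2.1 bundle for sharing.

Added example, not code from the original post. The JSON is built by hand
(no stix2 library) so it runs offline; the indicators are constructed.
"""
import json
import uuid
from datetime import datetime, timezone
from typing import Dict, List

# TLP:AMBER marking-definition id as fixed by the STIX 2.1 specification.
TLP_AMBER = "marking-definition--f88d31f6-dbdf-42d3-9b82-dc4c3f0d6d08"

# Constructed: output of the prioritization step.
PRIORITIZED = [
    {"value": "malicious.example", "kind": "domain", "score": 105, "campaign": "CAMPAIGN-A"},
    {"value": "203.0.113.9", "kind": "ip", "score": 100, "campaign": "CAMPAIGN-B"},
    {"value": "cdn-update.example", "kind": "domain", "score": 70, "campaign": None},
]

SHARE_THRESHOLD = 80   # assumption: only well-supported indicators leave the org

# STIX patterning expressions for the indicator kinds we produce.
_PATTERNS = {
    "domain": "[domain-name:value = '{v}']",
    "ip": "[ipv4-addr:value = '{v}']",
    "url": "[url:value = '{v}']",
    "md5": "[file:hashes.MD5 = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}


def _now() -> str:
    """STIX timestamp: RFC 3339 in UTC with millisecond precision and a 'Z'."""
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%f")[:-3] + "Z"


def stix_pattern(kind: str, value: str) -> str:
    """Build a STIX pattern, escaping backslashes and single quotes as the
    patterning grammar requires."""
    escaped = value.replace("\\", "\\\\").replace("'", "\\'")
    return _PATTERNS[kind].format(v=escaped)


def to_indicator(item: Dict, created_by_ref: str) -> Dict:
    ts = _now()
    obj = {
        "type": "indicator",
        "spec_version": "2.1",
        "id": f"indicator--{uuid.uuid4()}",
        "created_by_ref": created_by_ref,
        "created": ts,
        "modified": ts,
        "name": f"{item['kind']} {item['value']}",
        "pattern": stix_pattern(item["kind"], item["value"]),
        "pattern_type": "stix",
        "valid_from": ts,
        "indicator_types": ["malicious-activity"],
        "confidence": min(item["score"], 100),   # STIX confidence is 0-100
        "object_marking_refs": [TLP_AMBER],
    }
    if item["campaign"]:
        obj["labels"] = [item["campaign"].lower()]
    return obj


def build_bundle(items: List[Dict] = PRIORITIZED, threshold: int = SHARE_THRESHOLD,
                 org_name: str = "Example Org") -> Dict:
    """Identity object for the producer plus one indicator per item over threshold."""
    ts = _now()
    identity = {
        "type": "identity", "spec_version": "2.1",
        "id": f"identity--{uuid.uuid4()}",
        "created": ts, "modified": ts,
        "name": org_name, "identity_class": "organization",
    }
    objects = [identity] + [to_indicator(i, identity["id"])
                            for i in items if i["score"] >= threshold]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}", "objects": objects}


if __name__ == "__main__":
    print(json.dumps(build_bundle(), indent=2))
```

Two details worth keeping when adapting this: the threshold check is what stops low-confidence internal noise from being exported to partners, and the marking reference on every indicator is what tells the receiver how far it may be redistributed.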
The Big Picture
The reality of cybersecurity operations is that a threat actor needs to succeed only once, whereas the defenders need to succeed every time. Given this asymmetry, security teams need the most effective ways to improve their security posture. Security automation is one such tool: it strengthens threat intel operations and lets organizations move toward a proactive cybersecurity approach.
Posted on: February 19, 2020