High-quality, enriched, and actionable threat intelligence is one of the most effective tools security teams have for fending off cyberattacks. It gives teams context, a better insight into an adversary's motives and tactics, techniques, and procedures (TTPs), and raises the quality of detection needed for rapid, informed decisions. Collecting threat data alone is not enough, however. Ingested threat data is meaningless on its own unless it is tied to the impact on the organization. To realize the value of any threat data, it must be processed, verified, and contextualized so that the organization can act on it. Once the data is processed and enriched, security teams can use it to produce cyber threat intelligence that supports faster and smarter threat response. The process of deriving decision-ready intelligence from enriched threat data is referred to as analysis, and it is the foundation of contextual, relevant cyber threat intelligence.
Threat Intel 101: Defining Threat Intelligence Analysis
Threat intel analysis is an integral phase of the threat intelligence lifecycle where security analysts make sense of collected threat data by adding context. It is in this stage that threat information is correlated and contextualized to identify potential security issues and develop actionable insights that are needed to create appropriate countermeasures to respond to the identified threats. The analysis phase includes:
- Correlating indicators and incidents
- Establishing relationships
- Structuring data for indexing and search
- Visualizing the information to get a bigger picture
During analysis, the threat information is evaluated for accuracy, relevance, timeliness, and completeness. Once verified, it is put into context and turned into complete threat intelligence specific to an industry or organization, supporting different views and decisions.
How does a Threat Intel Platform (TIP) Improve the Analysis Process?
Intelligence is key to enabling security teams to anticipate threats, respond to attacks more quickly, and make smarter, more informed decisions on how to reduce risk. Gathering threat data is just one part of the larger process; once the information is collected, the right strategy and tools must be in place to analyze and process it. One of the most effective ways to manage this is a threat intelligence platform (TIP). Rather than working in silos, a TIP lets security teams collaborate and go beyond aggregating data to analyzing it. A TIP provides search, along with knowledge management through the retention of threat intelligence and incident-related data. It collects and normalizes both internal and external threat data to create contextualized, actionable threat intelligence, which security teams can organize and analyze automatically to identify hidden threat patterns. Modern TIPs can automatically enrich intelligence with relevant context from trusted sources such as Shodan, HybridAnalysis, VirusTotal, and WHOIS. Using this enriched data, security operations centers (SOCs), incident responders, and red teams can speed up analysis and improve response. Security teams can compute a risk score for each IOC and prioritize actions on the relevant intel, such as blocking the IOCs or adding them to a SIEM watchlist.
Role of MITRE ATT&CK in Threat Intelligence Analysis
MITRE ATT&CK is a very useful framework for threat intelligence analysts because it describes threat actor behavior in a standardized way, giving better visibility into the threats that matter most to an organization. It catalogs threat actor TTPs observed in real-world campaigns in a set of matrices (Enterprise, Mobile, and ICS), organized by tactic (the adversary's goal) and technique (how that goal is achieved). It is a catalog of observed behavior rather than an exhaustive list, so behavior that does not map to a technique should still be recorded. Using this knowledge base, security operations center (SOC) teams can trace threat actor movements across their network and identify gaps in their defenses. Fused with threat intelligence, the framework helps security teams gather the evidence needed to analyze a cyberattack and act to stop its progression. Advanced threat intelligence platforms (TIPs) embed the MITRE ATT&CK Navigator, which accelerates analysis by helping security teams spot technique trends across the stages of an attack and tie them to reported intel. With the Navigator, an advanced TIP provides contextualized insights by mapping adversaries' footprints and TTPs against reported incidents, and gives a quick overview of object statuses, techniques observed, and the most prominent threat actors detected. For every technique, analysts can see the relevant data sources and platforms, related malware, the defenses it bypasses, and the recommended mitigations. A TIP integrated with ATT&CK Navigator shows the IOCs, threat actors, incidents, or malware related to the technique, along with instances and further references.
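As an added example (not code from the page or from any TIP vendor), the following Python builds an ATT&CK Navigator layer from the techniques an analyst mapped out of incident reports, counts how often each technique appears, notes which actors used it, and flags techniques for which the organization has no data-source coverage. The incident records, actor names and the coverage table are constructed sample data; the technique IDs are real ATT&CK IDs; the layer uses the Navigator's JSON layer fields (techniqueID, score, comment, color, enabled), and the version numbers in the versions block are assumptions.

```python
"""Build an ATT&CK Navigator layer from techniques observed in reported incidents.

Added example, not code from the page or any vendor TIP. The incident records,
actor names and coverage table are constructed; version numbers in the layer
header are assumptions and should match the Navigator build you load it into.
"""
import json
from collections import Counter, defaultdict

# Constructed incident reports: the ATT&CK technique IDs mapped from each
# report and the actor the report attributed the activity to.
INCIDENTS = [
    {"id": "INC-001", "actor": "ActorA", "techniques": ["T1566.001", "T1059.001", "T1071.001"]},
    {"id": "INC-002", "actor": "ActorA", "techniques": ["T1566.001", "T1105", "T1071.001"]},
    {"id": "INC-003", "actor": "ActorB", "techniques": ["T1059.001", "T1021.001"]},
]

# Constructed (hypothetical) coverage: which techniques our telemetry can observe.
COVERAGE = {
    "T1059.001": "Process creation (EDR)",
    "T1071.001": "Proxy logs",
    "T1566.001": "Mail gateway",
}


def technique_frequency(incidents):
    """Count in how many incidents each technique appeared (once per incident)."""
    counts = Counter()
    for inc in incidents:
        counts.update(set(inc["techniques"]))
    return counts


def technique_actors(incidents):
    """Map each technique to the set of actors observed using it."""
    actors = defaultdict(set)
    for inc in incidents:
        for tid in inc["techniques"]:
            actors[tid].add(inc["actor"])
    return actors


def coverage_gaps(incidents, coverage):
    """Techniques seen in incidents that no available data source can observe."""
    return sorted(t for t in technique_frequency(incidents) if t not in coverage)


def build_layer(incidents, coverage, name="Observed techniques"):
    """Return a Navigator layer dict: score = incident count, color = coverage."""
    freq = technique_frequency(incidents)
    actors = technique_actors(incidents)
    techniques = []
    for tid, score in sorted(freq.items()):
        comment = (f"incidents={score}; actors={','.join(sorted(actors[tid]))}; "
                   f"coverage={coverage.get(tid, 'NONE')}")
        techniques.append({
            "techniqueID": tid,
            "score": score,
            "comment": comment,
            "enabled": True,
            # Red for techniques we cannot observe, green for covered ones.
            "color": "#e55" if tid not in coverage else "#5c5",
        })
    return {
        "name": name,
        # Assumed version numbers; adjust to the Navigator instance in use.
        "versions": {"layer": "4.5", "navigator": "4.9.1", "attack": "14"},
        "domain": "enterprise-attack",
        "description": "Techniques observed across reported incidents, colored by coverage",
        "techniques": techniques,
        "gradient": {"colors": ["#ffffff", "#ff6666"], "minValue": 0,
                     "maxValue": max(freq.values(), default=1)},
    }


if __name__ == "__main__":
    layer = build_layer(INCIDENTS, COVERAGE)
    print(json.dumps(layer, indent=2))
    print("Coverage gaps:", coverage_gaps(INCIDENTS, COVERAGE))
```

Saving the printed JSON to a file and opening it in Navigator gives the heatmap the text describes; the coverage_gaps list is the defense-gap view, since a technique that recurs across incidents but has no data source cannot be detected regardless of how good the intel is.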
How Do Enrichment and Correlation Improve the Threat Analysis Process?
Threat intelligence enrichment plays a vital role in the threat analysis process. It is the process of enhancing existing information by supplementing missing or incomplete data. This helps weed out false positives and derives actionable intelligence for threat response and other security operations, surfacing context that may have been buried in the alerts themselves or held in external sources. At a minimum, enrichment data should record where a threat originated, which resources it affected, and when the threat was detected or active. In some cases, it can go deeper, indicating whether a pattern of security events is associated with a specific type of attack or group of attackers. When this enriched information is correlated with internal telemetry and historical incident data, it goes a long way toward answering the what, why, and how during analysis and helps security teams triage threats faster. Traditionally, analysts sifted intel through several trusted sources and enriched and correlated indicators by hand. That is slow and impractical when hundreds, if not thousands, of indicators arrive daily. A threat intelligence platform (TIP) addresses this by automatically enriching indicators of compromise (IOCs) from external sources such as VirusTotal, Whois, and AbuseIP, and correlating them with internal telemetry. Enrichment responses should be cached, and a lookup that returns nothing should be recorded as such, since "no data" is not the same as "benign".
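The enrich-then-correlate step described above, as an added example (not code from the page or from any TIP vendor): each feed indicator is enriched from an external source and then correlated against internal proxy telemetry to produce the minimum context the text asks for (origin, affected hosts, first and last seen). The feed, the enrichment responses (stand-ins for VirusTotal/WHOIS/abuse-report lookups) and the proxy log lines are all constructed; a production version would call the providers' APIs and cache the results.

```python
"""Enrich feed indicators and correlate them with internal telemetry.

Added example, not code from the page or from any TIP vendor. Enrichment
lookups are stubbed with constructed data; the feed and proxy logs are
constructed too.
"""
import re

# Constructed feed indicators: type, value, and the feed that supplied them.
FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "source": "osint-feed"},
    {"type": "domain", "value": "update-check.example", "source": "isac-share"},
    {"type": "sha256", "value": "a" * 64, "source": "osint-feed"},
]

# Constructed enrichment results keyed by indicator value (stand-ins for
# WHOIS, VirusTotal and abuse-report lookups). The hash has no entry on purpose.
ENRICHMENT = {
    "203.0.113.45": {"whois_org": "Example Hosting", "country": "NL",
                     "abuse_reports": 37, "vt_detections": 12},
    "update-check.example": {"registered": "2024-03-01", "vt_detections": 5},
}

# Constructed proxy log lines: "<timestamp> <src_ip> <dest>:<port> <action>".
PROXY_LOGS = """\
2024-05-01T10:02:11Z 10.0.4.21 203.0.113.45:443 ALLOW
2024-05-01T10:05:40Z 10.0.4.21 update-check.example:443 ALLOW
2024-05-01T11:17:03Z 10.0.7.9 203.0.113.45:8080 BLOCK
2024-05-02T08:30:00Z 10.0.4.33 cdn.example.net:443 ALLOW
"""

LOG_RE = re.compile(r"^(\S+) (\S+) ([^:\s]+):\d+ (ALLOW|BLOCK)$")


def parse_logs(text):
    """Parse log lines into dicts; lines that do not match the format are skipped."""
    events = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if m:
            ts, src, dest, action = m.groups()
            events.append({"ts": ts, "src": src, "dest": dest, "action": action})
    return events


def enrich(indicator, sources):
    """Attach external context. A missing lookup is recorded explicitly so the
    analyst can tell 'no data' apart from 'benign'."""
    enriched = dict(indicator)
    enriched["enrichment"] = sources.get(indicator["value"]) or {"status": "no_data"}
    return enriched


def correlate(indicator, events):
    """Link an indicator to internal sightings: which hosts touched it, when it
    was first and last seen, and how much of that traffic was allowed through."""
    hits = [e for e in events if e["dest"] == indicator["value"]]
    ts = sorted(e["ts"] for e in hits)  # ISO-8601 strings sort chronologically
    return {
        "sightings": len(hits),
        "hosts": sorted({e["src"] for e in hits}),
        "first_seen": ts[0] if ts else None,
        "last_seen": ts[-1] if ts else None,
        "allowed": sum(1 for e in hits if e["action"] == "ALLOW"),
    }


def analyze(feed, enrichment, log_text):
    """Return the enriched-and-correlated view of every indicator, keyed by value."""
    events = parse_logs(log_text)
    result = {}
    for ind in feed:
        item = enrich(ind, enrichment)
        item["internal"] = correlate(ind, events)
        result[ind["value"]] = item
    return result


def needs_attention(analyzed):
    """Indicators with at least one allowed internal connection, most sightings first."""
    hot = [v for v in analyzed.values() if v["internal"]["allowed"] > 0]
    return sorted(hot, key=lambda v: v["internal"]["sightings"], reverse=True)


if __name__ == "__main__":
    analyzed = analyze(FEED, ENRICHMENT, PROXY_LOGS)
    for value, item in analyzed.items():
        print(value, item["enrichment"], item["internal"])
    print("Needs attention:", [v["value"] for v in needs_attention(analyzed)])
```

The hash indicator deliberately has neither enrichment data nor internal sightings: it comes out with an explicit no_data marker and zero sightings, which is the signal an analyst uses to age it out rather than treat it as cleared.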
Benefits of Analyzed Threat Intelligence
Better Detection and Monitoring
High-context threat intelligence can greatly improve threat detection and monitoring workflows when it is integrated with tools such as SIEMs, EDRs, and NDRs. A threat intelligence platform delivers correlated, enriched threat data into these tools, enabling them to detect threats more accurately and block them before they spread through the network.
Effective Threat Response
Threat intelligence analysis turns processed threat data into contextual threat intelligence by providing in-depth information and context about specific threats. Information such as details about threat actors, their capabilities, motivations, and the indicators of compromise (IoCs) can be correlated to get a bigger picture of a security threat or an attack. Depending on the extent and scope of the threat, security teams can deliver effective threat response to mitigate the impact.
Threat Triaging Through Confidence Scoring
Whatever feeds an organization collects, security teams can use confidence scores to judge the reliability and relevance of each piece of intelligence. A confidence score is computed from parameters such as the source of the information, the number of sightings, relationships with other threats, its Traffic Light Protocol (TLP) marking, geography, organization sector, and file type. Sightings counted from the organization's own telemetry are a stronger signal than sightings reported by a feed, which can be inflated by re-sharing, and scores should be recomputed as these inputs change so that stale indicators age out. This lets security teams prioritize action on the threats with the highest potential impact.
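An added example of the confidence scoring described above, together with the block/watchlist prioritization mentioned in the TIP section earlier (not code from the page or from any TIP vendor): each parameter the text lists is normalized to a 0..1 component, weighted, and summed to a 0..100 score, and thresholds turn the score into an action. The source-reliability and TLP tables, the organization profile, the weights and the thresholds are assumptions chosen for illustration, and the three indicators are constructed.

```python
"""Confidence scoring and prioritization of indicators.

Added example, not code from the page or from any TIP vendor. The weights,
reliability tables, organization profile and thresholds are assumptions; the
indicators are constructed. 'sightings' means matches against the organization's
own telemetry, not counts reported by the feed, so a widely re-shared indicator
cannot inflate its own score.
"""
from dataclasses import dataclass, field
from typing import Optional

# Assumed reliability of each source (0..1); unknown sources default to 0.2.
SOURCE_RELIABILITY = {"internal-ir": 1.0, "isac-share": 0.8, "vendor-feed": 0.7, "osint-feed": 0.4}
# Assumed TLP weighting: tightly shared intel tends to be more targeted and timely.
TLP_WEIGHT = {"RED": 1.0, "AMBER": 0.8, "GREEN": 0.5, "CLEAR": 0.3}
# Assumed profile of the organization doing the scoring.
ORG = {"sector": "finance", "geos": {"US", "GB"}}
RISKY_FILE_TYPES = {"exe", "dll", "js", "lnk", "hta"}
# Assumed weights; they sum to 100 so the score reads as a percentage.
WEIGHTS = {"source": 25, "sightings": 20, "relations": 15, "tlp": 10,
           "geo": 10, "sector": 10, "file_type": 10}


@dataclass
class Indicator:
    value: str
    itype: str              # "ipv4", "domain", "sha256", ...
    sources: list
    sightings: int          # internal telemetry matches
    relations: int          # linked actors, malware families, incidents
    tlp: str
    geos: set = field(default_factory=set)      # regions targeted, if known
    sectors: set = field(default_factory=set)   # sectors targeted, if known
    file_type: Optional[str] = None


def component_scores(ind):
    """Normalize each parameter to 0..1. Unknown geo/sector scores 0.5 rather
    than 0, so missing data is not mistaken for 'irrelevant to us'."""
    best_source = max((SOURCE_RELIABILITY.get(s, 0.2) for s in ind.sources), default=0.2)
    return {
        "source": best_source,
        "sightings": min(ind.sightings, 10) / 10,   # saturates at 10 sightings
        "relations": min(ind.relations, 5) / 5,     # saturates at 5 relations
        "tlp": TLP_WEIGHT.get(ind.tlp.upper(), 0.3),
        "geo": 1.0 if ind.geos & ORG["geos"] else (0.5 if not ind.geos else 0.2),
        "sector": 1.0 if ORG["sector"] in ind.sectors else (0.5 if not ind.sectors else 0.2),
        "file_type": (1.0 if ind.file_type in RISKY_FILE_TYPES else 0.5)
                     if ind.itype == "sha256" else 0.3,
    }


def confidence(ind):
    """Weighted score from 0 to 100."""
    parts = component_scores(ind)
    return round(sum(WEIGHTS[k] * parts[k] for k in WEIGHTS))


def action_for(score):
    """Assumed thresholds: block high-confidence IOCs, watchlist the middle
    band, keep the rest under monitoring and re-score as inputs change."""
    if score >= 75:
        return "block"
    if score >= 50:
        return "watchlist"
    return "monitor"


def prioritize(indicators):
    """Return (value, score, action) tuples, highest confidence first."""
    scored = []
    for ind in indicators:
        score = confidence(ind)
        scored.append((ind.value, score, action_for(score)))
    return sorted(scored, key=lambda t: t[1], reverse=True)


# Constructed indicators.
SAMPLE = [
    Indicator("b" * 64, "sha256", ["internal-ir"], sightings=4, relations=3,
              tlp="AMBER", geos={"US"}, sectors={"finance"}, file_type="exe"),
    Indicator("203.0.113.45", "ipv4", ["osint-feed"], sightings=0, relations=0, tlp="CLEAR"),
    Indicator("update-check.example", "domain", ["isac-share", "vendor-feed"], sightings=2,
              relations=2, tlp="GREEN", geos={"DE"}, sectors={"finance", "energy"}),
]

if __name__ == "__main__":
    for value, score, action in prioritize(SAMPLE):
        print(f"{score:3d} {action:9s} {value}")
```

The first indicator (internal IR source, several internal sightings, related objects, matching sector and geography, executable) scores 80 and is blocked; the OSINT IP with no sightings or relations scores 26 and is only monitored; the ISAC-shared domain lands exactly on the watchlist threshold at 50, which is the kind of borderline case that should be re-scored as soon as new sightings or relations arrive.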
Threat intelligence enables security teams to make faster and more informed security decisions and even change their approach from reactive to proactive in the fight against threat actors. Furthermore, high-fidelity threat intelligence enables security leaders to keep track of changing threat environments and identify high-risk assets.
The Bottom Line
Cyber threat intelligence is the end product of cyber threat analysis. The analysis comprises facts, findings, and forecasts, which enable the estimation and anticipation of attacks and their outcomes. It also helps security teams understand the sophistication of the threats staged against the organization and the exploitation strategies used, and identify areas of the organization's security posture that may be vulnerable to them.