Threat Intelligence (TI) can come from different sources—local or external feeds and includes attack signatures, registry data, IP addresses, domain names, and a host of other pieces of information often referred to as “artifacts” or “Indicators of Compromise.” TI also adds information about how adversaries operate and behave during an attack, often called Tactics, Techniques and Procedures (TTPs). It is not just daunting but also an expensive endeavor to hire enough analysts to manually combine the threat feeds together for analysis, make the intel relevant, and then push the insights to all other tools.
Threat Intelligence Platform or TIP offers the solution for this problem. A Threat Intelligence Platform aggregates hundreds of intel sources into a single repository for analysts to easily and effectively identify threats and build awareness and create context around the threats.
Let's explore the top four use cases for a Threat Intelligence Platform and how each use case helps security teams to fight cyber crime with confidence.
1. Incident Enrichment Using Threat Intel Data
Problem: Most tools that Security Operations Centers and Incident Response (IR) teams use to respond to alerts are very generic. There is not much of a correlation of network data and understanding of threats and attacker movements. Many times there is a dump of information including bad IP addresses or domains and someone has to be assigned to manually resolve to figure out false positives. There is also a lack of understanding of malicious families, hacking tools and their patterns of attacks. The process is cumbersome, takes up a lot of time, and is impractical. It’s especially so in the present security scenario where hundreds if not thousands of indicators are collected on a daily basis.
Solution: Accelerating incident response with Threat Intelligence Platform and alert enrichment using Threat Intelligence (TI) data.
Incident enrichment workflow in Cortex XSOAR Threat Intelligence Management leverages TI from our very own high-fidelity centralized threat intelligence library Unit42 to look up:
- Research data from Unit42 to learn about known malware campaigns or families
- IPs and domains with WHOIS data
- Passive DNS data
- Web categorization data
Our next release of TIM 3.0 coming up in December has enhancements and capabilities mentioned above to help respond to incidents with confidence. Here is a glimpse of this new capability.
2. Proactive Blocking of Threats
Problem: The security team needs to leverage threat intelligence to block or alert on known bad domains, IPs, hashes, etc.. The indicators are being collected from many different sources which need to be normalized, scored, and analyzed before the customer can push to security devices such as SIEM and firewall for alerting. Detection tools can only handle limited amounts of threat intelligence data and need to constantly re-prioritize indicators.
Solution: Proactive threat monitoring with playbook driven automation.
With indicator prioritization, you can ingest alerts from email inboxes through integrations. Once an alert is ingested, a playbook is triggered and can have any combination of automated or manual actions that users desire. The playbooks can have filters and conditions that execute different branches depending on certain values.
Here is a demo of how TIM works with pro-active blocking of threats.
3. Intelligence Reporting and Distribution
Problem: Threat Intelligence programs have a growing set of responsibilities. One of the key responsibilities is production and dissemination of threat intelligence reports which keep employees up to date on the latest threats targeting their industry. Most intelligence is still shared via unstructured formats such as email, blogs, etc. Sharing information about indicators of compromise is not enough. Additional context is required for the shared intelligence to have value. Analysts go through hours of manual work aggregating and digging for known malware families, curated news and threats related to the company, or the vertical for an industry and why the story is relevant to the company. They need to send this report out to a large audience for security awareness and alert to other stakeholders so they can facilitate better in the future.
Solution: Workflows and central repository for intelligence analysts to create, collaborate and share finished intelligence products with stakeholders via PDF reports. Intel analysts will be able to understand trends within threat intelligence using their local/curated intel + Unit42 threat intelligence. Consume RSS feeds to collect all the news sources.
Here is a demo of how TIM helps you with intelligence reporting and distribution..
4. External Threat Landscape Modeling
Problem: Threat Intelligence teams need to understand details of attacks and how their organization may be vulnerable. The foundational element of understanding risk/impact to an organization begins when threat analysts begin profiling the attacks.
Solution: Threat modeling to prevent or mitigate the effects of threats to the system.
Intel team builds profiles of threat actors, identifies if there are related attacks, identifies which techniques and tools the threat actor used. This information is shared to stakeholders including security operations and leadership.
See this demo to see how external threat landscaping is done in a real scenario.
Conclusion
While threat intelligence is data and information about threats, a threat intelligence platform is the collection, normalization, enrichment and actioning of data about potential attackers and their intentions, motivations and capabilities. This information can help organizations make faster, more informed security decisions, and thus be better prepared for cyberthreats.
The best threat intelligence solution for your organization will vary depending on your needs and we recommend a “use-case-centric” view when looking for the best solution for your organization.
Join us for an upcoming webinar to learn more about these use cases and how TIM’s next release helps you put threat intelligence to action. Register here.