UNDERSTANDING HOW TO LEVERAGE THREAT INTELLIGENCE WITHIN THE CYBER SECURITY ATTACK DETECTION AND RESPONSE PROCESS
By Piers Wilson, Head of Product Management, Tier-3 Huntsman
This article will explain threat intelligence and help readers to navigate the various products, services and offerings. It will help organisations make best use of the internal and external sources of intelligence that are available. Finally it will cover how best to factor them into the cyber security, threat detection and incident response processes to “shorten the window” from breach to detection to resolution.
Threat Intelligence is the subject of much discussion within the cyber security community where it is seen as an important way to optimise the detection of, and response to, cyber attacks.
UNDERSTANDING THREAT INTELLIGENCE
Threat Intelligence has been described as ‘evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard’¹.
In simple terms, Threat Intelligence helps you interpret security events:
- in the context of normal activity inside and outside of the enterprise; and
- in light of known sources of attack or pre-existing databases of security information.
The key advantage can be summarised as:
‘By looking for attack patterns identified via threat intelligence in your security monitoring/ analytics function, you can shorten the window between compromise and when you detect that compromise.’²
SOME EXAMPLE SCENARIOS
A simple example of this is the detection of a user who is accessing a permitted website, which has been compromised and is now known to be distributing ‘drive-by’ malware downloads.
There is information available about compromised web sites; so this access can be detected at the point where the user makes the request (either at the proxy, at the firewall or from real-time logs). Analysts can configure an alert to detect attempts to access compromised web pages. These alerts can also trigger automated actions to capture data from the source system for subsequent analysis, enabling analysts to rapidly block the traffic or quarantine the system.
A second example would be an internal list of systems or users that are the subject of current security investigations. Here you would use Threat Intelligence to flag up any activity relating to those “sensitive” systems/identities to the relevant people immediately, rather than depending on their actions triggering some other security detection system.
The use of referenceable threat intelligence goes beyond the detection of threats and supports the incident triage and diagnostic process as well by providing context in support of the analysis of incidents that have been detected by other means.
Threat Intelligence is a relatively new concept and needs to be deployed thoughtfully to ensure meaningful results. For instance, intelligence that is drawn solely from a single vendor’s customer deployments, may have limited utility and value.
CHOOSE YOUR THREAT INTELLIGENCE SOURCES
Sources of threat intelligence may be internal and external, commercial (proprietary) or open source. External sources include security products and network appliance vendors, security associations and communities, MSSPs and cyber security consultancies.
Ideally, organisations should combine and use intelligence from multiple sources, but it pays to choose those most pertinent to your business or industry. Recent research by Forrester³ stresses the need for intelligence to be actionable and aligned to your business to ensure that you strike a balance between specific organisational information (which is unique to you and hence more expensive) and general information (that is global in nature so only helpful against non-targeted attacks).
The table below shows some examples of different types of Threat Intelligence:
WHY CONTEXT IS CRITICAL
Additional context around events affords your Security Operations team deeper insights before and during investigations.
By monitoring threat intelligence repositories to build a profile of event patterns and their relevance; and comparing these with a set of known, documented, recorded or anticipated threats, monitoring systems can raise contextual alerts to enable early investigation of potential threats in real time. This is clearly better than responding at some period after the event, or when the initial probe from an attacker has already been able to exploit a current vulnerability.
As Figure 1 above shows, the utilisation of threat intelligence information is dependent on some specific requirements:
- For externally derived threat intelligence identifying the right source(s) is key – e.g. open sources or commercial.
- For internally derived intelligence, the availability is less of a problem; however, identifying what is available and then gathering it in such a way that it is actionable is vital.
- Where contextual sources are useful the creation of data flows and feedback loops (often between systems) is required. For example, ensuring the IP addresses of “vulnerable platforms” are available to a SIEM solution in order that specific alerts can be triggered if an exploit is detected.
The effort and expense involved in achieving this can vary depending on the capabilities of the technological building blocks you have in place.
Figure 1: Threat Intelligence information flows within the incident investigation process.
Image © Tier-3 Pty Ltd. 2014, All rights reserved.
As we explain below, there is clarity of purpose and a tangible business benefit resulting from getting this right.
‘SHORTENING THE WINDOW’ OF ATTACKS
Using threat intelligence to aid detection accuracy and speed as well as to provide context during investigation increases effectiveness and responsiveness in a number of crucial ways:
- Faster and more accurate detection of security incidents.
Working with current intelligence in real-time, faster and more accurate decisions (automatic or manual) can be made about the significance of events, alerts and deviations from normal behaviour.
- Faster diagnosis and less wasted time.
By presenting analysts with fewer and more accurate alerts that have been triaged based on context and risk (with reduced false positives and background ‘noise’), the security team can focus on the serious threats.
- Faster decision-making with more context and more relevant detail.
By providing the status of affected systems and their users, and up-to-date threat intelligence; analysts don’t have to spend time piecing together intelligence from multiple sources manually during an investigation.
- Faster response to incidents by creating feedback loops and automated actions.
This helps security staff detect and stop the spread of attacks and ‘kill chains’ as they occur, rather than following a ‘cold trail’ during a post mortem long after the event. Automating safe actions (and enabling them to be rapidly revoked) gives greater confidence to the analyst responding.
- Prevention of loss or damage due to early detection, investigation and resolution.
With better threat intelligence, rogue users can be intercepted, information flows can be halted and personal data or IP can be secured before it is compromised, extracted or lost.
In short, the goal is to enable your security function to make faster decisions, to reduce the time and cost to investigate and resolve incidents, and to reduce the scale and cost of breaches should they occur.
One further area to consider is the “community” or sector within which a business operates. There are often families of attacks, individual threat actors or groups, or trends that have a particular focus within a sector, business demographic or geographic locale.
The value of threat intelligence derived from within a community of interest sits somewhere between the direct usefulness of specific knowledge about threats to your business, and, more generally, public or commercial subscriptions and open sources that are available.
Sometimes within sectors like government or critical national infrastructure, there are specific organisations that collate and distribute threat information. Even in the wider commercial sector there are groups (often linked to industry bodies) that can act as an arbiter/ exchange for information that can be of benefit to the wider community.
Having access to these sources, whether structured and organised4 or informal and community-driven, is certainly useful. As this article has shown, building threat information into the security operations detection and investigation processes works best when it is actionable and relevant within the diagnosis lifecycle.
Where there is community threat intelligence available to an organisation, it is important to consider how intelligence gained from its own security operations activity is provided back to the community itself. The successful operation of these communities and bodies depends on there being a flow of derived threat, attack source and diagnostic information out of an organisation as well as in to it as part of a two-way process. However, this openness and sharing of threat and attack information is often not second nature to many security teams or organisations – so engaging fully will necessitate consideration and understanding the economic balance between information provided and the value of intelligence derived.
Threat intelligence is becoming critical for effective cyber security, especially in the current landscape of ever more diverse and stealthy threats and where both targeted and non-targeted attacks are used interchangeably.
The growing popularity of cloud services, mobile devices/BYOD and the “Internet of Things” pose more challenges as data flows are more fluid and the attack surface is broadened. Security analysts are in short supply and existing security teams are under constant pressure to deliver more with less. Hence, there is a constant need to optimise detection, hasten understanding and to make sure that the right diagnostic information is available quickly (preferably automatically).
When the security operations function has access to useful threat intelligence – however derived, there are clear advantages that can be gained. These include:
- Increasing the speed and reliability of threat and attack detection;
- Adding confidence to diagnostic decisions that are made around false positives as opposed to actual attack or reconnaissance activity;
- Ensuring that relevant information (either externally or internally derived) is available to investigators in a timely manner;
- Improving risk perception at both an organisational and individual level;
- “Shortening the window” of the attack from the initial occurrence, detection, understanding and resolution;
- Reducing impacts, losses and costs due to incidents either through deflecting more attacks or catching those that do occur earlier in their lifecycle;
- The ability to learn patterns and better understand the wider cyber-security threat environment.
There is also a degree of hype in what is still an emerging theatre of operation. Many vendors are claiming to provide threat intelligence – these include simple information brokers, managed services and products that can utilise it. Information service offerings can be very general or more specific; everything from “these are things on the Internet that we have noticed” to “this single element is a direct threat to your business”. As with other solutions, there are varying levels of quality.
“Threat Intelligence” is less of a product or a service, and more of an “initiative”. It is a way of thinking about the holistic security operations process. There are sources of information that can be accessed or derived and products that can utilise this information; but organisations need to understand the interactions.
Having access to data is important, but it will only become actionable if you also have the right tools, processes and an operational capability that can leverage it. ■
- “Threat Intelligence”, Gartner, May 2013.
- https://securosis.com/blog/TISM-benefiting-from-the-misfortune-of-others, Securosis, January 2014
- “Use Actionable Threat Intelligence To Protect Your Digital Business”, Forrester, August 2014
- Often this function is performed by a CERT or through some form of information exchange.
ABOUT THE AUTHOR
Piers Wilson is Head of Product Management at Tier-3 Huntsman, a leading provider of intelligent security and threat monitoring solutions. Prior to that he has spent many years working in senior roles as a consultant in cyber-security and the related fields of information assurance and data protection – most recently as a Senior Manager at PricewaterhouseCoopers and before that as Head of Technical Assurance at Insight Consulting. Over the last 20 years he has worked in both the public and private sectors and on a wide range of technical and managerial projects. He is also a Director of the Institute of Information Security Professionals (IISP).
See www.tier-3.com and www.iisp.org.