Automated Threat Intelligence: An Overview
SecOps and security teams spend an excessive amount of time sifting through low-value, poorly-contextualized alarm data rather than actively hunting for valid threats. This is because bad actors are constantly looking to steal whatever they can hold onto with the least exposure. Recent ransomware attacks in critical business sectors only serve as reminders that organizations cannot lie dormant.
This blog post will unpack strategies to help overcome these challenges and explain why integrating threat intelligence with security orchestration and automation is critical for an effective security operations strategy.
What Is Threat Intelligence and Why Is It Needed?
Threat intelligence is the evidence-based collection of information and the observation of the capabilities, techniques, motives, goals, and targets of an existing threat. Simply put, it’s everything that you know about your attacker – actual or potential – based upon their motives and how bad they can damage your business assets.
Threat intelligence is not a checklist. It’s a cycle of well-defined processes and operations that involves collecting and managing potentially valuable pieces of information called observables, cleaning and normalizing these obersvables, comparing them to current data to remove duplicates, and then storing them in a structured, human-readable format.
However, transforming raw collections of data into valuable and actionable intelligence observables requires a lot of effort. The data must pass through many layers of processing and evaluation before reaching the end product. According to established practice, you should have a six-part cycle of data collection that consists of direction, collection, processing, analysis, dissemination, and finally, feedback. Due to the nature of these operations, you need to keep an eye out for new threats and an eye on your adversaries’ capabilities at all times. It’s also just as important to maximize your use of resources.
You need to be able to identify the most critical threats and act on them before they make their move – and doing so accurately means that you can stay alive longer. Therefore, the first and most important part of operating a threat intelligence network is to figure out how to automate the whole security orchestration.
6 Ways to Automate Your Threat Intelligence
As we’ve mentioned, the most effective way to gather actionable and valuable threat intelligence is through security orchestration and automation. The general operations that you need to automate may include the following:
- Pulling relevant observables from alerts or emails into the right IoC: Observables are often stored as strings that represent hashes or registry keys. They can even be stored as event types (such as the creation or deletion of certain files). These events usually come from automated systems that monitor pertinent files and system components that are critical to the operation of computers and networks. You will need to be able to pull observables from emails, Slack messages, or alerts into relevant Indicators of Compromise (IoC) containers.
- Creating tickets/issues on tracker software: Once the IoC containers have been populated with observables, you will need to set up automatic alerts based on specific rules and conditions, such as when events match criteria for generating suspicious files or deleting sensitive log files from the system. Creating tickets and triggering incident response systems will help bring people up to date on any suspicious activity.
- Delivering results through email and instant messaging: Effective communication means providing relevant parties with actionable information when an IoC needs attention. This can be accomplished through email, instant messaging, or applications.
- Collecting more information about IP, domain, email, file, and signatures from various sources: When collecting observables, you will need to expand their origin from several vetted and established sources. This could include critical, public, or private organizations like SANS Internet Storm Center or DomainTools. All of the feeds need to be cleaned, parsed, and stored in the same structure for further analysis.
- Performing contextual log searches for IP, domain, email, file, and signatures: Searching for matching IoC based on specific IP, domain, email, file, or signatures should be quick, accurate, and thorough. Another way to improve this process is to enable the saving of search queries so that they can be attached to automated alerts.
- Offering IoC block settings: IoCs are significant indicators that a particular resource has likely been compromised. Services and operators need to respond to actionable events in case there are active threats, and they should be able to create blacklists to block those threats quickly.
Getting Started with Automated Threat Intelligence
Automating your threat intelligence initiatives is not without its challenges, chief among which is an organization’s willingness to step up their security operations and transform the way they do business in a digital online world where they are constantly under threat of attack.
Threat intelligence is a good way for organizations to take the offensive position, plan for the unexpected, and protect their critical assets and their image. By automating their threat intelligence operations, they can turn the tables and provide a consistent response to threats that happen during their operational hours. If you want to delve deeper into threat intelligence, you can explore these community repo resources, or learn more about how Torq can help.