Prescriptive Adoption Motion - Threat intelligence
The degree of sophistication and advanced threats, along with the large volumes of data involved with threat detection, make the work of security analysts difficult day-to-day. Sifting manually through hundreds of security alerts to find real threats is a nearly impossible task. SOCs face many challenges in their efforts to protect their business:
- The vast amounts of data collected by an organization
- Understaffed security teams trying to keep on top of threats
- The fatigue that sets in on analysts chasing alert after alert
While security teams use resources and software tools to face these challenges, often the solutions they introduce into their infrastructure don’t integrate easily or seamlessly in their organizations. With attackers becoming increasingly sophisticated in exploiting cybersecurity gaps to breach organizations, security teams must improve their threat intelligence capabilities.
Actionable threat intelligence is an essential function to protect digital infrastructure and assets successfully. Understanding the threat landscape means organizations can accurately identify and prioritize risks, while implementing the right processes, tools and techniques to respond to threats. When it comes to threat intelligence, it's essential to search for information in the right places. However, knowing what and where to look is becoming increasingly difficult, since threat actors use diverse channels and methods to avoid detection. Many threat actors operate through the deep web or dark web, so security teams must be familiar with these often-overlooked parts of the cyber world. To proactively prevent attacks, organizations must also understand how attackers can target them.
A threat intelligence integration aids the processing and analysis of data from multiple feeds, improving security and visibility. This prevents staff overload by providing them with an effective means of analysis in near real-time, helping them respond more quickly and accurately to threats.
The benefits of using threat intelligence include:
- Identify threats specific to your business and profile. Aggregate your internal logs and combine them with your threat intelligence to quickly identify which feeds are most applicable to your environment.
- Build confidence in your threat assessment. Maintain a record of false positives, so you can assign a level of confidence to incoming feeds and prioritize your response.
- Build deeper insight and context into the threat. Add contextual and relationship-rich indicators to alerts and events for a more in-depth understanding of risk and a more informed incident response.
- Leverage information sharing networks for additional enrichment. Share threat data for further enrichment from other data sources and intelligence communities.
- Integrate automation workflows and orchestration. Use SOAR platform workflows to drive actions via integrations with the rest of your security infrastructure, and turn your own incident data into internal threat intelligence, which is the most valuable.
Aim and strategy
Splunk customers who are able to advance and mature their threat intelligence capabilities are more likely to detect and respond to credible threats, and have more insights into the threats that bubble up. Contextual information derived from threat intelligence can help SOC teams make more actionable, timely and appropriate decisions, and even helps teams identify threats proactively before they are known.
Threat intelligence management performs three basic functions:
- Aggregation. Brings multiple threat intelligence data feeds into a centralized feed or repository.
- Analysis. Curates data, using indicators of compromise to define and identify security threats.
- Action. Disseminates relevant threat intelligence with incident response and defense teams for defensive posture adjustments or incident response activities.
Each of these functions plays a role in the security lifecycle of information as it is collected, assessed, disseminated, and actioned. The following steps provide a detailed breakdown of the components involved in the threat intelligence security lifecycle:
- Collection. Identify data that provides value and relevance to your organization, with intelligence related to industry, geography, or a specific type of threat, such as malware. Ingest and aggregate data from multiple threat feeds, for example CSV, STIX, XML, JSON, OpenIOC, or raw data formats. Data should be included from internal sources such as network activity events, and from external sources such as public feeds and the dark web.
- Correlation. Where possible use automated processes, such as a Threat Intelligence Platform (TIP) to sort the data, organize it with metadata tags, and remove non-relevant or redundant information. Then compare the data with previously curated information, searching and finding patterns or correlations to detect threats.
- Contextualization or enrichment. Context is key in threat intelligence. Without it, analysts may easily confuse an anomaly with a threat while overlooking the real threats. Enrichment provides context to data to help eliminate false positives or connect a relationship. Adding data such as IP location, network information, and blocklists provides teams with as much detailed information about the potential threat as possible.
- Threat analysis. Processing and enriching intelligence-based threat indicators in real-time allows analysts to see the relationship between data events. Security analysts can use this information to detect hidden threats and proactively hunt out unknown risks.
- Integration. Contextualized threat intelligence can now be integrated with security tools, such as Splunk Enterprise Security, Splunk SOAR, and Splunk Mission Control to maximize information correlation and investigation.
- Action. Use threat intelligence integration in the processes that aid in automated responses. When events are actioned in Splunk SOAR or Splunk Mission Control, the automated analysis of event data helps facilitate collaboration with internal and response teams, and shortens the response time (MTTR) in the event of an active cyber attack.
This lifecycle continually operates and improves as the program matures to help achieve the goal of collection and contextualization of data in a team's effort to perform informed risk based threat detection, mitigation, analysis, and response.
Common use cases
- Incident enrichment and contextualization of security event data
- Vulnerability assessment and prioritization
- Creating a threat intelligence-led incident response plan
- Threat hunting and proactive defense
- Threat modeling
User roles
Role | Responsibilities |
---|---|
Threat Intelligence Analyst | Gather, sort, investigate, and perform threat research which can be used in active and proactive defense. |
SOC Analyst | Conduct investigations and use enriched security event data to assess threats and risks detected by security tools. |
Splunk Enterprise Security or Splunk SOAR Admin | Administer and configure threat intelligence feed sources and troubleshoot data integration problems. |
Information Security Management | Provide security strategy, approvals, and project sponsorship. |
Preparation
Starting to build a threat intelligence strategy can often be challenging due to the dynamic nature of cyber threats. Organizations must be able to rapidly adapt to the evolving threat landscape and changing risk posture of their strategy. The threat intelligence lifecycle is the framework that helps teams plan and execute their project, optimize resources, and respond to threats.
1. Prerequisites
1.1 Requirements
In this stage, teams lay out their roadmap for threat intelligence operations. It is a crucial stage in planning when teams agree on the threat intelligence program’s goals and methodologies. A few of the following elements might be identified in this stage:
- Adversaries. Who they are and what motivates them.
- Attack surface. Which areas, assets and processes are most vulnerable to attack and exploitation.
- Mitigation and prevention. Identifying the specific measures to defend against gaps in defense and future threats.
1.2 Data collection
After a program’s requirements have been designed and approved, teams can start collecting information needed to meet the specified objectives. This usually includes identifying and collecting public data sources, network traffic logs, chat forums, social media platforms, and industry specific intelligence.
Threat intelligence generally falls into four categories that collectively provide a comprehensive assessment of the cyber threat landscape:
Strategic intelligence. Strategic threat intelligence summarizes potential attacks and consequences for a non-technical audience, such as business stakeholders. This information is generally based on in-depth analysis of emerging trends and risks. Intelligence teams usually present this type of analysis as a blog, white paper, report, or presentation. It describes the threat landscape affecting a specific organization or industry vertical at a high level.
Tactical intelligence. Tactical threat intelligence provides details about the tactics, techniques, and procedures (TTP) used by attackers. Tactical intelligence is intended to be consumed by the individuals directly responsible for security of the organization (for example Security Analysts, Security Engineers, or Threat Intel Analysts). It describes attacks in significant detail, covering how an organization might be targeted, and how best to mitigate or defend against attacks.
Technical intelligence. Technical threat intelligence focuses on the indicators of compromise (IoCs) that suggest an active attack. These IoCs include reconnaissance actions, weaponization of vulnerabilities, and attack vectors. This type of intelligence plays a key role in thwarting social engineering attacks. Many people confuse it with operational intelligence, but the difference is that technical intelligence is more adaptable, quickly adjusting when attackers change their tactics to exploit new opportunities for attack.
Operational intelligence. This type of threat intelligence includes information from various sources, such as social media platforms, chat rooms, antivirus logs, and historical events. Analysts use operational intelligence to predict the timing and nature of future cyber attacks. Machine learning and data mining enable the automatic processing of many data points in different languages. Incident response and security teams use operational intelligence to adjust the configurations of security controls, including firewall rules, access controls, correlation detection rules, and incident detection and response policies. It helps reduce response times (MTTR) by providing a clear direction for investigation.
1.3 Data processing
After collecting raw threat intelligence data, it must be processed into suitable formats for integration and analysis. The processing stage usually involves:
- Arranging the data into spreadsheets
- Translating data from various formats and sources into compatible fields that can be integrated with security tools
- Assessing the information’s reliability and relevance
1.4 Data Integration
After data is formatted for use within your security tools, the process of bringing that data together for use as enrichment or detection is the next stage. This can involve:
- Creating lookup tables or reference lists in your SIEM
- Installing applications that use API connections to query data in your TIP or Threat Intelligence Management (TIM) platform
- Creating or adjusting correlation activity to detect information from list, tables or lookups
- Building automation workflows as part of response processes to use threat intelligence references to provide enrichment to save analyst time and effort of collecting and connecting the dots
2. Recommended training
3. Resources
4. Considerations
Organizations deploying a threat intelligence platform may find themselves overloaded if the volume of data is too high. If you have data coming from multiple independent intelligence sources, you need to process the context of this data to effectively filter alerts. This process can be automated with the use of machine learning, or by simplifying the process from the start and bringing in feeds individually that can be curated from the onset.
While TIPs work by identifying indicators of compromise (IOC), they focus on the tactics, techniques, and procedures (TTP) to detect threats. Sifting through alerts without relevant context can result in an overload of alerts. Integrations such as ES and SOAR enable the threat intelligence platform to add sequence and logic to identify threats as they align to events and alerts.
Implementation guide
Integration of Splunk Enterprise Security with threat intelligence data or information accessible via a threat intelligence platform can assist in prioritizing alerts, adding value to Splunk Enterprise Security and to the entire response process.
Splunk Enterprise Security, like many SIEM platforms, has built-in threat intelligence management capabilities that can enhance the accuracy and effectiveness of your defense. Some of the key features present in Splunk Enterprise Security include:
- Integrated threat lists. 30+ intelligence feeds and frameworks that can be enabled for use to provide additional contextual information and detections.
- Behavior analytics. Splunk Cloud Platform leverages behavioral analytics to detect behavior anomalies that may result in an attack. It correlates the data, giving it context, effectively identifying if the threat is real, and determining its level of severity.
- Notable integration with Splunk SOAR. Use Splunk SOAR to automate the collection of data and response to low-level security events. Splunk SOAR identifies events of interest, compares them with existing threat intelligence data, and follows up with mitigation activities. With automation in place, analysts have more time to focus on high-level, complex threats.
Threat intelligence feeds support early incident detection by helping teams classify high-risk activities and security incidents. They also help guide the response efforts associated with investigating and remediation. This information is especially useful when integrated into an automated incident response pipeline because it helps predict the course of an attack.
As an Splunk Enterprise Security administrator, you can correlate indicators of suspicious activity, known threats, or potential threats with your events by adding threat intelligence to your deployment. Adding threat intelligence enhances your analysts' security monitoring capabilities and adds context to their investigations.
Enabling threat intelligence with Splunk Enterprise Security is a simple process:
- Using threat intelligence in Splunk Enterprise Security
- Add threat intelligence to Splunk Enterprise Security
- Expand Splunk Enterprise Security threat intelligence coverage with apps from Splunkbase
You can check these guides to see how to use threat Intelligence with Splunk SOAR and Splunk Mission Control:
Success measurement
When implementing this guidance, you should see improvements in the following:
- Input
- How many alerts were enhanced with intelligence?
- How many feeds are being ingested?
- Analysis
- Number of new external campaigns/threat groups tracked.
- Vulnerabilities that are being tracked.
- Number of techniques, tactics, and procedures (TTPs) detections added to SOC workflow (for example Yara, IDS sigs).
- Number of indicators of compromise (IOCs) for detections or mitigations added to SOC workflow (IP addresses, domains, file hashes).
- Feed efficacy (new data added, old data expired, uniqueness of data).
- Output
- Curated intelligence published (daily, weekly, quarterly, flashes).
- How many threat intelligence projects were successfully completed?
- Number of stakeholder interactions influenced by threat intelligence (for example security architecture, physical security).
- Due diligence - how often did you check specific feeds with auditable results?
- How many failures to correctly anticipate events were there?
- How many analysis judgments were made, but proven later to be incorrect?
- Number of stakeholders that provided threat intelligence relevant to needs.
- Impact
- Percentile finds directly attributable from threat intelligence - what sources, and what source found what.
- Incident response tickets directly attributable to intelligence.
- Instances where threat intelligence has led to re-prioritization (for example, urgent patching, new architectural direction).
- Number of campaigns/threat groups identified directly targeting the organization.
- Timeliness of notification versus patching.
- Timeliness of intelligence versus event.