Integrating Threat Intelligence Into Your Security Program
When it comes to securing your assets you need all the help you can get and it’s about time we realized that we’re not in this alone. Many other security teams are in the same boat and we need to stick together when it comes to defending our data and infrastructures. We’re in a constant arms race with the bad guys who have been known to join forces and attack a particular group/organization to fulfill their evil agenda. With the bad guys working together and sharing information, why can’t we? This is why threat intelligence has become such a burgeoning new market. Once we grasp the fact that we’re not in this alone, we can start understanding that there’s the possibility to share our resources to help defend against the other side.
What is threat intelligence? That’s a great question. Depending on whom you ask right now in the cyber community, it could mean five different things to five different people. In a nutshell, it’s the ability to have actionable data about an attack or attacker, so that you can make an educated decision on alerts and incidents. This actionable data is a great starting point for understanding whether a particular alert or event has been seen by someone else in the infosec community. Let’s consider Edward Waltz’s statement on intelligence and how it’s used: “information and knowledge about an adversary obtained through observation, investigation, analysis, or understanding, is the product that provides battle space awareness.” Armed with this intelligence, we as defenders can make stronger decisions and focus on alerts or incidents that we might not have reviewed without it. Now that we’re familiar with what intelligence is used for at a high level, let’s discuss it in more detail and look at how it can be used operationally.
There are many startups right now that are offering threat intelligence services, but as we discussed earlier, the gist of threat intel is having data ahead of time to compare against events and give you a “heads up” on issues that should be reviewed (actionable). Each company does its threat intel discovery differently: some set up honeypots, scour the web, perform research, or purchase the information from other vendors or researchers. This way is fine, but I think in the long run we’ll get a higher level of confidence in threat data that people are willingly sharing with a community. Allowing services to anonymize the data that’s entering your network and share it will give the intel community a more focused view of intelligence, even to the point of having intelligence by sector, so that if the same attackers are looking to hit the same sector again, you’d be notified. I’m sure if you were in retail you’d be very anxious to get the data and alerts from Target in your possession. This shared community, where people are not only using the information in the community but actively contributing to it, is where we need to get to as cyber defenders.
Now that we have this intelligence thing down, how can we make the best use of it? What’s needed is for this intel to be integrated into your currently installed defense systems. This can come in the form of feeds from the provider that are streamed into your equipment, downloaded, or manually uploaded. You’re looking for the quickest way to have the intel inserted into your equipment so that you have the actionable data at the ready. A few systems that accept these data feeds are IPS, firewalls, log management, SIEM, web filters, and mail gateways. These are the normal places where you’re going to use this intelligence to compare your events against IOCs (indicators of compromise). These IOCs (virus signatures, IP addresses, hashes of known malware, URLs of phishing sites, etc.) can be used as an early warning of an attack against your systems and as a sign of future attacks. As an example, tying the threat intelligence into your SIEM will alert you when an IP address in China, which was recently used in an APT attack against another company, is port scanning your DMZ. This intel will not only show what attacks are occurring, but also what the attackers’ motivation is. If this IP address has been seen performing DDoS attacks and holding sites for ransom, it’s a good bet that they might be looking to do something similar. Combining your current data with the threat intelligence gives you a better understanding of what the ramifications of these events might be. Going back to our example, many times you won’t think twice about a simple port scan, but when you know who’s behind it you might want to make adjustments. It’s all about the intel, baby.
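The SIEM-style correlation described above, as an added example that is not part of the original post: a small Python script loads an IOC feed (constructed here as CSV; the column layout, the feed entries, and the log lines are all assumptions made for the example, not data from any real provider), parses firewall and proxy log lines, matches source, destination, and hostname fields against the feed, and enriches each hit with the feed’s tags and source so the analyst sees the adversary’s history. A known-bad source that touches several distinct ports, the port-scan case from the paragraph, is escalated from medium to high severity.

```python
import csv
import io
import ipaddress
import re

# Constructed IOC feed in CSV form (column layout is an assumption for this
# example; real feeds arrive as STIX/TAXII, JSON or vendor-specific CSV).
IOC_FEED_CSV = """indicator,type,tags,source,last_seen
203.0.113.45,ip,"scanning,ddos,extortion",community-share,2014-03-01
198.51.100.0/24,cidr,"apt,recon",sector-share,2014-02-20
evil.example,domain,"phishing",community-share,2014-03-03
"""

# Constructed firewall and proxy log lines: "<ts> <device> <action> k=v k=v ...".
SAMPLE_LOGS = """2014-03-05T10:01:12Z fw01 DENY src=203.0.113.45 dst=192.0.2.10 dport=22 proto=tcp
2014-03-05T10:01:13Z fw01 DENY src=203.0.113.45 dst=192.0.2.10 dport=23 proto=tcp
2014-03-05T10:01:14Z fw01 DENY src=203.0.113.45 dst=192.0.2.10 dport=80 proto=tcp
2014-03-05T10:02:00Z fw01 ALLOW src=198.51.100.77 dst=192.0.2.11 dport=443 proto=tcp
2014-03-05T10:03:00Z fw01 ALLOW src=192.0.2.50 dst=192.0.2.53 dport=53 proto=udp
2014-03-05T10:04:00Z proxy01 GET src=192.0.2.51 host=evil.example path=/login
"""

KV_RE = re.compile(r"(\w+)=(\S+)")


def load_ioc_feed(feed_text):
    """Parse the CSV feed into lookup structures keyed by indicator type."""
    iocs = {"ip": {}, "cidr": [], "domain": {}}
    for row in csv.DictReader(io.StringIO(feed_text)):
        row["tags"] = row["tags"].split(",")
        if row["type"] == "ip":
            iocs["ip"][ipaddress.ip_address(row["indicator"])] = row
        elif row["type"] == "cidr":
            iocs["cidr"].append((ipaddress.ip_network(row["indicator"]), row))
        elif row["type"] == "domain":
            iocs["domain"][row["indicator"].lower()] = row
    return iocs


def parse_log_line(line):
    """Split one log line into a dict; returns None for lines that do not fit."""
    parts = line.split(maxsplit=3)
    if len(parts) < 4:
        return None
    event = {"ts": parts[0], "device": parts[1], "action": parts[2]}
    event.update(KV_RE.findall(parts[3]))
    return event


def _ip_hits(value, iocs):
    """Exact-IP and CIDR lookups for one address; non-IP values yield no hits."""
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return []
    hits = [iocs["ip"][addr]] if addr in iocs["ip"] else []
    hits.extend(rec for net, rec in iocs["cidr"] if addr in net)
    return hits


def match_event(event, iocs):
    """Return (observed_value, ioc_record) pairs for each field that hits the feed."""
    hits = []
    for field in ("src", "dst"):          # inbound and outbound directions
        if field in event:
            hits.extend((event[field], rec) for rec in _ip_hits(event[field], iocs))
    host = event.get("host", "").lower()
    if host in iocs["domain"]:
        hits.append((host, iocs["domain"][host]))
    return hits


def correlate(log_text, iocs, scan_port_threshold=3):
    """Match every event against the feed and aggregate enriched alerts.

    Each alert carries the feed's tags and source, so the analyst sees what the
    adversary has done elsewhere, not just a bare hit. A matched address that
    touched at least scan_port_threshold distinct destination ports is
    escalated to 'high' (the known-bad IP port scanning the DMZ)."""
    alerts = {}
    for line in log_text.splitlines():
        event = parse_log_line(line)
        if event is None:
            continue
        for observed, rec in match_event(event, iocs):
            key = (observed, rec["indicator"])
            alert = alerts.setdefault(key, {
                "observed": observed, "indicator": rec["indicator"],
                "type": rec["type"], "tags": rec["tags"], "source": rec["source"],
                "events": 0, "ports": set(), "severity": "medium"})
            alert["events"] += 1
            if "dport" in event:
                alert["ports"].add(event["dport"])
    for alert in alerts.values():
        if len(alert["ports"]) >= scan_port_threshold:
            alert["severity"] = "high"
    return sorted(alerts.values(), key=lambda a: (a["observed"], a["indicator"]))


if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOGS, load_ioc_feed(IOC_FEED_CSV)):
        print(f"[{alert['severity']:6}] {alert['observed']} matched {alert['indicator']} "
              f"({alert['type']}; tags={','.join(alert['tags'])}; source={alert['source']}; "
              f"events={alert['events']}, ports={sorted(alert['ports'])})")
```

Run as written, the script produces three alerts: the scanning source hits the exact-IP indicator on three ports and is escalated to high, the address inside the shared CIDR range stays at medium with a single event, and the proxy request to the phishing domain is reported with the community source that contributed it. The same structure scales by swapping the constructed feed for your provider’s export and feeding it real log lines; the design point is that the tags and source travel with the alert, which is what turns a simple port scan into an event worth adjusting for.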