Core Functions of a Threat Intelligence Platform — Part 2: Enriching Threat Intelligence
Posted by Chris Jacob
So you’ve used your threat intelligence platform (TIP) to wrangle the herd of data feeds into something manageable. What’s next? How do you take this subset of threat data and turn it into actual consumable threat intelligence? If your threat intelligence platform is worth its salt, you do that with data enrichment.
Spend any time at a Security Operations Center (SOC) or with an Incident Response (IR) team, and you will see the analyst with 20 tabs open, feverishly copying and pasting IoCs from spreadsheets into tools, and adding the results back to the spreadsheet. Lather-rinse-repeat. Worse yet, the other analysts on the team do not benefit from that individual’s research.
While automation is important, the need for an analyst to have that “workbench” to practice their tradecraft is paramount. Submitting hashes to VirusTotal, for instance, can unlock a treasure trove of additional information. Being able to submit that query from within the platform increases efficiency, and having the resulting information added to the dossier instantly increases situational awareness.
We often refer to this as the battle rhythm, which is the process of taking “raw signals” and applying analysis, correlation, and fusion.
For example, an OSINT (Open Source Intelligence) feed may serve as the source of raw signal, and VirusTotal is the tool used for analysis. The results from VT could be a related indicator that already exists in your threat intelligence platform, which would give you correlation. Finally, connecting these two disparate pieces of data gives you fusion.
Further, we can begin to run some of this data past our internal data sources. Pushing contextualized data to your SIEM, for example, may result in hits that further enhance the data, giving a better look at the bigger picture. This creates a feedback loop that can raise or lower the value of an atomic indicator. Another example would be feeding the firewall a baseline of IPs to block and then monitoring the resulting hits. Imagine being able to tune a firewall policy based on the individual type of traffic on that specific data path.
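The battle rhythm just described, as an added example that is not ThreatQ's own code: a raw OSINT signal is enriched through a stubbed analysis lookup (a constructed stand-in for a VirusTotal response), correlated against indicators already in the platform, fused by recording the relationship between them, and then re-scored from constructed SIEM hit counts to model the feedback loop. All indicator values, source names and scoring weights are constructed for illustration.

```python
from dataclasses import dataclass, field

@dataclass
class Indicator:
    value: str
    itype: str
    score: int = 50                      # neutral starting score (constructed scale 0-100)
    sources: set = field(default_factory=set)
    related: set = field(default_factory=set)

# Constructed stand-in for an analysis tool's answer: hash -> hosts it contacted
ENRICHMENT = {
    "0123456789abcdef0123456789abcdef": {"domains": ["update.example.invalid"]},
}

# Constructed OSINT feed: the "raw signal"
OSINT_FEED = [("0123456789abcdef0123456789abcdef", "md5")]

def build_platform():
    """Indicators already in the TIP before this batch (constructed: added by IR)."""
    existing = Indicator("update.example.invalid", "fqdn", sources={"ir-team"})
    return {existing.value: existing}

def enrich(tip, feed):
    """Analysis, correlation and fusion over one feed batch; returns links made."""
    new_links = 0
    for value, itype in feed:
        ind = tip.setdefault(value, Indicator(value, itype))
        ind.sources.add("osint")
        for domain in ENRICHMENT.get(value, {}).get("domains", []):
            related = tip.get(domain)                 # correlation: already known?
            if related is None:                       # otherwise it becomes a new dossier entry
                related = tip.setdefault(domain, Indicator(domain, "fqdn"))
            related.sources.add("analysis-tool")
            ind.related.add(domain)                   # fusion: link both directions
            related.related.add(value)
            new_links += 1
    return new_links

def apply_siem_feedback(tip, hits):
    """Feedback loop: sightings raise an indicator's score, silence lowers it."""
    for value, ind in tip.items():
        n = hits.get(value, 0)
        ind.score = min(100, ind.score + 10 * n) if n else max(0, ind.score - 5)
    return tip
```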
This sort of data enrichment leads to contextualization of the data being investigated. If we take this a step forward and talk about the “P” in threat intelligence platform, we can start to see how this real-time collaboration begins to have a serious impact across the entire security organization. The SOC analysts performing data enrichment may benefit from the additional IoCs being added by the IR team. Each has a small piece of the larger picture. As an example, the IR team may uncover files originating from a URL that the SOC is researching, relating the uncovered hashes. This data can be further enriched, unlocking another piece of the puzzle.
In summary, and at the risk of winning the buzzword bingo, it’s critical for a threat intelligence platform to offer that “single pane of glass” that allows the top-tier analysts to do their jobs, and in turn helps the up-and-coming analysts to improve the efficiency of their work. This, combined with the real-time collaboration of the ThreatQ threat intelligence platform, provides the foundation to help an enterprise become more efficient and effective in detecting and stopping threats.