Defence Engineering and Threat Intel - No Stone Left Unturned
Anthony Stitt
Every breach starts as a compromise that goes unnoticed and unactioned, often because existing security devices have too many events, too little context and cannot prioritize. Providing these systems with threat intelligence is the lowest cost and most effective way to improve contextualization and blocking of new attacks.
Frameworks like MITRE ATT&CK provide suggestions about detecting certain types of attacks including where to collect logs from and the pseudo-code required on the system itself, for example, intrusion detection system (IDS) signatures.
In a large, busy network, it is not uncommon for users, applications or devices to be compromised from time to time. What many organisations lack is the capability to detect and remediate these compromises consistently, reliably and in a reasonable timeframe. As a result, attackers gain unlimited dwell time to escalate from compromise to breach. According to IBM's Cost of a Data Breach Report, the average time to detect large data breaches is around 220 days from the point of initial compromise, and that figure continues to increase.
While there are many factors at play, understanding the limitations of defences requires examining how blocking and detection systems leverage cyber threat intelligence (CTI). There is a three-way relationship between the security information and event management (SIEM) system, the threat intelligence platform (TIP) and the defences that forms the basis of how these 'systems' work together. The TIP provides priority indicators of compromise (IoCs) to the SIEM and receives sightings from the SIEM based on those IoCs; the SIEM receives logs and alerts from the defences; and the TIP receives IoCs from the defences and provides them with signatures and IoCs for detection and blocking.
The defence 'system' can include many components that TIPs are designed to integrate with, including firewalls, intrusion detection and prevention systems, domain name system (DNS) servers, and email and web gateways. A TIP can push signatures to defence systems, for example a DNS block list that is continuously updated with the latest risky domains and IP addresses. It can also query a system as part of an investigation, such as checking for the presence of a malware hash on endpoint devices. Furthermore, a TIP can interface with intelligence collection systems like a sandbox, honeypot, deception technology or a phishing analysis system. These tools are good sources of internal intelligence from which a TIP can collect, normalise, score and share CTI, so that attacks detected in one area are shared across organisational systems for collective immunity.
Much has been written about eXtended Detection and Response (XDR), which is the capability for unified threat visibility across networks, endpoints and the cloud. The XDR concept focuses on a given vendor's ability to leverage their intelligence across their portfolio of defensive systems, starting with EDR. This closed loop has two limitations: you need the vendor's technology everywhere, and you are limited to that vendor's threat intelligence. The modern reality is that nearly all organisations have a diverse mix of security vendors, and a platform is needed to share data and intelligence across them so they behave like a single unified system.
With Open XDR (integrating disparate point products from different vendors into a unified system), the TIP receives intelligence from internal, paid, open, ISAC, CERT and partner sources and shares it with the SIEM, EDR and defences. The SIEM and EDR tools provide the TIP with real-time analysis and sightings of IoCs based on this intel, and where an IoC is confirmed the TIP sends it to the defences for detection or blocking. The TIP in turn receives logs and alerts from the defences. Each vendor still sends its own intel, via signatures and rules, to its devices on the customer's premises. Essentially, the SIEM, EDR and defences work together to provide sightings of IoCs to the TIP and, where those IoCs are malicious, block them.
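The TIP/SIEM/defence loop described above, modelled end to end as an added example (this is illustrative code written for this article, not any TIP or SIEM vendor's product): indicators from several sources are scored by the TIP, the ones above a share threshold are pushed to the SIEM as a watchlist, the SIEM matches them against DNS, firewall and EDR log lines and returns sightings, and the TIP raises the score of sighted indicators and regenerates an RPZ-style DNS block list for the defences. The log lines, indicator values, source names and the scoring rules (corroboration and sighting bonuses, thresholds) are all constructed assumptions.

```python
import re
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple


@dataclass
class Indicator:
    value: str
    ioc_type: str            # "domain", "ip" or "sha256"
    score: int               # 0..100 priority assigned by the TIP
    sources: Set[str] = field(default_factory=set)
    sightings: int = 0


class TIP:
    """Scores IoCs, pushes priority IoCs to the SIEM, takes sightings back."""

    def __init__(self, share_threshold: int = 50, block_threshold: int = 80):
        self.indicators: Dict[str, Indicator] = {}
        self.share_threshold = share_threshold    # assumed: minimum score shared with the SIEM
        self.block_threshold = block_threshold    # assumed: minimum score pushed to DNS blocking

    def ingest(self, value: str, ioc_type: str, source: str, score: int) -> Indicator:
        value = value.lower()
        ioc = self.indicators.get(value)
        if ioc is None:
            ioc = Indicator(value, ioc_type, score)
            self.indicators[value] = ioc
        else:
            # Assumed rule: a second source corroborating the IoC adds 10 to the higher score.
            ioc.score = min(100, max(ioc.score, score) + 10)
        ioc.sources.add(source)
        return ioc

    def priority_iocs(self) -> List[Indicator]:
        return [i for i in self.indicators.values() if i.score >= self.share_threshold]

    def record_sighting(self, value: str) -> None:
        # Assumed rule: a sighting in the organisation's own logs adds 15 to the score.
        ioc = self.indicators[value]
        ioc.sightings += 1
        ioc.score = min(100, ioc.score + 15)

    def dns_block_list(self) -> List[str]:
        # RPZ-style zone records ("<name> CNAME ." returns NXDOMAIN) for high-score domains.
        return sorted(f"{i.value} CNAME ." for i in self.indicators.values()
                      if i.ioc_type == "domain" and i.score >= self.block_threshold)


class SIEM:
    """Matches a TIP-supplied watchlist against log lines and reports sightings."""

    def __init__(self) -> None:
        self.watchlist: Dict[str, str] = {}   # indicator value -> ioc_type

    def load_watchlist(self, iocs: List[Indicator]) -> None:
        self.watchlist = {i.value: i.ioc_type for i in iocs}

    def match(self, log_lines: List[str]) -> List[Tuple[str, str]]:
        sightings = []
        for line in log_lines:
            # Pull candidate observables out of the constructed log formats below.
            for m in re.finditer(r"(?:qname|dst|sha256)=([A-Za-z0-9.\-]+)", line):
                token = m.group(1).lower()
                if token in self.watchlist:
                    sightings.append((token, line))
        return sightings


# Constructed sample log lines (DNS resolver, firewall, EDR); not real telemetry.
SAMPLE_LOGS = [
    "2024-03-01T10:00:01Z dns client=10.0.0.5 qname=cdn-update.bad-example.test rcode=NOERROR",
    "2024-03-01T10:00:02Z dns client=10.0.0.9 qname=www.example.org rcode=NOERROR",
    "2024-03-01T10:01:10Z fw src=10.0.0.5 dst=203.0.113.77 dport=443 action=allow",
    "2024-03-01T10:02:00Z edr host=ws-17 sha256=" + "a" * 64 + " action=executed",
]


def build_demo_tip() -> TIP:
    """Constructed feed content: two external sources, one internal sandbox."""
    tip = TIP()
    tip.ingest("cdn-update.bad-example.test", "domain", "external-feed", 60)
    tip.ingest("cdn-update.bad-example.test", "domain", "internal-sandbox", 70)  # corroborated -> 80
    tip.ingest("203.0.113.77", "ip", "isac-feed", 55)
    tip.ingest("a" * 64, "sha256", "internal-sandbox", 90)
    tip.ingest("stale.old-example.test", "domain", "open-feed", 30)   # below share threshold
    return tip


def run_cycle(tip: TIP, siem: SIEM, log_lines: List[str]) -> dict:
    """One turn of the loop: push watchlist, match logs, feed sightings back, rebuild block list."""
    siem.load_watchlist(tip.priority_iocs())
    sightings = siem.match(log_lines)
    for value, _ in sightings:
        tip.record_sighting(value)
    return {
        "shared": sorted(siem.watchlist),
        "sightings": [value for value, _ in sightings],
        "dns_block_list": tip.dns_block_list(),
    }


if __name__ == "__main__":
    result = run_cycle(build_demo_tip(), SIEM(), SAMPLE_LOGS)
    for key, val in result.items():
        print(key, val)
```

The low-scored indicator never reaches the SIEM, which is the prioritisation the article argues for; the corroborated domain crosses the blocking threshold and lands in the DNS block list while the single-source IP address is only watched, and its score rises once the firewall log confirms traffic to it.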
Even if an organisation used a single vendor throughout, a TIP still opens the environment to external and internal CTI over and above the vendor's own threat analysis capabilities. After all, no vendor has 100% coverage of threats, especially new and customised attacks.
A CTI program that prevents even a single breach each year will pay for itself but, unless your organisation suffers data breaches constantly, you are unlikely to have any hard data with which to calculate an ROI. Instead, one approach is to track your organisation's ability to detect compromises and determine which of those were detected exclusively with intelligence from the CTI program. One large global technology company was able to attribute over 1500 compromises per annum to their intel program using this method. In the context of their overall compromise detection costs from security tools, incident response, threat hunting and alert triage, they could show a strong ROI for the CTI team.
Other approaches include looking at detection coverage by measuring threats blocked by defences as a result of unique signatures or rules pushed from the TIP versus the cost of detection in the SIEM and/or EDR and subsequent handling via the SOC. Companies can also estimate or calculate the risk reduction gained by implementing defence in depth, using different types of IoCs (domains, file hashes, etc.) associated with a campaign or style of attack.
While internally gathered intelligence is contextually relevant, it often lacks details, which can be added through enrichment by analysts. A fusion centre also helps by correlating your internal intelligence with external intelligence, adding a rich layer of detail and context. It improves the confidence of analysts, expands the set of related IoCs to watch for, adds information like common vulnerabilities and exposures (CVEs) and MITRE ATT&CK tactics, techniques and procedures (TTPs), and can even lead to adversary attribution. For this reason, internal intelligence and external intelligence complement each other well, and a TIP is designed to bring the two together as a force multiplier.
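The fusion step described above, as an added example that is not part of the article or of any TIP product: an internally observed indicator with little context is correlated against a set of external intelligence records, and each record that mentions it raises analyst confidence, contributes related IoCs to watch for, and attaches CVEs, ATT&CK technique IDs and an actor name. The external report contents, source names, indicator values, the confidence bonus and the actor name are constructed assumptions; the CVE identifier is an obvious placeholder, and T1071, T1566 and T1059 are real ATT&CK technique IDs used only as sample context.

```python
from dataclasses import dataclass, field
from typing import Iterable, List, Set


@dataclass
class ExternalReport:
    """One external intelligence record (constructed sample shape, not a vendor schema)."""
    source: str
    iocs: Set[str]
    cves: Set[str] = field(default_factory=set)
    attack_techniques: Set[str] = field(default_factory=set)
    actor: str = ""


@dataclass
class EnrichedIndicator:
    """Internal indicator after fusion with the external records that mention it."""
    value: str
    confidence: int
    sources: Set[str]
    related_iocs: Set[str] = field(default_factory=set)
    cves: Set[str] = field(default_factory=set)
    attack_techniques: Set[str] = field(default_factory=set)
    actors: Set[str] = field(default_factory=set)


CORROBORATION_BONUS = 20   # assumed scoring rule: each external source that agrees adds 20


def fuse(value: str, internal_source: str, internal_confidence: int,
         reports: Iterable[ExternalReport]) -> EnrichedIndicator:
    """Correlate one internal IoC with external reports and merge their context onto it."""
    enriched = EnrichedIndicator(value=value, confidence=internal_confidence,
                                 sources={internal_source})
    for report in reports:
        if value not in report.iocs:
            continue                      # no overlap with this report: nothing to add
        enriched.sources.add(report.source)
        enriched.confidence = min(100, enriched.confidence + CORROBORATION_BONUS)
        enriched.related_iocs |= report.iocs - {value}     # expand what to watch for
        enriched.cves |= report.cves
        enriched.attack_techniques |= report.attack_techniques
        if report.actor:
            enriched.actors.add(report.actor)             # possible attribution
    return enriched


def expanded_watchlist(enriched: EnrichedIndicator) -> List[str]:
    """The original indicator plus everything the external records tied to it."""
    return sorted({enriched.value} | enriched.related_iocs)


# Constructed external records; values are samples, CVE and actor are placeholders.
SAMPLE_REPORTS = [
    ExternalReport(source="vendor-feed",
                   iocs={"cdn-update.bad-example.test", "203.0.113.77"},
                   cves={"CVE-YYYY-NNNNN"},            # placeholder, not a real CVE
                   attack_techniques={"T1071"},
                   actor="ACTOR-PLACEHOLDER"),
    ExternalReport(source="open-feed",
                   iocs={"unrelated.example.net"},
                   attack_techniques={"T1566"}),
    ExternalReport(source="isac-feed",
                   iocs={"cdn-update.bad-example.test", "mirror.bad-example.test"},
                   attack_techniques={"T1071", "T1059"}),
]


if __name__ == "__main__":
    # The sandbox saw the domain but could only say "suspicious" (confidence 40, assumed).
    hit = fuse("cdn-update.bad-example.test", "internal-sandbox", 40, SAMPLE_REPORTS)
    print(hit)
    print("watch:", expanded_watchlist(hit))
```

Only records that actually contain the internal indicator contribute, so the unrelated open-feed entry neither raises confidence nor pollutes the watchlist; two corroborating sources lift a weak sandbox verdict to a confidence an analyst can act on, and the merged technique list ties the sighting back to ATT&CK for the detection work that the earlier sections describe.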