Elevating What a TIP Can Be – The ThreatQ Platform

Anthony Stitt
In a previous blog I reviewed the foundational use case for a TIP, which is threat intelligence management—the practice of aggregating, analyzing, enriching and de-duplicating internal and external threat data in order to understand threats to your environment and share that data with a range of systems and users. However, one of the unique benefits of the ThreatQ Platform, and where organizations are deriving additional business value, is that it also allows you to address other use cases. I’ve written before about the defense engineering use case. Here, I’ll cover four more: alert triage, incident response, threat hunting and vulnerability management.
Alert Triage

Threat intelligence false positives are a major pain point for most Security Operations Centers (SOCs), so much so that organizations prefer a smaller volume of relevant intelligence over a higher volume of intelligence if the higher volume is prone to cause false alerts. False alerts take time for analysts to investigate, which reduces SOC efficiency and increases the risk that real issues get missed. The ThreatQ Platform minimizes this problem by only feeding relevant threat intelligence into the SIEM for correlation.
In general, threat intelligence services publish their CTI on a single API and include additional contextual information to help users work out which parts of the CTI “feed” are relevant to them. For example, an adversary C2 domain might include attribution tags for an adversary, a target geography and / or a target industry. Connecting your SIEM directly to these APIs, without the capability to filter by contextual relevance, increases SIEM load at best, and leads to false and duplicate alerts at worst. Exacerbating the challenge, open CTI sources frequently have little to no contextual information which makes it virtually impossible to determine the relevant from the irrelevant. Finally, there is always some degree of overlap in CTI: the same indicators of compromise (IoCs) from different sources. For most SIEMs, this will generate multiple alerts.
The ThreatQ Platform scores CTI based on parameters you set before exporting it to the SIEM, which ensures that when an alert occurs it is far more likely to be relevant. Furthermore, the analyst can see why the alert has a high score and can take action faster and with greater confidence, all without leaving the SIEM console. Analysts can also search ThreatQ’s central repository from within the SIEM to find out more about IP addresses, file hashes, domains or any other data in the ThreatQ Platform.
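The two paragraphs above describe the triage pipeline in the abstract: pull from several feeds, merge duplicate indicators (including the same domain in different casing or with a trailing dot), weigh whatever context each feed supplies against the organization's own relevance profile, and pass only the high-scoring indicators to the SIEM together with the reasons for the score. The following Python is an added illustration of that pipeline, not ThreatQ's scoring engine or any feed's real output; the profile, feed names, the adversary label and every indicator value are constructed placeholders.

```python
"""Added example (not ThreatQ code): aggregate indicators from several CTI feeds,
de-duplicate them, score them against an organisation's relevance profile and
export only those that clear a threshold. All feed records, source names and
the adversary name are constructed placeholders."""

# Constructed relevance profile for a hypothetical organisation.
PROFILE = {
    "industries": {"finance"},
    "geographies": {"AU", "NZ"},
    "adversaries": {"APT-EXAMPLE-1"},      # placeholder adversary name
    "trusted_sources": {"vendor-a"},
}

# Constructed feed records. The same domain appears twice with different
# context and casing, and the open-source list carries no context at all.
FEED_RECORDS = [
    {"source": "vendor-a", "type": "domain", "value": "update-check.example",
     "adversary": "APT-EXAMPLE-1", "industry": "finance", "geo": "AU", "confidence": 80},
    {"source": "osint-list", "type": "domain", "value": "UPDATE-CHECK.EXAMPLE.", "confidence": 50},
    {"source": "vendor-b", "type": "ipv4", "value": "203.0.113.7",
     "industry": "retail", "geo": "US", "confidence": 70},
    {"source": "osint-list", "type": "ipv4", "value": "198.51.100.9", "confidence": 40},
    {"source": "vendor-a", "type": "sha256", "value": "ab" * 32,
     "adversary": "APT-EXAMPLE-1", "confidence": 90},
]

# (field name in a feed record, bucket name in the merged indicator)
CONTEXT_FIELDS = (("adversary", "adversaries"), ("industry", "industries"), ("geo", "geos"))


def normalise(ioc_type, value):
    """Canonical form so that feed variants of one IoC merge into one record."""
    value = value.strip()
    if ioc_type == "domain":
        return value.lower().rstrip(".")
    if ioc_type in ("md5", "sha1", "sha256"):
        return value.lower()
    return value


def aggregate(records):
    """Merge records describing the same IoC; keep the union of their context."""
    merged = {}
    for rec in records:
        key = (rec["type"], normalise(rec["type"], rec["value"]))
        ind = merged.setdefault(key, {
            "type": key[0], "value": key[1], "sources": set(),
            "adversaries": set(), "industries": set(), "geos": set(), "confidence": 0,
        })
        ind["sources"].add(rec["source"])
        for rec_field, bucket in CONTEXT_FIELDS:
            if rec_field in rec:
                ind[bucket].add(rec[rec_field])
        ind["confidence"] = max(ind["confidence"], rec.get("confidence", 0))
    return list(merged.values())


def score(ind, profile):
    """Return (score 0-100, reasons) so an analyst can see why an IoC ranks high."""
    reasons = []
    total = ind["confidence"] // 2           # feed confidence contributes 0-50
    if ind["adversaries"] & profile["adversaries"]:
        total += 30
        reasons.append("adversary match")
    if ind["industries"] & profile["industries"]:
        total += 10
        reasons.append("industry match")
    elif ind["industries"]:                  # context explicitly points elsewhere
        total -= 20
        reasons.append("targets another industry")
    if ind["geos"] & profile["geographies"]:
        total += 10
        reasons.append("geography match")
    if ind["sources"] & profile["trusted_sources"]:
        total += 5
        reasons.append("trusted source")
    if len(ind["sources"]) > 1:
        total += 5
        reasons.append(f"seen in {len(ind['sources'])} sources")
    return max(0, min(100, total)), reasons


def export_for_siem(records, profile, threshold=60):
    """Only IoCs at or above the threshold reach the SIEM, each with its rationale."""
    out = []
    for ind in aggregate(records):
        total, reasons = score(ind, profile)
        if total >= threshold:
            out.append({"type": ind["type"], "value": ind["value"],
                        "score": total, "reasons": reasons})
    return sorted(out, key=lambda item: -item["score"])


if __name__ == "__main__":
    for item in export_for_siem(FEED_RECORDS, PROFILE):
        print(item["score"], item["type"], item["value"], "; ".join(item["reasons"]))
```

With these constructed inputs the five feed records collapse to four indicators, and only the adversary-attributed domain and hash clear the threshold; the retail-targeted IP is pushed below it because its context points at another industry, and the context-free open-source IP never gets above its feed confidence. The `reasons` list is what lets the analyst see inside the SIEM why an alert scored as it did.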
Incident Response (IR)
ThreatQ is designed around the fact that Incident Response (IR) is a team sport. IR teams require access to information from across security operations, and often these teams are assembled quickly from different groups. The ability to include the necessary resources from outside the immediate security department (e.g., database administrators, application specialists) ensures complete situational understanding and engages the full set of capabilities of the organization. So, ThreatQ provides a collaboration space to document and work on the investigation. This instantly allows an incident responder to assess what other research has been performed and by whom, what tasks need to be assigned, and how all the data relates.
As the investigation proceeds, malware can be analyzed in a sandbox, for example, and the results collected in the platform for automatic correlation with the SIEM. The same applies to phishing email analysis, DNS records, or any host / network artifacts.
Once an event/alert is escalated to an incident, teams need to move as quickly as possible to understand the scope, impact and the actions required to mitigate damage and recover. Typically, gathering all the required information is a difficult and manual process, and the data comes in a great variety of formats, from many different teams and from both internal and external data sources.
Simplifying the process, ThreatQ will automatically relate an incident under investigation to a known campaign or adversary if any of the information is common. This reduces the analysis and response time by identifying missing information that might otherwise require manual investigation and correlation. As the necessary responders from around the organization complete tasks and publish them to the larger incident canvas, the team progresses towards identifying patient-zero and re-arming the organization against the next wave of attacks.
Maintaining adversary profiles and historical IR reports helps jumpstart any IR investigation and all information can be stored in the platform for future reference and learning. IoCs, TTPs, MITRE ATT&CK information and other intelligence can be incorporated into ThreatQ and used for detecting similar future attacks. This information can be used to adjust the threat model over time, adding newly discovered adversaries, campaigns and TTPs.
Threat Hunting

Correlating CTI with historic SIEM logs is a means of retrospectively discovering successful, undetected prior attacks. Finding these attacks reduces attacker dwell time and is the objective of threat hunting. Several studies find that attacker dwell time in data breaches can be 200+ days. When a compromise does occur, even if it was not blocked, the SIEM will likely have logs from the devices involved. Attackers typically take time to escalate access and privileges, which gives the organization time for hunting to be effective. Good CTI, an effective scoring policy and SIEM integration are the building blocks to automate the process, which allows the hunt team to concentrate on more complex adversary scenarios.
The ThreatQ Platform provides all the building blocks to support retrospective threat hunting and goes even further to support proactive threat hunting. Proactive threat hunting often starts with a hypothesis about an adversary, their TTPs, IoCs and where an organization might look internally for signs of compromise. The ThreatQ Platform provides a good starting point for adversary information and selection and can also import data from frameworks like MITRE ATT&CK so that the organization can map adversaries to TTPs quickly and easily. The additional ability to represent this information in the scoring policy helps prioritize the CTI related to adversaries of interest.
Next, the hunt team can visually build and collaborate on a specific hypothesis using a single shared collaborative environment in the ThreatQ Platform. Team members from any area can access and contribute to the scenario, either privately or with the analysis team. Furthermore, ThreatQ provides tools to perform real-time queries on other systems: for example, the SIEM to check for IoCs in logs; a vulnerability platform to check which systems are vulnerable to a CVE that is part of the investigation; or even external enrichment sources like VirusTotal or DomainTools. These “sightings” and related CTI can be brought into the platform and collaborative environment. Analysts can pivot between all data in the central repository, picking and choosing what’s relevant to the hypothesis as they go.
Finally, investigations can be saved for future reference and findings can be documented and stored so that ThreatQ can continuously coordinate with the SIEM to look for future occurrences of the same or similar attacks and export priority CTI (IoCs, rules, signatures) to blocking / detection tools. The scoring policy can be adjusted if the hunt discovers new information that might enable the automatic detection of future attacks from this adversary or other adversaries using the same TTPs.
Vulnerability Management

A valuable input to the patching process is prioritizing vulnerabilities with knowledge of how they are being exploited by the adversaries and threats relevant to the organization. ThreatQ allows security teams to focus their resources where the risk is greatest. By integrating with a vulnerability assessment platform (VAP), ThreatQ can share a list of priority CVEs for patching, or, as part of alert triage and incident response, allow analysts to query the VAP to check which corporate systems are vulnerable to a particular CVE under investigation. The vulnerability team can query ThreatQ from the VAP to check if a particular CVE is associated with a priority adversary.
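The paragraph above describes two directions of the same join: the intelligence side ranks the VAP's findings by who is exploiting them, and the vulnerability side asks which adversaries are tied to a given CVE. The Python below is an added illustration of both (not ThreatQ's or any VAP vendor's code). The CVE identifiers, adversary names, CVSS values and asset counts are constructed placeholders, and the weighting is an assumption chosen for the demo rather than a documented ThreatQ policy.

```python
"""Added example (not ThreatQ or VAP vendor code): rank CVEs reported by a
vulnerability assessment platform using adversary associations held in the
intelligence repository, and answer the reverse question for one CVE.
All identifiers, scores and counts are constructed placeholders."""

# Constructed VAP export: CVE, base CVSS score and number of affected assets.
VAP_FINDINGS = [
    {"cve": "CVE-0000-0001", "cvss": 9.8, "assets": 3},
    {"cve": "CVE-0000-0002", "cvss": 7.5, "assets": 40},
    {"cve": "CVE-0000-0003", "cvss": 6.1, "assets": 12},
    {"cve": "CVE-0000-0004", "cvss": 5.3, "assets": 2},
]

# Constructed adversary -> CVEs they have been observed exploiting.
ADVERSARY_CVES = {
    "APT-EXAMPLE-1": {"CVE-0000-0002"},
    "CRIME-EXAMPLE-2": {"CVE-0000-0003", "CVE-0000-0002"},
}

# Adversaries the organisation's threat model rates as priority.
PRIORITY_ADVERSARIES = {"APT-EXAMPLE-1"}


def adversaries_for_cve(cve, adversary_cves=ADVERSARY_CVES):
    """Reverse lookup the vulnerability team would run from the VAP side."""
    return {adv for adv, cves in adversary_cves.items() if cve in cves}


def prioritise(findings, adversary_cves=ADVERSARY_CVES, priority=PRIORITY_ADVERSARIES):
    """Rank findings: exploitation by a priority adversary outweighs raw severity."""
    ranked = []
    for f in findings:
        advs = adversaries_for_cve(f["cve"], adversary_cves)
        reasons = []
        total = f["cvss"] * 5                    # severity alone caps at 50 (assumed weight)
        if advs & priority:
            total += 40
            reasons.append("exploited by priority adversary: " + ", ".join(sorted(advs & priority)))
        elif advs:
            total += 15
            reasons.append("exploited by: " + ", ".join(sorted(advs)))
        total += min(f["assets"], 20) / 2        # exposure, capped so one mass CVE cannot dominate
        ranked.append({"cve": f["cve"], "priority": round(total, 1),
                       "adversaries": advs, "reasons": reasons})
    return sorted(ranked, key=lambda r: -r["priority"])


def patch_list(findings, top_n=2):
    """The list handed to the patching team, highest priority first."""
    return [r["cve"] for r in prioritise(findings)[:top_n]]


if __name__ == "__main__":
    for r in prioritise(VAP_FINDINGS):
        print(r["priority"], r["cve"], "; ".join(r["reasons"]) or "no known exploitation")
    print("patch first:", patch_list(VAP_FINDINGS))
```

Note how the ranking inverts the plain CVSS order: the 7.5 that a priority adversary is exploiting on forty assets comes out ahead of the 9.8 with no known exploitation and three affected hosts, which is the point of feeding adversary context into the patching queue. `adversaries_for_cve` is the query the vulnerability team runs in the other direction.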
Designed for data-driven security operations, the ThreatQ Platform goes beyond a traditional TIP, helping security operations teams address all their top use cases, including threat intelligence management, defense engineering, alert triage, incident response, threat hunting and vulnerability management. Interested in learning how ThreatQ can help you address the use cases most important to your organization? Request a live demo now.