Expect More From Your Intelligence — Starting With Context

Posted: 14th October 2022
By: Meghan McGowan

Picture this:

  • your security team can automate 100 percent of its operations
  • software distinguishes benign traffic from malicious traffic correctly 100 percent of the time
  • gateways and firewalls automatically and accurately manage all access/block

Think of all the headaches you’d spare your security team. Unfortunately, this dream is still in the works, but intelligence gets you closer to this vision.

Security teams invest heavily in software to defend their network against indicators of compromise (IOCs) like phishing, malware, and other cyber threats. While practical and essential, these tools still refer some traffic (and now ever more traffic in this era of work from home and remote work) to Security Operations (SecOps) teams for decisions. Those teams qualify their choices based on threat data. Ideally, such decisions should be based on and validated by intelligence.

To us, intelligence is the collection and contextualization of data points across the entirety of the internet – a tightly woven thread of insights that are purpose-built for detecting, investigating, and monitoring cyber and physical threats.

This blog post examines the intelligence analysts and leadership needs to determine how to prioritize their threats – that intelligence starts with context.

A day in the life of a security operations analyst

In a typical threat investigation, security analysts, or incident response teams, receive an alert from their security information and event management (SIEM) product, which continually pulls data on security events from the internal network and concentrates that data for analysis. Analysts then have to decide whether the event is a threat or not, so they begin collecting information on the internet and through their existing security tools.

The problem is that their efforts involve time-consuming manual research that often compares detections against a flat risk list and gets some details on IOCs – which, at that time, may already be stale or irrelevant.

Next, security analysts attempt to cobble together the data needed to understand the nature of the threat. Here’s an example:

  • They identify the internet protocol (IP) address associated with the threat, then find a threat feed on the internet that mentions the address. However, the feed only provides the name, IP address, and traffic source.
  • Analysts then turn to their go-to security blogs, online forums, social media, and other sources, which may have nothing about the threat.
  • The information they gather from web sources like VirusTotal may only amount to a couple of mentions of related hacker activity, but nothing concrete.

The team spends ten, then 20, then 30 minutes of valuable time on manual research – still without establishing a foundational picture of the threat or whether/how to address it. Even if they find a clue in one source, their next step is to continue searching to confirm the hunch; meanwhile, the threat persists unmitigated.

In this all-too-common situation, analysts burn precious time looking for context from disparate sources on the open and dark web, yet only come up with a few pieces of what they need to reach a good understanding of the threat.

In other words, analysts are trying to conduct a threat investigation without much intelligence – the lack of context results in missed threats and slow responses.

Provide sufficient context for threat intelligence

Empowering security analysts to conduct threat investigations with intelligence requires that the intelligence:

  • Provide complete coverage. The threat landscape never stops shifting. Threat actors continually innovate and change tactics – with critical IOCs changing in flux. Threat intelligence needs to be comprehensive enough for you to identify emerging threats wherever they originate and however they evolve.
  • Deliver real-time context. When you understand who is attacking you now, their motivations and capabilities, and which IOCs matter, you can save time and take quick action to mitigate the threat.
  • Integrate with your current tools. Actionable intelligence integrates with your current tools so you can protect your network with automation or other workflows without additional complexity.

Intelligence with full context allows analysts to derive more value from the data and logs they already have. They can detect relevant threats to your organization. They can use the context to automate more of the decision-making of security operations teams. And they can gradually move from investigating current threats to uncovering and tracking relevant threat actors targeting their organization through threat prioritization, threat monitoring, and threat hunting.

So, how can your organization get there?

Put intelligence into action: monitoring-integration-analysis

As you continue on your intelligence-led security journey, we recommend that your organization consider how intelligence fits into three different areas:

  • Monitoring. Collect observations from various sources and check them for threat indicators relevant to your business. For instance, if monitoring reveals a leak of your company’s login credentials, you can warn your IT department to expect an upcoming rash of suspicious requests for password resets. Or, suppose that monitoring reveals that your products are being mentioned on the dark web, or that your corporate brands are being typosquatted in domain name registrations. In those cases, you can warn IT to anticipate phishing email campaigns that target your coworkers and customers.
  • Integration. Analysts are already using SIEM and/or security orchestration tools, automation and response (SOAR). Now, you can integrate intelligence and context into your security tools to automatically enrich indicators and immediately act on incident response. Alert fatigue and challenging context-chasing are not necessary. When you have real-time machine-readable intelligence via API, the intelligence is useful and actionable.
  • Analysis. Gradually, analysts shift their focus from fighting fires, to effectively and efficiently identifying emerging threats to the business. Through context, they can study risks to their business, industry, and suppliers to get ahead of those risks. Analysis is the strategic value of threat identification, hunting, and prevention. The analysis also guides investments in new technologies and their return on investment (ROI).

Coming Soon: Put Intelligence Into Action: Anatomy of a Threat Hunt

The next post in this series includes a walkthrough of this monitoring-integration-analysis model. You’ll follow the workflow of a threat hunt using threat intelligence, Splunk SOAR and Splunk Enterprise Security – and you’ll see how context makes a difference at each stage.