How to Build Comprehensive Security Processes With Threat Intelligence

Posted: 15th February 2019
How to Build Comprehensive Security Processes With Threat Intelligence

As children, many of us played with the classic assortment of blocks, columns, and other shapes known as Lincoln Logs. I spent hours in my bedroom as a young boy, creating fortresses and buildings, section by section, log by log. Like that time spent as a child, you can build a robust and comprehensive security approach piece by piece, while knowing that it can take just one mistake or accident to have it all come crumbling down.

Incorporating cyber threat intelligence into daily workflows and understanding how to use the huge amounts of data involved can be an overwhelming task. Many times analysts new to threat intelligence may ask the question, “Where do I start?” The way they choose to answer this type of question can make or break a threat intelligence program. All of this can be solved by taking a step back, identifying your organization’s biggest needs and visibility gaps, and creating a plan to use all of your security tools and staff effectively.

This blog will seek to alleviate some of the stress of choosing where to go and offer some suggestions on how to move all of your security functions toward a proactive model.

Security Processes Step by Step

Time and time again, organizations with poorly defined policies and procedures find themselves in chaos when security incidents occur and all hands are on deck. Understanding your organization’s incident response (IR) plan, adhering to a set security policy, and creating workflows and playbooks around these documents — and then actually trusting in and following these processes when things go bad — are paramount to managing security incidents without falling into chaos.

In this sense, having a definition of what an incident response situation is and how to handle events is key. As shown in the diagram below, there is a reason why preparation is the first step.

Success Plan

Know the steps to success and where you fit within your organization. (Source: Varonis Blog)

Acknowledging the likelihood that your organization will be attacked (and not if it will be) is critical to developing a solid security strategy. Therefore, having an incident response plan set and available for all parties to respond to such situations is necessary. Steps 2, 3, and 4 shown above will revolve around your organization having the tools available to identify and eradicate malware or resolve dicey security issues.

Inventorying and using critical tools such as security information and management (SIEM), security orchestration and automation (SOAR), or endpoint detection and response (EDR) software can help your responders and security personnel be more effective in eradicating a threat — and don’t forget to include your marketing, public relations, and legal teams to help keep brand reputation and confidence high in the eyes of consumers, patrons, and business partners. For example, tools like IBM Resilient are excellent at delegating tasks and accounting for the tasks that incident response and remediation teams handle.

Finally, Step 6, reviewing the lessons learned (really, reporting), is often missed, but it’s perhaps the most important step in this process: documenting the lessons learned and adjusting policy, so security events (like the one you just dug out of) do not occur again.

Using Threat Intelligence to Identify Your ‘Crown Jewels’

Acknowledging an issue is the first step, but in information-security speak, focusing on identifying where the biggest loss to business operations is, or where your “crown jewels” sit, is the most important one. For retail, this may be a point-of-sale outage. For energy, this is likely your ICS/SCADA platforms — the list goes on.

Once the weaknesses have been identified, put your black hat on and work to understand the threat landscape around those operations and how an outage or loss may be attained. Another way to think of it is, “If i lose X, how much will operations and profit be impacted?” This kind of thinking allows an organization to understand its threat landscape and acceptable level of risk. In turn, roles, responsibilities, and tools used to defend your organization become much clearer.

Crown Jewels

R&D plans, customer PII, PCI servers, etc. are all far more valuable than jewels.

Applying the “crown jewels” philosophy can help an organization start to develop more and more of a proactive security posture. Adhering to two basic tenets is paramount:

  • Use security tools and your security operations center (SOC) effectively (your SIEM is more than a compliance check box).
  • Allow security operations, incident response, and threat intelligence teams to support each other.

No one likes shelfware. Each of the security tools outlined above has a purpose — each individually cannot solve all your security problems, but harnessing them properly, for example to power your monitoring and scanning processes or to focus on certain criteria to alert you to threats sooner, will ensure that they don’t collect dust on the shelf. In turn, have your threat hunting, incident response, and threat intelligence teams focus on searching for threats to your organization’s operations and information before events happen. Together, these groups can help paint a picture of the days, weeks, and months to come and support the security strategy and incident response plan outlined in the first section.

However, it’s important to not get distracted or derailed by hunting for “sexy” topics like mentions on dark web forums, searching for malware specifically tailored to your organization or infrastructure, and other high-risk situations. Rather, focus on the fundamentals — a “back to basics” approach to ensure you cross the T’s and dot the I’s that make up your IT workflows and requirements.

Security Is a Team Sport

Your marketing department may have fantastic phrases around how your organization is one big group working together — a team with a family atmosphere, meaningful relationships with colleagues, all that.

These may sometimes be cynically deployed as recruiting tools to highlight your organization’s supposedly fantastic culture and attract new talent — but as prescriptions for how your team ought to operate, they’re also the truth. You all are in this together, and not just the security team — by “this,” we mean the threat landscape for your organization’s industry.

Whether it’s energy, aviation, retail, or healthcare, each industry comes with its own unique assortment of risks and threats. So yes, shielding the shy accountant down the hall from cyberattacks is as important as defending your CEO.

While it may sometimes feel as though an individual is just a cog in the machine, finding ways to empower and enable your staff is always an important management goal. Making your team more efficient, keeping them sharp between the ears, and reducing fatigue through the use of threat intelligence can help your organization the most. For example, using threat intelligence to gain an understanding of the risks pertaining to your organization and industry can help drive a successful cybersecurity training program for your employees.

Attackers, Methods, and Operations

Phishing simulations and tests for employees may be a good idea for Google.

While the example above pertains to phishing and cybersecurity training, it shows how using threat intelligence (commonly, but erroneously, viewed as an asset only for those organizations “big enough” to ingest it) can be used to help support your daily business operations and keep your non-technical staff from clicking that PDF invoice attachment they got from “Bob in the New York office,” no matter how urgent that request may be.

A Comprehensive Security Approach With Threat Intelligence

For many organizations, threat intelligence has been considered a capability for the top 10 percent around the globe — those with a security maturity to match the need for a dedicated threat hunting or forecasting team. This is no longer the case. Using threat intelligence in daily operations can be as flexible as the number of use cases your organization focuses on (or wishes they had visibility into but haven’t found yet). Recorded Future can support your security operations, incident response, vulnerability and threat management, third-party risk management, threat intelligence, and threat hunting teams within one platform to improve efficacy. See the diagram below to understand major use cases that Recorded Future can assist with:

Threat Intelligence Use Cases

What bucket will the next big threat to your organization fall into?

Whatever your use case, whether it’s sending alerting rules looking for new exploits, targeting vulnerabilities, or an API feed sending risk list data for enrichment to your SIEM, looking at organizational issues and concerns through the lens of threat intelligence can help illuminate unknown gaps in visibility and allow your organization to spread out licensed user seats in Recorded Future to various teams at your place of work. Additionally, it can help identify use cases you may not have thought were critical.

Take vulnerability management, for example — a common pain point among companies and a major use case for the Recorded Future platform. By using Recorded Future’s in-house security architects, you can visualize workflows and improve efficiency through ingesting Recorded Future’s risk data directly into your security stack. This alleviates strain on SOC and incident response personnel and helps them focus on critical events.

Blending Security Tools

How to blend security tools together with Recorded Future.

Using this workflow, you can task your CTI team to search for techniques, tactics, and procedures (TTPs) as well as direct threats, exploits, exposure, and more against your organization’s infrastructure, while your SOC team prioritizes vulnerabilities and secures your customer data, alleviating many unknowns and stress.

When I was young, I would ask my mother, “Mom, how do I build this Lego set?” She’d laugh and reply, “Read the instructions in the manual.” She wasn’t wrong. Understanding your requirements, risks, and threats, and then building out processes for how to respond to those threats are the first steps toward a secure foundation. Inventorying your security tool set, understanding how they interact with and protect your most valuable assets, and finally, knowing who is responsible for what when chaos occurs will save you hours in the long run. Opening that discourse into risk and threats targeting your organization and understanding how to hunt for them can push a cohesive effort toward cyber defense, involving everyone and holding all parties accountable.

Recorded Future can play a part in every section of your organization and make everyone more efficient and effective. If, after reading this blog post, you still have questions, request a complimentary demo to learn how to best use Recorded Future in other operations, both security and business. And if you want to read a physical handbook held in your hands, well, we wrote one of those too!

Andrew Scott

Andrew Scott is an intelligence services consultant at Recorded Future.