Threat Intelligence and SIEM (Part 2) — Understanding Threat Intelligence
By Guillaume Dupont on February 9, 2016
In part one of this series we addressed the limitations of the reactive security posture of “traditional” security information and event management (SIEM) solutions. As Irving Lachow wrote, “passive defenses are a necessary component of a well-designed cyber defense program, but they are no longer sufficient to address increasingly sophisticated threats.”1
To prepare a sophisticated attack, adversaries can buy the same security products the targeted company runs, rebuild the target environment in a lab, and tune their tools and methodology until the attack goes through undetected. The overall visibility provided by a SIEM is a good start, but to counter such attacks proactively we need to add a key element: threat intelligence (TI).
Before defining TI, let us understand its essence with a little analogy in physical security: consider your network infrastructure as a bank.
You have customers coming in and out to access their accounts in one part of the building (the DMZ), and other areas that are restricted to employees only (the internal network). To secure the bank you have several security measures in place, such as guards (firewalls) and cameras (IDPS), which help you protect your assets (money, client information). Finally, there is a security manager: a person who coordinates the efforts of the security team, gets regular updates from the guards, and can see the camera feeds and the state of the other security precautions.
This manager (SIEM) can also retrieve external information from other parties (e.g., other partners, police) about the current state of security in the financial industry. This external information can include info on recent attacks: why did they succeed/fail, what group was involved, what were the exploited weak points (vault, security mechanisms, etc.), how did they proceed (fraud/social engineering vs raid at night), and what actions they took.
This is what threat intelligence is all about.
Once this information is in hand, the security manager can not only act on it and brief employees and security personnel on what to watch for, but also warn the bank’s executive team and the board of directors so that stakeholders can make informed decisions.
Threat Intelligence Definitions
To have a better understanding of what threat intelligence is, let us first have a look at a couple of definitions.
Cyber threat intelligence was defined by Jon Friedman and Mark Bouchard2 as follows:
It is the knowledge about adversaries and their motivations, intentions, and methods that is collected, analyzed, and disseminated in ways that help security and business staff at all levels protect the critical assets of the enterprise.
Levi Gundert, Vice President of Intelligence and Strategy at Recorded Future, defines threat intelligence this way:
Threat Intelligence is the act of formulating an analysis based on the identification, collection, and enrichment of relevant information. The goal of threat intelligence is to reduce operational risk, which in turn maintains or increases business profitability. In some cases, threat intelligence contributes to an information security program that creates a competitive advantage; strong security becomes a market differentiator.
In summary, TI is more than just information: it is an analysis of adversaries, their motivations, and their methods, built from collected data that has been enriched with context. Once integrated into the security lifecycle, it raises the security level and awareness of an enterprise and supports business continuity.
Why Use Threat Intelligence?
TI gives insight into attackers and their capabilities, which is invaluable for raising the security level. Companies that use such intelligence can focus their efforts on several crucial questions:
- Who is attacking: TI helps defenders attribute attacks or malicious activity to particular groups (cyber criminals, hacktivists, state-sponsored actors, etc.). Attribution is rarely certain, so treat it as an assessment with a confidence level rather than a fact.
- Why they are doing it: knowing who is behind an attack helps defenders understand the adversary’s motivation, how much effort they will invest (an advanced persistent threat [APT] vs. an opportunistic attack), and how business- or industry-specific the attack is likely to be.
- What they are after: with this information defenders can prioritize their actions according to the importance of the asset or assets the attackers are targeting.
- How they proceed: the so-called tactics, techniques, and procedures (TTPs) describe the way adversaries typically operate, the tools and infrastructure they use, and more.
- Where they come from: correlating an adversary’s apparent country of origin with its geopolitical situation can help defenders understand their adversaries, bearing in mind that attackers routinely operate through infrastructure in third countries.
- How to recognize them: indicators of compromise (IOCs), also called artifacts, are the technical telltales (IP addresses, domain names, file hashes, etc.) that can be matched against logs to detect and flag a malicious presence. Such atomic indicators are cheap for an attacker to change and therefore age quickly; TTPs are far more durable.
- How to mitigate them: information about the steps a company can take to protect itself.
All of these questions are connected to each other. By correlating TI from external parties with the internal events collected by a SIEM, defenders see attacks in their own context and can proactively defend against emerging threats to the business. Thanks to the efforts of organizations such as MITRE and Facebook, standards have been created to help people retrieve, use, and create TI; we will discuss them in a later post. TI can be obtained from various sources: cyber security vendors, independent labs and researchers, open source projects, and government and industry groups.
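The correlation described above, as an added example that is not part of the original post: a small, constructed indicator feed (IPs, a domain, a file hash, each carrying the "who" and "how" context) is indexed and matched against constructed key=value log lines of the kind a SIEM collects from a firewall, a web proxy, and an endpoint agent. The feed format, log format, actor names, and addresses are all invented for illustration (the addresses come from documentation ranges); a real deployment would ingest a vendor or standards-based feed and the SIEM's own event schema.

```python
"""Correlate a threat-intelligence feed with SIEM log lines (illustrative example)."""
import re
from dataclasses import dataclass
from typing import Dict, List
from urllib.parse import urlparse


@dataclass(frozen=True)
class Indicator:
    ioc_type: str    # "ipv4", "domain" or "sha256"
    value: str       # the observable to look for in logs
    actor: str       # attributed group (constructed name)
    ttp: str         # what the indicator is associated with
    confidence: int  # 0-100, as supplied by the (hypothetical) feed


# Constructed feed. Addresses are from RFC 5737/RFC 2606 documentation ranges;
# the hash is a made-up 64-hex-digit string, not a real sample.
FEED = [
    Indicator("ipv4", "203.0.113.45", "ExampleGroup-1", "C2 over HTTPS", 90),
    Indicator("domain", "update-check.example", "ExampleGroup-1", "phishing landing page", 75),
    Indicator("sha256", "0123456789abcdef" * 4, "ExampleGroup-2", "dropper", 60),
]

# Constructed SIEM events in a simple key=value layout (not a real product's format).
LOGS = [
    "2016-02-09T10:15:02Z fw01 action=allow src=10.0.0.12 dst=203.0.113.45 dport=443",
    "2016-02-09T10:16:40Z proxy01 user=jdoe url=https://update-check.example/login.php status=200",
    "2016-02-09T10:17:03Z edr01 host=WS-042 event=process_create sha256="
    + "0123456789abcdef" * 4 + " path=C:\\Temp\\inv.exe",
    "2016-02-09T10:18:11Z fw01 action=allow src=10.0.0.12 dst=198.51.100.7 dport=80",
]

KV = re.compile(r"(\w+)=(\S+)")


@dataclass(frozen=True)
class Match:
    line: str
    indicator: Indicator


def extract_observables(line: str) -> set:
    """Pull candidate observables out of one key=value log line.

    URLs are reduced to their host name so a domain indicator matches
    regardless of path; every other value is taken as-is (lower-cased).
    """
    observables = set()
    for key, value in KV.findall(line):
        if key == "url":
            host = urlparse(value).hostname
            if host:
                observables.add(host.lower())
        else:
            observables.add(value.lower())
    return observables


def build_index(feed: List[Indicator]) -> Dict[str, Indicator]:
    """Index the feed by indicator value so each log token is an O(1) lookup."""
    return {ioc.value.lower(): ioc for ioc in feed}


def correlate(feed: List[Indicator], logs: List[str], min_confidence: int = 0) -> List[Match]:
    """Return every log line that contains a feed indicator at or above min_confidence."""
    index = build_index(feed)
    matches = []
    for line in logs:
        for value in extract_observables(line):
            ioc = index.get(value)
            if ioc is not None and ioc.confidence >= min_confidence:
                matches.append(Match(line, ioc))
    return matches


def by_actor(matches: List[Match]) -> Dict[str, int]:
    """Summarize hits per attributed group: the 'who is attacking' view for the analyst."""
    counts: Dict[str, int] = {}
    for m in matches:
        counts[m.indicator.actor] = counts.get(m.indicator.actor, 0) + 1
    return counts


if __name__ == "__main__":
    for m in correlate(FEED, LOGS):
        print(f"[{m.indicator.actor} / {m.indicator.ttp} / conf={m.indicator.confidence}] {m.line}")
    print(by_actor(correlate(FEED, LOGS)))
```

The `min_confidence` threshold is where the feed's own quality rating is applied: a low-confidence hash hit can be routed to a hunting queue while a high-confidence C2 address hit pages the on-call analyst. In a real SIEM the index would be the platform's lookup table or watchlist, refreshed as the feed updates and with expired indicators removed.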
Threat intelligence is delivered at two different levels, depending on the intended audience. Strategic-level intelligence is human-readable and not very technical; it is meant to be processed by people (for example, C-suite personnel) to give them insight into the impact of threats on business continuity and help them make the right decisions. Typical strategic formats are reports and newsletters.
Operational-level intelligence, on the other hand, is machine-readable data that SOC analysts retrieve and feed into security devices (SIEM, IDPS, firewalls) so those devices can act on threats. It is usually distributed in a structured format to ease processing; at the time of writing that is most often XML. Because of this variety in form and use, TI benefits people in many roles within the same organization: in addition to the board and SOC analysts, incident response teams can draw on it to scope and remediate security incidents.
For more information on the different types of TI, such as strategic and operational, see the “Aim Small, Miss Small: Producing a World-Class Threat Intelligence Capability” white paper by Levi Gundert.
Dismissing Irrelevant Information
There are a number of reasons companies should use TI. One of the most useful is cutting the time spent analyzing alerts about irrelevant threats (e.g., vulnerabilities in applications that are not even present on the defended network; we saw in the previous post that this happens when a company is flooded with alerts). With good intelligence, an enterprise can dismiss irrelevant indicators, weed out false positives, and focus on the threats it actually faces.
If you work for a bank, for example, you can use TI tailored to financial institutions, from security vendors or partners (e.g., other banks that may have seen new threats first), to defend against the threats your business actually faces. You can also consume generic TI (applicable to any business) to help prevent leaks of intellectual property or of employees’ personally identifiable information (PII). TI also improves vulnerability management: it provides a basis for prioritizing indicators and patches, so that IT staff fix the most dangerous vulnerabilities first.
Given the different types and broad applications, there are several ways to consume TI. As mentioned above, from the strategic to the operational level, several groups can benefit from such intelligence and help keep the business running. TI thus becomes an integrated part of the security lifecycle, involving many actors within the enterprise.
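The filtering and prioritization described in the two paragraphs above, as an added example that is not part of the original post: constructed advisories from a hypothetical feed are checked against a constructed asset inventory, those concerning products the organization does not run are dismissed, and the rest are ranked by severity, exploitation status, sector targeting, and how many hosts are exposed. The advisory labels (TI-001 etc.), product names, hosts, and scoring weights are all invented for illustration; real feeds carry vendor or standard identifiers and the weights are a policy decision for each organization.

```python
"""Dismiss irrelevant advisories and rank the rest against the local inventory (illustrative)."""
from dataclasses import dataclass
from typing import Dict, FrozenSet, List, Set, Tuple


@dataclass(frozen=True)
class Advisory:
    ref: str                    # constructed label, not a real advisory or CVE identifier
    summary: str
    affected: FrozenSet[str]    # lower-cased product names the advisory applies to
    sectors: FrozenSet[str]     # sectors the associated campaign targets; empty = generic
    exploited_in_wild: bool     # whether the feed reports active exploitation
    severity: int               # 1-10 as supplied by the (hypothetical) feed


# Constructed asset inventory: product -> hosts running it.
INVENTORY: Dict[str, Set[str]] = {
    "examplecms": {"web-01", "web-02"},
    "acme-ssl-vpn": {"vpn-01"},
}
ORG_SECTOR = "finance"  # the bank in the text

# Constructed advisories (summaries and products are made up).
ADVISORIES = [
    Advisory("TI-001", "Pre-auth RCE in ExampleCMS", frozenset({"examplecms"}),
             frozenset({"finance", "retail"}), True, 9),
    Advisory("TI-002", "Credential theft campaign against Acme SSL VPN", frozenset({"acme-ssl-vpn"}),
             frozenset({"finance"}), True, 7),
    Advisory("TI-003", "Denial of service in WidgetMailer", frozenset({"widgetmailer"}),
             frozenset(), False, 5),
    Advisory("TI-004", "Memory corruption in an ExampleCMS plugin", frozenset({"examplecms"}),
             frozenset(), False, 8),
]


def is_relevant(adv: Advisory, inventory: Dict[str, Set[str]]) -> bool:
    """An advisory matters only if at least one affected product is actually deployed."""
    return any(product in inventory for product in adv.affected)


def score(adv: Advisory, inventory: Dict[str, Set[str]], sector: str) -> int:
    """Illustrative priority score: higher means patch or hunt first.

    Weights are assumptions for this example: active exploitation outweighs
    raw severity, sector targeting adds a bonus, and each exposed host adds one.
    """
    exposure = sum(len(inventory.get(p, ())) for p in adv.affected)
    s = adv.severity
    if adv.exploited_in_wild:
        s += 10
    if sector in adv.sectors:
        s += 5
    return s + exposure


def prioritize(advisories: List[Advisory], inventory: Dict[str, Set[str]],
               sector: str) -> Tuple[List[Advisory], List[Advisory]]:
    """Split advisories into (ranked relevant, dismissed) for the given environment."""
    relevant = [a for a in advisories if is_relevant(a, inventory)]
    dismissed = [a for a in advisories if not is_relevant(a, inventory)]
    relevant.sort(key=lambda a: score(a, inventory, sector), reverse=True)
    return relevant, dismissed


if __name__ == "__main__":
    ranked, dropped = prioritize(ADVISORIES, INVENTORY, ORG_SECTOR)
    for a in ranked:
        print(f"{score(a, INVENTORY, ORG_SECTOR):>3}  {a.ref}  {a.summary}")
    for a in dropped:
        print(f"  -  {a.ref}  dismissed: not deployed here ({', '.join(sorted(a.affected))})")
```

The dismissal step is the one that reduces alert volume: an advisory about a product that is not in the inventory never reaches an analyst. Keeping the inventory accurate therefore becomes part of the intelligence process, since an unknown asset silently turns a relevant advisory into a dismissed one.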
In the next post in this series, we will review what tools are required to leverage TI, and discuss why combining SIEM and TI could be a perfect match.
1 Irving Lachow, “Active Cyber Defense: A Framework for Policymakers” (Washington, DC, February 2013).
2 Jon Friedman and Mark Bouchard, Definitive Guide to Cyber Threat Intelligence (CyberEdge Press, Annapolis, MD, 2015).