A Brief Overview of Threat Intelligence. (2018, 19 noviembre). FileCloudBlog. Recuperado 7 de junio de 2022, de https://www.filecloud.com/blog/2018/11/a-brief-overview-of-threat-intelligence/#.Yp95VijMJPY
What is Threat Intelligence?
Let us kick off with the basics, Threat intelligence is data that is collected, processed, and analyzed to understand a threat actor’s motives, targets, and attack behaviors. Threat intelligence enables us to make faster, more informed, data-backed security decisions and change their behavior from reactive to proactive in the fight against threat actors.
In other words, Threat Intelligence platforms learn from other attacks that have happened and that have been documented by using the Thread Intelligence feeds.
The Benefits of Threat Intelligence.
Threat intelligence benefits organizations of all shapes and sizes by helping process threat data to better understand their attackers, respond faster to incidents, and proactively get ahead of a threat actor’s next move. For SMBs, this data helps them achieve a level of protection that would otherwise be out of reach. On the other hand, enterprises with large security teams can reduce the cost and required skills by leveraging external threat intel and making their analysts more effective.
From top to bottom, threat intelligence offers unique advantages to every member of a security team, including:
Sec/IT Analyst
SOC
CSIRT
Intel Analyst
Executive Management
How can it benefit each position?
Sec/IT Analyst :Optimize prevention and detection capabilities and strengthen defenses
SOC: Prioritize incidents based on risk and impact to the organization
CSIRT: Accelerate incident investigations, management, and prioritization
Intel Analyst: Uncover and track threat actors targeting the organization
Executive Management : Understand the risks the organization faces and what the options are to address their impact
Threat Intelligence Platforms.
A Threat Intelligence Platform (TIP) is a technology solution that collects, aggregates, and organizes threat intel data from multiple sources and formats. A TIP provides security teams with information on known malware and other threats, powering efficient and accurate threat identification, investigation, and response.
A threat intelligence platform is:
Connected to internal systems and external security research feeds
Updated in real-time to reflect the latest global and internal events
Integrated with incident handling systems
Even though there is a large number of TIP’s out there, the best ones based on a list from eSecurity Planet (https://www.esecurityplanet.com/products/threat-intelligence-platforms/) are:
IBM X-Force Exchange.
Anomali ThreatStream.
SolarWinds Security Event Manager.
Palo Alto Networks Cortex XSOAR TIM.
LogRhythm Threat Lifecycle Management (TLM) Platform.
Mandiant Threat Intelligence Suite.
LookingGlass Cyber Solutions.
ThreatConnect.
Key features in a top threat intelligence platform include the consolidation of threat intelligence feeds from multiple sources, automated identification and containment of new attacks, security analytics, and integration with other security tools like SIEM, Next-Gen Firewalls and EDR.
When looking for a TIP, these are the 5 Need-to-Have Features:
1. Dynamic intelligence feed
The primary purpose of threat intelligence is to provide regular and up-to-date information on cybersecurity attacks. The platform should be linked with IT endpoints and security systems to monitor the landscape for threats.
2. Automated workflows
A threat intelligence platform may deploy automation at multiple levels. It can automatically fetch and refresh information feeds without manual updates or ad-hoc report generation. Next-gen threat intelligence platforms use cognitive technologies to filter out the noise and surface only high-priority information automatically.
3. Integration with the IT ecosystem
The threat intelligence platform you choose must support seamless integration with the rest of your IT infrastructure. Ideally, this should be a bidirectional integration, which means that your IT systems deliver internal threat data to the platform while the platform streams a real-time data feed to your security operations center. Most platforms include flexible applications programming interfaces (APIs) to connect them to virtually any software system.
4. Smart data visualization
Data visualization is at the heart of threat intelligence. Data can be useful to IT teams only when represented in a smart and easy-to-consume manner. The platform should have dashboards that support role-based access, data filtering and search, layout customization, etc. Threat intelligence data should be visualized via maps, trend graphs, timelines, tables, and charts – as necessary – so that you can easily spot correlations and perform a deeper analysis.
5. Analysis tools
A feature that’s now increasingly popular when selecting threat intelligence platforms is built-in analysis tools. While the platform can be integrated with an external analysis tool using APIs, it can be helpful to include built-in tools for threat analysis and investigation. For instance, prebuilt search dimensions could help you navigate the dense information contained in the threat intelligence feed. Some platforms also support collaborative analysis.
Feeds of Threat Intelligence.
Threat intelligence feeds are continuous data streams filled with threat information collected by artificial intelligence. These feeds provide information on cybersecurity threats and trends in real-time, enabling organizations to proactively defend against attacks. Security team and Organizations can also use this information to better understand potential hackers tactics, techniques and procedures to be able to improve their security posture and approach accordingly.
There is a large number of Feeds out there that work with TIPs to learn and be better. I cannot mention them all as it would take a really long time to discuss each one, but I will list 5 of the Best Open Source Feeds as of Today.
1. Department of Homeland Security: Automated Indicator Sharing
Private companies can report cyber threat indicators with the DHS, which are then distributed via the Automated Indicator Sharing website. This database helps reduce the effectiveness of simple attacks by exposing malicious IP addresses, email senders, and more.
2. FBI: InfraGard Portal
The FBI’s InfraGard Portal provides information relevant to 16 sectors of critical infrastructure. Private and public sector organizations can share information and security events, and the FBI also provides information on cyber-attacks and threats that they are tracking.
3. @abuse.ch: Ransomware Tracker
Ransomware Tracker collects data related to ransomware attacks so that security teams can check IP addresses and URLs against those that are known to be involved in attacks. The tracker provides detailed information on the servers, sites, and infrastructure that have been exploited by ransomware actors, as well as recommendations for preventing attacks.
4. SANS: Internet Storm Center
The Internet Storm Center, formerly known as the Consensus Incidents Database, came to prominence in 2001, when it was responsible for the detection of the “Lion” worm. It uses a distributed sensor network that takes in over 20 million intrusion detection log entries per day to generate alerts regarding security threats. The site also provides analysis, tools, and forums for security professionals.
5. VirusTotal: VirusTotal
VirusTotal uses dozens of antivirus scanners, blacklisting services, and other tools to analyze and extract data from files and URLs submitted by users. The service can be used to quickly check incidents like suspected phishing emails, and every submission is retained in its database to build a global picture of cyber threats.
Based on the information provided above and how the attacks and how the attacker continues to improve and bypass tools that where once, “Unbreakable”, we in the Security Industry need to keep thinking ahead and learning from the attacks. If there is a lesson to be learned in any hacking incident in the past, is that, they will continue to try and are relentless to stop trying to access, and using past attacks to learn and improve on how to defend and not only play defense when a threat happens, but being able to react and sometimes even prevent the attack is what Threat Intelligence is all about.
Creating a database that continues to learn from past scenarios to try and guess and predict an attacker next step.
By
Francisco Cosio
Senior Security Engineer
Sources: