Today, I am going to discuss the threat intelligence process at a fictional, but typical, financial organization called DPS. The threat intelligence process is an integral component of securing and protecting DPS assets, brand, and reputation. The company must protect its proprietary intellectual property from a wide range of threats. At the same time, as a critical component of the financial system, DPS faces many attacks aimed at its data and processes. Finally, DPS must protect its brand and reputation, which are built upon customers’ trust in the security of the company. The threat intelligence process allows DPS to assimilate intelligence on indicators of compromise (IOC) and threat actors and take proactive steps to protect against, counter, or mitigate such threats.
The main challenges with the threat intelligence process include varied levels of confidence in IOCs, ensuring actionable intelligence, timeliness of intelligence and response, and minimizing possible self-inflicted damage when responding. DPS receives IOCs from multiple sources, including paid services, vendors, open-source services, and governments. The quality of these intelligence feeds and the confidence in each source can vary widely. Further, intelligence sources may include IOCs that are not applicable to DPS or are outdated. Finally, when responding to any possible threat, DPS must consider the possible impact that action may have on its business.
Current Symptoms and Concerns
The sheer volume of threat indicators puts a strain on DPS resources to filter through the noise and find the credible, actionable threat indicators in a timely fashion. The primary concern is what we are not seeing. Intelligence analysts cannot devote enough time to vet every intelligence feed and indicator thoroughly. Poorly vetted indicators lead to a lot of false positive alerts in the Security Operations Center (SOC). The security analysts who are inundated by what they believe are false positives may begin to ignore these alerts or create filters to whitelist the alerts.
Another symptom of the current process is that the security analysts are spending nearly all their time reacting to alerts. Many of these alerts are time-consuming and repetitive. The security analysts spend too much time gathering data, which decreases the amount of time to discern and decide on a course of action (COA). Another manifestation of this issue is that security analysts do not have time to search and hunt deeper threats and vulnerabilities proactively. This lack of time to proactively search for threats and vulnerabilities increases the already considerable advantage enjoyed by the attackers.
Current human-centered cyber defense practices employed by DPS cannot keep pace with the speed and volume of the threats targeting organizations like DPS. Further, the gap between the speed of attack and the speed of response is getting worse (Fonash & Schneck, 2015). Defenders need to drastically increase the speed of both detection of and response to cyber-attacks. Organizations like DPS must automate many risk-based decisions to facilitate an increase in detection and response speed.
Feasibility of a Solution
DPS has many technical resources that it could use to improve the threat intelligence process. Recent advances in security automation and orchestration hold great promise, and, if applied correctly, could improve both the quality and speed of the threat intelligence process. DPS can leverage the security and information resources at its disposal to increase the speed, accuracy, and applicability of the intelligence feeds. By improving the threat intelligence intake, DPS may also automate much of the response action. The improvements and automation will allow the humans in the process to focus on discerning and deciding on appropriate COA.
The future threat intelligence business process must address the issues and concerns present in the existing process. The future process must leverage security automation and orchestration to enrich intelligence and automate many of the repetitive, error-prone tasks currently performed by the security analysts. By using automation to enhance the process, security analysts will be able to focus on decision making and deeper threat hunting activities.
Applying Automation to the Threat Intelligence Process
The use of automation in the threat intelligence process can assist in increasing confidence in intelligence feeds, decreasing time to detect, decreasing time to respond, and increasing awareness of advanced threats. After intelligence analysts apply initial confidence ratings to each intelligence feed, the actions taken by SOC analysts can influence the confidence ratings. Automation can also quickly filter out non-applicable and outdated IOCs. For each remaining alert, automation can retrieve enrichment data from security devices and other data enrichment sources. Based on the enriched data, the automation can determine a recommended COA. For high-confidence, low-impact indicators, the automation can apply the COA. For all other indicators, the automation can present the enriched data and the recommended COA to the SOC analyst. The SOC analyst can decide whether to apply the recommended COA or to take alternate action. The confidence rating of the originating intelligence feed is boosted if the SOC analyst chooses the recommended COA. Otherwise, if the SOC analyst selects an alternate COA or determines the alert is a false-positive, the confidence rating is diminished.
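The loop described above (initial feed confidence, filtering of outdated or non-applicable IOCs, enrichment, a recommended COA, automatic application only for high-confidence and low-impact cases, and a feedback adjustment to the feed's confidence based on the SOC analyst's decision) is small enough to model end to end. The following is an added example, not code from the article or from any DPS system; the feed names, IOC values, thresholds (AUTO_APPLY_THRESHOLD, MAX_IOC_AGE, ADJUST_STEP), the applicable IOC types, and the internal sightings table standing in for security-device data are all constructed.

```python
"""Added example (not from the original article): a toy model of the
automated threat-intelligence loop.  All feeds, IOC values, thresholds
and the 'internal sightings' enrichment data are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from enum import Enum

AUTO_APPLY_THRESHOLD = 0.8        # assumed: feed confidence needed to auto-apply a COA
MAX_IOC_AGE = timedelta(days=30)  # assumed: indicators older than this are discarded
APPLICABLE_TYPES = {"ip", "domain", "sha256"}  # assumed: IOC types DPS can act on
ADJUST_STEP = 0.05                # assumed: confidence change per analyst decision
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock so results are reproducible


class Decision(Enum):
    APPLY_RECOMMENDED = "apply_recommended"
    ALTERNATE_COA = "alternate_coa"
    FALSE_POSITIVE = "false_positive"


@dataclass
class Feed:
    name: str
    confidence: float  # 0.0-1.0, initial rating assigned by intelligence analysts


@dataclass
class Indicator:
    value: str
    ioc_type: str
    feed: str
    last_seen: datetime


@dataclass
class Enriched:
    indicator: Indicator
    hits_on_critical_assets: int  # sightings in logs from business-critical assets
    hits_elsewhere: int
    impact: str = "low"           # business impact of applying the COA: "low" or "high"
    recommended_coa: str = "monitor"


# Constructed stand-in for the security-device data an enrichment step would query.
INTERNAL_SIGHTINGS = {
    "203.0.113.7": {"critical": 0, "other": 3},
    "payments.example.net": {"critical": 12, "other": 0},
}


def filter_indicators(indicators, now=NOW):
    """Drop IOCs that are outdated or of a type DPS cannot act on."""
    return [i for i in indicators
            if i.ioc_type in APPLICABLE_TYPES and now - i.last_seen <= MAX_IOC_AGE]


def enrich(indicator):
    """Attach sighting counts and derive the impact of acting on the indicator."""
    s = INTERNAL_SIGHTINGS.get(indicator.value, {"critical": 0, "other": 0})
    e = Enriched(indicator, s["critical"], s["other"])
    # Blocking something that critical assets communicate with is a high-impact action,
    # so it gets a human decision rather than an automatic block.
    e.impact = "high" if e.hits_on_critical_assets > 0 else "low"
    if e.hits_on_critical_assets > 0:
        e.recommended_coa = "investigate_then_block"
    elif e.hits_elsewhere > 0:
        e.recommended_coa = "block_and_ticket"
    else:
        e.recommended_coa = "block"
    return e


def triage(enriched, feeds):
    """Return 'auto' when the COA is applied without a human, else 'analyst'."""
    feed = feeds[enriched.indicator.feed]
    if feed.confidence >= AUTO_APPLY_THRESHOLD and enriched.impact == "low":
        return "auto"
    return "analyst"


def record_decision(feed, decision):
    """Feedback loop: agreement with the recommended COA raises the feed's
    confidence; an alternate COA or a false positive lowers it.  Clamped to [0, 1]."""
    delta = ADJUST_STEP if decision is Decision.APPLY_RECOMMENDED else -ADJUST_STEP
    feed.confidence = min(1.0, max(0.0, round(feed.confidence + delta, 4)))
    return feed.confidence


def run_pipeline(indicators, feeds, now=NOW):
    """Filter, enrich and triage a batch; returns outcome -> list of IOC values."""
    out = {"dropped": [], "auto": [], "analyst": []}
    kept = filter_indicators(indicators, now)
    kept_values = {i.value for i in kept}
    out["dropped"] = [i.value for i in indicators if i.value not in kept_values]
    for ind in kept:
        out[triage(enrich(ind), feeds)].append(ind.value)
    return out


# Constructed sample feeds and indicators.
FEEDS = {
    "vendor_premium": Feed("vendor_premium", 0.9),
    "open_source_list": Feed("open_source_list", 0.5),
}
SAMPLE = [
    Indicator("203.0.113.7", "ip", "vendor_premium", NOW - timedelta(days=2)),
    Indicator("payments.example.net", "domain", "vendor_premium", NOW - timedelta(days=1)),
    Indicator("198.51.100.9", "ip", "open_source_list", NOW - timedelta(days=5)),
    Indicator("bad.example.org", "domain", "open_source_list", NOW - timedelta(days=90)),
    Indicator("alerts@example.com", "email", "vendor_premium", NOW),
]

if __name__ == "__main__":
    print(run_pipeline(SAMPLE, FEEDS))
```

Running it drops the 90-day-old domain and the email indicator (a type outside APPLICABLE_TYPES), auto-applies the COA for the high-confidence vendor IP seen only on non-critical assets, and routes both the domain seen on critical assets and the low-confidence open-source IP to an analyst. The clamp in record_decision is what keeps a feed from drifting outside the 0.0-1.0 range after many analyst decisions; the step size is the knob that controls how quickly a feed's rating reacts to SOC feedback.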
Goals and Expected Benefits
There are two major benefits expected from the future-state process. The first benefit is increasing the speed of response and remediation of IOCs received from intelligence feeds. The other significant benefit is the more effective use of the SOC analysts. With the future-state process, the SOC analysts can concentrate on events that require human decision-making and on proactive threat hunting activities. The future-state process must focus on several key goals to achieve the expected benefits. These goals include:
- Improve the confidence ratings and consistency of intelligence feeds;
- Automate the enrichment of IOCs, which will decrease the time to detect, the time SOC analysts spend enriching alerts, and the time to respond;
- Fully automate the response for many IOCs, further reducing the time to respond; and
- Identify the most reliable intelligence sources and discontinue those sources that provide little value.
Meeting the above goals will ensure that the future-state process delivers the expected benefits. With the SOC analysts spending more time on proactive measures, such as threat hunting, the security team will be able to detect more advanced threats and increase the security posture of the company. As a side benefit, the SOC analyst’s role will become more rewarding and allow for career growth, which should help the company retain quality analysts.
About the author: Donnie Wendt is an information security professional focused on designing and engineering security controls and monitoring solutions. Also, Donnie is an adjunct professor of cybersecurity at Utica College. Donnie is currently pursuing a Doctorate of Science in Computer Science with a research focus on security automation and orchestration.
Fonash, P., & Schneck, P. (2015, January). Cybersecurity: From months to milliseconds. Computer, 42-50. doi:10.1109/MC.2015.11