“I give myself good advice, but I seldom follow it.”
– Alice in Wonderland
In the threat intelligence space, vendors market threat feeds as a source of “good advice”. But are subscription-based threat feeds truly providing actionable intelligence? A challenge for any SOC operations manager is to determine whether their threat feed is really creating value or just producing a barrage of alerts that send their analyst teams “down a rabbit hole”.
Most enterprise organizations operate numerous technologies, including IDS, firewalls and endpoint security tools, and more recently have begun pumping their threat feeds directly into these tools. With raw indicator data fed straight into those systems, analysts find themselves responding to alerts that carry no actual context. This results in one of two problems: the SOC analyst either 1) chases down activity that may not be relevant to their organization, or 2) investigates a relevant alert but is not empowered with the context of the attack needed to respond properly.
We recently witnessed an example of this when a small SOC that we work with reported that it was receiving 58,000 alerts every day generated from its many tools and threat feeds, yet the team only had four full-time staff members to investigate and triage all of the alerts. In the end it was determined that the team struggled to filter out the noise because there were too many irrelevant alerts produced by hits from every domain or IP address sourced by the threat feed.
A solution to this problem is to incorporate threat intelligence that connects indicators of compromise (IOCs) to specific adversaries and their techniques, tactics and procedures. Typically, this comes in the form of tracking “campaigns” of adversary activity. Our view of campaigns has been to categorize them by the actual threat actors, as well as by their subsequent actions, motives and the characteristics of the attacks. This approach is about understanding the purpose of the attack and using the intelligence gained from it over an extended period of activity. Philosophically, this means thinking about security proactively in order to determine which attacks can be connected to specific threat actors and motives. That way, when a similar attack happens, the analyst will know how to respond and be better prepared for the outcome.
Once you have determined that your threat intelligence providers are using campaign-based data sourced from actual adversary activity, you can begin to integrate it into the technologies you use to defend your network. An example would be to incorporate this campaign-derived intelligence directly into a machine-learning-based endpoint threat detection and response system. By combining relevant threat intelligence with a system that can use the context of the attack when determining its severity, the system will begin to produce alerts that are more meaningful, contain more context and appropriately link related activities to each other. This not only provides the appropriate context for the analyst but also helps them determine when real campaign-related activity is occurring on the endpoints.
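The following is an added example, not code from the original post or from any vendor it describes. It contrasts the two pipelines discussed above: a flat feed that raises one alert per indicator hit, and a campaign-aware step that attaches actor and TTP context to each hit, groups related hits on a host into a single alert, and weights severity by how many campaign stages are observed together. The campaign table, feed entries, indicator values (reserved documentation addresses and `.test` domains) and endpoint events are all constructed for illustration; the campaign and actor names are placeholders, not attributions.

```python
from collections import defaultdict

# Constructed campaign-based intelligence: every indicator is tied to a campaign,
# an actor, the technique it was observed in, and the attack stage it belongs to.
# Names and values are illustrative placeholders, not real IOCs or attributions.
CAMPAIGN_INTEL = {
    "malicious-example.test": {"campaign": "CAMPAIGN-A", "actor": "ACTOR-1",
                               "ttp": "phishing link", "stage": "initial-access"},
    "203.0.113.10": {"campaign": "CAMPAIGN-A", "actor": "ACTOR-1",
                     "ttp": "web-based C2", "stage": "command-and-control"},
    "198.51.100.7": {"campaign": "CAMPAIGN-B", "actor": "ACTOR-2",
                     "ttp": "exfiltration over C2 channel", "stage": "exfiltration"},
}

# Constructed flat feed: the same indicators plus bulk entries with no context at all.
FLAT_FEED = set(CAMPAIGN_INTEL) | {"192.0.2.55", "192.0.2.56", "cdn-example.test"}

# Constructed endpoint/network events: host, ordering timestamp, contacted indicator.
EVENTS = [
    {"host": "wks-01", "ts": 1, "indicator": "cdn-example.test"},
    {"host": "wks-01", "ts": 2, "indicator": "malicious-example.test"},
    {"host": "wks-01", "ts": 3, "indicator": "203.0.113.10"},
    {"host": "wks-02", "ts": 4, "indicator": "192.0.2.55"},
    {"host": "wks-02", "ts": 5, "indicator": "192.0.2.56"},
    {"host": "wks-03", "ts": 6, "indicator": "198.51.100.7"},
]


def flat_feed_alerts(events, feed):
    """Raw feed-to-IDS behaviour: one context-free alert for every indicator hit."""
    return [{"host": e["host"], "indicator": e["indicator"]}
            for e in events if e["indicator"] in feed]


def campaign_alerts(events, intel, feed):
    """Campaign-aware enrichment.

    Hits that map to a known campaign are enriched with actor/TTP/stage and
    grouped per (host, campaign) into one alert. Feed hits with no campaign
    context are counted as suppressed noise rather than raised individually.
    Returns (alerts, suppressed_count).
    """
    grouped = defaultdict(list)
    suppressed = 0
    for e in events:
        ctx = intel.get(e["indicator"])
        if ctx is None:
            if e["indicator"] in feed:
                suppressed += 1  # feed hit with no campaign linkage
            continue
        grouped[(e["host"], ctx["campaign"])].append({**e, **ctx})

    alerts = []
    for (host, campaign), hits in grouped.items():
        hits.sort(key=lambda h: h["ts"])
        stages = [h["stage"] for h in hits]
        alerts.append({
            "host": host,
            "campaign": campaign,
            "actor": hits[0]["actor"],
            "ttps": [h["ttp"] for h in hits],
            "kill_chain": stages,
            # Severity rises when more than one stage of the same campaign is
            # seen on one host: that linkage is the context a flat feed lacks.
            "severity": "high" if len(set(stages)) > 1 else "medium",
        })
    return alerts, suppressed


if __name__ == "__main__":
    flat = flat_feed_alerts(EVENTS, FLAT_FEED)
    enriched, noise = campaign_alerts(EVENTS, CAMPAIGN_INTEL, FLAT_FEED)
    print(f"flat feed: {len(flat)} alerts, no context")
    print(f"campaign-aware: {len(enriched)} alerts, {noise} context-free hits suppressed")
    for a in enriched:
        print(f"  {a['host']} {a['campaign']} ({a['actor']}) "
              f"severity={a['severity']} chain={' -> '.join(a['kill_chain'])}")
```

On the constructed events, the flat feed raises six alerts, one per hit, while the campaign-aware step raises two: a high-severity alert for `wks-01`, where a phishing-stage and a C2-stage indicator of the same campaign appear in sequence, and a medium-severity alert for `wks-03`. The three bulk-feed hits with no campaign linkage are counted rather than surfaced, which is the noise reduction the text describes. In practice the suppressed count should still be recorded for tuning the feed, and the grouping window would be bounded in time rather than spanning the whole event set.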
This approach helps filter out the noise of events generated from non-contextual threat data. It also presents the SOC team with actionable intelligence that reduces the time spent chasing events with no relevance to their network - which ultimately leads to a more efficient SOC that is not only making the most of its subscription threat intelligence but is also beginning to generate its own. So avoid falling down the rabbit hole and take our good advice: stop depending on automated alerts generated by threat feed providers, and look for solutions that build context from campaign-driven, context-specific threat intelligence.