Recently, I discussed the importance of situational awareness to Security Operations Center (SOC) effectiveness. Without anticipatory intelligence and context surrounding cyber-threats, SOCs receive a lower return on investment on tools such as threat feeds and endpoint solutions.
Threat intelligence feeds are meant to give organizations proactive information so they can better defend their data and networks. Unfortunately, improper use of threat feed data is a major reason for a reactive cybersecurity posture, and this inability to use threat intelligence proactively is often driven by an organization’s lack of cybersecurity maturity.
According to one IDC report, 77% of the companies surveyed equated SIEM with threat intelligence, and 35% associated threat intelligence with information shared within the security community. Neither is threat intelligence itself: a SIEM is a tool that consumes intelligence, and community sharing is only one source of it. These two findings demonstrate the shallow level of cybersecurity maturity in many organizations.
If a SOC’s cybersecurity maturity can be increased by having more knowledge about threats and about the threat intelligence it consumes, then it is incumbent on threat intelligence providers to give customers more relevance and context, that is, situational awareness, in the content they deliver.
Once a threat feed has been defined, the next step is to understand the data’s relevance to your organization, that is, its context. In this capacity, SOCs need to challenge the value of each feed to their organization: does an indicator apply to the sector, technologies and geography the organization actually operates in, or is it noise that will only generate alerts nobody can act on?
To enhance the intelligence gathered from your own environment, it is important to incorporate anticipatory intelligence from other data sources, such as social network intelligence, to instill a greater sense of context. Leidos Cyber Threat Analysis through Open-Source Intelligence is the only strategic service that produces this level of anticipatory intelligence, extrapolated from social networking sites. It allows your organization to incorporate sector and cross-sector knowledge of cyber-threat trends, and to filter that intelligence down to the level of adversary tactics, techniques and procedures (TTPs) in order to prevent or avoid attacks.
Similar to how advanced radar systems combined with powerful algorithms help forecast weather patterns, OSINT technology can help predict incoming attacks or potential dangers, both inside and outside your sector or geography. By applying trend and pattern analysis and visualization to various types of cyber data, OSINT technology supports better cyber threat forecasts. The data it draws on includes:
- Threat topics, and messages discussing indicators of compromise (IOCs);
- Attack tools and methods, such as DDoS, spear phishing and man-in-the-middle attacks;
- Reports on groups such as hacktivists, criminal organizations, terrorist groups, state-sponsored hackers and others of interest to SOC analysts;
- The positive and negative tones surrounding those topics, people, locations and organizations;
- The propagation of threat intelligence among web communities, and a quantitative scale for ranking the most authoritative and influential authors and sources.
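The last two items above, propagation among web communities and a quantitative ranking of sources, are where raw counting of mentions falls short. The following is an added example, not Leidos code and not part of the original post, of one way to turn a propagation graph into an authority score and then weight threat topics by who is talking about them. The source names, sectors, topics, citation edges and tone values are all constructed for illustration; the ranking method assumed is PageRank over a "who cites whom" graph, which is one common choice, not necessarily the one any particular service uses.

```python
"""
Added example: rank OSINT sources by influence in a constructed citation
graph, then rank threat topics for one sector by authority-weighted mentions.
This is illustrative code, not the original post's or any vendor's product.
"""
from collections import defaultdict

# Constructed citation edges: (citing_source, cited_source).
# An edge A -> B means A relayed or cited intel that originated with B.
CITATIONS = [
    ("blog_a", "researcher_x"),
    ("forum_b", "researcher_x"),
    ("blog_a", "vendor_y"),
    ("forum_b", "blog_a"),
    ("paste_c", "forum_b"),
    ("paste_c", "researcher_x"),
    ("vendor_y", "researcher_x"),
]

# Constructed mentions: (source, sector, topic, tone), tone in {-1, 0, +1}.
MENTIONS = [
    ("researcher_x", "finance", "spear phishing", -1),
    ("vendor_y", "finance", "spear phishing", -1),
    ("blog_a", "finance", "ddos", -1),
    ("forum_b", "energy", "ddos", -1),
    ("paste_c", "finance", "ddos", 0),
    ("paste_c", "finance", "credential dump", -1),
    ("forum_b", "finance", "credential dump", 0),
]


def pagerank(edges, damping=0.85, iterations=50):
    """Power-iteration PageRank over the citation graph.

    A source cited by many well-cited sources scores high; a source that only
    reposts others scores low. Rank held by dangling nodes (no out-edges) is
    redistributed uniformly, the standard correction, so the total stays 1.
    """
    nodes = sorted({n for edge in edges for n in edge})
    out_links, in_links = defaultdict(list), defaultdict(list)
    for src, dst in edges:
        out_links[src].append(dst)
        in_links[dst].append(src)
    n = len(nodes)
    rank = {node: 1.0 / n for node in nodes}
    for _ in range(iterations):
        dangling = sum(rank[node] for node in nodes if not out_links[node])
        new_rank = {}
        for node in nodes:
            incoming = sum(rank[src] / len(out_links[src]) for src in in_links[node])
            new_rank[node] = (1 - damping) / n + damping * (incoming + dangling / n)
        rank = new_rank
    return rank


def rank_sources(edges=CITATIONS):
    """Sources ordered from most to least influential."""
    authority = pagerank(edges)
    return sorted(authority, key=authority.get, reverse=True)


def raw_counts(sector, mentions=MENTIONS):
    """Naive view: how many times each topic is mentioned for the sector."""
    counts = defaultdict(int)
    for _source, sec, topic, _tone in mentions:
        if sec == sector:
            counts[topic] += 1
    return dict(counts)


def rank_topics(sector, mentions=MENTIONS, edges=CITATIONS):
    """Topics for one sector, weighted by the authority of who discusses them.

    Negative tone (a warning or a report of an attack) gets extra weight; the
    1.5 factor is an assumed tuning value. One influential researcher can
    outrank several low-authority reposters, which is the context a raw
    mention count lacks.
    """
    authority = pagerank(edges)
    score = defaultdict(float)
    for source, sec, topic, tone in mentions:
        if sec != sector:
            continue
        score[topic] += authority.get(source, 0.0) * (1.5 if tone < 0 else 1.0)
    return sorted(score, key=score.get, reverse=True)


if __name__ == "__main__":
    print("sources by influence:", rank_sources())
    print("finance raw counts:  ", raw_counts("finance"))
    print("finance by authority:", rank_topics("finance"))
```

In the constructed data every finance topic has exactly two mentions, so a raw count cannot separate them; weighting by source authority puts the topic raised by the most-cited researcher first and the one that only surfaced on a paste site last. The same graph is what a SOC would want to see before deciding how much attention a feed item deserves.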
Recently, Leidos used OSINT technology to help a client make a successful, strategic business decision concerning a proposed geographic move. By leveraging the actionable intelligence from OSINT technology, the client was able to avoid a series of forecasted attacks by not moving to the new location. This is just one example of how the anticipatory intelligence of OSINT technology can help organizations well beyond the capabilities of any other threat intelligence service.