As previously discussed (TIP Defined blog post), a properly employed Threat Intelligence Platform can enable an organization to take a more effective approach to computer network defense. In this post we will delve a bit deeper into how a Threat Intelligence Platform (TIP) can act as a tool for incident response and investigations, becoming a central hub for SOC operations performing with an Intelligence Driven Defense® mindset.
A TIP can integrate with an organization’s Security Information and Event Management (SIEM) to provide analysts with a workspace to respond to the alerts that are ingested – which can be all, a subset, or a correlated blend of the events sent to the SIEM. When an alert comes in, an analyst gathers internal data points and documents them in the TIP. The analyst then triages the data and investigates further if the activity is truly malicious. A TIP can provide the platform for an analyst to record all results from the investigation and analysis of each attempted intrusion. Indicators can be documented, and notes recorded to provide context and explain how the investigation was conducted. Standard courses of action can also be documented so that similar alerts are dispositioned and addressed in a repeatable and efficient manner.
An effective Threat Intelligence Platform can enable analysts to determine patterns of malicious behavior learned from previous events to better address future attacks. All the data from previous investigations and the intelligence that is mined from analyzing intrusion attempts is stored within the TIP and is searchable to enable identification of patterns and quick recognition of relationships. Analysts connect intrusions by correlating indicators or TTPs to determine that an attack is coming from a previously seen adversary.
By conducting a complete analysis and identifying relationships, a comprehensive profile of adversary activity is built that provides insight into the attacker. This includes understanding where, when, why, and how the attackers put together their assault. Analysts can also leverage the external threat intelligence that feeds into a TIP to further understand the adversary and its TTPs.
Connecting the dots is one of the key components that a TIP performs for a SOC with an Intelligence Driven Defense® mindset: the ability to recognize the relationships among incidents beyond simply responding to intrusion attempts. An Intelligence Driven Defense® approach helps clients evolve from being purely reactive to producing and mining actionable intelligence to create a proactive posture. This approach can be supported with a robust Threat Intelligence Platform that manages all your threat intelligence, allowing analysts to identify broader campaign activity by leveraging historical data.
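The workflow described above (record indicators and notes per incident, look up whether an indicator was seen before, link incidents that share indicators or TTPs, and roll linked incidents up into a campaign with a Cyber Kill Chain® profile) is illustrated by the following toy store. It is an added example written for this post, not code from Lockheed Martin or the Palisade™ platform; the incident identifiers, indicator values, TTP descriptions and notes are constructed sample data (domains use the reserved `.invalid` TLD and addresses come from documentation ranges), and the class and function names are the example's own.

```python
"""Toy threat-intelligence store for a SOC workflow (added illustration,
not vendor code): record indicators per incident, look them up on new
alerts, correlate incidents that share indicators, and roll the linked
incidents up into campaigns with a Cyber Kill Chain phase profile."""
from collections import defaultdict
from dataclasses import dataclass

# The seven Cyber Kill Chain phases, used to validate and profile indicators.
KILL_CHAIN = ("Reconnaissance", "Weaponization", "Delivery", "Exploitation",
              "Installation", "Command and Control", "Actions on Objectives")


@dataclass(frozen=True)
class Indicator:
    kind: str    # "domain", "ip", "sha256", "ttp", ...
    value: str
    phase: str   # Kill Chain phase in which the analyst observed it


@dataclass
class Incident:
    incident_id: str
    indicators: list
    notes: str = ""              # analyst context: how the investigation was run
    course_of_action: str = ""   # repeatable disposition for similar alerts


class ThreatIntelStore:
    def __init__(self):
        self.incidents = {}
        self._by_indicator = defaultdict(set)   # (kind, value) -> incident ids

    def record(self, incident):
        """Document an incident and index every indicator it carries."""
        for ind in incident.indicators:
            if ind.phase not in KILL_CHAIN:
                raise ValueError(f"unknown kill chain phase: {ind.phase}")
        self.incidents[incident.incident_id] = incident
        for ind in incident.indicators:
            self._by_indicator[(ind.kind, ind.value)].add(incident.incident_id)

    def lookup(self, kind, value):
        """Incidents in which this indicator was previously seen: the first
        check an analyst runs when a new alert arrives."""
        return sorted(self._by_indicator.get((kind, value), ()))

    def related(self, incident_id):
        """Other incidents sharing at least one indicator, with what is shared."""
        shared = defaultdict(set)
        for ind in self.incidents[incident_id].indicators:
            for other in self._by_indicator[(ind.kind, ind.value)]:
                if other != incident_id:
                    shared[other].add((ind.kind, ind.value))
        return dict(shared)

    def campaigns(self):
        """Connected components of the incident/indicator graph (union-find):
        incidents linked by any chain of shared indicators form one campaign."""
        parent = {i: i for i in self.incidents}

        def find(x):
            while parent[x] != x:
                parent[x] = parent[parent[x]]   # path halving
                x = parent[x]
            return x

        for ids in self._by_indicator.values():
            ids = sorted(ids)
            for other in ids[1:]:
                parent[find(other)] = find(ids[0])
        groups = defaultdict(list)
        for i in self.incidents:
            groups[find(i)].append(i)
        return sorted(sorted(g) for g in groups.values())

    def profile(self, incident_ids):
        """Campaign profile: Kill Chain phase -> distinct indicators observed,
        in phase order, which is the 'where, when and how' view of an adversary."""
        prof = {phase: set() for phase in KILL_CHAIN}
        for i in incident_ids:
            for ind in self.incidents[i].indicators:
                prof[ind.phase].add(f"{ind.kind}:{ind.value}")
        return {phase: sorted(v) for phase, v in prof.items() if v}


def build_sample_store():
    """Constructed sample incidents; values are placeholders, not real IoCs."""
    store = ThreatIntelStore()
    store.record(Incident("INC-1001",
        [Indicator("ttp", "macro-enabled invoice lure", "Delivery"),
         Indicator("domain", "cdn-update.invalid", "Delivery"),
         Indicator("sha256", "c0ffee01", "Installation")],
        notes="Phishing attachment; second stage fetched from cdn-update.invalid.",
        course_of_action="Block domain at proxy, quarantine host, reset credentials."))
    store.record(Incident("INC-1002",
        [Indicator("domain", "cdn-update.invalid", "Delivery"),
         Indicator("ip", "192.0.2.45", "Command and Control")],
        notes="Proxy alert on known-bad domain; beaconing observed."))
    store.record(Incident("INC-1003",
        [Indicator("sha256", "deadbeef", "Installation"),
         Indicator("ip", "198.51.100.9", "Command and Control")],
        notes="Commodity malware, no overlap with other incidents."))
    store.record(Incident("INC-1004",
        [Indicator("ip", "192.0.2.45", "Command and Control"),
         Indicator("ttp", "data staged in archive before exfiltration",
                   "Actions on Objectives")]))
    return store


if __name__ == "__main__":
    s = build_sample_store()
    for campaign in s.campaigns():
        print(campaign, s.profile(campaign))
```

Note how INC-1004 shares nothing with INC-1001 directly, yet `campaigns()` places both in the same group because INC-1002 bridges them; that transitive linking through historical data is what lets an analyst recognise broader campaign activity rather than three separate alerts.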
Lockheed Martin developed the Palisade™ solution to enable analysts to correlate malicious activity. The Palisade™ platform integrates with an organization’s SIEM to provide enterprise-wide alerting capability and manage all threat intelligence. The Palisade™ solution empowers analysts to focus their efforts and adopt an Intelligence Driven Defense® approach by providing a platform for incident investigation and response that is aligned to the Cyber Kill Chain® framework. It allows for the identification of broader campaign activity through the connection of disparate events by leveraging historical intelligence from previous incidents. The Palisade™ platform is an enabler for a more effective approach to computer network defense – an approach that is fueled by analyst tradecraft and intelligence.
Review seven ways to apply the Cyber Kill Chain® with a Threat Intelligence Platform: