Companies have invested in protection technologies for decades – firewalls, web and email security gateways and endpoint protection. Over time, these technologies have increasingly relied upon threat intelligence to create real-time block lists for malware signatures, bad domains and IP addresses, file hashes and more. Despite these measures, attacks still get through.
People tend to think this is the result of a coverage gap: the vendor doesn’t have a signature for the attack. But there is also a timing gap: the vendor may eventually publish a signature, but doesn’t have one at the moment the attack happens. Apart from coverage and timing gaps, organisations also have the problem of physical coverage gaps. They may not have a security device in the area being attacked, so blocking or detecting the attack at the point of intrusion is impossible.
Are companies doomed to live with these security gaps, or is there something they can do to compensate? In truth, companies probably have much of what they need to address these challenges. They just need to find a way to make better use of the security technologies and teams they already have in place.
By creating a library of threat intelligence, security teams can use existing security information and event management (SIEM) log data to help close the coverage, timing and physical security gaps. It may seem like a duplication of effort to create your own threat intelligence library, given most security technologies have their own threat libraries. But, in fact, it is key to leveraging the organisation’s existing security investments. Here’s how:
The signature coverage gap. No vendor covers every attack. In an analysis of the blacklist ecosystem, researchers at Carnegie Mellon University found that the contents of blacklists generally do not overlap. In fact, of the 123 lists reviewed, almost all indicators appeared only on a single list. Further, devices like firewalls have memory limits on the number of signatures they can store at any point in time, and it is up to the vendor to choose which signatures get deployed. A threat library can provide an additional list of signatures tailored to the organisation’s context and scored against its own parameters, which makes them both trustworthy and relevant. Threat intelligence collection, prioritisation and signature deployment to security tools can be automated when an organisation trusts the data because it is scored accurately.
The physical coverage gap. Many non-security devices, like DNS servers or internal application servers, create logs which provide valuable data. A threat library can unlock this security potential through integration with the SIEM, turning non-security devices into security sensors that provide visibility into areas of your infrastructure that other tools can’t reach. Feeding raw threat data into a SIEM generates a lot of noise, so the threat library’s function is to deduplicate, normalise and prioritise raw threat data and deliver only high-fidelity threat intelligence to the SIEM.
The timing gap. The threat library also serves as the organisation’s threat memory. It can go back in time and automatically perform rear-view mirror searches on logs to identify and alert on attacks that have fallen through the cracks because they were not identified as malicious at the time.
Automated threat hunting. A central threat library can also help to address these gaps by automating threat hunting. When a protection technology fails or simply isn’t in place because of physical limitations, breaches happen. Costs start to escalate dramatically because at that point threat hunting is the only way to identify nefarious activity and mitigate damage. But not all threat hunting is the same. Automating as much of the threat hunting process as possible will save time and costs over manual methods. In a survey by the SANS Institute, “Threat Hunting: Open Season on the Adversary”, threat hunters say that better detection and automation top the list of capabilities needed to improve their hunting practices. The report recommends, “threat hunting must be done on a continuous basis utilising automated tools, with manual expertise alerted when anomalies are detected.”
By automatically prioritising threat intelligence, a threat library can determine what to hunt for within your environment. With this focus, you can start an investigation by importing several high-risk indicators of compromise associated with an adversary or high-profile intrusion and then run selected operations to pull in supplemental data points. You can also compare indicators across your infrastructure with internal log data to find additional connections. As new data and learnings are added to the threat library, intelligence is continuously reprioritised to support ongoing threat hunting.
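The three library functions described above (deduplicate, normalise and score raw feed data before it reaches the SIEM; run a rear-view mirror search over logs already stored; and pivot from a hit to the other connections the same host made) can be shown end to end in a small script. The following is an added example written for this page; it is not code from the article or from any vendor’s product. The feeds, the DNS and firewall log records, the organisation context tags and the scoring weights (10 points per independent source, 15 per tag that matches the organisation’s context, and a threshold of 20 for pushing an indicator to the SIEM) are all constructed assumptions, and a plain Python list stands in for the SIEM’s log store.

```python
"""Toy threat library feeding a SIEM-style log store (added example, constructed data)."""
import ipaddress
import re
from collections import defaultdict
from urllib.parse import urlparse

# Constructed sample feeds (not real threat data). Each entry is the raw
# indicator exactly as that feed publishes it, plus the feed's own tags.
RAW_FEEDS = {
    "feed_a": [("EVIL.example", {"phishing"}), ("198.51.100.7", {"c2"}),
               ("http://evil.example/login", {"phishing"})],
    "feed_b": [("evil.example.", {"phishing", "finance"}), ("203.0.113.9", {"scanner"})],
    "feed_c": [(" 198.51.100.7 ", {"c2", "finance"})],
}

# Organisation context (assumed): tags relevant to this organisation earn a bonus.
ORG_CONTEXT_TAGS = {"finance"}
MIN_SCORE_FOR_SIEM = 20  # assumed threshold: only high-fidelity indicators reach the SIEM

# Constructed sample SIEM records from a DNS server and a firewall.
# 'observed' is the field an indicator is matched against.
SIEM_LOGS = [
    {"ts": "2024-03-01T09:12:00Z", "source": "dns", "host": "ws-17", "observed": "evil.example."},
    {"ts": "2024-03-01T09:12:03Z", "source": "fw", "host": "ws-17", "observed": "198.51.100.7"},
    {"ts": "2024-03-01T09:20:00Z", "source": "fw", "host": "ws-17", "observed": "192.0.2.44"},
    {"ts": "2024-03-02T11:00:00Z", "source": "dns", "host": "ws-42", "observed": "update.example"},
    {"ts": "2024-03-02T11:05:00Z", "source": "fw", "host": "ws-42", "observed": "203.0.113.9"},
]


def normalise(raw):
    """Return (type, value) for one raw indicator, or None if it is unusable.
    Case, surrounding whitespace, URL paths and trailing DNS dots are all
    stripped so that the same indicator from different feeds collapses to one key."""
    value = raw.strip().lower()
    if "://" in value:                      # URL: keep only the host, which is what logs show
        value = urlparse(value).hostname or ""
    value = value.rstrip(".")               # trailing dot from DNS-style feeds and logs
    if not value:
        return None
    try:
        ipaddress.ip_address(value)
        return ("ip", value)
    except ValueError:
        pass
    if re.fullmatch(r"[a-z0-9.-]+\.[a-z]{2,}", value):
        return ("domain", value)
    return None


def build_library(raw_feeds, context_tags):
    """Deduplicate and normalise feed entries, then score each indicator."""
    library = {}
    for feed, entries in raw_feeds.items():
        for raw, tags in entries:
            key = normalise(raw)
            if key is None:
                continue
            entry = library.setdefault(key, {"sources": set(), "tags": set()})
            entry["sources"].add(feed)      # a set, so one feed counts once
            entry["tags"] |= tags
    for entry in library.values():
        # Assumed scoring: corroboration across feeds plus organisational context
        entry["score"] = 10 * len(entry["sources"]) + 15 * len(entry["tags"] & context_tags)
    return library


def high_fidelity(library, threshold=MIN_SCORE_FOR_SIEM):
    """The subset of the library that is worth pushing to the SIEM."""
    return {key: entry for key, entry in library.items() if entry["score"] >= threshold}


def rear_view_search(logs, indicators):
    """Retrospective match of logs already in the SIEM against the current library."""
    hits = []
    for rec in logs:
        key = normalise(rec["observed"])
        if key in indicators:
            hits.append({**rec, "indicator": key[1], "score": indicators[key]["score"]})
    return hits


def pivot(logs, hits):
    """Hunting step: for each host that touched a known indicator, collect the other
    destinations it contacted. These are candidate indicators to feed back into the library."""
    touched = {hit["host"] for hit in hits}
    known = {hit["indicator"] for hit in hits}
    candidates = defaultdict(set)
    for rec in logs:
        if rec["host"] in touched:
            key = normalise(rec["observed"])
            if key and key[1] not in known:
                candidates[rec["host"]].add(key[1])
    return dict(candidates)


if __name__ == "__main__":
    library = build_library(RAW_FEEDS, ORG_CONTEXT_TAGS)
    for key, entry in sorted(library.items(), key=lambda kv: -kv[1]["score"]):
        print(f"{key[1]:<16} score={entry['score']:<3} sources={sorted(entry['sources'])}")
    hits = rear_view_search(SIEM_LOGS, high_fidelity(library))
    for hit in hits:
        print(f"HIT {hit['ts']} {hit['source']} host={hit['host']} -> {hit['indicator']}")
    print("pivot candidates:", pivot(SIEM_LOGS, hits))
```

In this run the single-source scanner address stays below the threshold and never reaches the SIEM, while the two indicators corroborated by a second feed and tagged with the organisation’s context are matched against the stored DNS and firewall records. The pivot step then surfaces the one further destination the matched host contacted, which is exactly the kind of supplemental data point a hunter would score and fold back into the library.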
Bringing together the security tools, technologies and teams you already have in place, a central threat intelligence library can help close the coverage, timing and physical security gaps you face. With the ability to quickly focus on relevant, high-priority events, you can improve detection and prevention and accelerate investigations to mitigate impact and reduce costs when a breach happens.