5 questions the CISO should ask the Threat Analyst

Threat intelligence data is a powerful tool for understanding attackers and their activities. Once organised in a threat intelligence platform, the data often reveals techniques and methodologies used by attackers as evidenced in malware, infected websites, suspicious domain name registrations and mass credential exposures.

The threat intelligence platform plays a vital role in normalising the data across multiple streams of data, providing a secure communication channel for threat information sharing, and providing data integration with your SIEM and security architecture. With the help of a threat intelligence platform, evidence of attacker activities or indicators of compromise (IOC) are commonly used to provide some information about the strategic risks to our business or agency and detect possible data breaches.

The following five questions represent a way for the CISO to start a risk-based dialogue that can be a source of metrics supporting the use of threat intelligence data. The answers to the questions can also be a regular part of board level discussions.

What are the risks to our brand?

Attackers often create domains similar to a company’s existing brand to attract your customers with the purpose of stealing their usernames and passwords, credit card information or other personal information. These activities can cause your customers distress, damage your brand reputation and cost you money. Domain registrations can be an important source of information about attackers that may be wanting to target your brand. Actively monitoring Whois data can help make you aware of this type of fraud before it is perpetrated. This means monitoring a portion of the reconnaissance phase of the attack chain. This can give you time to alert and remind customers to be alert to specific fraudulent domains you may find.

Are our employees’ credentials part of any mass exposure?

No matter how much security training we give our employees there will be those that use their work email and a clear text password for other activities on the internet. Employees need to know that being a part of a mass credential exposure can put the business at risk. It is possible for valid email address/clear text password pairs to be used by an attacker to impersonate a user if they are able to get inside your network. Having access to data from the dark web or other parking lot sites for stolen credentials or those that have been exposed via a database attack allows you to know, over time, if your security education program is working. Monitoring the Dark Web for your employees’ credentials should be supported and automated through a threat intelligence platform.

Are we as aligned as we can be with security operations?

Threat analysis needs to be an extension of your security operations’ team’s function to truly have an intelligence-driven SOC. The challenge as defined by SANS is 'to organically integrate threat hunting into existing workflows so that it complements current security efforts'. Threat analysts and the security operations teams are often viewed as two separate organisations each with its own charter. This method of organising the security team can lead to slower response times and non-aligned priorities.

The intelligence-driven SOC, prioritises security events based on correlation with threat intelligence IOCs first and true-positive correlations between different types of security relevant log data second. When security operations personnel that see a security event in log data, they should also know in real-time if there is any threat intelligence data that might link the event to a previously seen attack. This provides added context in the form of the attacker’s methods or techniques.

How do we know we are hunting the right threats?

Threat hunting without context is an inefficient chase-anything-that-moves strategy. Using an ad-hoc or first-in first-out strategy to look at threat intelligence data or perform incident response is very inefficient.

According to SANS, 'Hunters need to consider “crown jewels” analysis: They identify the assets and information that are most vital to the organisation’s mission so that they can prioritise their efforts.' In the context of known key assets, their value to the organisation, their individual owners, and real-time correlations between potential IOCs in log data to IOCs in threat intelligence data creates threat hunting that is focused and meaningful. With these three data sets, threat hunting is a proactive pursuit that is scalable, repeatable, and teachable. Knowing you are hunting threats that are current, relevant to your business, and low on false positives facilitates an active defence.

What can we share with and learn from other companies in our industry vertical?

Attackers learn from each other, they cooperate, and they can act as a syndicate. They know the power of sharing information. Yet, many organisations do not share threat data IOCs with one another. The reasons for not joining and participating in a vetted trusted circle are many, but most have to do with fear. Not wanting to let others know that you may have experienced a breach and the liability around sharing are the two we hear the most often. Not sharing information doesn’t lead anyone to think you’ve never had an incident or been breached.

A good threat intelligence platform provides a trusted link to a wealth of knowledge from other companies in your industry vertical or across a supply chain. Sharing what you see in your environment sometimes means you’ll see a potential threat days before threat intelligence services. Sharing should be encouraged and if your organisation is not sharing, find out why and make sure there’s a good reason.

Summary

Making threat intelligence data useful requires a robust threat intelligence platform that can off-load correlation IOCs with log data from the SIEM. This is a necessary step for making tens of millions of active IOCs useful for threat hunting. This approach is efficient and aligned across threat analysts, SOC personnel and incident responders. A proactive approach to cyber security means finding threats before they become a problem. Make everyone a threat hunter by unleashing your entire security team’s creativity but keep it efficient through active prioritisation and inside the bounds of what matters to the organisation.

Mark Seward, Vice President of Security Solutions at Anomali