Don't Search for a Needle in a Haystack: Use Cases for Threat Intelligence

Threat Intelligence Can be Used to Support Effective and Automated Incident Response

Threat intelligence is an increasingly prominent element of security operations. In fact, back in 2017 Gartner predicted a 15x increase in the number of large enterprises using commercial threat intelligence by 2020. Threat intelligence comes in many forms, from a variety of vendors, and serves several distinct use cases. In this article, we will explore some of the use cases for threat intelligence that are especially relevant to the aspects of security operations with which I work most closely: security orchestration, automation, and response, otherwise known as SOAR.

Automation tools have changed the way that security teams turn information into action, with the ability to automatically search and collect threat intelligence from a variety of third-party sources. This reduces the burden on analysts who are tasked with sifting through the vast amounts of complex information produced by threat intelligence platforms, allowing threat intelligence to play a more important role in day-to-day incident response.

Automated Alert Enrichment

Incident response and SOAR platforms can interface with threat intelligence platforms to enrich event-alerts from a variety of tools—including SIEM—with contextual data that helps eliminate false positives, and identify and convict real incidents. In automated platforms, potential threat indicators from a SIEM alert are automatically looked up in integrated threat intelligence platforms, giving analysts a full picture of the threat by the time they open the incident report.

Threat intelligence lookups can also be done as a proactive step during an investigation. Analysts can manually conduct queries about entities while evaluating an incident. For example, an IP address from a historical incident could be checked against a threat intelligence database and blacklisted if it is known to be malicious.

Phishing Response

Not all incidents start as SIEM alerts. Phishing attempts, for example, often come to the attention of the security team via a report by someone else in the organization. Threat intelligence can be valuable in this instance as well. If an employee receives a suspicious email and reports it as an incident, the security team can assess the email by querying threat intelligence sources to check the domain reputation, identify the domain owner, find connections to internet service providers that are known to host malicious content, and more. 

Proactive Investigation

Beyond helping to manage the immediate risks of incoming security incidents, threat intelligence can be used to investigate all kinds of unwelcome activity in the online world. Examples might include unauthorized parties posing as your brand online, posting malicious links on your social media, or violating your copyrights. When an organization comes across this type of unwanted activity, the security team will want to find out who is behind it, how dangerous they are, and in which legal jurisdiction they are located. Querying threat intelligence sources can provide this valuable context, by identifying known malicious actors and domains that are involved, as well as geolocating the source of the activity. This information can tell you whether you’re dealing with a teenage prankster or a sophisticated scammer, allowing you to employ the most appropriate risk mitigation strategy moving forward. 

Intelligence Sharing

Sharing threat intelligence is an important way for organizations to stay one step ahead of (or at least not too far behind) attackers. There are many different networks that bring new threats to light by facilitating the sharing of information. Some of the most useful include Spamhaus, SANS’ Internet Storm Center, and the Financial Services Information Sharing and Analysis Center (FS-ISAC). In addition to industry-specific sharing networks, some threat intelligence providers actively promote the bidirectional flow of data so that users can contribute information to their database of threat indicators.

Conclusion

Given that most SOC analysts are already too busy chasing after security alerts to take a proper lunch break, no one has the time to stay perfectly up-to-speed on the latest threats and attackers. There is simply too much relevant information for one person to make sense of on their own. That’s one of the reasons why threat intelligence adoption is expected to grow so rapidly in enterprises. 

I’ve just covered a small range of the ways threat intelligence can be used to support effective and automated incident response, but there are many other use cases across security operations. If you aren’t leveraging threat intelligence in your security operations, you’re depriving yourself of a valuable tool. To explore the usefulness of threat intelligence without having to take a hit to your budget, start by experimenting with one of the many free sources provided by trusted organizations and government entities.

Original author: Stan Engelbrecht