WHITE PAPER. The Need to Know

Transcription

1 WHITE PAPER MATURING A THREAT INTELLIGENCE PROGRAM Discover the state of your threat intelligence capabilities and uncover a roadmap to getting ahead of today s threats. The threat intelligence landscape is an emerging one. Even in the most sophisticated IT organizations, resource constraints often dictate that threat intelligence (TI) is the responsibility of a sole analyst sifting through incident alerts looking for patterns and trends which may indicate that a threat exists. Threat intelligence is more than that. Yet, with very few industry standards around what TI is and what it isn t, we feel Gartner s definition[1] comes the closest: Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject s response to that menace or hazard. The Need to Know Clearly, going beyond simple event-based data analysis is a prerequisite for any useful threat intelligence program. The problem is that many organizations don t know enough about the threats they face or their own security posture to defend themselves adequately. Instead they re stuck in a reactive stop the bleeding or compliance-driven approach to cyber security with no clear vision or blueprint for reaching any other state. So it goes that in the rush to keep up with the TI trend, organizations are purchasing standalone solutions that have little value in helping them achieve a true proactive posture and efficiently orchestrate security solutions and processes throughout the organization to achieve maximum value. Yet, it s not enough to implement new controls and technologies around systems. In order to fully harness the power of TI, 3865 WILSON BLVD. SUITE 550 ARLINGTON, VA p f

2 organizations must make the case for an intelligence-driven security approach and identify the right people to staff the program. In order to evolve their defensive posture, they must source the right threat data, sift through the noise, discover and implement the right process and methodologies, implement automation, and improve information sharing both internally between teams and externally with their supply chain partners, peers across the industry, and public organizations. Of course, not all organizations have the resources and organizational structures needed to implement a comprehensive threat intelligence program. And that s fine. Threat intelligence is an iterative process with defined maturity levels and milestones. With the challenges and opportunities of TI in mind, ThreatConnect has developed the Threat Intelligence Maturity Model (TIMM). Whether you are getting started with TI or seeking to expand an existing program, it provides a systematic guide to help you understand where your organization resides on the path to a mature threat intelligence program and how it can better apply threat intelligence to drive smarter security processes, unite all resources behind a common defense, and take decisive action to keep your business on course. THE THREAT INTELLIGENCE MATURITY MODEL Find out where your organization sits on the Threat Intelligence Maturity Model. Review each stage and learn about the resources, organizational structures, and technologies needed to achieve strategic processes and operationalize your threat intelligence. The model offers some general direction on the capabilities, risks, and exposures at each stage as well as things to consider as you anticipate moving to the next milestone. Maturity Level 0: Unclear Where to Start Threat intelligence programs begin life as threat data collection programs. Many organizations make the mistake of starting out aggregating external feeds and looking at the problem from the outside in. This just creates a new data problem. Typically data is fed into Security Information and Event Management (SIEM) technology whose operators quickly become overwhelmed or spammed by false positives and unvalidated data. The data at this stage is one size fits all, meaning that it is raw and unformatted, has no context around it, and is virtually unusable to thwart cyber threats. Because it forces process, a better place to start involves aggregating internal data from multiple sources and using this raw data to begin protecting your network on an automated basis. Threat data, also known as indicators of compromise (IOC), is then sent to your endpoint protection devices. This automation of incident identification is the foundation of any threat data strategy. TYPICAL TEAM: Not really a team at this stage. The staffing resources needed to support this basic-level threat intelligence program is limited to a security director or network admin. RISKS AND EXPOSURES: Not surprisingly, this stage on the maturity model has many, almost uncountable deficiencies. The defensive posture between the information gathered and alerting is a labor-intensive and manual process. With added time pressures and many events per day, analyst time spent on each individual event is extremely limited, and decisions must be made quickly, often with little to no information beyond what is contained in the alert. Time also adds another element of risk. Due to the manual nature of the work, alerts often point to historical threats and don t account for the fact that adversaries have had time to adapt.

3 Maturity Level 1: Warming Up to Threat Intelligence Organizations at this maturity level have integrated some level of automation into their defensive controls to prevent future attacks. They are correlating internal data with ingested threat data feeds within their SIEM to begin the process of automated alerts and blocking at the endpoint. Analysts likely will be overwhelmed and will experience sensor fatigue. Together, Level 0 (automating incident notifications) and Level 1 (automating defensive controls) are the prerequisite for a mature threat intelligence program. TYPICAL TEAM: Network admin or solo analyst. RISKS AND EXPOSURES: Although a step forward towards a useful TI program, Level 1 is still a reactive stop the bleeding approach with several deficiencies. Triage is hard enough with time and resource constraints, but it s merely a bandage if you don t really know who is targeting your organization and why. While the aggregated threat data gained in Level 1 is useful, it won t actually tell you much about the context of the threat your organization may be facing. For example, is the activity a one-off or is it part of a larger, coordinated series of attacks? What information can you glean about who the threat actors are, where they re located, and what behavior patterns they exhibit? As organizations think about moving up the maturity model, their posture shifts from Am I bleeding and where? to Why do I keep bleeding and how do I fortify my security infrastructure/posture to prevent it? Using the data gathered in Level 1, organizations can begin to automatically analyze, correlate, pivot, and enrich that data so that actionable intelligence can be gained and blocking measures introduced. Another limitation of Maturity Level 1 is the SIEM approach. Unlike threat intelligence programs, SIEM platforms aren t designed to handle the multiple unstructured formats of threat intelligence from numerous sources that are required for analysis. SIEMs tend to quickly become malnourished, meaning that they get overfed with unvalidated and uncorroborated data, which essentially clogs organizations security arteries with garbage information. When bad data overwhelms your security posture, you end up losing sight of the real threats to your organization. Furthermore, in both Levels 0 and 1, the focus is often exclusively on internal data (although it shouldn t be, as we mentioned above) with no ability to interact or benefit from threat data produced by external sources such as communities in similar industries, geographies, etc. Maturity Level 2: Expanding Threat Intelligence Capabilities At Level 2 organizations start to proactively produce truly actionable threat intelligence that addresses the who, why, and how of any given attack to draw context and connections and further refine threat knowledge. Such organizations are also seeking out communities, asking questions and drawing on additional IOCs to expand their threat knowledge. Instead of merely consuming indicators and reacting accordingly, threat intelligence teams have transcended to a place where data is turned into knowledge. They are collaborating to build and define processes that can find the smallest atomic indicator s role in the vast tapestry of an attack landscape.

4 At this maturity level, organizations begin building out a true threat intelligence process. Taking external and internal data inputs to decipher what s helpful, what s relevant, and what s merely noise, and iterating accordingly. This enables a shift from a reactive to a more proactive posture. TYPICAL TEAM: To be prepared to handle this level of a TI program, the organization must have both a team-based approach and a security operations center (SOC). A SOC is comprised of defined roles and workflows for network monitoring and incident response. RISKS AND EXPOSURES: Threat analysis is often labor-intensive (think sharing incident and threat data by spreadsheets and s) and TI requirements typically exceed capacity. With attack sources changing by the minute, hour, and day, scalability and efficiency is impossible. Large SOCs, for example, produce hundreds of millions of events per day. This is extremely difficult to filter down to a manageable number of suspicious events for triage. Even a couple of un-vetted threat feeds going into a SIEM can cause the SOC to become quickly inundated. It s at this point that organizations must deploy analytical TI program resources to produce usable, relevant, and timely threat intelligence from the threat data they consume. Organizations need a threat intelligence platform (TIP) that can automatically analyze the content of threat indicators and the relationships between them. For example, an analyst could perform relationship modeling on a phishing to determine who sent it, who received the (s), which domains it is registered to, IP addresses that resolve to that domain, and so on. From here, the analyst can pivot further to reveal other domains that use the same DNS resolver, the internal hosts that try to connect to it, and what other host/domain name requests have been attempted. ADVERSARY Clearly, a TIP is a force multiplier that can significantly increase the capacity of security teams. In addition, with a move towards the introduction of external threat data from communities, a TIP can act on this form of information sharing at speeds previously unimagined. With a TIP, organizations can function as a pack against threats, rather than potentially blinkered lone wolves. CAPABILITIES VICTIM INFRASTRUCTURE Maturity Level 3: Threat Intelligence Program in Place It s here at Level 3 that organizations are starting to build on the operational capabilities achieved so far and establish a structured team approach to strategic analysis. Organizations at this maturity level have some established TI processes and workflows in place and are beginning to collaborate with partners, vendors, and their supply chain to protect network-adjacent organizations. They are also producing in-house correlated and analyzed TI from data feeds and internal data. Finally, they are beginning to measure the efficacy of their processes and report progress and security infrastructure health to leadership.

5 Having identified persistent threat actors, they are now tracking them and beginning to act on threats more strategically. They have also integrated more tightly with the wolf pack, and are joining organizations like Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs). They are also using TI to drive tactical business decisions. From a staffing and resource perspective at this stage, this organization is also realizing greater efficiencies and increased capacity of existing intelligence teams. This ultimately lowers the threshold needed to establish and reap the rewards of this functionality in existing environments. A threat intelligence platform (TIP) is a key requisite for this level of maturity. A TIP is a force multiplier that can help organizations overcome the labor-intensive process of threat analysis that often exceeds the capacity of enterprise organizations. A TIP can handle many of the tasks described above automatically and allow a security analyst to perform many of the sophisticated duties normally reserved for specialist threat analysts. With a TIP, workflows are automated and multiple kinds of TI from a multitude of sources can be processed automatically. TI can be quickly visualized (both by security teams, the organization as a whole, and wider communities) and pivoted to provide a richer picture of threat actors so that action can be taken. A TIP also drives smarter practices back into your SIEM, intrusion detection, and other security tools thanks to the finely curated, relevant and widely-sourced TI that the TIP produces. TYPICAL TEAM: Typical teams include the SOC and incident response teams with a security director at the helm; sometimes a dedicated threat intelligence analyst may be involved. Network operations and IT staff are also involved. Hybrid options also exist in which internal teams handle Level 0 and 1 threat intelligence, while more sophisticated requirements are outsourced. RISKS AND EXPOSURES: While some workflows are in place at this stage, there s room for improvement. A fully-featured TIP works best when it integrates information from multiple upstream resources and transforms it for use by downstream tools (forensics tools, IDS, reputation feeds, SIEM watch lists, etc.). This can all be achieved automatically without user involvement and makes it easier to generate reports or data feeds to enhance workflow. Further collaboration with communities is also needed to share intelligence and integrate and ingest TI data in machine-readable formats. Finally, there is an opportunity to move beyond just the tactical use of threat intelligence and utilize it strategically to inform high-level business considerations such as the financial costs of mitigating attacks and brand management. Maturity Level 4: Well-Defined Threat Intelligence Program At the top of the threat intelligence maturity model, these organizations have implemented a stable TI program with defined, formalized processes and workflows that produce actionable intelligence and ensure an appropriate response. They are also collaborating effectively and even leading a threat intelligence community an enhanced ability that is a key feature of a mature TI program. This level of community participation can t be achieved without a sophisticated threat intelligence platform. Powerful TIPs enable these communities to create tools and applications that can be

6 used to continue to change the game for security professionals. In this model, analysts and developers freely share applications with one another, choose and modify applications, and accelerate solution development through plug-and-play activities. Furthermore, the organization at this level is both operationally and strategically aligned and uses TI to make C-level business decisions. At this stage, the CISO/security director is using TI to make network and security architecture changes and optimizing security teams that will limit the ability of adversaries to successfully leverage intrusion tactics, techniques, and procedures. BENEFITS OF A MATURE THREAT INTELLIGENCE PRACTICE Perceptions documented in a recent study of 692 IT and IT security practitioners. [2] 48% 75% 60% 22% 21% Fosters collaboration among peers and industry groups. Improves the security posture of an organization. Improves situational awareness. Reduces the cost of detecting and preventing attacks. Makes threat data more actionable. The CISO is also reporting on return on investment to prove the effectiveness of the TI program and inform board-level strategic decision making. Finally, operations playbooks are being built based on TI to ensure a systematic approach for achieving and maintaining a world-class threat intelligence program. HITTING THREAT INTELLIGENCE MILESTONES As the TIMM shows, achieving an intelligence-driven approach requires people, process, and technology. The human aspect of threat intelligence programs is the most important factor. The investment doesn t have to be huge, and it s important to realize that the most useful sources of threat intelligence are not necessarily the most expensive. Many organizations can start today using existing personnel to improve data gathering and collation. Over time a case can be made to business stakeholders to add an element of automation that would reduce manual processes. Finally, a truly team-driven approach that aligns security strategy with business strategy and the sharing of attack indicators with wider communities becomes possible. The problem is getting there. That is where ThreatConnect, the most widely adopted and comprehensive threat intelligence platform available, can help. ThreatConnect brings together trusted communities, process excellence, and the Diamond Model for Intrusion Analysis to provide complete threat intelligence. Unlike piecemeal solutions that often only support Level 0 and 1 of the TIMM, ThreatConnect helps grow your program across the lifecycle of the maturity model, at your own pace. With ThreatConnect, security analysts can simultaneously coordinate with incident response, security operations, and risk management teams while aggregating data from trusted communities - whether they be private communities comprised of supply chain partners or any number of ISACs and ISAOs. With ThreatConnect, your team will be better equipped to protect the organization from modern cyber threats, mitigate risk, and address strategic business needs all through a single, robust platform. Mature users can also start building apps, and if approved, share them with the ThreatConnect Exchange, thus bringing collaboration to a new level. TC Exchange allows users to join or create their own communities. Users can also access open source and premium feeds to enhance intelligence gathering. Within TC Exchange, users can build, host, and share secure, customized applications that enable better intelligence gathering, analysis, and sharing.

7 Maturity Level 4: Well Defined Threat Intelligence Program Mature TI Team & Processes Actively Participates in Communities and May Lead a Community Produce and Utilize Tactical and Strategic Threat Intelligence Maturity Level 3: Threat Intelligence Program in Place Some TI Processes & Workflows Produce Tactical and Strategic TI Share TI with Partners, Vendors, Customers and Communities Maturity Level 2: Expanding Threat Intelligence Capabilities Produce Some Operational TI Consume Threat Data and TI Want to Participate in communities Maturity Level 1: Warming up to Threat Intelligence Aggregate Threat Data for Alerting and Blocking Maturity Level 0: Unclear Where to Start But don t just take our prosaic word for it. The figure above brings it all together. We ve defined the key maturity milestones of a threat intelligence program, how and when your organization can achieve them, and how ThreatConnect can help. Whether you are getting started or are a mature enterprise organization in need of a cloud-based or on-premises TIP, ThreatConnect is available in a variety of deployment editions to suit your requirements, local data security regulations, and your team s preferred operational methodology. CONNECT WITH US Interested in learning more about how ThreatConnect can help unite your security team and protect your enterprise? Further Reading \\ Technology Overview for Threat Intelligence Platforms (Gartner) \\ The Five Characteristics of an Intelligence-Driven Security Operations Center (Gartner) \\ What s in a Platform? This blog examines how a true threat intelligence platform lets analysts innovate while spending more time on analysis, helps raise the water of threat intelligence for partners, and better serves the needs of directors and the c-suite. TOLL FREE: LOCAL: FAX: ThreatConnect, Inc Wilson Blvd., Suite 550 Arlington, VA Footnotes: [1] Definition: Threat Intelligence. Rob McMillan, Gartner, May definition-threat-intelligence