9 minute read
MAKING SENSE OF THREAT REPORTS
FIVE TIPS FROM SECURITY PROS TO IMPROVE THREAT REPORT ANALYSIS AND ACTION
Most organisations have more threat intelligence than they know what to do with, from a variety of sources – commercial, open source, government, industry sharing groups and security vendors. Bombarded by millions of threat datapoints every day, it can seem impossible to appreciate or realise the full value of third-party data. In a recent
Advertisement
CyberSocial webcast, industry experts
David Grout, CTO EMEA for FireEye and
Yann Le Borgne, Technical Director for
ThreatQuotient, helped listeners tackle this challenge. Using threat reports as an example of one type of published threat information, they responded to real-time polling results as they provided advice on how to analyse a threat report and make it actionable.
Here are five tips they shared.
1Select the right sources of threat data for your organisation.
When polled, the audience reported using a well-balanced combination of sources of threat intelligence. They are on the right track, but David explains that it is also important to identify the right sources for your organisation and collect threat reports from several different sources as they provide different levels of content – strategic, operational and tactical. Figure out the who, what and when for consumption and use that for your metric for success when looking at acquisition.
Yann adds that as open-source intelligence (OSINT) is free and easy to access, most organisations use it extensively. But organisations must also consider the trust and reliability of sources. Yann explains that in a classical hierarchy, the highest level of trust comes from the intelligence you generate and receive from your close network and peers, and OSINT information is placed at the lowest level. David recommends using trust models such as the Admiralty System or NATO System which classifies information from A to F for reliability and from 1 to 6 for credibility, particularly for new
sources that surface during times of crises or outbreaks. Applying this scale to threat intel helps to determine what to do with the data and reduces false positives and noise generated from nonvalidated and unconfirmed data.
2Determine who will acquire the data.
In response to the next poll question, 25% of respondents said all groups have access to all threat intelligence sources. David explained that while it may be good to provide access to a broad audience, it is probably even better to have one team responsible for acquiring and analyzing threat reports and only delivering information that is actionable. Not every stakeholder needs every level of intelligence.
Using the report on the Ryuk ransomware from the French National Agency for the Security of Information Systems (ANSSI) as an example, Yann explained that to do this you need to determine how the same report will impact and be used by various teams across the organisation. Different teams may use different aspects of the same report in different ways to achieve their desired outcomes, for example modifying policy (strategic), launching hunting campaigns (operational) or disseminating technical indicators (tactical). A threat report that is in PDF format requires a lot of work to translate the information it contains into actionable data for different sets of users, which is why it is important to have a dedicated team acquire the data.
3Structure the data for analysis.
Yann explained that the three steps for analysis include: understanding the context of report, the relevance of the report, and relating the report to any prior reports, intelligence and incidents. This process allows you to contextualise and prioritise intelligence but requires that the data be structured uniformly. Threat data comes in various formats (e.g., STIX, MITRE ATT&CK techniques, news articles, blogs, tweets, security industry reports, indicators of compromise (IoCs) from threat feeds, GitHub repositories, Yara rules and Snort signatures.) and needs to be normalised. The information you gather, in the Ryuk report for example, is expressed with their own vocabulary and translating it into a machine-readable format is necessary to link it to other related reports and sources of information.
David adds that it isn’t just about format. The volume of information across the threat intel landscape is high and different groups use different names to refer to the same thing. Normalisation compensates for this and enables you to aggregate and organise information quickly. Structuring data so that you can prioritise is critical for triage and ensures you are focusing on the threats that matter most.
4Use tools to help with analysis.
Yann explains that the tools you use need to support your desired outcome. According to the poll, 67% of attendees using technical ingestion (SIEM) which indicates that desired outcomes are more technical. And 15% are still handling the acquisition and analysis process manually. This is quite a challenge, particularly during a big event. A threat intelligence platform (TIP) does a good job of extracting context and can help you use the information in various ways for different use cases (e.g., alert triage, threat hunting, spear phishing, incident response) and to support different outcomes.
It is also important that the tool you select works well with frameworks like MITRE ATT&CK. David shared that MITRE is the most used framework to organise the analysis process. Customers are identifying their crown jewels and mapping to MITRE to understand which adversaries might target them, the tactics, techniques and procedures (TTPs) to concentrate on, and what actions to take.
5Select the right tools to help make data actionable.
Analysis enables prioritisation so you can determine the appropriate actions to take. There are a variety of tools to help make threat reports and other elements of your threat intelligence program actionable and achieve desired outcomes at the strategic level (executive reporting), operational level (changes in security posture) and tactical level (updating rules and signatures).
In the final polling question, 45% of respondents said they are using a TIP to make the data actionable for detection and protection, but few are using a TIP for forensics. Yann and David agree this is a missed opportunity and a capability teams should explore as their capabilities continue to mature. From a forensics standpoint, MITRE is an important tool to enable analysis of past incidents so organisations can learn and improve.
In closing, these two security experts recommend that before you start thinking about threat intelligence sources, analysis and actions, you need to understand the desired outcomes and deliverables for each of your constituents. It’s a journey that typically starts at the tactical level and, with maturity, evolves to include operational and strategic intelligence to deliver additional value. When shared the right way with each part of the organisation, key stakeholders will see threat intelligence for the business enabler that it is, and the threat intelligence program will gain support and the budget to grow.
THE POWER OF ONE
IFS HAS RECENTLY LAUNCHED IFS CLOUD, A SINGLE TECHNOLOGY PLATFORM THAT CONNECTS ALL ITS PRODUCTS. DARREN ROOS, CEO OF IFS, EXPLAINS HOW THIS NEW PLATFORM BRINGS CHOICE, SIMPLICITY, AND INNOVATION TO ENTERPRISES.
How are you helping your customers accelerate their digital transformation initiatives?
The path to digital transformation is not a simple one. Most businesses are complex and have intricate value chains, so few organisations succeed, and even fewer vendors provide the tools to enable it truly. At IFS, our single most important goal is to deliver value to our customers, and we want to provide a clear path for them to evolve to new business models, compete and win. Customers have told me that their main goals are to drive efficiency, control costs, and develop better products and services.
We know that to achieve this, the cloud is a prerequisite. Digital innovations need to be easily consumable and embedded into daily business operations, which is why I am confident that IFS will succeed where others have not.
Globally, while a lot of companies have been prioritising digital transformation, many of them however haven’t actually done it the right way. Companies are prioritising and increasing capital allocation towards digital transformation.
But most businesses are complex and intricate value chains, which means you can’t simply flick a switch.
Every single customer I talked to is thinking about how they rationalise their estate.
But doing so right is fundamental to avoiding the mistakes too many companies have endured, such as multiple upgrades, complex integrations between your systems, and an inability to leverage innovation throughout your business.
IFS is committed to challenging that, challenging that reality, and doing better.
What makes IFS Cloud unique?
The launch of IFS Cloud is the result of us doubling our R&D investments over the last two years’ and termed 2021 as a ‘turning point’ for IFS.
We set about leveraging the assets we had, made some acquisitions, and did a truckload of engineering. And today, we have a single solution. We have taken away all the complexity, that very fragmented landscape.
At IFS, our single most important goal is to deliver value to our customers, and we want to provide a clear path for them to evolve to new business models, compete and win. IFS Cloud is unique and delivers on customer-centricity and experience as well as capabilities.
Instead of applications becoming more harmonised and easier to deploy, they’ve become more fragmented and more complex to deploy. And all that complexity sits with the customer. IFS Cloud delivers the full breadth of capability across all our solutions as a single harmonised application. I use the word harmonised, not integrated, because it’s not integrated. It is one application. It is one solution set. Our competitors who have made acquisitions claim to be integrated, but when you look, there are multiple databases, multiple data models, and they are tying them together in the background to make them work. That is not the case with IFS.
We listened to our customers, and they told us they don’t want to be prescribed whether they should deploy on-premise or in the cloud. Now, let’s not be confused – we are very clear in our messaging that customers should deploy in the cloud whenever possible. That is where they will get the most value in the shortest amount of time at the lowest total cost of ownership. However, because of the sophistication and complexity of the customers we deal with, some want the flexibility to be able to deploy on-premise or deploy in a private cloud.
Unlike many of our competitors, where if you deploy on-premise, that’s it, you’re on-prem, and you can’t necessarily move because there isn’t functional parity. That is completely different with IFS. For us, it is the same application that we have tooled to provide complete flexibility.
You said IFS Cloud would enable your customers to deliver on their moments of service. Can you please explain what the moment of service is? Every technology company thinks their technology is the center of the universe. And that is fundamentally flawed. Technology is never the center of the universe for the end-user. The customer experience and the moments of service for the end user’s customer is the center of the universe for the end-user. We are explicitly trying to come at this from a nontechnology perspective. With the moment of service, what we are helping them to do is to frame that problem in the perspective of their customer. So, what is the moment of service that you are trying to create for your customer? If the company can understand what the moment of service is and then orchestrate assets, customers, and people to deliver an outstanding moment of service, that is when the magic happens. There is no question that companies that can do that will win more often, get more repeat business, and be more profitable. What does matter is where you focus, and the focus has got to be the moments of service.
