SpiderLabs Blog

The Underdog of Cybersecurity: Uncovering Hidden Value in Threat Intelligence

Threat Intelligence, or just TI, is sometimes criticized for being inaccurate or outdated. There are nonetheless compelling reasons to incorporate it into your cybersecurity defense strategy. Let's look at some ways to use TI effectively as part of your security operations lifecycle.

 

What is TI?

Within the scope of this discussion, Threat Intelligence is a knowledge base of tactical information about threat actors. That information may include IP addresses, domain names, URLs, file hashes, and filenames, just to name a few. Some TI information is time-sensitive, such as the most recent time a known threat group used a specific IP address or file in an attack; the older that "last seen" time, the weaker the signal a match provides.

Image 1: Microsoft Sentinel Threat Intelligence Dashboard. Courtesy Microsoft

 

What are TTPs, IOCs and APTs?

When discussing Threat Intelligence, it helps to know a few acronyms commonly used, such as TTPs, IOCs and APTs:

  • TTPs: Tactics, Techniques, and Procedures describe how a threat actor operates: the tactic is the adversary's goal (for example, initial access), the technique is how that goal is reached (phishing), and the procedure is the specific way a given group carries it out. If a state-sponsored group is known to gain access by phishing, follow up with ransomware, and target only government institutions, that pattern of behavior is the group's TTPs, and it is what tactical threat intelligence describes.

  • IOCs: Indicators of Compromise are the concrete, observable values that TI attaches to a threat, such as IP addresses, web domains, URLs, and file hashes. They are the easiest part of TI to match against logs, and also the easiest for an attacker to change.

  • APTs: Advanced Persistent Threats are well-resourced groups that persistently attack one or more industry and/or government sectors; the names and numbers attached to them are tracking labels assigned by the security community. A quick note: those labels differ from vendor to vendor. For example, CrowdStrike uses names like "Cozy Bear," while Mandiant tracks the same group as APT29.

 

How is TI Used?

There are many ways to use TI data within the context of security operations workflows. Some common ways include:

SIEM Correlations
A SIEM (Security Information and Event Management) platform can correlate logged events against lists of values, such as suspicious IP addresses from a TI feed. If an IP address in a log event matches one on the TI list, an alert is generated. This is most commonly done with firewall and EDR logs, but it works with many other log sources.

Threat Hunting
A common threat hunting method is to compare the information in security logs with known bad-actor information provided by TI. This is done in much the same way as the SIEM example above, matching logged values against TI lists, the difference being that the analyst drives the search rather than a standing rule.

Reporting
Running several different reports is a good way to present a variety of perspectives on logged events that match TI information. Reporting can surface suspicious activity that was not caught by a SIEM rule or a threat hunt. An example would be to search all firewall logs from the past week for any matches to IP addresses in a TI list. If a match is found, a threat hunt may be the next step to determine whether additional suspicious behavior occurred around the matching IP.

Situational Awareness Dashboards
When Russia invaded Ukraine, there was increased concern about cyber activity originating from Russian IP addresses. A situational awareness dashboard is one or more reports that represent activity from a known entity, such as a country's IP ranges or other groupings provided by Threat Intelligence lists.

MITRE ATT&CK
MITRE is a US not-for-profit that operates federally funded research centers; its ATT&CK framework is a publicly available knowledge base of adversary tactics and techniques, including profiles of known threat groups, to which other Threat Intelligence providers can map their data. That mapping makes TI richer. For example, if an IP address is known to be associated with the ATT&CK group APT32, that attribution can be carried into the TI results and into any alert raised on a match.
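The matching described under SIEM Correlations, Threat Hunting and Reporting above is the same lookup, run in real time, by an analyst, or over a window, and the ATT&CK attribution just mentioned is simply carried along with the indicator. The script below is an added example, not code from the original post or from any Trustwave product. The TI feed entries and the firewall log lines are constructed for illustration (documentation IP ranges, an illustrative APT32 attribution, a fixed "now"); aging out indicators whose last_seen is older than a threshold is a design choice of this example, prompted by the post's point that time-sensitive indicators go stale.

```python
"""Matching log events against a TI feed: the lookup behind a SIEM
correlation rule, an analyst-driven hunt, and a weekly report.

Added example, not code from the original post. Feed entries and log
lines are constructed; addresses are RFC 5737 documentation ranges and
the APT32 attribution is illustrative only.
"""
from collections import Counter
from datetime import datetime, timedelta, timezone


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-02T10:00:01Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


# Constructed TI feed. "last_seen" is the time-sensitive field the post
# describes; "group" is the ATT&CK group the feed attributed the indicator to.
TI_FEED = [
    {"type": "ipv4", "value": "203.0.113.7", "group": "APT32",
     "last_seen": "2024-05-01T12:00:00Z", "source": "paid"},
    {"type": "ipv4", "value": "198.51.100.9", "group": None,
     "last_seen": "2023-11-15T08:30:00Z", "source": "free"},
    {"type": "domain", "value": "update-check.example", "group": "APT32",
     "last_seen": "2024-04-30T09:00:00Z", "source": "paid"},
]

# Constructed firewall events in a key=value export format.
FIREWALL_LOGS = [
    "2024-05-02T10:00:01Z action=allow dir=outbound src=10.0.0.5 dst=203.0.113.7 dport=443",
    "2024-05-02T10:00:02Z action=allow dir=outbound src=10.0.0.8 dst=93.184.216.34 dport=443",
    "2024-05-02T10:05:00Z action=deny dir=inbound src=198.51.100.9 dst=10.0.0.1 dport=22",
    "2024-05-02T11:00:00Z action=allow dir=outbound src=10.0.0.5 dst=203.0.113.7 dport=8443",
]

# Fixed "now" so the example's results are reproducible.
NOW = datetime(2024, 5, 2, 12, 0, tzinfo=timezone.utc)


def parse_log(line):
    """Turn 'TS key=value key=value ...' into a dict with a datetime 'ts'."""
    ts, _, rest = line.partition(" ")
    fields = dict(pair.split("=", 1) for pair in rest.split())
    fields["ts"] = parse_ts(ts)
    return fields


def build_index(feed, now, max_age_days=90):
    """Index indicators by value, dropping any not seen within max_age_days.

    Aging out stale entries is this example's design choice: an address an
    attacker used once may never be reused, so an old last_seen is weak.
    """
    index = {}
    for ind in feed:
        if now - parse_ts(ind["last_seen"]) > timedelta(days=max_age_days):
            continue
        index[ind["value"]] = ind
    return index


def match_logs(logs, index, since=None):
    """Return one hit per log field whose value appears in the TI index.

    `since` bounds the search window (e.g. 'all firewall logs from the
    past week' for a report); None means every line.
    """
    hits = []
    for line in logs:
        ev = parse_log(line)
        if since is not None and ev["ts"] < since:
            continue
        for field in ("src", "dst"):
            ind = index.get(ev.get(field))
            if ind is None:
                continue
            hits.append({
                "ts": ev["ts"],
                "matched_field": field,
                "indicator": ind["value"],
                "group": ind["group"],  # ATT&CK attribution carried into the hit
                "internal_host": ev["src"] if field == "dst" else ev["dst"],
                "direction": ev["dir"],
            })
    return hits


def summarize(hits):
    """Dashboard-style rollup: number of matches per attributed group."""
    return Counter(h["group"] or "unattributed" for h in hits)


def run_example():
    """Weekly report over the constructed data; returns (index, hits, rollup)."""
    index = build_index(TI_FEED, NOW)
    hits = match_logs(FIREWALL_LOGS, index, since=NOW - timedelta(days=7))
    return index, hits, summarize(hits)


if __name__ == "__main__":
    _, hits, rollup = run_example()
    for h in hits:
        print(f"{h['ts'].isoformat()} {h['internal_host']} -> {h['indicator']} ({h['group']})")
    print(dict(rollup))
```

With the constructed data, the stale free-source address 198.51.100.9 is dropped from the index, so the inbound deny from it produces no hit, while both outbound connections from 10.0.0.5 to 203.0.113.7 match and are reported under APT32. Raising max_age_days to a year brings the stale indicator back and adds a third hit, which is the trade-off between coverage and noise a team has to make when tuning TI feeds.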

Planning
Understanding your attack surface and knowing where attackers are likely to focus their attention are important when planning how to monitor and protect your network.
TI provides research that can help identify the threat groups targeting your organization or industry. With that knowledge you can prepare pre-emptively by simulating the known TTPs of those groups against your own environment to test your defenses.

 

Not Perfect but Useful

Attackers may not use an IP address more than once, in which case the TI entry for that address is useless as soon as it is published. TI data can therefore be very much hit and miss, and a match on an indicator is a lead to investigate rather than a conclusion.

 

Free vs. Paid

If TI data is pulled from a free source, it is less likely to be well maintained than a paid source. Also, some or all of a paid vendor's TI may itself be derived from free sources, so it is up to the user to validate the information TI provides.

 

Trust But Verify

When creating correlations in a SIEM, add conditions that do not depend solely on TI, so that a single stale or false indicator cannot raise an alert on its own. For example: "EDR alert AND TI match on an OUTBOUND connection AND suspicious user activity," all on the same host within a short time window. A TI match that meets none of the other conditions is still worth keeping as a lead for a threat hunt.
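The three-condition rule just described, as an added example that is not part of the original post: events from a firewall, an EDR, and an identity log are bucketed per host, an alert is raised only when an outbound TI match, an EDR alert and a suspicious user event all fall within one window, and hosts with a TI match alone are returned separately as hunt leads. All events, hostnames, the indicator, and the set of identity events treated as "suspicious" are constructed for illustration.

```python
"""Multi-condition SIEM correlation: a TI match alone becomes a hunt lead;
an alert fires only when an EDR alert and suspicious user activity occur on
the same host within a short window of the TI match.

Added example, not code from the original post. Events, hosts, the
indicator, and the suspicious-event list are all constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed indicator list (RFC 5737 documentation address).
TI_IPS = {"203.0.113.7"}

# Constructed: identity events this example treats as "suspicious user activity".
SUSPICIOUS_USER_EVENTS = {"new_local_admin", "logon_outside_hours"}

# Constructed, already-normalised events from three log sources.
EVENTS = [
    # WS-0042: all three conditions inside 30 minutes -> alert
    {"ts": "2024-05-02T10:00:00Z", "source": "firewall", "host": "WS-0042",
     "dir": "outbound", "dst": "203.0.113.7"},
    {"ts": "2024-05-02T10:05:00Z", "source": "edr", "host": "WS-0042",
     "alert": "Encoded PowerShell command"},
    {"ts": "2024-05-02T10:12:00Z", "source": "identity", "host": "WS-0042",
     "user": "jdoe", "event": "new_local_admin"},
    # WS-0017: TI match only -> lead for a hunt, no alert
    {"ts": "2024-05-02T10:20:00Z", "source": "firewall", "host": "WS-0017",
     "dir": "outbound", "dst": "203.0.113.7"},
    # WS-0031: all three conditions, but 2.5 hours apart -> lead only
    {"ts": "2024-05-02T09:00:00Z", "source": "firewall", "host": "WS-0031",
     "dir": "outbound", "dst": "203.0.113.7"},
    {"ts": "2024-05-02T11:30:00Z", "source": "edr", "host": "WS-0031",
     "alert": "Credential dumping attempt"},
    {"ts": "2024-05-02T11:31:00Z", "source": "identity", "host": "WS-0031",
     "user": "svc-backup", "event": "new_local_admin"},
    # WS-0099: inbound hit from the indicator; rule requires outbound -> nothing
    {"ts": "2024-05-02T10:40:00Z", "source": "firewall", "host": "WS-0099",
     "dir": "inbound", "src": "203.0.113.7", "dst": "10.0.0.99"},
]


def parse_ts(value):
    """Parse an ISO-8601 UTC timestamp such as 2024-05-02T10:00:00Z."""
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def _within(t0, times, window):
    """True if any timestamp in `times` lies within `window` of t0."""
    return any(abs(t - t0) <= window for t in times)


def correlate(events, ti_ips, window_minutes=30):
    """Bucket events per host, then require all three conditions near one TI hit.

    Returns {"alerts": [hosts meeting all conditions],
             "leads":  [hosts with an outbound TI match but not the rest]}.
    """
    window = timedelta(minutes=window_minutes)
    buckets = defaultdict(lambda: {"ti": [], "edr": [], "user": []})
    for ev in events:
        ts = parse_ts(ev["ts"])
        bucket = buckets[ev["host"]]
        if (ev["source"] == "firewall" and ev.get("dir") == "outbound"
                and ev.get("dst") in ti_ips):
            bucket["ti"].append(ts)
        elif ev["source"] == "edr":
            bucket["edr"].append(ts)
        elif ev["source"] == "identity" and ev.get("event") in SUSPICIOUS_USER_EVENTS:
            bucket["user"].append(ts)

    alerts, leads = [], []
    for host, b in sorted(buckets.items()):
        if not b["ti"]:
            continue  # the TI condition is the anchor; nothing to correlate
        if any(_within(t, b["edr"], window) and _within(t, b["user"], window)
               for t in b["ti"]):
            alerts.append(host)
        else:
            leads.append(host)
    return {"alerts": alerts, "leads": leads}


if __name__ == "__main__":
    result = correlate(EVENTS, TI_IPS)
    print("ALERT:", result["alerts"])
    print("HUNT :", result["leads"])
```

Only WS-0042 alerts; WS-0017 and WS-0031 come back as leads, the latter because its EDR and identity events are hours away from the TI match. Widening the window to three hours promotes WS-0031 to an alert, so the window is as much a tuning knob as the indicator list itself.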

 

Summary

Although not always the most precise tool for detecting threats, using TI as a part of your security defense strategy can provide useful pre-emptive insights.

About This Blog Series

Follow the full series here: Building Defenses with Modern Security Solutions

This series discusses a list of key cybersecurity defense topics. The full collection of posts and labs can be used as an educational tool for implementing cybersecurity defenses.

Labs

For quick walkthrough labs on the topics in this blog series, check out the story of “ZPM Incorporated” and their steps to implementing all the solutions discussed here.

Compliance

All topics mentioned in this series have been mapped to several compliance controls here.

David Broggy, Trustwave’s Senior Solutions Architect, Implementation Services, was selected last year for Microsoft's Most Valuable Professional (MVP) Award.
