[BreachExchange] ISOC: Operationalizing Threat Intelligence

Audrey McNeil audrey at riskbasedsecurity.com
Tue Mar 6 18:52:53 EST 2018


https://www.scmagazine.com/isoc-operationalizing-threat-intelligence/article/742264/

Traditional Security Operations Centers (SOCs) are reactive, relying
primarily on preventive and signature-based technologies. In recent years
this approach has proven ineffective against both common and advanced
threats that are increasing in sophistication, velocity and volume.
Organizations always seem to be one step behind their adversaries.

Instead, organizations should adopt a detect-and-respond mindset,
acknowledging that they may already have been breached. This requires a
SOC model that can adapt and evolve at the same rapid pace as the threat
environment. A 21st century SOC must also be able to proactively identify
gaps in the organization's security posture, and detect and root out threat
actors that traditional detection technologies may have missed.

Threat intelligence (TI) that provides situational awareness of threat
actors and their tactics, techniques and procedures (TTPs) can make a SOC
more strategically and tactically focused. The challenge is dealing with,
and not being overwhelmed by, the sheer volume of threat intelligence
available, and determining what is relevant to the organization. The
solution is to operationalize TI.

Typically, TI is consumed as a machine-readable list of IP addresses, domain
names and file hashes to be correlated with security telemetry. This
reduces a wealth of situational awareness to a glorified signature: it
matches only the infrastructure and files already seen, and goes stale as
soon as the actor rotates them. In an intelligence-driven SOC, TI is instead
used to continuously determine and adapt strategic orientation and tactical
execution.
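The difference between indicator matching and TTP-driven detection, as an added example that is not part of the original article: the same constructed telemetry is run first against a flat IOC list (the "glorified signature" use of TI) and then against a behavioural rule derived from an assumed actor MO (phishing document spawns an encoded PowerShell, followed by a large outbound transfer from that host). The IOC feed, hostnames, addresses and log events are all made up for illustration.

```python
"""Added example (not from the article): the same constructed telemetry
run through (a) a flat IOC list and (b) a TTP-derived behavioural rule that
still fires when the actor rotates infrastructure.  All indicators,
hostnames and events are constructed for illustration."""

# Constructed IOC feed: the kind of machine-readable list most SOCs ingest.
IOC_FEED = {
    "ip": {"198.51.100.23"},
    "domain": {"update-cdn.example"},
    "sha256": {"3f1a" + "0" * 60},
}

# Constructed telemetry: proxy and process events from three hosts.  ws-02
# talks to a domain the feed has never seen (rotated infrastructure).
EVENTS = [
    {"host": "ws-01", "type": "proxy", "dst_ip": "198.51.100.23",
     "domain": "update-cdn.example", "user": "jdoe", "bytes_out": 120},
    {"host": "ws-02", "type": "process", "parent": "WINWORD.EXE",
     "image": "powershell.exe", "cmdline": "powershell -enc SQBFAFgA..."},
    {"host": "ws-02", "type": "proxy", "dst_ip": "203.0.113.77",
     "domain": "cdn-sync.example", "user": "ceo", "bytes_out": 9_500_000},
    {"host": "ws-03", "type": "process", "parent": "explorer.exe",
     "image": "powershell.exe", "cmdline": "powershell Get-Date"},
]


def ioc_matches(events, feed):
    """Signature-style use of TI: exact match on known indicators only."""
    hits = []
    for e in events:
        if e.get("dst_ip") in feed["ip"] or e.get("domain") in feed["domain"]:
            hits.append(e["host"])
    return hits


def ttp_matches(events):
    """TTP-derived rule for an assumed actor MO: an Office application
    spawns an encoded PowerShell, and the same host then pushes a large
    volume outbound.  It keys on behaviour, so it does not depend on which
    domain or address the actor used on a given day."""
    office = {"WINWORD.EXE", "EXCEL.EXE", "OUTLOOK.EXE"}
    suspicious_hosts = set()
    for e in events:
        if (e["type"] == "process" and e.get("parent") in office
                and e.get("image", "").lower() == "powershell.exe"
                and "-enc" in e.get("cmdline", "")):
            suspicious_hosts.add(e["host"])
    hits = []
    for e in events:
        if (e["type"] == "proxy" and e["host"] in suspicious_hosts
                and e.get("bytes_out", 0) > 1_000_000):
            hits.append(e["host"])
    return hits


if __name__ == "__main__":
    print("IOC hits:", ioc_matches(EVENTS, IOC_FEED))   # only ws-01
    print("TTP hits:", ttp_matches(EVENTS))             # ws-02, missed by the IOC list
```

The IOC rule finds ws-01 and nothing else; the behavioural rule finds ws-02, which used infrastructure absent from the feed, and ignores ws-03, where PowerShell was launched by a user from Explorer without an encoded command. Both rules belong in a SOC, but only the second survives the actor changing a domain.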

Threat actors must have the motive, the means and the opportunity to
successfully target an organization. Threat intelligence can be used
operationally to assess all three.

Evaluating Motive

Threat assessments evaluate potential threats to an organization based on
their motive. Assessing the motive of a threat actor starts from the
business activities and objectives of the organization. Does it hold
critical, valuable or sensitive data that specific threat actors typically
target? Does it fit a threat actor's target profile? A healthcare
organization, for example, holds patient data that is of use to a variety
of malicious actors, from nation states seeking insights into geopolitical
adversaries to cyber criminals extorting ransoms by encrypting the data to
disrupt operations.

Determining Means

Determining the means of a threat actor is also part of the threat
assessment, and is refined during the initial discovery phase of a threat
simulation. It can be deduced by analyzing the actor's TTPs. Does the actor
have access to a sophisticated toolchain to obtain a persistent foothold in
an environment? Do they have a recognizable modus operandi (MO), for example
typically targeting privileged users via spear phishing? The TTPs and MO can
then be compared with existing security measures to identify gaps and to
guide strategic decisions on where to focus budget, resources and
processes.

Assessing Opportunity

Assessing whether a threat actor has the opportunity to successfully target
the organization is done using a combination of threat simulations,
objective-based ethical hacking exercises, and correlation of the
vulnerabilities discovered in the environment with the actor's TTPs.

Vulnerability Remediation Prioritization

Research has consistently shown that the majority of malware, ransomware
and exploit kits target a small subset of older, medium-severity
vulnerabilities. Most organizations nevertheless prioritize remediation
purely on severity, for example a CVSS score above 8. In practice this
means that the majority of security time and resources is spent remediating
vulnerabilities that represent a high risk on paper, but not necessarily in
reality.

An intelligence-driven approach considers which vulnerabilities are
actively being exploited by threat actors in the wild, whom they are
targeting, why and how. The vulnerability is the anchor used to
operationalize TI here, because it lets the organization correlate
vulnerability intelligence with operational intelligence about the actors
exploiting it.
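The two prioritization policies side by side, as an added example (not code from the article or from any vendor): a constructed inventory of four vulnerabilities is ranked once by CVSS alone and once by a score that also weights in-the-wild exploitation, whether the observed campaigns targeted the organization's own sector, and the exposure of the affected asset. The vulnerability identifiers (V1 to V4), scores, sector lists and weights are all assumptions made for illustration; no real CVE is referenced and the weighting formula is not a published one.

```python
"""Added example (not from the article): CVSS-only versus intelligence-
driven remediation ranking over a constructed vulnerability inventory.
Identifiers V1..V4, scores and weights are assumptions for illustration."""

# Constructed organization context from the threat assessment.
ORG_SECTOR = "healthcare"

# Constructed inventory joined with vulnerability intelligence:
#   exploited_itw  : exploitation observed in the wild
#   target_sectors : sectors the observed campaigns went after
#   exposure       : where the affected asset sits
VULNS = [
    {"id": "V1", "cvss": 9.8, "exploited_itw": False,
     "target_sectors": [], "exposure": "internal", "age_days": 30},
    {"id": "V2", "cvss": 6.5, "exploited_itw": True,
     "target_sectors": ["healthcare", "finance"], "exposure": "internet",
     "age_days": 900},
    {"id": "V3", "cvss": 8.1, "exploited_itw": True,
     "target_sectors": ["retail"], "exposure": "internal", "age_days": 400},
    {"id": "V4", "cvss": 5.3, "exploited_itw": False,
     "target_sectors": [], "exposure": "internet", "age_days": 10},
]


def cvss_only(vulns, threshold=8.0):
    """Severity-only policy: fix everything at or above the threshold,
    highest score first.  V2, the old medium that is actually being
    exploited against this sector, never makes the list."""
    ranked = sorted(vulns, key=lambda v: -v["cvss"])
    return [v["id"] for v in ranked if v["cvss"] >= threshold]


def intel_score(v, sector):
    """Intelligence-driven score.  The weights are assumptions chosen so
    that active exploitation dominates raw severity, targeting of our own
    sector and internet exposure each add on top."""
    score = v["cvss"] / 10.0            # base severity, 0..1
    if v["exploited_itw"]:
        score += 1.0                    # exploitation in the wild
        if sector in v["target_sectors"]:
            score += 0.5                # campaigns aimed at organizations like ours
    if v["exposure"] == "internet":
        score += 0.5                    # reachable by the actor without a foothold
    return round(score, 2)


def intel_driven(vulns, sector):
    """Rank by intelligence score, highest first."""
    ranked = sorted(vulns, key=lambda v: -intel_score(v, sector))
    return [(v["id"], intel_score(v, sector)) for v in ranked]


if __name__ == "__main__":
    print("CVSS-only queue:", cvss_only(VULNS))              # ['V1', 'V3']
    print("Intel-driven queue:", intel_driven(VULNS, ORG_SECTOR))
    # V2 (exploited, targets healthcare, internet-facing) moves to the top;
    # V1, the highest CVSS, drops to last because nobody is exploiting it.
```

Under the CVSS-only policy V2 is never queued, even though it is the one vulnerability with observed campaigns against the organization's sector on an internet-facing asset. Under the intelligence-driven policy it goes first and the unexploited 9.8 goes last. In practice the `exploited_itw` and `target_sectors` fields would be populated from a vulnerability intelligence feed rather than typed in by hand.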

Threat Simulation

A threat simulation assesses an organization's existing security measures
to verify that they can defend against a specific threat, and to identify
gaps. If an actor relies on spear phishing, the organization can evaluate
whether its users have been trained to identify phishing attempts. Is there
a prevention stack in place that can block them? If an attempt succeeds,
can the organization detect the intrusion or the subsequent privilege
escalation and lateral movement, and is it able to contain the attack?
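The gap analysis described under "Determining Means" and the simulation described here fit together, and the following added example (not code from the article) shows both steps over one constructed case: an actor's TTP profile is first compared on paper with the controls the organization believes it has, and the outcome of a threat simulation is then overlaid to separate true gaps (no control at all) from controls that exist but did not work when exercised. The actor profile, control inventory and simulation results are constructed; the TTP labels are plain descriptions, not a reference to any specific actor or framework.

```python
"""Added example (not from the article): TTP-versus-control gap analysis on
paper, then reconciled with constructed threat-simulation results.  The
actor profile, control inventory and outcomes are all made up."""

# Constructed actor profile, ordered roughly along the intrusion chain.
ACTOR_TTPS = [
    "spear-phishing attachment",
    "macro executes script interpreter",
    "credential dumping",
    "lateral movement via admin shares",
    "exfiltration over HTTPS",
]

# Constructed control inventory: which TTPs each control claims to prevent
# or detect.  Nothing here claims to cover lateral movement.
CONTROLS = {
    "mail sandbox": {"prevents": {"spear-phishing attachment"}, "detects": set()},
    "user awareness training": {"prevents": set(),
                                "detects": {"spear-phishing attachment"}},
    "EDR": {"prevents": {"credential dumping"},
            "detects": {"macro executes script interpreter", "credential dumping"}},
    "proxy with TLS inspection": {"prevents": set(),
                                  "detects": {"exfiltration over HTTPS"}},
}

# Constructed simulation result: what happened when each TTP was replicated.
SIMULATION = {
    "spear-phishing attachment": "delivered",   # sandbox missed the lure, users clicked
    "macro executes script interpreter": "detected",
    "credential dumping": "prevented",
    "lateral movement via admin shares": "missed",
    "exfiltration over HTTPS": "missed",        # TLS inspection not on that network segment
}


def paper_coverage(ttps, controls):
    """Gap analysis on paper: for each TTP, which controls claim to prevent
    or detect it, and whether nothing claims either."""
    out = {}
    for t in ttps:
        prevented = sorted(c for c, v in controls.items() if t in v["prevents"])
        detected = sorted(c for c, v in controls.items() if t in v["detects"])
        out[t] = {"prevented_by": prevented, "detected_by": detected,
                  "gap": not prevented and not detected}
    return out


def reconcile(ttps, controls, simulation):
    """Overlay simulation outcomes on the paper coverage.  A TTP with no
    control is a true gap that needs budget; a TTP a control claims to cover
    but the simulation marked 'missed' or 'delivered' is a control that
    exists but does not work as assumed; a TTP that was only detected, never
    prevented, is a candidate for a preventive control."""
    cov = paper_coverage(ttps, controls)
    findings = []
    for t in ttps:
        outcome = simulation.get(t, "untested")
        if cov[t]["gap"]:
            findings.append((t, "no control"))
        elif outcome in ("missed", "delivered"):
            findings.append((t, "control ineffective"))
        elif outcome == "detected" and not cov[t]["prevented_by"]:
            findings.append((t, "detect-only, consider prevention"))
        else:
            findings.append((t, "ok"))
    return findings


if __name__ == "__main__":
    for ttp, verdict in reconcile(ACTOR_TTPS, CONTROLS, SIMULATION):
        print(f"{ttp:40s} {verdict}")
```

On paper only lateral movement is uncovered. After the simulation, two further TTPs that looked covered turn out to be ineffective in practice (the sandbox let the lure through, and the proxy was not inspecting the segment used for exfiltration), which is exactly the kind of finding that only exercising the control reveals. Each verdict maps to a different decision: "no control" is a budget question, "control ineffective" is a deployment or tuning question, and "detect-only" is a question of whether detection plus containment is acceptable for that step.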

Objective-based Ethical Hacking

An objective-based ethical hack replicates the TTPs of a specific threat
or threat actor. Rather than a penetration test, where the goal is to
identify as many exploitable vulnerabilities as possible, an objective-based
exercise closely follows the MO of a real-world threat. For example, it
will replicate sending a phishing email to the executive team, with the
objective of elevating privileges and moving laterally within the network
to reach the organization's financial data. This permits a thorough
assessment of people, processes and technologies, so that gaps can be
addressed and mitigating controls identified.

These exercises must be conducted regularly and continuously to align, and
realign, the organization's security operations and strategy with
real-world threats. The result is an intelligence-driven, adaptive and
dynamic SOC.