HOW TO BUILD A SECURITY OPERATIONS CENTER (ON A BUDGET)

Chapter 4: How to Build a SOC: Threat Intelligence

The Recipe for Threat Intelligence = Context + Attribution + Action

Monitoring your environment for nefarious activity assumes that you know what those nefarious folks are doing, what “it” looks like, and how to find this activity across your critical infrastructure in the cloud and on-premises. The “bread crumbs” that these adversaries leave are usually of the same sort: IP addresses, host and domain names, email addresses, filenames, and file hashes.

With this amount of information, you can’t actually get that far. As a SOC analyst conducting an in-depth investigation, you need to be able to attribute these bread crumbs to specific adversaries, understand their methods, know their tools, recognize their infrastructure, and then build countermeasures for preventing attacks from them.

Some may refer to these “bread crumbs” or indicators (IOCs = indicators of compromise) as threat intelligence. This is far from the truth. On their own, without any context, they exist only as artifacts or clues. They can be used to begin an investigation but they rely on context, attribution, and action to become the high-quality threat intelligence that is essential for building a SOC.

Key Takeaways

Understand the differences among tactical, strategic & operational intelligence and the specific ways these are used when building a SOC. Examine the benefits of combining crowd-sourced and proprietary data sources and explore key aspects of AlienVault Open Threat Exchange® (OTX™) and the AlienVault Labs Security Research Team.

“Know thyself. Know thy enemy. A thousand battles. A thousand victories.”
— Sun Tzu, The Art of War

Context

It’s a cliché, but it’s true. Context is king. An indicator without the necessary context doesn’t tell you much, but with it, you’ll have an idea of its urgency, relevance, and relative priority. Once you have an indicator that may signal a potential threat, answering these sorts of questions can get you closer to achieving the necessary context:

  • What role does this indicator (or activity) play in an overall threat?
  • Does its presence signify the beginning of an attack (reconnaissance and probing vs. delivery and attack)? Or a system compromise? Or data leakage?
  • Is this threat actor known for this type of behavior?
  • Is there significance in the asset that’s been targeted?
  • How sophisticated is this particular indicator (e.g. malware sample)?
  • What are the motivations of the threat actor behind this activity?
  • What are the other activities that occurred on the same asset before and after this one?
  • What about my other assets now or in the past?

Attribution

Knowing who is behind an attack is an essential part of knowing how to respond, including understanding the full scope of an attack, as well as the key tactics to take in response. It’s very similar to how the FBI uses profiles to track down suspects. Intent and motivation are the principal factors in analyzing criminal behavior, and the same applies within the cyber security realm. It’s easy to get caught up in the technical aspects of a particular attack, and how an exploit might work. But don’t forget, these tools have a human face behind them, driven by either profit or other ill intent. And knowing these details will give you leverage in terms of uncovering their work as well as how to build better countermeasures.

Action

Knowing something is only valuable if you can do something with what you know. By its very nature, the value of threat intelligence is ephemeral. The details of an attack that you discover today may not retain their value in one week or one month, because the world is constantly changing, and attackers are constantly changing too. They change their methods, their tools, and their infrastructure. That’s why it’s essential to act on what you discover as quickly as possible, while it remains current, true, and reflective of the risks at hand. In fact, if you cannot implement the intelligence that you’re currently collecting in terms of improved monitoring, active defense, and better decision-making, you might as well not have the intelligence at all.

With these three elements in place—context, attribution, and action—threat intelligence can accomplish its essential goals: assist the SOC team with making the right decisions when it comes to preventing an attack as well as decreasing the time it takes to discover one in action. It can also help the SOC team establish the urgency they need to gain executive attention and sponsorship.

3 Types of Threat Intelligence for SOC Teams

The following table outlines how each of the three types of threat intelligence—tactical, strategic, and operational—offer context, attribution, and action and enable a solid foundation for building a SOC.

TACTICAL: Offers clues (without context and attribution)
STRATEGIC: Provides context and attribution to inform action
OPERATIONAL: Applies context and attribution to enable action

Description

TACTICAL

Indicators, artifacts, and other evidence (e.g. IOCs) about an existing or emerging threat to assets.

STRATEGIC

“Big picture” analysis of adversary TTPs (tools, tactics, and procedures) conducted by security experts to arm and inform SOC teams in building an effective cybersecurity strategy.

OPERATIONAL

Updated signatures, rules, and other defensive countermeasures that “arm and inform” your monitoring infrastructure based on collecting and analyzing the latest raw indicators and other artifacts.

Use Case

TACTICAL

SOC analysts use these artifacts to detect emerging risks and share information about them with others to improve security for all.

STRATEGIC

SOC analysts and SOC leaders review to better understand adversary motivations and tradecraft, make more informed business decisions, and ensure alignment between their cybersecurity strategy and real world risk.

OPERATIONAL

SOC analysts get notified of the latest threats in their environment based on automated updates to their SIEMs, IDS, vulnerability scanners, and other SOC tools.

How it Works in AlienVault

TACTICAL

AlienVault Unified Security Management® (USM) receives continuous updates with the latest indicators from the AlienVault Labs Security Research Team. These updates leverage threat data from the larger community in AlienVault OTX, so they reflect in-the-wild attacks on organizations of all sizes from around the world.

STRATEGIC

AlienVault Labs Security Research Team members spend countless hours researching the latest threat actors and their methods. These discoveries are integrated into the USM platform through continuous threat intelligence updates, which include rich, context-specific guidance on how to respond to threats detected in your environments.

OPERATIONAL

The AlienVault Labs Security Research Team regularly publishes threat intelligence updates to the USM platform in the form of correlation directives, IDS signatures, vulnerability audits, asset discovery signatures, IP reputation data, data source plugins, and report templates. The Security Research Team also leverages the power of AlienVault OTX, the world’s largest crowd-sourced repository of threat data, to provide global insight into attack trends and bad actors.

Key Benefits

TACTICAL
  • Constantly updated in near real-time
  • Easily searchable
  • Easily shared
  • Easily integrated
STRATEGIC
  • Educates and empowers SOC team and leadership decision-making
  • Helps communicate the urgency of cyber security issues to execs, board members and other stakeholders
OPERATIONAL
  • Automatically detects the latest threats
  • Guides SOC analyst actions

Threat Intelligence Approaches

There are a few options for sourcing threat intelligence that will feed your SOC, and it’s helpful to understand what each brings to the table. Keep in mind that AlienVault has incorporated each one of these approaches into the USM platform.

Crowd-Sourced

One of the best innovations in the industry has been driven by the cybersecurity community itself. SOC analysts understand that there is a wealth of threat information that we’re all collecting and analyzing. When this information is shared, and SOC teams can collaborate with others on the latest threats and how to mitigate them, we can unite in making it more difficult for attackers to isolate any one of us.

AlienVault OTX is the world’s first truly open threat intelligence community to enable collaborative defense with open access, collaborative research, seamless integration with AlienVault USM, and plugin capabilities for other security products. OTX enables everyone in the OTX community to actively collaborate, strengthening their own defenses while helping others do the same.

Proprietary

Many cybersecurity hardware and software vendors (e.g., anti-virus, firewall, and IDS vendors) offer their own proprietary threat intelligence, based on the information they collect from their customers and their own threat research teams. Typically, proprietary threat intelligence sources rely on a variety of sources when collecting and analyzing the latest threat data, which results in low false positives; high-fidelity and highly credible analysis; and a variety of formats (feeds) to implement in your security monitoring infrastructure.

Threat intelligence provided by the AlienVault Labs Security Research Team helps IT practitioners who don’t have time to research the latest threats and write the rules to detect those threats. The Security Research Team spends countless hours mapping out the different types of attacks, latest threats, suspicious behaviors, vulnerabilities, and exploits they uncover across the entire threat landscape. It regularly publishes threat intelligence updates to the USM platform in the form of correlation directives, IDS signatures, vulnerability audits, asset discovery signatures, IP reputation data, data source plugins, and report templates.


Do-It-Yourself (DIY)

With the number of OSINT (open source intelligence or public intelligence) sources available, it is theoretically possible to “write your own” correlation rules or signatures to detect specific exploits or attack patterns. You can download IOCs from AlienVault OTX or submit malware samples to VirusTotal, then manually script correlation rules and apply them against your log data to detect them in your environment. But just thinking about all the work involved may make your head spin. Going through that manual process for the thousands of exploits that get published each day is simply not sustainable. For a small team with limited time and resources, this is a non-starter. You need help to keep up to date on the latest threats as they change.
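The “context” questions listed earlier and the DIY approach described above both come down to the same mechanical step: pull indicators out of raw log lines, check them against an indicator list that carries context (actor, kill-chain role, source pulse), and rank the hits by that context and by the asset involved. The following Python is an added example, not code from the guide or from AlienVault; the IOC list, actor and pulse names, asset inventory, log lines, and the priority weights are all constructed for illustration and stand in for whatever a real OTX pulse export or asset database would supply.

```python
"""Added example (not from the AlienVault guide): a minimal DIY correlation pass that
matches context-bearing IOCs against raw log lines and enriches every hit so an analyst
can answer the 'context' questions (role in the attack, actor, asset significance, what
else happened on the same asset). Every value below is constructed for illustration."""
import re
from collections import defaultdict

# Constructed IOC list in the shape of a shared indicator feed: each entry carries the
# context the chapter says raw indicators lack (actor, kill-chain role, source pulse).
IOCS = {
    "198.51.100.23": {"type": "IPv4", "actor": "ExampleActor-1",
                      "role": "command-and-control", "pulse": "Constructed pulse A"},
    "update-check.example.net": {"type": "domain", "actor": "ExampleActor-1",
                                 "role": "delivery", "pulse": "Constructed pulse A"},
    "billing@invoice-example.test": {"type": "email", "actor": "ExampleActor-2",
                                     "role": "reconnaissance", "pulse": "Constructed pulse B"},
    "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855": {
        "type": "sha256", "actor": "ExampleActor-1", "role": "compromise",
        "pulse": "Constructed pulse A"},
}

# Constructed asset inventory: criticality answers "is the targeted asset significant?"
ASSET_CRITICALITY = {"db01": 3, "ws-042": 1, "mailgw": 2}

# Illustrative weights: a later kill-chain phase means a more advanced attack.
ROLE_WEIGHT = {"reconnaissance": 1, "delivery": 2, "command-and-control": 3, "compromise": 4}

# Constructed log lines in a syslog-like shape: timestamp, host, source, message.
LOG_LINES = [
    "2024-03-01T08:00:01Z ws-042 proxy GET http://update-check.example.net/setup.bin 200",
    "2024-03-01T08:00:09Z ws-042 av file quarantined "
    "sha256=e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "2024-03-01T08:02:15Z ws-042 fw OUT 10.0.0.42 -> 198.51.100.23:443 ALLOW",
    "2024-03-01T08:05:00Z mailgw smtp from=billing@invoice-example.test to=cfo@corp.test",
    "2024-03-01T08:06:30Z db01 fw OUT 10.0.0.5 -> 203.0.113.9:5432 ALLOW",
]

# Alternatives are ordered so a hash, an email or an IP is consumed whole before the
# looser host/domain pattern gets a chance to carve a piece out of it.
INDICATOR_RE = re.compile(
    r"\b[0-9a-f]{64}\b"                             # SHA-256 hash
    r"|[a-z0-9._%+-]+@(?:[a-z0-9-]+\.)+[a-z]{2,}"   # email address
    r"|\b(?:\d{1,3}\.){3}\d{1,3}\b"                 # IPv4 address
    r"|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b",             # host or domain name
    re.IGNORECASE,
)


def extract_indicators(message):
    """Return every candidate indicator in a log message, normalised to lower case."""
    return [m.group(0).lower() for m in INDICATOR_RE.finditer(message)]


def parse_line(line):
    """Split a constructed syslog-like line into its four fields."""
    ts, host, source, message = line.split(" ", 3)
    return {"ts": ts, "host": host, "source": source, "message": message}


def correlate(lines, iocs=IOCS):
    """Match indicators in each line against the IOC list and enrich each hit with
    context plus a priority = kill-chain weight x asset criticality (unknown asset = 1)."""
    hits = []
    for line in lines:
        rec = parse_line(line)
        for indicator in extract_indicators(rec["message"]):
            ctx = iocs.get(indicator)
            if ctx is None:
                continue
            priority = ROLE_WEIGHT[ctx["role"]] * ASSET_CRITICALITY.get(rec["host"], 1)
            hits.append({**rec, **ctx, "indicator": indicator, "priority": priority})
    return hits


def by_asset(hits):
    """Group hits per host in time order: 'what else happened on this asset before/after?'"""
    grouped = defaultdict(list)
    for hit in sorted(hits, key=lambda h: h["ts"]):
        grouped[hit["host"]].append(hit)
    return dict(grouped)


if __name__ == "__main__":
    for host, asset_hits in by_asset(correlate(LOG_LINES)).items():
        print(f"== {host} (criticality {ASSET_CRITICALITY.get(host, 1)})")
        for h in asset_hits:
            print(f"  {h['ts']} prio={h['priority']} {h['role']:<19} {h['actor']} "
                  f"{h['indicator']} [{h['pulse']}]")
```

Run stand-alone, the script prints one block per asset: the workstation shows delivery, then a quarantined payload, then outbound traffic to the listed command-and-control address, all tied to the same actor, which is exactly the chain of “activities before and after this one” the context questions ask about, while the mail gateway shows only a reconnaissance-stage sender. The weights are an illustrative heuristic, not a scoring scheme from the guide; what matters is that the hit carries actor, role and asset significance rather than a bare indicator.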

FEATURE SPOTLIGHT: AlienVault USM and AlienVault OTX Integration

Real-time threat sharing and collaboration is one of the best ways that lean and mean SOC teams can protect their organization against the latest threats. Through cooperation and consolidation, SOC analysts help each other prioritize and react quickly to threats in their early stages. AlienVault USM will immediately trigger an alarm as soon as any OTX-reported actor is discovered interacting with your network or assets. OTX enables everyone in the OTX community to actively collaborate, strengthening their own defenses while helping others do the same via easily shared OTX Pulses.

SOC analysts can share these OTX pulse activity reports with key stakeholders in their organizations, to demonstrate the urgency of cybersecurity threats as well as how active collaboration can improve security for all. Because the AlienVault Security Research Team analyzes OTX threat data to generate the continuous threat intelligence updates they curate for AlienVault USM, SOC analysts using the USM platform can rest easy knowing that their security plans include built-in protections based on insights from the latest in-the-wild attacks on organizations of all sizes around the world.
