How the SOC Uses Cyber Threat Intelligence
In our previous post we introduced three use cases of how cyber threat intelligence helps SOC Level 1 analysts. Those use cases are summarized in this table:
Figure 1: Cyber Threat Intelligence Use Cases for SOC Level 1 analysts
In this post we discuss exactly how cyber threat intelligence helps SOC Level 1 analysts with those three use cases.
SIEMs and security analytics tools provide visibility into tens of thousands (up to millions) of events and threat indicators (such as suspicious domains and IP addresses, and files that may contain malware) found on an enterprise's network. Unfortunately, by themselves they can't discriminate very well between important threat indicators and false positives: threats that won't impact the business, or that will be thwarted by existing defenses.
However, by matching alarms and events with threat intelligence, SIEMs and security analytics tools can perform first-cut prioritization at machine speed. For example, SOC teams can create SIEM rules that match observed threat indicators with threat intelligence that connects those indicators with threat actors or campaigns that target the enterprise's industry, geographical areas of operation, software applications or infrastructure components. When matches are found, the SIEM will automatically increase the priority rating of that alert or event. (See the left side of Figure 2.)
Figure 2: Intelligence data feeds enable matching of threat indicators with context to prioritize and validate alerts. An intelligence knowledge base can provide detailed information and narratives to the analyst about attackers and threats.
Machine-based prioritization relieves SOC Level 1 analysts from the labor-intensive task of sorting through tens of thousands of low-level and irrelevant alerts each day.
Event and alarm triage
Although machine-based prioritization can do much of the heavy lifting, SOC analysts are still faced with the laborious task of figuring out which alerts and alarms are actually dangerous. Cyber threat intelligence can speed up this process by providing SOC teams with summary threat data that provides context and "situational awareness."
This threat data can take the form of tags and summary descriptions that link individual indicators with threat actors and targets, or of longer narrative descriptions that place the indicators in the context of campaigns and multi-stage attacks.
For example, threat intelligence can tell the SOC analyst quickly if:
- Malware associated with an alert targets applications or systems present in the enterprise (say a specific accounting application, or POS systems at a retailer).
- An IP address on the Internet that was contacted by a system on the network is associated with actors known to be targeting companies in the enterprise's industry.
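The matching and triage steps described above (a SIEM rule that raises an alert's priority when the indicator's intelligence tags overlap with the enterprise's industry, regions or software, and summary context an analyst can read at a glance) can be illustrated with a small script. This is an added example, not code from the original post or from any vendor's product; the indicator values, actor names, enterprise profile and feed format are all constructed for illustration and are not real IoCs.

```python
# Added example: first-cut prioritization and triage context from a threat-intelligence feed.
# Indicators, actor names, and the enterprise profile below are constructed for
# illustration; they are not real IoCs or real threat actors.
from dataclasses import dataclass, field

# Constructed enterprise profile: what the SOC knows about its own organization.
ENTERPRISE = {
    "industry": "retail",
    "regions": {"north-america"},
    "software": {"example-pos-suite", "example-accounting-app"},
}

# Constructed intelligence feed keyed by indicator value. Each entry carries the
# tags and summary a CTI provider might attach: actor, targeted industries,
# regions and software, plus a one-line narrative for the analyst.
INTEL = {
    "203.0.113.45": {  # documentation address range (TEST-NET-3), not a real C2
        "type": "ip",
        "actor": "ACTOR-A (hypothetical)",
        "industries": {"retail", "hospitality"},
        "regions": {"north-america"},
        "software": {"example-pos-suite"},
        "summary": "C2 address used in a hypothetical card-skimming campaign.",
    },
    "malware.example.invalid": {  # reserved .invalid TLD, never resolves
        "type": "domain",
        "actor": "ACTOR-B (hypothetical)",
        "industries": {"energy"},
        "regions": {"europe"},
        "software": set(),
        "summary": "Staging domain in a hypothetical campaign against utilities.",
    },
}


@dataclass
class Alert:
    alert_id: str
    indicator: str
    base_priority: int  # 1 (low) .. 5 (high), as the SIEM rated it before enrichment
    context: list = field(default_factory=list)
    priority: int = 0


def enrich(alert, intel=INTEL, enterprise=ENTERPRISE):
    """Machine-speed prioritization: look the indicator up in the feed, compare its
    tags against the enterprise profile, and raise priority one step (capped at 5)
    for each relevant overlap. The context list is what the analyst reads at triage."""
    alert.priority = alert.base_priority
    entry = intel.get(alert.indicator)
    if entry is None:
        alert.context.append("no threat-intelligence match")
        return alert
    alert.context.append(f"{entry['type']} linked to {entry['actor']}: {entry['summary']}")
    overlaps = [
        ("industry", enterprise["industry"] in entry["industries"]),
        ("region", bool(enterprise["regions"] & entry["regions"])),
        ("software", bool(enterprise["software"] & entry["software"])),
    ]
    for name, hit in overlaps:
        if hit:
            alert.priority = min(5, alert.priority + 1)
            alert.context.append(f"actor targets the enterprise's {name}")
    return alert


def triage(alerts):
    """Enrich a batch of alerts and return them highest priority first, so the
    analyst's queue starts with the indicators that matter to this enterprise."""
    return sorted((enrich(a) for a in alerts), key=lambda a: a.priority, reverse=True)


if __name__ == "__main__":
    # Constructed sample queue: one relevant indicator, one irrelevant, one unknown.
    queue = [
        Alert("A-1", "malware.example.invalid", 2),
        Alert("A-2", "203.0.113.45", 2),
        Alert("A-3", "198.51.100.7", 2),
    ]
    for a in triage(queue):
        print(a.alert_id, a.priority, "|", "; ".join(a.context))
```

In a real deployment the `INTEL` dictionary would be replaced by the SIEM's lookup against a threat-intelligence platform or feed, and the enterprise profile would be maintained by the SOC; the scoring step is deliberately simple so that the reason for each priority increase is visible in the alert's context, which is what Level 1 analysts need when deciding what to escalate.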
Assemble evidence for analysis and validation
Threat intelligence can also help SOC Level 1 analysts further analyze threats and validate events.
For example, "context" can show whether or not a piece of malware detected on the network has been used before in advanced, targeted attacks, or whether a phishing email is likely to be part of a campaign targeting multiple top executives.
Intelligence maintained in a cyber threat knowledge base can provide additional detail and narrative, for example attribution of malware or phishing messages to a specific group or threat actor, analysis of the steps used in a multi-stage attack, and recommended options for mitigation.
These cyber intelligence resources can help SOC analysts quickly assemble evidence to determine if alerts and events should be characterized as incidents that pose serious threats to the organization and should be escalated to the incident response team for immediate in-depth investigation.
The Bottom Line
As these use cases indicate, cyber threat intelligence can help your SOC Level 1 analysts:
- "Shrink the problem" of an overwhelming number of security alerts and events.
- Eliminate the inefficiencies of sorting through massive volumes of invalid and low-priority alerts.
- Rapidly identify alerts associated with relevant threats to the enterprise.
- Quickly assemble and assess evidence and make better decisions about which incidents to escalate.