At iSIGHT Partners, we are often asked exactly how cyber threat intelligence benefits different groups within an IT organization. To answer those questions, we are publishing a series of posts on CTI use cases for the SOC Level 1 Analyst (Part 1 and Part 2), the Incident Responder (Part 3 and Part 4), the CISO, the Threat Intelligence Analyst, the NOC Analyst, and the team responsible for vulnerability and patch management. This is the first of two posts focusing on the Incident Responder.
Grace (and Skill) Under Pressure
Whatever you call the incident responders in your enterprise - the incident response (IR) team, SOC Level 2 or Level 3 analysts, the computer security incident response team (CSIRT), or something else - the job takes a unique combination of skill, knowledge and grace under pressure.
Incident responders investigate suspected incidents and determine which might have a major impact on the organization, attribute incidents to threat actors and research the tactics, techniques and procedures (TTPs) of those actors, develop complete pictures of attacks in progress, and work with other groups to block the attacks, recover securely, and prevent similar incidents in the future.
Incident responders must possess an impressive array of skills to perform these tasks. Among many other topics they must understand:
- The dark side: social engineering, how attackers put together campaigns and complex attacks, the technology behind web-based attacks, malware, privilege escalation, data exfiltration and other attack techniques.
- The network and security devices in the enterprise, how they work, and how they can fail.
- The information assets of the enterprise and the business impact if they are destroyed or stolen.
Challenges: Go Faster, But Don't Miss Anything
Incident responders must be able to work fast. According to the Verizon 2014 Data Breach Investigations Report (DBIR), 51% of web attacks succeed in exfiltrating data within hours of the initial compromise, while only 14% are discovered and only 7% are contained in that time period. Clearly, incident responders need to step up their game to close what Verizon calls the "detection deficit."
Working fast involves both prioritizing incidents quickly and accurately, so the organization can focus on those attacks that pose the most risk to the business, and performing in-depth investigations of serious incidents rapidly and thoroughly.
But incident responders typically lack easy access to the data needed to validate and prioritize incidents. They also need to perform laborious web searches to find information connecting threat indicators with specific threat actors and their TTPs.
Many enterprises have also embraced the idea of "hunt missions," where teams search for attacks that may be "dwelling" and operating unseen on the network (the Verizon 2014 DBIR notes that 52% of web app attacks are discovered only months or years after the initial compromise). But hunt missions are very difficult unless you have some idea of where to start looking for clues, and most hunt teams have very little to go on.
Use Cases for Cyber Threat Intelligence
There are four primary use cases for incident responders using cyber threat intelligence:
- Incident validation and prioritization, to determine which incidents have the highest potential for negative impact on the business
- Incident analysis, to quickly answer the who/what/why/when/how questions about attacks
- Containment and remediation, to disrupt attacks in progress and eliminate vulnerabilities
- Hunt missions, to uncover previously undiscovered attacks.
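As an added illustration of the first two use cases (validation/prioritization and answering the who/what/how questions), the following example is not iSIGHT code; it enriches alert indicators against a small, constructed intel store and ranks the alerts by business impact, actor relevance and attack stage. The intel records, asset list, weights and alert data are all hypothetical.

```python
from dataclasses import dataclass

# Constructed CTI records keyed by indicator (hypothetical actors and values).
INTEL = {
    "203.0.113.10": {"actor": "ACTOR-A", "confidence": 0.9, "targets_our_sector": True,
                     "ttps": ["spear-phishing", "credential theft", "data exfiltration"]},
    "198.51.100.7": {"actor": "ACTOR-B", "confidence": 0.6, "targets_our_sector": False,
                     "ttps": ["mass scanning"]},
}
# Business impact of the affected asset, 1 (low) to 3 (critical); constructed.
ASSET_IMPACT = {"hr-db-01": 3, "kiosk-04": 1, "wiki-02": 2}
# TTPs that show the attacker is already past initial access.
LATE_STAGE = {"credential theft", "lateral movement", "data exfiltration"}

@dataclass
class Alert:
    alert_id: str
    asset: str
    indicator: str

def enrich(alert):
    """Return the CTI record for the alert's indicator, or None if unknown."""
    return INTEL.get(alert.indicator)

def score(alert):
    """Priority score from asset impact plus actor relevance and attack stage."""
    impact = ASSET_IMPACT.get(alert.asset, 1)
    intel = enrich(alert)
    if intel is None:
        return impact, "no CTI match; validate manually"
    total = impact + 2 * intel["confidence"]
    reasons = [f"actor {intel['actor']} (confidence {intel['confidence']})"]
    if intel["targets_our_sector"]:
        total += 3
        reasons.append("actor targets our sector")
    late = LATE_STAGE.intersection(intel["ttps"])
    if late:
        total += 2
        reasons.append("late-stage TTPs: " + ", ".join(sorted(late)))
    return round(total, 1), "; ".join(reasons)

def prioritize(alerts):
    """Return (alert_id, score, reasons) tuples, highest priority first."""
    ranked = [(alert.alert_id, *score(alert)) for alert in alerts]
    return sorted(ranked, key=lambda row: row[1], reverse=True)

if __name__ == "__main__":
    queue = [Alert("A1", "kiosk-04", "198.51.100.7"),
             Alert("A2", "hr-db-01", "203.0.113.10"),
             Alert("A3", "wiki-02", "192.0.2.55")]
    for row in prioritize(queue):
        print(row)
```

The unmatched alert (A3) is neither dropped nor inflated: it keeps its asset-impact score and is flagged for manual validation, which is where analyst time goes once the enriched alerts are handled.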
In our next blog post we will examine exactly how cyber threat intelligence helps incident responders with those four use cases.