How Incident Responders Use Cyber Threat Intelligence
In our previous post we introduced three use cases of how cyber threat intelligence helps incident responders (including SOC Level 2 and Level 3 analysts). Those use cases are summarized in this table:
Figure 1: Cyber Threat Intelligence Use Cases for Incident Responders
In this post we discuss exactly how cyber threat intelligence helps incident responders with each of those use cases.
Incident validation and prioritization
Incident responders must prioritize incidents and decide which ones merit detailed investigations. Cyber threat intelligence can help them identify which incidents are most likely to be connected with attacks that target their organization by providing threat data with "context," such as likely threat actors, their motivations (financial, competitive, and ideological), their typical targets, and the impact of their previous attacks (see Figure 2).
Summary threat data helps incident responders de-prioritize incidents that are targeting other types of enterprises (or consumers) and save scarce incident analysis resources for attacks that actually threaten important business processes or valuable information assets.
Figure 2: Intelligence data feeds provide context to prioritize and validate incidents. An intelligence knowledge base and custom analysis help incident responders quickly answer who/what/why/when/how questions about threats, and contain and remediate attacks.
Incident responders need to "pivot" from initial incidents to determine if the attacks are still in progress, to pinpoint changes made to systems and applications, and to identify possible damage in terms of stolen data and disrupted operations.
Incident responders can perform these tasks much more quickly and accurately if they have access to threat indicators with associated "context," and to a library of threat intelligence documents in a cybersecurity knowledge base. These resources give incident responders detailed information about the identities of attackers, their targets, their TTPs, and the impact they have had on targeted enterprises.
For example, if a malware sample is detected, threat intelligence might include the information that:
- This malware sample typically tries to contact a specific IP address on the Internet.
- This IP address is used as a command and control server by a specific cybercriminal organization.
- That organization has targeted competitors of the enterprise and other companies in the same industry.
- The organization's MO is to send phishing messages to multiple employees in the finance department, plant malware on their computers, then use captured credentials to attack the main financial database.
Incident responders could then investigate:
- Network logs, to see if other systems on the network have communicated with the same IP address.
- Email records, to see if members of the finance department have received phishing messages, and if they have responded to them.
- Network and endpoint anti-malware and IPS systems, to see if the malware sample or variations have been downloaded to other systems on the network.
- Access logs of the financial database, to see if there have been access requests from remote locations or abnormally large data downloads.
The threat intelligence, together with the investigation it supports, helps the incident responders quickly form a complete picture of the attack and its effects.
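The four pivots described above, carried out over log excerpts, as an added example that is not code from the original post. Everything in it is constructed for illustration: the sample hash, the C2 address (203.0.113.0/24 is a documentation range), the actor name "Example Crew", the phishing sender domain, the simple key=value log format, the 10.0.0.0/8 internal range, the user-to-department directory, and the 10,000-row threshold for an "abnormally large" download are all assumptions, not real indicators or product formats.

```python
import ipaddress
import re

# Threat intelligence record for the detected sample. Everything here is
# constructed for this example: the hash, the C2 address (203.0.113.0/24 is a
# documentation range) and the actor name are placeholders, not real IOCs.
INTEL = {
    "sha256": "0123456789abcdef" * 4,
    "c2_ip": "203.0.113.7",
    "phishing_sender_domains": {"invoices-example.test"},
    "target_department": "finance",
    "target_database": "findb",
}

# Constructed log excerpts (not from any real product): a timestamp followed
# by key=value fields, one event per line. 10.0.0.0/8 is the internal network.
NETWORK_LOG = """\
2024-05-02T09:14:02Z src=10.0.1.15 dst=203.0.113.7 dport=443 bytes=5120
2024-05-02T09:15:40Z src=10.0.1.22 dst=198.51.100.5 dport=443 bytes=880
2024-05-02T09:16:11Z src=10.0.1.31 dst=203.0.113.7 dport=443 bytes=20480
"""
MAIL_LOG = """\
2024-05-01T16:02:10Z rcpt=alice@corp.example sender=billing@invoices-example.test clicked=yes
2024-05-01T16:02:12Z rcpt=bob@corp.example sender=billing@invoices-example.test clicked=no
2024-05-01T16:05:00Z rcpt=carol@corp.example sender=news@invoices-example.test clicked=yes
"""
EDR_LOG = """\
2024-05-02T09:13:50Z host=10.0.1.15 event=file_created sha256=0123456789abcdef0123456789abcdef0123456789abcdef0123456789abcdef
2024-05-02T09:30:00Z host=10.0.1.31 event=file_created sha256=ffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffffff
"""
DB_LOG = """\
2024-05-02T11:02:00Z db=findb user=alice src=203.0.113.9 rows=250000
2024-05-02T11:10:00Z db=findb user=carol src=10.0.1.50 rows=120
"""
DIRECTORY = {"alice": "finance", "bob": "finance", "carol": "hr"}  # constructed
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")
LARGE_DOWNLOAD_ROWS = 10_000  # assumed threshold for "abnormally large"
KV = re.compile(r"(\w+)=(\S+)")

def events(log):
    """Parse the key=value log format into one dict per event."""
    out = []
    for line in log.splitlines():
        if line.strip():
            ts, _, rest = line.partition(" ")
            out.append({"ts": ts, **dict(KV.findall(rest))})
    return out

def hosts_contacting_c2(log, c2_ip):
    """Network logs: every internal host that talked to the known C2 address."""
    return sorted({e["src"] for e in events(log) if e.get("dst") == c2_ip})

def phished_users(log, sender_domains, directory):
    """Email records: who got mail from the actor's domains, and who interacted."""
    hits = []
    for e in events(log):
        if e["sender"].rsplit("@", 1)[-1] in sender_domains:
            user = e["rcpt"].split("@", 1)[0]
            hits.append({"user": user, "department": directory.get(user, "unknown"),
                         "clicked": e.get("clicked") == "yes"})
    return hits

def hosts_with_sample(log, sha256):
    return sorted({e["host"] for e in events(log) if e.get("sha256") == sha256})

def suspicious_db_access(log, database):
    """Database access logs: remote sources or abnormally large downloads."""
    findings = []
    for e in events(log):
        if e.get("db") != database:
            continue
        reasons = []
        if ipaddress.ip_address(e["src"]) not in INTERNAL_NET:
            reasons.append("remote source")
        if int(e["rows"]) >= LARGE_DOWNLOAD_ROWS:
            reasons.append("large download")
        if reasons:
            findings.append({"user": e["user"], "src": e["src"],
                             "rows": int(e["rows"]), "reasons": reasons})
    return findings

def pivot(intel):
    """Run the four pivots and assemble one picture, including the MO stage reached."""
    c2_hosts = hosts_contacting_c2(NETWORK_LOG, intel["c2_ip"])
    sample_hosts = hosts_with_sample(EDR_LOG, intel["sha256"])
    phished = phished_users(MAIL_LOG, intel["phishing_sender_domains"], DIRECTORY)
    db_findings = suspicious_db_access(DB_LOG, intel["target_database"])
    at_risk = [p["user"] for p in phished if p["clicked"] and p["department"] == intel["target_department"]]
    stage = ("database access" if db_findings else "malware installed" if c2_hosts or sample_hosts
             else "phishing delivered" if phished else "initial alert only")
    return {
        "c2_hosts": c2_hosts,
        "sample_hosts": sample_hosts,
        # Talked to the C2 but the known hash was never seen: hunt for a variant.
        "check_for_variants": sorted(set(c2_hosts) - set(sample_hosts)),
        "phished": phished,
        "credential_risk_users": at_risk,
        "db_findings": db_findings,
        "stage_reached": stage,
    }
```

Calling `pivot(INTEL)` on the constructed data reports two hosts talking to the C2 but only one carrying the known hash, so the other goes on a list to check for a variant; it names the one finance user who clicked the lure as the credential at risk, flags her remote, 250,000-row pull from the financial database, and concludes the attack has reached the last stage of the actor's known MO. That last field is the "complete picture" the text describes: each pivot on its own is a list of matches, but read against the actor's TTPs they say how far the intrusion has progressed.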
Containment and remediation
Threat intelligence also helps incident responders work with other IT groups to contain attacks and remediate damage.
For example, information about the TTPs of threat actors can help enable the IT group to:
- Isolate infected systems.
- Block communications with external command and control servers.
- Disable user credentials compromised by phishing attacks.
- Remove malware or reimage infected computers.
Information about typical attacks can also be used to prevent future attacks, for instance by:
- Prioritizing the patching of vulnerabilities that pose the greatest threat to the enterprise.
- Targeting education at the vulnerabilities exploited by known attackers (e.g., user awareness training against targeted phishing attacks, developer training against SQL injection and cross-site scripting attacks).
- Focusing monitoring on the user groups and information assets most likely to be attacked.
"Reactive" hunt missions use cyber threat intelligence to search for undiscovered attacks related to current incidents. For example, if a current incident involves a phishing campaign, threat intelligence might show that this campaign is used by a particular hacktivist group that also employs other phishing campaigns and a type of "watering hole" attack. Since there is a strong probability that the group will use more than one type of attack, the hunt team can track down evidence of the other phishing campaigns and identify employees who have visited the group's watering hole website.
"Proactive" hunt missions start with the premise that threat actors known to target some organizations in a specific industry, or specific systems, are likely to also target other organizations in the same industry or with the same systems. Threat intelligence, particularly detailed threat intelligence documents maintained in a knowledge base, give the hunt team an accurate, detailed source of information on the threat actors most likely to threaten them, and about where to look for evidence of their presence in the corporate network.
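Both kinds of hunt mission, as an added example that is not code from the original post. It assumes a small threat-intelligence knowledge base in which each actor has targeting information and campaigns with indicators; the actor names ("Example Hacktivists", "Example Crew"), campaign IDs, indicator domains, the org profile, the mapping of indicator types to log sources, and the already-parsed mail and proxy events are all constructed placeholders. The reactive mission pivots from the campaign seen in the current incident to the same actor's other campaigns; the proactive mission ranks actors by how much their known targeting overlaps the organization's industry and systems, which is the premise described above.

```python
# Constructed threat-intelligence knowledge base for this example. Actor names,
# campaign IDs and indicator domains are placeholders, not real intelligence.
KNOWLEDGE_BASE = {
    "Example Hacktivists": {
        "motivation": "ideological",
        "targets": {"industries": {"energy", "utilities"}, "systems": {"remote-access VPN"}},
        "campaigns": {
            "CAMP-101": {"type": "phishing", "field": "sender_domain",
                         "indicators": {"grid-alerts.test"}},
            "CAMP-102": {"type": "phishing", "field": "sender_domain",
                         "indicators": {"union-notice.test"}},
            "CAMP-103": {"type": "watering_hole", "field": "domain",
                         "indicators": {"energy-news-daily.test"}},
        },
    },
    "Example Crew": {
        "motivation": "financial",
        "targets": {"industries": {"retail"}, "systems": {"point-of-sale"}},
        "campaigns": {
            "CAMP-201": {"type": "phishing", "field": "sender_domain",
                         "indicators": {"invoices-example.test"}},
        },
    },
}
# Which log source holds each indicator field (an assumption for this example).
DATA_SOURCE = {"sender_domain": "mail", "domain": "proxy"}

# Constructed, already-parsed events as a SIEM query might return them.
LOGS = {
    "mail": [
        {"ts": "2024-05-03T08:01:00Z", "rcpt": "erin@corp.example", "sender_domain": "union-notice.test"},
        {"ts": "2024-05-03T08:02:00Z", "rcpt": "frank@corp.example", "sender_domain": "corp.example"},
    ],
    "proxy": [
        {"ts": "2024-05-03T09:10:00Z", "host": "10.0.2.7", "domain": "energy-news-daily.test"},
        {"ts": "2024-05-03T09:11:00Z", "host": "10.0.2.8", "domain": "weather.example"},
        {"ts": "2024-05-03T09:12:00Z", "host": "10.0.2.7", "domain": "energy-news-daily.test"},
    ],
}

def actor_for_campaign(kb, campaign_id):
    for actor, rec in kb.items():
        if campaign_id in rec["campaigns"]:
            return actor
    raise KeyError(f"unknown campaign {campaign_id}")

def plan_items(kb, actor, skip=()):
    """Turn an actor's campaigns into hunt items: what to look for and where."""
    items = []
    for cid, camp in sorted(kb[actor]["campaigns"].items()):
        if cid not in skip:
            items.append({"actor": actor, "campaign": cid, "type": camp["type"],
                          "source": DATA_SOURCE[camp["field"]], "field": camp["field"],
                          "indicators": camp["indicators"]})
    return items

def reactive_hunt(kb, current_campaign):
    """Reactive mission: from the campaign in the current incident, pivot to the
    same actor's other campaigns (other phishing lures, watering holes, ...)."""
    actor = actor_for_campaign(kb, current_campaign)
    return plan_items(kb, actor, skip={current_campaign})

def rank_actors(kb, org_profile):
    """Proactive mission: rank actors by overlap between their known targeting
    and our industry and systems; actors with no overlap are dropped."""
    scored = []
    for actor, rec in kb.items():
        score = (len(rec["targets"]["industries"] & org_profile["industries"])
                 + len(rec["targets"]["systems"] & org_profile["systems"]))
        if score:
            scored.append((-score, actor))
    return [actor for _, actor in sorted(scored)]

def proactive_hunt(kb, org_profile):
    return [item for actor in rank_actors(kb, org_profile) for item in plan_items(kb, actor)]

def run_hunt(plan, logs):
    """Search each item's log source for its indicators; one finding per
    (campaign, host or recipient), keeping the earliest sighting."""
    seen = {}
    for item in plan:
        for e in logs[item["source"]]:
            if e.get(item["field"]) in item["indicators"]:
                key = (item["campaign"], e.get("host") or e.get("rcpt"))
                seen.setdefault(key, {"campaign": key[0], "type": item["type"],
                                      "subject": key[1], "indicator": e[item["field"]],
                                      "first_seen": e["ts"]})
    return [seen[k] for k in sorted(seen)]
```

Starting a reactive hunt from CAMP-101 yields a plan for the actor's other lure (CAMP-102, checked in mail logs) and its watering hole (CAMP-103, checked in proxy logs); running it against the constructed events turns up one recipient of the second lure and one host that visited the watering hole. A proactive hunt for an energy company running a remote-access VPN ranks "Example Hacktivists" first and drops "Example Crew" entirely, so the team's time goes to the actor whose targeting actually matches them.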
The Bottom Line
As these use cases indicate, cyber threat intelligence can help your incident responders:
- Identify alerts that should be investigated immediately.
- Connect isolated indicators with threat actors and campaigns in order to quickly understand the source and targets of attacks.
- Perform in-depth investigations more accurately and completely and answer critical who/what/why/where/how questions about attacks.
- Block attacks in progress sooner, reducing their impact on the business.
- Prevent the same types of incidents from recurring in the future.
- Perform hunt missions to uncover attacks that are "dwelling" undetected on your network.