
Threat intelligence to the fore

by Mark Rowe

With cyber extortion and ransomware estimated by the Cabinet Office to cost the UK £27bn every year, the role of threat intelligence has come to the forefront as businesses strive to manage the risks they face, says Jordan Cheal, Senior Security Consultant at the risk and cyber consultancy Bridewell Consulting.

Security teams scrutinise many forms of information, including specific observables such as domains, IP addresses and file hashes associated with possible cyber threats. They also study written reports detailing a threat actor’s techniques, motivations and infrastructure. Microsoft’s cloud-native Security Information and Event Management (SIEM) platform, Azure Sentinel, is one of the most effective technologies for using this tactical-level information to respond to threats. Azure Sentinel also provides a Security Orchestration, Automation and Response (SOAR) capability through playbooks built on the Azure Logic Apps service, which can detect and respond to threats automatically, reducing the mean time to detect (MTTD) and mean time to respond (MTTR) to attacks.

Using platforms

Companies attempting to maintain a proprietary threat database commonly face a very similar set of issues. These often include the high cost of storage, databases becoming unmanageable due to sheer volume, or simply falling short of the quality of information available from the emerging discipline of community-driven Threat Intelligence Platforms (TIPs). In response, several vendors have established open source, community-driven threat feeds.

Some of the most popular examples of these feeds include MISP (Malware Information Sharing Platform), Anomali, MineMeld, CRITs, AlienVault OTX and Intelstack.

Using a TIP enables organisations to correlate, aggregate and analyse threat data from multiple sources in real time to support defensive actions. These are essentially large database platforms whose primary focus is hosting community-submitted threat feeds. Users subscribe to threat feeds much as a Twitter user follows accounts, pulling in information for their own consumption. In this case, however, the feeds are produced by a growing number of organisations, dedicated threat intelligence companies and security researchers.

Collaborative knowledge

As security teams deal with rising amounts of data generated by external and internal resources, they can turn to TIPs to help identify which threats are relevant to their organisation. By importing threat data from multiple sources and formats, correlating that data, and then exporting it into an organisation’s existing security systems or ticketing systems, a TIP automates proactive threat management and mitigation.

A true TIP differs from typical enterprise security products in that it is a system that can be programmed by outside developers, in particular by users of the platform. TIPs can also use APIs to gather enrichment data such as configuration analysis, Whois information, reverse IP lookups, website content analysis, name servers and SSL certificates.

A key strength of these platforms is that they let organisations filter the data granularly by attack vector, hacking group, organisation and even industry. For example, a SOC (Security Operations Centre) analyst at a bank can easily receive daily threat feeds from around the world covering any threats associated with banks and financial institutions.

This aspect is particularly important because it provides businesses with collaborative knowledge – taking advantage of information supplied by others – without their having to be a direct target of that threat themselves. It can also save users substantial costs from potential breaches which would otherwise have gone unnoticed.

Threat feeds are ingested into Azure Sentinel using the built-in Threat Intelligence data connectors. The ingested feed is stored in the Log Analytics workspace and can be queried through the ThreatIntelligenceIndicator table or through the new Threat Intelligence blade. Once stored, these indicators can be used by joining the relevant tables and checking your organisation’s data for matches against the indicators of compromise (IOCs). Internally generated intelligence can also be saved by creating a new entry in the Threat Intelligence blade.

Threat hunting teams can use these stored indicators as part of their hunting tasks: by choosing a specific indicator or source, they can review the context of the indicator and search for matches in the organisation’s logs.
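The join described above, matching stored indicators against an organisation’s own logs, as an added KQL example that is not code from the article, Bridewell or Microsoft. It assumes the standard Azure Sentinel ThreatIntelligenceIndicator and DnsEvents table schemas; the 14-day indicator window and 1-day log window are illustrative choices.

```kql
// Added example: hunt for DNS lookups of domains that appear as active indicators.
// Assumes the standard ThreatIntelligenceIndicator and DnsEvents schemas.
let ioc_lookBack = 14d;   // how far back to collect indicators (assumed window)
let log_lookBack = 1d;    // how far back to search the organisation's DNS logs
let domain_iocs =
    ThreatIntelligenceIndicator
    | where TimeGenerated >= ago(ioc_lookBack)
    | where Active == true and ExpirationDateTime > now()   // drop retired IOCs
    | where isnotempty(DomainName)
    // keep only the most recent version of each indicator
    | summarize arg_max(TimeGenerated, *) by IndicatorId
    | extend TI_Domain = tolower(DomainName);
DnsEvents
| where TimeGenerated >= ago(log_lookBack)
| where SubType =~ "LookupQuery" and isnotempty(Name)
| extend DNS_TimeGenerated = TimeGenerated, QueriedDomain = tolower(Name)
| join kind=inner domain_iocs on $left.QueriedDomain == $right.TI_Domain
// count only lookups made while the indicator was still valid
| where DNS_TimeGenerated < ExpirationDateTime
| project DNS_TimeGenerated, Computer, ClientIP, QueriedDomain,
          IndicatorId, SourceSystem, ThreatType, ConfidenceScore, Description
| order by DNS_TimeGenerated desc
```

The same pattern applies to the other indicator columns (NetworkIP, Url, FileHashValue) joined against tables such as CommonSecurityLog or SecurityEvent; adding a ConfidenceScore threshold keeps low-quality feed entries from flooding the hunt.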

Enabling a proactive approach

To help SOC analysts proactively seek out anomalies that their security solutions have not detected, Azure Sentinel’s built-in threat hunting capabilities provide pre-defined hunting queries to get users started.

Threat hunting takes a proactive approach to identifying ‘evil’ behaviour rather than relying on the typical reactive response. A good threat hunting team will know and understand the environment in order to identify any anomalous sources of activity within the organisation. It is important to establish an accurate baseline of what is normal so that unusual behaviours and processes stand out.

Several factors can trigger the hunting team to start proactively searching for threats: active campaigns, patterns of activity, threat intelligence by a third party or an organisation’s own internal threat intelligence team. Then there are historic incidents – a business can be alerted about the anniversary of an incident that occurred six months ago, for example, and may want to follow up to check it was properly remediated and eradicated from the environment.

It is also good practice to closely follow security blogs, social media and industry events for new and emerging threat behaviours. For example, if an organisation within the oil and gas sector experiences a breach, that should automatically be of interest to other businesses within the industry. Their security and threat hunting teams should find out as much about that intrusion as possible, typically through intelligence sharing, and hunt through their own logs for signs of the same behaviour. The team should also be able to validate whether they are at risk, based on their detection and prevention tools and the technology being targeted.

In cyber security it is crucial to augment reactive approaches with proactive ones: even if a breach is not visible through traditional security tools and detection mechanisms, that does not mean it has not occurred. Human-guided threat hunting, supported by machine learning-powered tools such as Azure Sentinel, can help to uncover intruders before they access sensitive data.

When it comes to putting together a balanced security team, organisations typically require experienced threat hunters – ideally someone with data science skills for the more advanced hunting techniques. This is where Azure Sentinel really comes into its own. Sentinel’s built-in features lower the barrier to entry for a hunting team by providing aids such as pre-defined hunting queries written by Microsoft and contributed to by the wider cyber security community. Microsoft blogs and documentation also introduce the more advanced guided investigations and threat hunting capability, leveraging Jupyter notebooks to query and visualise the data sources specified in your hunt.

About the firm

Bridewell Consulting recently became a Microsoft Gold Partner. Visit https://www.bridewellconsulting.com/. Its 24×7 Security Operations Centre provides a fully managed service for Azure Sentinel and Microsoft Defender and covers wider services such as Cyber Threat Intelligence, Vulnerability Management, Incident Response and Digital Forensics. See also this Bridewell blog about threat hunting.
