Is automation the future of mature threat intelligence? asks Chris O’Brien, Director Intelligence Collaboration at incident response and threat hunting intelligence feed product company EclecticIQ.
All too frequently, news headlines report on the latest cyber-attack to befall an enterprise, focusing mainly on who was behind the attack as well as the effect on the business and its customers.
Organisations are spending hundreds of millions of dollars each year on their security processes to ensure they aren’t the next name behind the headlines, but are they getting it right? And is the cyber-security industry, as a whole, doing all it can to ensure their success? Automation is key when it comes to fighting increasingly complex cyber attacks at scale, enabling organisations to react faster and more efficiently. Here are three considerations for organisations looking to bolster their threat intelligence.
The first steps
Getting the right tools in place at the right time, with the right purpose, is vital and automation is a good starting point. While much of the core component technologies are not new, it is their application to the specific problems faced by each organisation that makes them powerful: Automating upstream intelligence feeds so that Security Operation Centres can improve outgoing response activities, for example. Or automation of the fusion process according to intelligence requirements to present a consolidated threat picture. There are some important rules to remember:
– Timeliness only depreciates: Getting the intelligence you need to defend against a cyber attack at the right time is vital; Processing those feeds only decreases that timeliness. So make sure your automation can scale;
– Say what you mean and mean what you say: Too many intelligence feeds (both in and out) use specific terminology and contiguous prose. Wherever possible, use open standard and structured vocabularies (such as STIX) to ensure you get your point across efficiently; and
– Garbage in equals garbage out: No amount of processing can make up for poor quality data feeds.
It is the ultimate aim of Threat Intelligence to move our Security Operations from reactive to proactive – or even predictive. As we see the progression of Artificial Intelligence (AI) and Machine Learning (ML) we can begin to dream big about the potential applications but much of the benefit of simple automation can still be realised today. Take the time to understand where the bottlenecks are in your internal processes and apply automation judiciously.
Solutions
Threat intelligence is a key tool in the fight against adversaries. That isn’t because adversaries are constantly using more and more sophisticated tooling – quite the contrary. In fact, the growing risk of cyber security attacks is not the sophistication but rather the volume and speed. An APT doesn’t need to develop a super-advanced attack vector while there are still unpatched vulnerabilities available to exploit. So don’t be fooled by super-high tech automation capabilities that profess to protect from the most advanced APTs.
Instead, look for automation solutions that remove the menial jobs from your analysts. Automate the processing of data and its application to real-network action. Seek out the solutions that identify trends in threats, identify the clear and consistent messages, then apply a sensible response for your environment. Superior APT-style attacks are expensive to defend against – yes – but they are also expensive to launch. By raising the bar of your defence the adversary will have to work that much harder to have their way with your network and, hopefully, will just not bother.
More mature processes
The race to stop attacks, and the adversaries behind them, can often feel reactive, but it’s important to remember that it’s a marathon, not a sprint. In fact, ensuring that conditions are right in order to gain the upper hand against adversaries requires a long term investment in both tooling and processes. For starters, we already know that the threat intelligence process involves manual steps which have the ability to be automated. Initially the automation will focus on more static processes but can gradually be applied to more and more complex tasks as the work of analysts is transferred to the automation. For example: Basic ML to implement incoming data classification probably isn’t necessarily implementable straight out-of-the-box for your team because there will be some training or customisation of the engine to really make it work. But over time, these tasks can become more and more sophisticated, freeing up your analysts to look at more strategic threats.
As our ability to automate more sophisticated Threat Intelligence practices grows there will be huge opportunity to grow our detection capabilities as well. Currently, we think in terms of IOCs (Indicators of Compromise) and potentially TTPs (tactics, techniques and procedures) – but as we think in more abstract concepts there will be a call to implement more abstract detection mechanisms for malicious activity ‘types’ – similar to the event-clustering of Security Analytics. This will present analysts with the opportunity to start to develop more value-add investigations, based on verified information detected through the automation process. Furthermore, automation will open up the career path for threat analysts allowing them more time to do the work they enjoy and deliver real business impact. As we move into the future of threat intelligence, analysts should always learn the basics before automating a process both to help inform the design of automation as well as being able to do their role should the automation break.
