Let’s start with the basics – what is threat intelligence? The term can mean different things, but in my world it involves collecting and analysing information about potential or existing threats targeting an industry or organisation. Threat intelligence is evidence-based knowledge used to understand a threat actor’s behaviours, motives, or targets, enabling informed decisions to prevent and respond to cyber threats and attacks.
What types of evidence are used in threat intelligence to shape these decisions?
Using multiple threat intelligence sources is essential for contextualising and verifying information, giving a clear picture of which actions will be effective. In our Managed SIEM services, we leverage six to seven different sources of threat intelligence, which we find most appropriate for our customer and analyst base.
Indicators of Compromise (IoCs)
IoCs are pieces of forensic data that suggest a system has been compromised, helping us, as cyber professionals, identify and respond to potential security breaches. Key IoCs include hashes, IP addresses, file paths, and URLs.
Threat intelligence feeds and platforms
Subscriptions and platforms are crucial tools to help us stay informed about the latest cyber threats. These services offer real-time updates on emerging threats and actionable insights to help anticipate, detect, and respond to threats effectively. For our Managed SIEM services, we integrate Threat Data Feeds from trusted providers like Orpheus Cyber and AlienVault’s Open Threat Exchange (OTX).
Threat actor profiles
This evidence links certain activities to specific threat actors or groups. With threat actor profiles, you can understand an attacker’s goals and motivations, such as financial gain.
Open-Source Intelligence (OSINT)
OSINT is publicly available information from sources such as social media, forums, news articles, and security blogs. These sources can be simple, useful, and interesting ways to stay updated on the latest threats.
Incident reports
Detailed analyses or reports of security incidents are exceedingly helpful in proactive cyber defence. Applying knowledge from past incidents to current threats ensures continuous improvement. Network captures, memory dumps, and logs can be collected to make informed decisions.
Vulnerability data
Knowing how exploitable your assets are is a key method for prioritising proactive cyber defence. The more vulnerable an asset is, the more of your risk picture it occupies. Utilising tools like Tenable or Qualys is a great start. You can further contextualise your vulnerabilities with a threat intelligence platform, such as Orpheus Cyber.
How are decisions made in proactive threat hunting?
Now that we know what evidence we need and where we’re gathering it from, it’s time to put it all into practice. Ideally, you and your team will have the capacity to run proactive threat hunting exercises on a regular basis. Here’s a structured approach to effective decision-making in these activities:
1. Define objective and scope
Start by setting clear objectives for your threat hunting exercise. What specific threats do you want to identify? You may focus on insider threats, advanced persistent threats (APTs), or certain types of malware. Defining this is a key starting point to highlight the most relevant areas of your network.
2. Gather and analyse threat intelligence
Use multiple sources, such as IoCs, threat feeds, and OSINT. Collecting this data helps identify patterns or potential threats specific to your organisation. Platforms like Orpheus offer valuable insights by correlating vulnerability data with threat intelligence, providing a comprehensive view of the threat landscape.
3. Develop hypotheses
Based on the gathered information, develop hypotheses about potential threats. For example, if there’s an uptick in ransomware attacks leveraging remote desktop protocol (RDP) vulnerabilities within your industry, hypothesise that similar attempts might target your organisation.
4. Select tools and techniques and collect data
Use the appropriate tools for data collection and analysis, such as a SIEM tool for log analysis or a vulnerability management tool. Use methods like anomaly detection and behaviour analysis to spot unusual activities signalling malicious behaviour. Aggregate data from various sources, including network logs, endpoint logs, and user activity logs, to ensure sufficient visibility.
5. Conduct threat hunting activities
With your data in hand, search for IoCs, such as suspicious IP addresses or malicious URLs. Monitor for unusual behaviours, like unexpected user login attempts or strange data transfers. Use frameworks like MITRE ATT&CK to map these behaviours to known tactics, techniques, and procedures (TTPs) used by threat actors.
6. Investigate findings
If suspicious activity is identified, conduct a thorough investigation to determine its nature. Is this a false positive or a legitimate threat? This step involves a deeper dive into the logs and other internal data sources. The goal is to determine the root cause and the extent of the potential compromise.
7. Respond and mitigate
If the threat is confirmed, take immediate action. Isolate affected systems to contain the threat and prevent lateral spread across the network. Remove malicious files, terminate compromised sessions, and patch exploited vulnerabilities. Restore affected systems and data from backups once the threat is eradicated.
8. Document, share, review and improve
Document findings and actions taken. Sharing this with your team and the wider community improves collective defence mechanisms. Conduct a review of the threat hunting exercise to evaluate the effectiveness of your methods and tools. This will identify areas for improvement and keep your threat hunting playbooks up to date. Continuous improvement is essential to maintaining proactive cyber defence capabilities!
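To make steps 4 and 5 concrete, and the IoC types listed earlier (hashes, IP addresses, file paths, URLs), here is an added Python example of a small hunt over normalised log events. It is illustration code written for this article, not Softcat’s tooling. It assumes events have already been normalised into dictionaries by a SIEM, the IoC set, hostnames and log lines are constructed sample values, and the mapping from indicator type to ATT&CK technique is an assumption chosen for the example rather than a standard. It matches each event against the IoC set, applies one behaviour rule (a run of failed logins followed by a success), and groups the findings by host so that step 6, investigation, has a clear starting point.

```python
from collections import defaultdict

# Constructed IoC set in the shape a feed export might take. All values are
# sample data (RFC 5737 documentation addresses, example hostnames, the
# SHA-256 of an empty file), not real indicators.
IOCS = {
    "ip":     {"203.0.113.45", "198.51.100.7"},
    "url":    {"http://bad.example/payload.bin"},
    "sha256": {"e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"},
    "path":   {r"C:\Users\Public\update.exe"},
}

# Which normalised event field each indicator type is compared against.
EVENT_FIELD = {"ip": "dst_ip", "url": "url", "sha256": "sha256", "path": "path"}

# Illustrative mapping from indicator type to the ATT&CK technique a hit
# would be assessed against (an assumption for this example, not a standard).
TECHNIQUE_FOR = {
    "ip":     "T1071 Application Layer Protocol",
    "url":    "T1105 Ingress Tool Transfer",
    "sha256": "T1204 User Execution",
    "path":   "T1204 User Execution",
}


def normalise(ioc_type, value):
    """Hashes and Windows paths are compared case-insensitively; IPs and URLs as-is."""
    return value.lower() if ioc_type in ("sha256", "path") else value


IOCS_NORM = {t: {normalise(t, v) for v in vals} for t, vals in IOCS.items()}


def match_iocs(event):
    """Return (ioc_type, value) pairs for every field of the event that hits the IoC set."""
    hits = []
    for ioc_type, field in EVENT_FIELD.items():
        value = event.get(field)
        if value is not None and normalise(ioc_type, value) in IOCS_NORM[ioc_type]:
            hits.append((ioc_type, value))
    return hits


def failed_login_bursts(events, threshold=5):
    """Behaviour rule: a user whose successful login follows >= threshold failures.

    Returns {user: (failure_count, host)} for each such sequence.
    """
    failures = defaultdict(int)
    flagged = {}
    for e in events:
        if e.get("source") != "auth":
            continue
        user = e["user"]
        if e["result"] == "failure":
            failures[user] += 1
            continue
        if failures[user] >= threshold:
            flagged[user] = (failures[user], e["host"])
        failures[user] = 0  # a success resets the run of failures
    return flagged


def hunt(events, threshold=5):
    """Combine IoC matching and the behaviour rule into a list of findings."""
    findings = []
    for e in events:
        for ioc_type, value in match_iocs(e):
            findings.append({"host": e["host"], "user": e["user"],
                             "evidence": f"{ioc_type}={value}",
                             "technique": TECHNIQUE_FOR[ioc_type]})
    for user, (count, host) in failed_login_bursts(events, threshold).items():
        findings.append({"host": host, "user": user,
                         "evidence": f"{count} failed logins then success",
                         "technique": "T1110 Brute Force"})
    return findings


def hosts_to_investigate(findings):
    """Group findings by host so each host gets one investigation ticket."""
    by_host = defaultdict(list)
    for f in findings:
        by_host[f["host"]].append(f)
    return dict(by_host)


# Constructed sample events from three log sources (proxy, EDR, authentication),
# already normalised as a SIEM would present them.
SAMPLE_EVENTS = [
    {"source": "proxy", "host": "ws-014", "user": "jdoe", "dst_ip": "203.0.113.45",
     "url": "http://bad.example/payload.bin"},
    {"source": "proxy", "host": "ws-022", "user": "asmith", "dst_ip": "192.0.2.10",
     "url": "https://intranet.example/"},
    {"source": "edr", "host": "ws-014", "user": "jdoe", "path": r"c:\users\public\UPDATE.EXE",
     "sha256": "E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855"},
] + [
    {"source": "auth", "host": "dc-01", "user": "svc_backup", "result": "failure"}
    for _ in range(6)
] + [
    {"source": "auth", "host": "dc-01", "user": "svc_backup", "result": "success"},
    {"source": "auth", "host": "dc-01", "user": "asmith", "result": "failure"},
    {"source": "auth", "host": "dc-01", "user": "asmith", "result": "success"},
]

if __name__ == "__main__":
    for host, items in hosts_to_investigate(hunt(SAMPLE_EVENTS)).items():
        print(host)
        for f in items:
            print(f"  {f['user']:<12} {f['technique']:<36} {f['evidence']}")
```

Running the script produces one group for ws-014 (two proxy hits and two EDR hits on the same user) and one for dc-01 (the failed-login burst), which is the shape of output an analyst wants before deciding whether each is a false positive or a genuine compromise. Case-insensitive comparison of hashes and Windows paths matters in practice: feeds and endpoint agents disagree on casing, and a hunt that compares them verbatim silently misses hits.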
Threat intelligence is crucial for proactive cyber defence
In the ever-evolving landscape of cyber threats, threat intelligence is crucial for proactive cyber defence. It ensures the contextualisation and validation of information, leading to more effective threat mitigation strategies. Proactive threat hunting exercises, guided by clear objectives and supported by appropriate tools and techniques, allow you to identify and address potential threats before they cause significant damage. By continuously improving threat hunting methodologies and sharing findings with the wider community, organisations can enhance their overall security posture and stay ahead of emerging threats. Integrating threat intelligence into proactive cyber defence efforts is essential for maintaining robust security and protecting valuable assets in today’s digital world.
Softcat can support your organisation
Enhance your proactive cyber defence with our expert SOC and threat intelligence service offerings. For more details, reach out to your Softcat Account Management Team or email us at Cyberservicesteam@softcat.com.
Happy hunting!
