Threat intel is broken.

As we’ve spoken about before, generic threat intel wastes a lot of time. It’s not efficient, and often it’s not even effective. Spending all day blocking IOCs that may just be white noise means you never really know how effective you are, amounting to tons of busy work and not much to show for it. Scouring through deep and dark web pages may be helpful at times, but it’s not going to really save an organization. As technology evolves, so does the threat actor. Threats and techniques change on a daily basis, making the job of the cyber defender incredibly difficult. Our approach to threat intel is the use of deception technology to collect real-time threat intel specific to your environment. This is revolutionary, because it allows you to collect and take action on objectives that are 100% specific to your network and your organization.

In order to understand who the threat actors are that are targeting you, what their motive is, and what their capability is, we need to adopt a new approach to threat intel. The threat intelligence lifecycle is a widely accepted framework for how to approach the gathering and usage of threat intel. However, our team of experts in cybersecurity and threat intel has created a new version of this lifecycle, one that depicts the future of threat intel, the new version of threat collection.

The new Threat Intelligence Lifecycle is all about aligning your threat intel needs with your cybersecurity strategy and your organization’s specific attack surface. Read on as our team, led by Amyn Gilani, Chief Growth Officer, walks you through the Threat Intelligence Lifecycle 2.0.

1) Planning & Direction

Align your cybersecurity plan to your business objectives by understanding your organization’s risk exposure and attack surface.

Planning and direction is the first part of the Threat Intelligence Lifecycle 2.0. The journey to valuable threat intel includes identifying what you want to protect. Every security team knows which external and internal assets are valuable, things the business can’t operate without. Building deception assets around the critical business assets is a foundational step for using deception technology to gather actionable, real-time threat intel.

➤ THE RESULT: Deception environments that mimic critical assets are created.

2) Collection

Collect real-time, meaningful threat actor behaviors via deception assets and beaconed fake collateral.

Once you identify what’s important in step 1, you want to protect those assets. The deception environments you created serve as speed bumps around internal infrastructure, and with them you also start to collect information externally. Deception is the only security tool that allows you to collect both external and internal intel. No other threat intel company can collect intelligence on your internal network.

➤ THE RESULT: Not only are you collecting intel internally, you’re collecting at the kernel level, so you don’t miss a single process. Detect TTPs and actions at the kernel level of a workstation, with all the detail you need to make the intel actionable.

3) Processing

Gathering context and technical data from the threat actor database, the MITRE ATT&CK integration and the Engage integration.

It’s all about context. After you’ve collected this tailored threat intel, what are you going to do with it? CounterCraft’s Platform has a threat actor database that does loose attribution and helps you understand the threat actor. Find out who is in these decoy networks, whether they are advanced, state-sponsored APTs or script kiddies. Thanks to integrations on the CounterCraft Platform, you can watch their lateral movement highlighted for analysts on the MITRE framework. Know who is going after your infrastructure, and have evidence in hand on who is attacking you and what their motive is.

➤ THE RESULT: Manage the event, and ultimately make security control uplifts. The MITRE integration maps raw telemetry onto the techniques of the ATT&CK framework. Being able to highlight attack methods for analysts is extremely helpful, providing valuable insight.

4) Analysis

Analyze the attack behavior and the attacker’s motivations to understand who the attacker is and what they want, have done, and will do next.

At this point, the team must make an unbiased and objective analysis of the intel. This step is often aided by various analytical frameworks, from the Cyber Kill Chain to MITRE ATT&CK.

➤ THE RESULT: Use an analytics platform to assess the attack events and security events even further.

5) Take Action

Make security control uplifts and integrate threat intelligence and automated rule sets into your SIEM, TIP, SOAR and other security applications.

The biggest consequence of the broken state of threat intelligence is how difficult it makes taking action on it. Loads of white noise make for a tedious, time-consuming job for threat analysts. With the use of CounterCraft’s Platform, you have clear direction on how to manage the intel you receive. Behaviors can even be logged in your SIEM or used to make control uplifts using your SOAR platform. The platform includes 46 integrations, which allow intel to be communicated to virtually anyone or anywhere in your organization, informing strategic intelligence as well.

➤ THE RESULT: Based on what you learn, you realign your deception assets to get more intelligence. You’re learning more, testing more and more hypotheses. At this point in the cycle, you can now reconfigure and start anew.
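The processing and take-action steps above (tagging decoy telemetry with ATT&CK techniques, then forwarding it to a SIEM), as an added example that is not CounterCraft’s code: the decoy event names, the mapping table, the ECS-inspired field names and the sample telemetry are all constructed assumptions, and the one property the code relies on is that a decoy has no legitimate users, so every interaction is kept even when no technique mapping exists.

```python
import json

# Constructed mapping from decoy event kinds (assumed names) to real ATT&CK technique IDs.
ATTACK_MAP = {
    "ssh_login":      ("T1021.004", "Remote Services: SSH"),
    "shell_spawned":  ("T1059.004", "Command and Scripting Interpreter: Unix Shell"),
    "dir_listing":    ("T1083",     "File and Directory Discovery"),
    "cred_file_read": ("T1552.001", "Unsecured Credentials: Credentials In Files"),
}

# Constructed sample telemetry: one intruder on a decoy file server, plus a beacon
# callback from a fake document that has no ATT&CK mapping in the table above.
DECOY_EVENTS = [
    {"ts": "2024-01-01T10:00:01Z", "host": "decoy-fs01", "src": "10.0.5.23", "kind": "ssh_login", "detail": "user=svc_backup"},
    {"ts": "2024-01-01T10:00:09Z", "host": "decoy-fs01", "src": "10.0.5.23", "kind": "shell_spawned", "detail": "/bin/bash"},
    {"ts": "2024-01-01T10:00:15Z", "host": "decoy-fs01", "src": "10.0.5.23", "kind": "dir_listing", "detail": "/srv/finance"},
    {"ts": "2024-01-01T10:00:40Z", "host": "decoy-fs01", "src": "10.0.5.23", "kind": "cred_file_read", "detail": "/srv/finance/.aws_keys"},
    {"ts": "2024-01-01T11:12:00Z", "host": "beacon-svc", "src": "203.0.113.7", "kind": "beacon_hit", "detail": "doc=Q4_forecast.xlsx"},
]

def enrich(events):
    """Processing step: attach the ATT&CK technique to each decoy event and build a
    SIEM-ready record (ECS-style field names are an assumption, not a strict schema).
    Nothing is dropped: an unmapped decoy interaction is still a true positive."""
    records = []
    for ev in events:
        tid, tname = ATTACK_MAP.get(ev["kind"], (None, "unmapped decoy interaction"))
        records.append({
            "@timestamp": ev["ts"], "host.name": ev["host"], "source.ip": ev["src"],
            "event.action": ev["kind"], "event.severity": "high", "message": ev["detail"],
            "threat.technique.id": tid, "threat.technique.name": tname, "tags": ["deception"],
        })
    return records

def technique_chain(records, src):
    """Analysis step: ordered, de-duplicated technique IDs seen from one source address,
    i.e. the lateral-movement story an analyst can read against the ATT&CK matrix."""
    seen, chain = set(), []
    for rec in sorted(records, key=lambda r: r["@timestamp"]):
        tid = rec["threat.technique.id"]
        if rec["source.ip"] == src and tid and tid not in seen:
            seen.add(tid)
            chain.append(tid)
    return chain

def to_siem_lines(records):
    """Take-action step: newline-delimited JSON, the form most SIEM ingest endpoints accept."""
    return "\n".join(json.dumps(r, sort_keys=True) for r in records)

if __name__ == "__main__":
    recs = enrich(DECOY_EVENTS)
    print(technique_chain(recs, "10.0.5.23"))
    print(to_siem_lines(recs))
```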

The Takeaway

Threat intelligence analysts have been trained to operate using whatever is available in the market. Unfortunately, that form of consuming intel has proven to be ineffective and resource-inefficient. Consuming threat intel feeds from other organizations’ compromises is not one-size-fits-all; it’s reading yesterday’s paper. Imagine the power of replacing irrelevant, dated intel with specific, actionable threat intel. Deception technology is the ONLY way to collect relevant intelligence specific to your environment. Replace your tired threat intel lifecycle with our Threat Intelligence Lifecycle 2.0.