Defence engineering and threat intel — no stone left unturned
Article by ThreatQuotient regional director for APJC Anthony Stitt.
Every breach starts as a compromise that goes unnoticed and unactioned, often because existing security devices have too many events, too little context and cannot prioritise. Providing these systems with threat intelligence is the lowest cost and most effective way to improve contextualisation and blocking new attacks.
Frameworks like MITRE ATT&CK provide suggestions about detecting certain types of attacks, including where to collect logs from and the pseudo-code required on the system itself — for example, intrusion detection system (IDS) signatures.
In a large network, it is not uncommon for users or devices to be compromised from time to time. What seems to be missing for many organisations is the capability to detect and remediate these compromises consistently, reliably and in a reasonable timeframe. As a result, attackers can gain unlimited dwell time to escalate from compromise to breach. According to IBM’s The Cost of a Data Breach Report, the average time to detect significant data breaches is around 220 days from the point of initial compromise.
While there are many factors at play, understanding the limitations of defences requires examining how blocking and detection systems leverage cyber threat intelligence (CTI). There is a three-way relationship between the security information and event management (SIEM), threat intelligence platform (TIP) and defences that forms the basis of how these ‘systems’ work together.
The TIP provides priority indicators of compromise (IoCs) to the SIEM and receives sightings from the SIEM based on those IoCs. The SIEM then receives logs and alerts from Defences, and the TIP receives IoCs from Defences and provides signatures and IoCs for detection and blocking.
The Defence’ system’ can include many components that TIPs are designed to integrate with, including firewalls, intrusion detection and prevention systems, domain name systems (DNS), and email and web gateways. A TIP can push signatures to defence systems, for example, a DNS blocklist that is continuously updated with the latest risky domains and IP addresses.
Furthermore, a TIP can interface with intelligence collection systems like a sandbox, honeypot, deception technology or a phishing analysis system. These tools are good sources of internal intelligence from which a TIP can collect, normalise, score and share CTI so that attacks detected in one area are shared across organisational systems for collective immunity.
Much has been written about extended detection and response (XDR), which is the capability for unified threat visibility across networks, endpoints and the cloud. The XDR concept focuses on a given vendor’s ability to leverage their intelligence across their portfolio of defensive systems, starting with EDR. This closed loop has two limitations: the vendor’s technology is needed everywhere, and organisations are limited to that vendor’s threat intelligence. The modern reality is that nearly all organisations have a diverse mix of security vendors and a platform helps share any data and intelligence, so they behave like a single unified system.
With Open XDR (integrating disparate point products from different vendors into a unified system), the TIP receives intelligence from internal, paid, open, ISAC, CERT, and partner sources, and shares this with the SIEM, EDR and defences. The SIEM and EDR tools provide the TIP with real-time analysis and sightings of IoCs based on this intel, and if detected, the TIP will send these IoCs for detection or blocking.
This intel on IoCs is shared with the SIEM and EDR tool while the TIP receives logs and alerts from defences. The vendor will send this intel via signatures and rules to their devices on the customer’s premise. The SIEM, EDR and defences work together to provide sightings of IoCs to the TIP and, if of a malicious nature, will block them.
Even if an organisation used a single vendor throughout, a TIP still opens the environment to external and internal CTI over and above the vendor’s threat analysis capabilities. After all, no vendor has 100% coverage on threats, especially new and customised attacks.
A CTI program that prevents even a single breach each year will pay for itself. But, unless an organisation is suffering data breaches constantly, it’s unlikely to have any hard data to calculate an ROI. Instead, one approach is to track the organisation’s ability to detect compromises and determine which of those were exclusively detected with intelligence from the CTI program.
Another approach involves measuring threats blocked by defences resulting from unique signatures versus the cost of detection in the SIEM or EDR and subsequent handling via the SOC. Companies can estimate or calculate the risk reduction by implementing defence in-depth, using different types of IoCs (domains, file hashes, etc.) associated with a campaign or style of attack.
While internally gathered intelligence is contextually relevant, it often lacks details, which can be added through enrichment by analysts. A fusion centre also helps by correlating internal intelligence with external intelligence — adding a rich layer of details and content.
It improves the confidence of analysts, expands the set of related IoC’s to watch for, adds information like common vulnerabilities and exposures (CVEs) and MITRE ATT&CK tactics, techniques and procedures (TTPs), and even leads to adversary attribution. For this reason, internal intelligence and external intelligence complement each other well, and a TIP is designed to bring the two together as a force multiplier.