Threat Intelligence as a Gamechanger for Security Management
Cyber Threat Intelligence includes evidence-based knowledge about existing or emerging threats. Enriched with analysis, mechanisms, indicators, implications and actionable advice, threat intelligence provides the necessary context to make informed decisions about security incidents.
Threat intelligence is the perfect starting point for targeted threat hunting. It also enables the creation of strategic situation pictures, from which measures for cyber prevention and optimised risk management can be derived. Threat intelligence is irreplaceable in acute cases when it comes to the early detection of potential incidents on the one hand and the targeted reaction to cyber security incidents on the other.
Markus Riegler, Head of Managed Defense at IKARUS Security Software, explains what threat intelligence is and how to use it efficiently.
What makes up the “intelligent” part of threat intelligence?
The key lies in the word context information. This is easy to understand with the example of an IP address. A single IP address in a list of threat information says practically nothing. Moreover, an IP address may again be classified as benign if the attacker desists from doing so. This means you need much more information – e.g. in which attacks this address has been seen, how often, when for the first time and when for the last time, where the attacks were carried out – worldwide, only in one country or even only against one industry or one company… Context also includes knowing who to attribute the IP address to, and thus perhaps the attacker infrastructure. Perhaps there is already historical data on this IP address.
What difference does this knowledge or context make in the practical work of security teams?
What makes the difference is above all the knowledge of the threats that affect my organisation or me. This starts with the concrete creation of situation pictures and risk analyses to be applied to a current situation of an organisation and goes all the way to support in an incident response case by checking whether an artefact found has already been applied in other cases. In all cases, threat intelligence allows for targeted and prioritised answers to concrete questions.
For whom is Threat Intelligence suitable? Which requirements should be met?
A Threat Intelligence Platform (TIP) is an expert system that requires dealing with threat information in advance. Without appropriate prior knowledge and experience in dealing with threat intelligence, the potential of a TIP cannot be fully exploited.
A TIP is like a library, i.e. a reference book that I can use to write my own analysis “books”. It therefore supports already installed service areas such as SOC, Incident Response, Threat Hunting, Risk Management or populating SIEM systems.
What does additional threat intelligence achieve that other solutions such as antivirus technologies, EDR, etc. do not?
Many defence technologies receive a set of threat information from the respective manufacturer. An antivirus scanner lives from its signatures. A NIDS lives from the matching package rules. However, this is always dependent on the sensor network of the manufacturer, does not bring any contextual information and the existing data is not visible to the users.
Threat Intelligence provides additional input for defence technologies such as EDR, SIEM, NIDS, etc. However, it is also an irreplaceable input in the case of Incident Response, Threat Hunting or Threat Landscape.
What can this look like in practice?
For example, a defence system triggers an alarm that contains information about a possible threat. I can compare this data with the threat intelligence. If there is additional information or context, I can quickly determine who or what I am dealing with. Also in the case of SIEM, it is possible to use threat information as input for the SIEM and to compare it with existing log data such as proxy logs or DNS logs.
A good application example would therefore be the connection of a SIEM system with a threat intelligence platform: At the beginning, I use filters and parameters to declare which indicators are to be transferred to the SIEM. These transmitted indicators (IPs, domains, URLs, files) are compared within the SIEM with existing log data from firewalls, proxies, DNS, DER, etc. If there is a match, this is transmitted back to the TIP as an alert. Case management can now be carried out within the TIP and, if known, the artefact can be enriched with further information.
What possibilities does the IKARUS threat.intelligence.platform offer and how does it differ from other solutions?
We offer different variants. The simplest is the one in which a client receives access directly to the IKARUS TIP and can start his own queries and investigations there. All data feeds within the IKARUS TIP are available.
The extended version is that the client integrates his own instance, which is “fueled” by the IKARUS TIP. This provides the advantage that the customer has a fully functional platform available within its infrastructure and that use cases such as integration into a SIEM are possible. IKARUS naturally supports the customer with its platform in the sense of a managed service. The entire service includes the platform as well as the moderated data feeds.
Air-gapped systems are a special case. Here, too, a connection to the IKARUS TIP is possible by exporting a maximum of daily data from an online instance and then importing it into the air-gapped instance. This is also possible via data diodes.
IKARUS offers the advantage of being able to enrich international data with local European threat information. The data quality and the combination of platform and data feed in one service are currently unique.