Threat Intelligence Platform
This article appears to contain a large number of buzzwords. (July 2018)
Threat Intelligence Platform is an emerging technology discipline that helps organizations aggregate, correlate, and analyze threat data from multiple sources in real time to support defensive actions. TIPs have evolved to address the growing amount of data generated by a variety of internal and external resources (such as system logs and threat intelligence feeds) and help security teams identify the threats that are relevant to their organization. By importing threat data from multiple sources and formats, correlating that data, and then exporting it into an organization’s existing security systems or ticketing systems, a TIP automates proactive threat management and mitigation. A true TIP differs from typical enterprise security products in that it is a system that can be programmed by outside developers, in particular, users of the platform. TIPs can also use APIs to gather data to generate configuration analysis, Whois information, reverse IP lookup, website content analysis, name servers, and SSL certificates.
Traditional approach to enterprise security
The traditional approach to enterprise security involves security teams using a variety of processes and tools to conduct incident response, network defense, and threat analysis. Integration between these teams and sharing of threat data is often a manual process that relies on email, spreadsheets, or a portal ticketing system. This approach does not scale as the team and enterprise grows and the number of threats and events increases. With attack sources changing by the minute, hour, and day, scalability and efficiency is difficult. The tools used by large Security Operations Centers (SOCs), for example, produce hundreds of millions of events per day, from endpoint and network alerts to log events, making it difficult to filter down to a manageable number of suspicious events for triage.
Threat intelligence platforms
Threat intelligence platforms make it possible for organizations to gain an advantage over the adversary by detecting the presence of threat actors, blocking and tackling their attacks, or degrading their infrastructure. Using threat intelligence, businesses and government agencies can also identify the threat sources and data that are the most useful and relevant to their own environment, potentially reducing the costs associated with unnecessary commercial threat feeds.
Tactical use cases for threat intelligence include security planning, monitoring and detection, incident response, threat discovery and threat assessment. A TIP also drives smarter practices back into SIEMs, intrusion detection, and other security tools because of the finely curated, relevant, and widely sourced threat intelligence that a TIP produces.
An advantage held by TIPs, is the ability to share threat intelligence with other stakeholders and communities. Adversaries typically coordinate their efforts, across forums and platforms. A TIP provides a common habitat which makes it possible for security teams to share threat information among their own trusted circles, interface with security and intelligence experts, and receive guidance on implementing coordinated counter-measures. Full-featured TIPs enable security analysts to simultaneously coordinate these tactical and strategic activities with incident response, security operations, and risk management teams while aggregating data from trusted communities.
Threat intelligence platform capabilities
Threat intelligence platforms are made up of several primary feature areas that allow organizations to implement an intelligence-driven security approach. These stages are supported by automated workflows that streamline the threat detection, management, analysis, and defensive process and track it through to completion:
- Collect – A TIP collects and aggregates multiple data formats from multiple sources including CSV, STIX, XML, JSON, IODEK, OpenIOC, email and various other feeds. In this way a TIP differs from a SIEM platform. While SIEMs can handle multiple TI feeds, they are less well suited for ad hoc importing or for analyzing unstructured formats that are regularly required for analysis.
- Correlate – The TIP allows organizations to begin to automatically analyze, correlate, and pivot on data so that actionable intelligence in the who, why and how of a given attack can be gained and blocking measures introduced. Automation of these processing feeds is critical.
- Enrichment and Contextualization – To build enriched context around threats, A TIP must be able to automatically augment, or allow threat intelligence analysts to use third party threat analysis applications to augment threat data. This enables the SOC and IR teams to have as much data as possible regarding a certain threat actor, his capabilities, and his infrastructure to properly act on the threat. A TIP will usually enrich the collected data with information such as IP geolocation, ASN networks and various other information from sources such as IP and domain blocklists.
- Analyze – The TIP automatically analyzes the content of threat indicators and the relationships between them to enable the production of usable, relevant, and timely threat intelligence from the data collected. This analysis enables the identification of threat actor tools, technique and processes (TTPs). In addition, visualization capabilities help depict complex relationships and allow users to pivot to reveal greater detail and subtle relationships. A proven method for analysis within the TIP framework is the Diamond Model of Intrusion Analysis. The Diamond Model enables teams to build a clear picture of how adversaries operate and inform an overall response more effectively. This process helps teams refine and place data in context to develop an effective action plan. For example, a threat intelligence analyst may perform relationship modeling on a phishing email to determine who sent it, who received the email, the domains it is registered to, IP addresses that resolve to that domain, etc. From here, the analyst can pivot further to reveal other domains that use the same DNS resolver, the internal hosts that try to connect to it, and what other host/domain name requests have been attempted. The Diamond Model differs from the Cyber Kill Chain® approach (attributed to Lockheed Martin) which theorizes that, as a defender, an organization needs only to disrupt one link in the chain to compromise an attack. However, not all the stages of an attack are apparent to the defender. While reconnaissance steps may be detectable if an attacker is browsing its victim’s website, the weaponization stage remains hidden. The Diamond Model, however, focuses more on understanding the attacker (their TTPs and motivations). Instead of looking at a series of events, the Model looks at relationships between features to help defenders better understand the threat. This ensures a more effective overall response. Rather than play whack-a-mole with persistent threats, organizations build a picture of how they operate and can take steps to address those facts directly.
- Integrate – Integrations are a key requirement of a TIP. Data from the platform needs to find a way back into the security tools and products used by an organization. Full-featured TIPs enable the flow of information collected and analyzed from feeds, etc. and disseminate and integrate the cleaned data to other network tools including SIEMs, internal ticketing systems, firewalls, intrusion detection systems, and more. Furthermore, APIs allow for the automation of actions without direct user involvement.
- Act – A mature threat intelligence platform deployment also handles response processing. Built-in workflows and processes accelerate collaboration within the security team and wider communities like Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs), so that teams can take control of course of action development, mitigation planning, and execution. This level of community participation can’t be achieved without a sophisticated threat intelligence platform. Powerful TIPs enable these communities to create tools and applications that can be used to continue to change the game for security professionals. In this model, analysts and developers freely share applications with one another, choose and modify applications, and accelerate solution development through plug-and-play activities. In addition, threat intelligence can also be acted upon strategically to inform necessary network and security architecture changes and optimize security teams.
- "Threat Intelligence Platforms: The Next 'Must-Have' For Harried Security Operations Teams". Dark Reading. Retrieved 2016-02-03.
- Poputa-Clean, Paul (January 15, 2015). "Automated Defense Using Threat Intelligence to Augment Security". SANS Institute InfoSec Reading Room.
- "Technology Overview for Threat Intelligence Platforms". www.gartner.com. Retrieved 2016-02-03.
- "The Diamond Model of Intrusion Analysis | ActiveResponse.org". www.activeresponse.org. Retrieved 2016-02-03.
- Eric M. Hutchins; Michael J. Cloppert; Rohan M. Amin (2009). "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" (PDF). Lockheed Martin.
- MacGregor, Rob (May 29, 2015). "Diamonds or chains".
- "What's in a true threat intelligence analysis platform?". ThreatConnect | Enterprise Threat Intelligence Platform. Retrieved 2016-02-03.
- What is a Threat Intelligence Platform?
- Threat Intelligence Platform powered by ThreatQ
- Threat Intelligence Platform and data feeds by SecurityTrails
- TruSTAR Threat Intelligence Platform
- Threat Intelligence Platform powered by STIX and TAXII
- Threat Intelligence Platforms: The Next 'Must-Have' For Harried Security Operations Teams, Tim Wilson, Dark Reading, 6/2/2015
- Rick Holland’s Blog for Security and Risk Professionals (Forrester)
- John Oltsik’s Blog (Network World)