


3865 WILSON BLVD. | SUITE 550 | ARLINGTON, VA 22203 | P 1.800.965.2708 | F +1.703.229.4489 | www.ThreatConnect.com

WHITE PAPER


USING THE SIEM TO BRING THREAT INTELLIGENCE INTO YOUR SOC AND IR TEAMS

What Ms. Pac-Man Can Teach Us About Pairing Your SIEM with a TIP to Battle Persistent Threats

TABLE OF CONTENTS:

EXECUTIVE SUMMARY ... 1
WHAT THREAT INTELLIGENCE (TI) IS ... 2
GETTING STARTED WITH TI & THE DIAMOND MODEL ... 3
TRANSFORMING TI INTO DECISION MAKING ... 4
THREATCONNECT: TACTICAL, OPERATIONAL, AND STRATEGIC TI ... 4
DOES YOUR SIEM DO THIS? ... 5

EXECUTIVE SUMMARY: HOW TO GAME THE THREAT

If you’ve ever played the arcade game Ms. Pac-Man, you know the simple goal is to avoid the ghosts, whatever you do. But you also know that to win and get to the next level, you need strategy. It’s not just about avoiding the ghosts; it’s about outsmarting them, moving to the next level, and then fighting even bigger threats. In life, as in the arcade game, the volume and sophistication of threats to your organization are increasing constantly. Endpoint security systems alone do not deliver the level of analysis needed to put threats in context or to mitigate fast-moving persistent threats (or in our case, ghosts).

Despite the prevalence of advanced threats (in higher levels: fruit, dots, tunnels, etc.), intelligence-driven approaches to security are still absent from many organizations’ defensive ecosystems.

But threat intelligence is a term that is broadly applied, and its true meaning is sometimes lost. Many threat intelligence services simply offer access to unprocessed, un-analyzed raw data. (Think chomping on endless power pellets.) Or perhaps your organization looks to its security information and event management (SIEM) system for the security analytics and “intelligence” it needs to identify intrusions and attacks. SIEMs are a necessary part of a security infrastructure, but they were not designed to manage threat intelligence. They were not built to enable threat analysis teams and security operations centers (SOCs) to conduct the advanced querying and analysis required to properly navigate today’s threat landscape.

When a cyber attack hits, your team needs to move quickly. But it also needs to achieve and maintain a proactive posture: aggregate threat data, analyze it rapidly, automate action, and produce tactical, operational, and strategic threat intelligence so that threats can be identified and remediated before they damage your network. Given these requirements, a traditional SIEM alone isn’t enough.



What Threat Intelligence Is (and What It Isn’t)

A great deal of confusion exists in the industry and marketplace today about what threat intelligence (TI) is. It’s commonly, and wrongly, assumed to be the collection of external indicator feeds (IPs, DNS names, URLs, etc.) into security information and event management (SIEM) platforms, on the theory that analysts can then act on information about threat actors. That’s a nice thought, but aggregating feeds and forwarding the raw data is not enough. Organizations must ask themselves: Do you want your team chasing false positives in a reactionary fashion, do you want your team overwhelmed by unvalidated data, or do you want your team acting on prioritized threats that actually affect your network? (As in, when you’re chasing Inky(s) in levels 1-16, get them ALL while the power pellet is still in effect or else get BEHIND them. Otherwise, you will not win!)

Threat intelligence is gained through a process and then enables decision making. It isn’t something you can ingest once and be done.

This paper will explain what threat intelligence is, and what it isn’t. We’ll also introduce a tried and trusted methodology for operationalizing threat intelligence – the Diamond Model, an approach to conducting intelligence on network intrusion events.

It’s a process that, when paired with your SIEM, will help your organization scale and outwit evolving, high-volume, high-impact threats in an agile and responsive way. (Kind of like figuring out that although Clyde’s behavior appears to be random, analysis reveals that he actually is the biggest threat. Who knew?)


True TI begins when your organization has knowledge of its adversaries and applies that insight for defense. It involves a shift from simply reacting to a threat to proactively using intelligence-driven security to inform decisions as to how you adapt to those threats.

The slightly longer version: TI is the applicable knowledge of a threat’s capabilities (what they can do against you and how they might do it), infrastructure (where they’re going to come from), motives (why they’re doing what they’re doing), and their goals and resources. With that knowledge, your organization can establish intelligence-driven decision making about its security posture both at the tactical and strategic level, enabling threats to be fended off, before they even materialize. Your organization is also able to build threat profiles and proactively defend against persistent or repetitive threat actors.

This intelligence-driven security approach is a process that evolves continually and must be a consideration for every decision your organization makes regarding security. So how do you get started? How do you bring order to all the chaos of unstructured data, copious feeds, unseen threats, and unknown vulnerabilities (and little colorful ghosts)?

Deriving order from chaos starts with a proven methodology for intrusion analysis and deriving intimate knowledge about your adversaries. It’s a methodology known as the Diamond Model, and it’s the core methodology behind ThreatConnect, the most widely adopted and extensible Threat Intelligence Platform (TIP) available.


Getting Started with Threat Intelligence: The Diamond Model

The Diamond Model of intrusion analysis was first published in 2013[1] by the Center for Cyber Intelligence Analysis and Threat Research, in a paper by Sergio Caltagirone, ThreatConnect’s Andy Pendergast, and Christopher Betz. The Model was originally deployed within the U.S. government’s security infrastructure to help identify, track, and ultimately counter persistent threats based on an adversary’s tactics, techniques, and procedures (TTPs). Since then, the Model has evolved into a methodology used by hundreds of analysts to conduct TI research for their organizations.

The Model breaks each intrusion event down into four core features, drawn as the vertices of a diamond: adversary, capability, infrastructure, and victim. The edges between them capture the relationships within the event: an adversary uses a capability, delivered over infrastructure, against a victim. When you apply this structure across many events and across the evolving cyber landscape, you derive a multidimensional picture of the relationships between threat actors and their tactics, techniques, and procedures.

Rather than look at a series of isolated events or alert feeds, the Diamond Model works on contextual, relationship-rich indicators so that organizations can better understand the nature of the threat, something traditional SIEMs can’t achieve on their own. Its support for analytic pivoting (moving from one known vertex, say a command-and-control address, to the capabilities, victims, and adversaries seen with it in other events) lets you generate hypotheses about whether events and data are related, test them against what you have collected, and then group linked events so that connections can be drawn.

So, instead of trying to randomly react to a persistent adversary based on siloed, raw data, the Diamond Model enables you to build a clear picture of how adversaries operate and inform an overall response more effectively. It’s a methodology that is particularly useful when dealing with advanced attackers because it enables organizations to draw relationships between alternative methods of attack so that they can build a crumb trail and pinpoint the evolving threat.

Ultimately, the Model allows you to grow your graph of understanding of an adversary’s capabilities and infrastructure (IP addresses, domain names, and malware families in use) and the risk that they present to your enterprise – all essential prerequisites for driving decisions for mitigation.
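The vertices and the pivoting described above, as an added Python example that is not ThreatConnect’s code or code from the Diamond Model paper. Each event carries the four core features; an index over them lets an analyst pivot from a known value to the other vertices seen with it, find events that share capability or infrastructure, and propose candidate adversaries for an event that has none attributed yet. The events, adversary names (GHOST-1, GHOST-2), capability names and hostnames are constructed; the IP addresses are from the RFC 5737 documentation ranges.

```python
"""Minimal Diamond Model event store with analytic pivoting.

Added example, not ThreatConnect code. All event data is constructed
(hypothetical adversary/capability names, RFC 5737 addresses).
"""
from collections import defaultdict
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class DiamondEvent:
    """One intrusion event: the four core features of the Diamond Model."""
    event_id: str
    adversary: Optional[str]      # often unknown when the event is first recorded
    capability: str               # malware family, tool or technique used
    infrastructure: str           # IP, domain, C2 host the capability was delivered over
    victim: str                   # targeted host or organisation


VERTICES = ("adversary", "capability", "infrastructure", "victim")


class DiamondGraph:
    """Index events by each vertex value so an analyst can pivot between them."""

    def __init__(self, events):
        self.events = {e.event_id: e for e in events}
        self.index = defaultdict(set)            # (vertex, value) -> event ids
        for e in events:
            for v in VERTICES:
                value = getattr(e, v)
                if value is not None:
                    self.index[(v, value)].add(e.event_id)

    def pivot(self, vertex, value, to_vertex):
        """From one known vertex value, return the values of another vertex
        seen in the same events (e.g. infrastructure -> capability)."""
        if vertex == to_vertex:
            raise ValueError("pivot target must differ from the source vertex")
        out = set()
        for eid in self.index.get((vertex, value), ()):
            target = getattr(self.events[eid], to_vertex)
            if target is not None:
                out.add(target)
        return out

    def related_events(self, event_id):
        """Events sharing a capability or infrastructure vertex with this one.
        A shared victim is deliberately not used: victims overlap across
        unrelated campaigns, so it is a weak link on its own."""
        e = self.events[event_id]
        related = set()
        for v in ("capability", "infrastructure"):
            related |= self.index[(v, getattr(e, v))]
        related.discard(event_id)
        return related

    def attribute(self, event_id):
        """Candidate adversaries for an event: follow shared capability and
        infrastructure to events that already carry an attribution. More than
        one candidate means the evidence is ambiguous and needs more pivots."""
        e = self.events[event_id]
        if e.adversary is not None:
            return {e.adversary}
        return {self.events[rid].adversary
                for rid in self.related_events(event_id)
                if self.events[rid].adversary is not None}


# Constructed events (hypothetical names; addresses from RFC 5737 TEST-NET ranges).
EVENTS = [
    DiamondEvent("E1", "GHOST-1", "Dropper.A", "198.51.100.7", "finance-ws-12"),
    DiamondEvent("E2", "GHOST-1", "Dropper.A", "c2.example.net", "hr-ws-03"),
    DiamondEvent("E3", None, "Dropper.A", "203.0.113.9", "finance-ws-12"),
    DiamondEvent("E4", None, "Beacon.B", "c2.example.net", "eng-srv-01"),
    DiamondEvent("E5", "GHOST-2", "Beacon.B", "203.0.113.200", "eng-srv-01"),
]

GRAPH = DiamondGraph(EVENTS)

if __name__ == "__main__":
    print("capabilities seen on c2.example.net:",
          GRAPH.pivot("infrastructure", "c2.example.net", "capability"))
    print("events related to E3:", GRAPH.related_events("E3"))
    print("candidate adversaries for E4:", GRAPH.attribute("E4"))
```

E3 resolves cleanly to GHOST-1 through its shared dropper, while E4 yields two candidates because it shares infrastructure with a GHOST-1 event and a capability with a GHOST-2 event; that ambiguity is exactly the point at which an analyst pivots further rather than alerting.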

To illustrate the Model at work, we applied it to the Star Wars Battle of Yavin (which led to the destruction of the Death Star in “Episode IV: A New Hope”). In fact, the entire movie is a study in the response to and consequences of a data breach (the plans for the Death Star were stolen and hidden in R2-D2). Had the Empire assimilated intelligence along the way and connected the dots using the Diamond Model, the outcome might have been quite different.

Figure 1: Diamond Model of Intrusion Analysis (vertices: Adversary at the top, Victim at the bottom, Capability and Infrastructure at the sides)

Diamond Model Example: Battle of Yavin: https://threatconnect.com/diamond-model-threat-intelligence-star-wars/


Transforming Threat Intelligence into Informed Decision Making

As the Star Wars example shows (please do read it; it’s fascinating stuff as well as a fun, easy read), using the Diamond Model to persistently ask questions about an adversary lets you grow the graph of intelligence around actors and the threats they represent. You can then quickly apply that insight to plan a course of action, mitigation, and execution.

Decisions, however, require guidance. Decisions also require data clarity. If your threat data is split across silos or fed into an overloaded SIEM, accessing that data and identifying patterns to make informed decisions becomes impossible. To protect your business, you need a way to measure the intelligence coming to you, regardless of source, for its relevance, accuracy, and timeliness. (Or as we like to say in Ms. Pac-Man, know your levels and know your mazes. And be ready: if you can get to level 6, the mazes begin to repeat at every 4th level.)

Perhaps the following is a familiar state for you (please feel free to nod your head as you read):

• Your analysts are overwhelmed with tools, tasks, and tactical actions.

• Alerts get missed.

• Data is stored disparately (think spreadsheets and emails).

• Decisions are made in isolation.

• Workflows across teams are broken and segmented.

• Oh, and validating any kind of TI in this ecosystem is an exasperating challenge (ok, you can stop now).

Furthermore, if you’re to move from a reactive approach of alerting and blocking based on incident feeds to a point where you’re growing your knowledge, then you need a single mechanism to turn threat data into intelligence that can be integrated across your entire security ecosystem. This requires both a process (the Diamond Model) and a threat intelligence platform based upon it. That is the solution that ThreatConnect provides.

ThreatConnect: Tactical, Operational, and Strategic Threat Intelligence

Available on-premises or in the cloud, ThreatConnect is the only Threat Intelligence Platform (TIP) that was built for analysts by analysts. It brings together trusted communities, process excellence, and the Diamond Model of intrusion analysis to provide complete threat intelligence. With ThreatConnect, large enterprises and government agencies can aggregate all available threat data, analyze it rapidly, automate action, and then produce operational, tactical, and strategic TI all in one place.

The platform gives you a 360-degree perspective on your cyber adversaries’ tools, infrastructure, techniques, and processes, so you can identify threats further upstream and take action to keep your network safe.

Through automation and built-in workflows and processes, ThreatConnect accelerates collaboration across your own security teams and within your trusted community. It’s truly a comprehensive solution that goes beyond the limitations of traditional SIEM-based approaches to TI (which we’ll expand on below), to help organizations aggregate, analyze, and act on TI in one place.



Here’s How It All Comes Together:

Aggregate

ThreatConnect collects, processes, and leverages data at each phase of the intelligence life cycle. The platform aggregates internal and external intelligence with the ability to parse out indicators and normalize data across STIX, CSV, custom XML/JSON, IODEF, OpenIOC, and many common formats, even email.
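To make the normalization step concrete, here is an added Python example, not ThreatConnect’s own ingest code, that takes three of the input shapes named above (a CSV feed, STIX 2.x indicator objects, and an unstructured email) and folds them into one de-duplicated indicator set, keeping track of which sources reported each value. The CSV rows, source names and email text are constructed; the STIX pattern syntax is the real one but the values in it are made up.

```python
"""Normalize indicators from three feed formats into one de-duplicated set.

Added example, not ThreatConnect's ingest code. The CSV rows, the STIX 2.x
indicator objects (real pattern syntax, made-up values) and the email excerpt
are constructed; source names are hypothetical.
"""
import csv
import io
import re
from collections import defaultdict
from dataclasses import dataclass

IPV4_RE = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")
DOMAIN_RE = re.compile(r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$")
URL_RE = re.compile(r"^https?://\S+$", re.I)
HASH_LEN = {32: "md5", 40: "sha1", 64: "sha256"}
# One STIX comparison: <object-type>:<property> = '<value>'; findall copes with OR/AND patterns.
STIX_CMP_RE = re.compile(r"([\w-]+):([^\s=]+)\s*=\s*'([^']*)'")
STIX_TYPES = {"ipv4-addr", "domain-name", "url", "file"}
# Free-text candidates, tolerating the common defangings ([.] and hxxp).
TEXT_URL_RE = re.compile(r"h(?:xx|tt)ps?://[^\s<>\"']+", re.I)
TEXT_HOST_RE = re.compile(r"\b(?:[a-z0-9-]+(?:\[\.\]|\.))+[a-z0-9-]+\b", re.I)


@dataclass(frozen=True)
class Indicator:
    itype: str   # ipv4 | domain | url | hash
    value: str   # canonical form, so equal values from different feeds collapse


def refang(s):
    """Undo defanging so values compare equal across sources."""
    s = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", s)
    s = re.sub(r"^hxxp", "http", s, flags=re.I)
    return s.replace("[:]", ":").replace("[/]", "/")


def classify(raw):
    """Return a canonical Indicator, or None if the value is not recognised."""
    v = refang(raw.strip())
    if URL_RE.match(v):
        return Indicator("url", v)            # URL path case can matter; keep it
    v = v.lower()
    if IPV4_RE.match(v):
        return Indicator("ipv4", v)
    if len(v) in HASH_LEN and re.fullmatch(r"[0-9a-f]+", v):
        return Indicator("hash", v)
    if DOMAIN_RE.match(v):
        return Indicator("domain", v)
    return None


def from_csv(text, source):
    """CSV with a 'value' column; the feed's own 'type' column is not trusted."""
    inds = (classify(row["value"]) for row in csv.DictReader(io.StringIO(text)))
    return [(i, source) for i in inds if i]


def from_stix(objects, source):
    """STIX 2.x indicator objects: pull every comparison out of each pattern."""
    out = []
    for obj in objects:
        if obj.get("type") != "indicator":
            continue
        for obj_type, _prop, value in STIX_CMP_RE.findall(obj.get("pattern", "")):
            ind = classify(value) if obj_type in STIX_TYPES else None
            if ind:
                out.append((ind, source))
    return out


def from_text(text, source):
    """Unstructured text (an email, a report). URLs are taken first and removed
    so that a URL's hostname is not counted a second time as a bare domain."""
    out = [(classify(u.rstrip(".,;)")), source) for u in TEXT_URL_RE.findall(text)]
    rest = TEXT_URL_RE.sub(" ", text)
    out += [(classify(h), source) for h in TEXT_HOST_RE.findall(rest)]
    return [(i, s) for i, s in out if i]


def merge(*batches):
    """Indicator -> set of sources that reported it."""
    merged = defaultdict(set)
    for batch in batches:
        for ind, source in batch:
            merged[ind].add(source)
    return dict(merged)


# Constructed inputs (addresses from the RFC 5737 documentation ranges).
CSV_FEED = """type,value
ip,198.51.100.7
domain,C2.Example.NET
url,hxxp://c2[.]example[.]net/gate.php
hash,d41d8cd98f00b204e9800998ecf8427e
"""
STIX_FEED = [
    {"type": "indicator", "pattern": "[ipv4-addr:value = '198.51.100.7']"},
    {"type": "indicator",
     "pattern": "[domain-name:value = 'c2.example.net' OR ipv4-addr:value = '203.0.113.9']"},
    {"type": "malware", "name": "Dropper.A"},      # not an indicator; skipped
]
EMAIL = """Saw beaconing from finance-ws-12 to 198[.]51[.]100[.]7 and
hxxp://c2[.]example[.]net/gate.php last night; also login[.]example[.]org."""

MERGED = merge(from_csv(CSV_FEED, "vendor-csv"),
               from_stix(STIX_FEED, "isac-stix"),
               from_text(EMAIL, "analyst-email"))

if __name__ == "__main__":
    for ind, sources in sorted(MERGED.items(), key=lambda kv: (kv[0].itype, kv[0].value)):
        print(f"{ind.itype:7} {ind.value:35} {sorted(sources)}")
```

The same C2 address arrives three times in three spellings and ends up as one record with three sources attached; that source list is what later lets you judge which feed is earning its keep.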

Analyze

Without analysis, data is virtually useless. ThreatConnect helps you refine and place data in context to develop an effective action plan. Our platform automates analysis, driving faster results in greater quantity and higher quality. The process is scalable and provides a greater level of technical detail.

Act

So, what do you do with threat intelligence? With ThreatConnect, you will act on your intelligence swiftly and precisely. ThreatConnect enables the dissemination, feedback, and requirements phases of the intelligence life cycle. The platform unites your team behind a common defense and gives you the knowledge to lead with certainty.

DOESN’T MY SIEM DO ALL THAT?

Well, no. You spend your day glued to your SIEM, staring at multiple computer screens, monitoring and assessing your enterprise information systems looking for contextual analysis of a threat (for example, whether it’s a one-off attack or part of a larger, coordinated series of attacks). Yet most SIEM solutions need threat intelligence, as defined above, in order to be effective. One of the reasons is the old adage, “garbage in, garbage out.” While SIEMs are good at consuming multiple TI feeds, they aren’t well suited to ad hoc imports or to analyzing the unstructured formats that analysis regularly requires. Aggregating your feeds and simply sending the raw data to your SIEM is not enough. It’s kind of like stepping up to the Ms. Pac-Man console, playing a few times, and still not getting past the first few levels. You understand the game and what it entails, but you aren’t understanding the real strategy of how to win.

SIEMs work by extracting threat data from other security tools (intrusion detection, firewalls, etc.) and infrastructure products, tools which can number in the hundreds and are often managed by different teams. Each of these devices must be configured to capture the log data the SIEM needs, a tedious, manual task made even more taxing when a threat emerges and each log configuration must be updated. Essentially, SIEMs are only as useful as the information you put in them, and deciding what that should be is hard. With the abundance of TI feeds, SIEMs function very well as a compliance reporting and alert notification tool. SIEMs have a well-deserved place and function within your security infrastructure, but they can’t be the only piece of your security analysis and threat intelligence program.

Figure: SIEM without a TIP: garbage in, garbage out.

Without the right security data analytics, your organization faces the constant risk of becoming the next headline-making cyber-crime victim. Today’s threats require more robust and contextual analytics.

TI solutions that integrate with a SIEM have emerged to address this challenge. However, to get the most from your threat intelligence, they need to be supplemented with the analysis capabilities and built-in incident response workflows that underpin ThreatConnect. Furthermore, the “SIEM integration” these solutions purport to offer lacks true bi-directional integration, meaning there is no feedback loop: they can only feed more data into the SIEM, and they cannot pull additional intelligence out of it.

Unlike most SIEMs, ThreatConnect can ingest and normalize multiple formats of TI from multiple sources. The platform can also perform complex analysis and detect behavioral patterns that even the most skilled analyst would need time to spot, and significant effort to turn into an understanding of the incident’s details and impact before acting, losing precious time as the threat evolves.

In addition, ThreatConnect allows you to evaluate which feeds provide the most useful threat intelligence for your particular security infrastructure. ThreatConnect allows you to rate your sources using a threat rating and confidence scale. Based on the threat rating and confidence, you can see which threat intelligence sources are providing the highest quality.

If you’re trying to operationalize your threat intelligence, aggregating your feeds and sending the raw data to your SIEM will need to be supplemented with a threat intelligence platform.

ThreatConnect’s built-in workflows let you act on TI in your SIEM, automatically pushing IOCs into your SIEM, comparing them with system logs. You spend more time monitoring your network, rather than chasing false positives. ThreatConnect’s sustained cycle of network monitoring, assessment, and defense makes you more productive and more effective.

Once your team has implemented ThreatConnect, you have broader, deeper access to validated TI. The platform automates the enrichment of indicators, ensuring that you have all of the information you need to thwart a threat, and leaving more time for analysis. Your TI team has a better way to refine threat data from open sources and premium intelligence feeds. They make sense of it, and that makes your life much easier.

Figure: threat rating is shown as 0 to 5 skulls (severity); confidence is shown on a 0 to 100 slider (certainty).


Footnotes:

[1] https://www.threatconnect.com/wp-content/uploads/ThreatConnect-The-Diamond-Model-of-Intrusion-Analysis.pdf

[2] https://www.threatconnect.com/camerashy-intro/

ThreatConnect observations allow users to see how relevant their intel sources are within the platform. By integrating with third-party intelligence providers, ThreatConnect can record how often a particular indicator is observed on a user’s network and tie it back to the source in the platform. Threat intelligence accuracy is key to allowing your analysts to focus their limited time on real threats to your security infrastructure.

ThreatConnect also has strong integrations with SIEMs that let you look up an indicator seen in your SIEM to check whether it is already in ThreatConnect, which gives your analysts the indicator’s context. If it is not, your analysts can automatically add it to your threat knowledge base. Your teams can build a symbiotic relationship with your SIEM, enhancing their ability to work together seamlessly across tools.
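The three SIEM-facing ideas in this section (pushing rated IOCs against system logs, recording each hit as an observation against the feed that supplied the indicator, and using those observations to judge which feeds are relevant) as one added Python example that is not ThreatConnect’s or any SIEM vendor’s code. Indicators, their ratings, the source names and the proxy/DNS log lines are all constructed; the 0 to 5 rating and 0 to 100 confidence fields mirror the skull and slider scales shown above, and the priority formula combining them is this example’s own choice.

```python
"""Compare rated IOCs with SIEM log lines, record observations per feed, rank feeds.

Added example; not ThreatConnect's or any SIEM vendor's code. Indicators,
ratings, source names and log lines are all constructed. The 0-5 rating and
0-100 confidence fields mirror the skull and slider scales in the white paper.
"""
import re
from collections import defaultdict
from dataclasses import dataclass, field


@dataclass
class Ioc:
    value: str
    itype: str                 # "ipv4" or "domain"
    rating: int                # 0-5 severity (the skulls)
    confidence: int            # 0-100 certainty (the slider)
    sources: set = field(default_factory=set)

    def priority(self):
        """Severity discounted by how sure we are: 0.0 to 5.0 (this example's formula)."""
        return self.rating * self.confidence / 100


@dataclass
class Match:
    line_no: int
    ioc: Ioc
    field_name: str


IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HOST_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.I)


def extract_fields(line):
    """Yield (field, value) for each IP and hostname in a log line. Enough for the
    key=value proxy/DNS lines constructed below; a real SIEM would use parsed fields."""
    for m in IPV4_RE.finditer(line):
        yield "ip", m.group(0)
    for m in HOST_RE.finditer(line):
        yield "host", m.group(0).lower()


def match_logs(iocs, lines, min_priority=0.0):
    """Compare every log line with the IOC set; keep hits at or above min_priority,
    highest priority first so the analyst sees the worst thing first."""
    by_value = {i.value: i for i in iocs}
    hits = []
    for n, line in enumerate(lines, 1):
        seen = set()                       # one hit per indicator per line
        for fname, value in extract_fields(line):
            ioc = by_value.get(value)
            if ioc and value not in seen and ioc.priority() >= min_priority:
                seen.add(value)
                hits.append(Match(n, ioc, fname))
    return sorted(hits, key=lambda h: (-h.ioc.priority(), h.line_no))


def observations_by_source(hits):
    """How often each feed's indicators were actually seen on the network."""
    obs = defaultdict(int)
    for h in hits:
        for s in h.ioc.sources:
            obs[s] += 1
    return dict(obs)


def source_hit_rate(iocs, hits):
    """Fraction of each source's indicators that produced at least one hit:
    a cheap relevance measure for deciding which feeds earn their keep."""
    supplied, seen = defaultdict(set), defaultdict(set)
    for i in iocs:
        for s in i.sources:
            supplied[s].add(i.value)
    for h in hits:
        for s in h.ioc.sources:
            seen[s].add(h.ioc.value)
    return {s: len(seen[s]) / len(vals) for s, vals in supplied.items()}


# Constructed indicators (RFC 5737 addresses) and log lines.
IOCS = [
    Ioc("198.51.100.7", "ipv4", 5, 90, {"isac-stix", "vendor-csv"}),
    Ioc("c2.example.net", "domain", 4, 80, {"vendor-csv"}),
    Ioc("203.0.113.9", "ipv4", 2, 30, {"open-feed"}),
    Ioc("cdn.example.com", "domain", 1, 10, {"open-feed"}),   # probably noise
    Ioc("evil.example.org", "domain", 3, 50, {"open-feed"}),  # never observed
]
LOGS = [
    "2024-01-15T01:02:03Z proxy src=10.0.0.12 dst=198.51.100.7 host=c2.example.net uri=/gate.php",
    "2024-01-15T01:02:09Z dns client=10.0.0.12 query=c2.example.net answer=198.51.100.7",
    "2024-01-15T01:03:11Z proxy src=10.0.0.40 dst=203.0.113.9 host=cdn.example.com uri=/lib.js",
    "2024-01-15T01:04:00Z proxy src=10.0.0.41 dst=192.0.2.5 host=www.example.org uri=/",
]

if __name__ == "__main__":
    for h in match_logs(IOCS, LOGS, min_priority=1.0):
        print(f"line {h.line_no}: {h.field_name}={h.ioc.value} priority={h.ioc.priority():.1f}")
    print(observations_by_source(match_logs(IOCS, LOGS)))
    print(source_hit_rate(IOCS, match_logs(IOCS, LOGS)))
```

With the priority floor at 1.0 the low-rated open-feed hits drop out of the queue entirely, which is the false-positive chasing the text warns about; the per-source hit rate then shows that feed contributing nothing actionable, while the two feeds that agreed on the C2 address both score well.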

Whether you’re getting started or are a mature business in need of a cloud-based or on-premises TIP (or pointers on how to win at Ms. Pac-Man), ThreatConnect is available in a variety of deployment editions to suit your requirements, local data security regulations, and your team’s preferred operational methodology.

CONNECT WITH US

Interested in learning more about how ThreatConnect can help unite your security team and protect your enterprise?

www.ThreatConnect.com

TOLL FREE: 1.800.965.2708 LOCAL: +1.703.229.4240 FAX: +1.703.229.4489

ThreatConnect, Inc. 3865 Wilson Blvd., Suite 550 Arlington, VA 22203

Figure: Connected on one platform. Teams and communities: TI Team, IR Team, SOC Team, CISO/CIO, C-Suite/Board, ISAC/ISAO, Public Community, Private Community. Integrated controls and sources: Firewalls/UTM, IPS/IDS, SIEM, End-Point Protection, Intelligence Feeds, Web Proxy, Network Controls, Vulnerability Scanner.