Posted July 25, 2018
Do any of these quotes resonate with you?
“If CTI vendors would provide more context to their data, it would be so much easier to know what to do if we see an alert” – Senior Director, Threat Research
“CTI vendors should figure out how to orchestrate their tools, they are falling behind on protecting because of alert fatigue and are missing legitimate issues” – VP, Security Operations
Whether you’re a threat analyst researching the latest malware trends or a security operations manager, you benefit from automation. While the cybersecurity industry as a whole is still working to improve CTI automation, as an individual organization, here are 3 key insights into where you can start focusing your efforts for improvement.
Tip #1: Leverage Technology Standards-Based Systems
Before we discuss how systems can best integrate for automation success, there are two technology standards that play a role in CTI automation.
STIX/TAXII Version 2
- What it does: Focused on CTI analyst sharing; supports security operations; threat hunting; forensic analysis.
- Version 2 STIX is a significant reboot of the well-known standard STIX v1 with the following improvements:
  - JSON, not XML
    - Scale and performance improvements have been a significant focal area of the new standard, addressing some significant concerns with the earlier version.
  - Simplicity and Clarity
    - A common criticism with very practical operational challenges was that STIX v1 allowed vendors and organizations to create different representations of effectively the same threat intelligence. This resulted in a lack of interoperability and prevented effective use of the intelligence without significant development to map it to a consistent model. With STIXv2, efforts have been made to reduce variability across implementations so that there is only one way to do a given thing.
    - STIXv2 emphasizes core use cases and a supporting data model and properties that focus on pragmatic requirements instead of the Swiss-army set of capabilities in the original standard.
  - Integrated Standard
    - Increasing context that supports intelligence tradecraft beyond simple indicators is a key part of STIXv2, with the integration of the meta-data observations directly into the standard.
  - Relationships as First-Class Objects
    - By enabling relationships as first-class objects, STIXv2 addresses a key driver for constructing complex relationships across different intelligence, supporting the semantic requirements of more context-rich intelligence.
    - Better enables cross-team collaboration.
  - Easy Customization & Extension
    - Finally, STIXv2 recognizes that industry requirements may change faster than the standard can address them. There are now easier, standards-based methods to extend the STIXv2 format so that consortiums and sharing groups can extend the standard while leveraging the standard data model as the basis.
OpenC2
- What it does: Focused on command and control orchestration primitives supporting incident response, threat hunting, etc.
- OpenC2 introduces the following characteristics to support command and control operations:
  - JSON, not XML
    - As with STIXv2, JSON schema is the primary data format for OpenC2 commands.
  - Mitigation Across All Protected Assets
    - OpenC2 recognizes the importance of controlling all forms of security infrastructure across network, endpoints, servers, user policy systems, and security systems using a comprehensive command set.
  - Mitigation Actions
    - There are many possible mitigation, remediation, and threat response options depending on the operational environment. OpenC2 introduces a broad set of commands; examples include Block, Allow, Move, Delete.
  - Investigation Actions
    - Investigation workflows require a command set that can express many of the tasks that are often performed by human analysts or by humans driving machines.
    - Examples include Query, Scan and Locate.
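As an added example (not code from this post or from the STIX/OpenC2 projects), the Python below parses a constructed STIX 2.0 bundle, walks its first-class relationship and sighting objects to recover the context described above, and turns a sighted IPv4 indicator into an OpenC2-style deny command. The command shape (action/target/args, with the "Block" mentioned above rendered as the 1.0 spec's deny action), the sample IDs and address, and the helper names are assumptions.

```python
import json
import re

# Constructed sample STIX 2.0 bundle (not from the post). IDs are placeholder
# UUIDs and 198.51.100.7 is a documentation address, not a real indicator.
IND_ID = "indicator--00000000-0000-4000-8000-000000000002"
MAL_ID = "malware--00000000-0000-4000-8000-000000000003"
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle", "spec_version": "2.0",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "id": IND_ID, "labels": ["malicious-activity"],
         "valid_from": "2018-07-01T00:00:00Z",
         "pattern": "[ipv4-addr:value = '198.51.100.7']"},
        {"type": "malware", "id": MAL_ID, "labels": ["trojan"], "name": "ExampleLoader"},
        {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000004",
         "relationship_type": "indicates", "source_ref": IND_ID, "target_ref": MAL_ID},
        {"type": "sighting", "id": "sighting--00000000-0000-4000-8000-000000000005",
         "sighting_of_ref": IND_ID, "count": 3},
    ],
})

# Only single-IPv4 comparison patterns are automated; anything else goes to an analyst.
IPV4_PATTERN = re.compile(r"\[ipv4-addr:value\s*=\s*'(\d{1,3}(?:\.\d{1,3}){3})'\]")


def index_bundle(bundle_json):
    """Index a STIX 2 bundle by id and pull out relationship and sighting objects."""
    objects = json.loads(bundle_json)["objects"]
    by_id = {o["id"]: o for o in objects}
    rels = [o for o in objects if o["type"] == "relationship"]
    sightings = [o for o in objects if o["type"] == "sighting"]
    return by_id, rels, sightings


def indicator_context(bundle_json, indicator_id):
    """Follow first-class 'indicates' relationships and sightings to build context."""
    by_id, rels, sightings = index_bundle(bundle_json)
    names = [by_id[r["target_ref"]]["name"] for r in rels
             if r["relationship_type"] == "indicates" and r["source_ref"] == indicator_id]
    seen = sum(s.get("count", 1) for s in sightings if s["sighting_of_ref"] == indicator_id)
    return {"indicates": names, "sightings": seen}


def to_openc2_deny(bundle_json, indicator_id, min_sightings=1):
    """Build an OpenC2-style deny command (shape assumed from the 1.0 Language Spec)."""
    by_id, _, _ = index_bundle(bundle_json)
    match = IPV4_PATTERN.fullmatch(by_id[indicator_id]["pattern"])
    ctx = indicator_context(bundle_json, indicator_id)
    if match is None or ctx["sightings"] < min_sightings:
        return None  # unsupported pattern or too little evidence: leave for the analyst
    return {"action": "deny", "target": {"ipv4_net": match.group(1) + "/32"},
            "args": {"response_requested": "complete"}}
```

The sighting threshold is the point where an orchestration pipeline decides between automatic mitigation and handing the indicator to a human, which is the end-to-end question Tip #2 asks.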
If you would like to learn more about how more active threat response is possible check out this blog.
Tip #2: Think End-to-End, Not Step-by-Step
Consider the following hypothetical system deployment that highlights some of the key systems and interconnections in a typical security ecosystem.
This deployment may be simplified, but it highlights a reasonably complex set of systems that must work together in a coordinated manner across humans and machines. Many practitioners may choose to solve the integration of these systems and the human activities step-by-step rather than thinking about how all of these systems come together as a whole.
“Avoid step-by-step thinking solely. Think about the objective achieved by the end-to-end system”
How does one consider step-wise thinking vs. end-to-end thinking? Let me illustrate with an example.
- Step-by-Step, Objective-Based Thinking: What cyber indicators does the orchestration system ingest and how can I format them correctly?
- End-to-End, Objective-Based Thinking: What threats do I require real-time mitigation protection for, and what are all the aspects of delivering that? For example, how will I collect, refine, and distribute the key artifacts of that threat intelligence so that mitigation happens in real time once the intelligence has been identified?
Whether you are a vendor building one or more of the systems shown in the diagram or an organization security team connecting these systems, there are several important aspects to keep in mind when you are building or integrating them:
- Interfaces & Data: How can you ensure each system has a fully developed data model and command options that support end-to-end objectives? Examples:
- Does the analyst team know where sightings come from?
- What data and format does the orchestration team require?
- Does the Threat Mitigation System have sufficient and standard data context from STIX2 to detect advanced threats?
- Can SIEM convert logs to sightings? What scale?
- Operations: Do the systems support a consistent operations model?
- Does each system have common or similar mechanisms for identifying intelligence sources so that I can consistently operationalize different sources with associated metrics in the same way?
- Does each system across the command pipeline handle intelligence and command versioning in the same way so that I can easily update new changes across systems without significant development or operational burdens?
- Effectiveness: As most systems are developed independently, do they share a common vision of how intelligence and C2 are used in a coordinated ecosystem?
- Are all systems designed to integrate? Can I get metrics and reports across all of the systems to know how the entire system is working well or not?
- Do systems that support both CTI and C2 work effectively such that improvements are easily found, or inefficiencies identified?
- Are important user roles and their specific requirements understood so that both individual systems and the combined system supports those?
Tip #3: Broaden the perspective to Technology, People, and Business Justification
While this might seem like the most obvious tip, I’m often surprised at how many companies are not taking a holistic approach to Cyber Threat Intelligence (CTI) automation to include three specific business areas:
- Business Justification
  - Set specific success criteria. Doing so will help you judge whether the project accomplished the goals you set forth, whether it achieved the desired improvement, etc.
  - Example Business Justifications:
    - 100% coverage of all brand intelligence across social, surface, and Dark Net outlets, producing weekly business risk reports to the C-suite.
    - 10% reduction in false positive rates for infosec cyber indicators, resulting in 30% security operations staff efficiency.
- Technology
  - Invest in standards-based technologies that support your requirements.
  - Example Technology:
    - STIX 2 Preferred compliant Threat Intelligence Platform & Data Feed Providers, resulting in 50% reduction in custom engineering costs & staff.
- People
  - Ensure roles, objectives, and motivations are aligned to support success.
  - Example People Alignment:
    - Establish a tiger team with weekly/monthly personal goals across Data Collection, Data Aggregation, Threat Analysis, Security Operations, and Brand/Marketing, with Executive C-suite sponsorship.
If you would like to learn in more detail how these aspects apply to successful Threat Intelligence Programs, please check out these:
- Blog: https://www.linkedin.com/pulse/5-insights-building-successful-threat-intelligence-programs-thomson/
- Webinar Series: https://www.linkedin.com/pulse/demand-webinar-series-how-build-successful-threat-programs-thomson/
CTI automation has evolved over the years and continues to be a critical cybersecurity operational need to protect many organizations. Every organization may have unique requirements and needs, but implementing the insights outlined above can help ensure CTI automation success. If you are considering CTI automation in your organization and would like to discuss the challenges and how to overcome them further, please contact me at @tweet_a_t or @LG_Cyber.