Threat Intelligence Blog

Posted May 12, 2016


This blog series explores three fundamental challenges our customers have when leveraging a Threat Intelligence Platform (TIP). In this blog, we discuss the last challenge of operationalizing threat defense.

The TIP has become a critical part of any mature security operation environment, where threat analysis and relevant threat intelligence can drive the actions of other teams within an organization, as well as security mitigation technologies. The cross-functionality of threat intelligence is a foundational aspect of scoutPRIME’s architecture that drove us to create the concept of workspaces.

Team Collaboration

The key purpose of workspaces is to avoid unnecessary duplication of the global Internet data and intelligence that all users share. Workspaces accomplish this by acting as an isolated container for all data, including the threat intelligence, within our system. In other words, workspaces allow different teams and individuals to work on threat intelligence data, reports, and analysis in isolation from other users or teams sharing the same physical system.

scoutPRIME's mechanism is innovative because changes to a specific workspace's data are kept local to that workspace, while the underlying shared/global view remains the same. This is powerful because an update to global state reaches everyone at once, and each local workspace view inherits that shared state without significant data replication or processing across all of the workspaces.

Workspaces can be customized even further. Individuals or teams can create their own threat intelligence, build reports and dashboards on specific threat intelligence, and change the scoring engine and all related information so that they can see the resulting changes to threat scores in isolation.


One of the critical aspects of workspaces is to ensure that all data local to a workspace remains local only. To achieve this, we had to ensure that all asynchronous notifications based on configured triggers are isolated to the workspace. This isolation allows threat analysts and security operations teams to share the same platform while having different requirements for data interactions between scoutPRIME and external systems such as SIEMs or firewalls.
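The overlay model described above, as an added illustration that is not scoutPRIME code: a workspace holds only its own overrides on top of one shared store, inherits every global update without copying the store, and evaluates its triggers only against its own changes. The indicator values and the `Workspace` and `update_global` names are constructed for the example.

```python
# Added illustration, not scoutPRIME code: a workspace keeps only its own
# overrides over a shared store, and its triggers fire only for its own changes.
from dataclasses import dataclass, field

_DELETED = object()  # tombstone: removed in this workspace, still global


@dataclass
class Workspace:
    name: str
    shared: dict                                    # global indicator -> score
    overrides: dict = field(default_factory=dict)   # this workspace's changes
    triggers: list = field(default_factory=list)    # (min_score, callback)
    notifications: list = field(default_factory=list)

    def get(self, indicator):
        # Local override wins; otherwise inherit the shared global value.
        if indicator in self.overrides:
            value = self.overrides[indicator]
            return None if value is _DELETED else value
        return self.shared.get(indicator)

    def set_local(self, indicator, score):
        """Change visible only here; the global store is never touched."""
        self.overrides[indicator] = score
        self._fire(indicator, score)

    def delete_local(self, indicator):
        self.overrides[indicator] = _DELETED

    def view(self):
        """Shared data with this workspace's overrides applied on top."""
        merged = dict(self.shared)
        for key, value in self.overrides.items():
            if value is _DELETED:
                merged.pop(key, None)
            else:
                merged[key] = value
        return merged

    def _fire(self, indicator, score):
        # Triggers see only this workspace's edits, so one team's local
        # rescoring never notifies another team's SIEM or firewall feed.
        for min_score, callback in self.triggers:
            if score >= min_score:
                self.notifications.append(callback(self.name, indicator, score))


def update_global(shared, workspaces, indicator, score):
    """One global update reaches every workspace without copying the store."""
    shared[indicator] = score
    return [ws.get(indicator) for ws in workspaces]
```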


Common Threat Team Operations

scoutPRIME focuses on threat team workflows that support their daily work tasks, as well as LookingGlass’ ability to deliver actionable threat intelligence. With that in mind, we wanted scoutPRIME’s dashboard to be customizable so different teams and individuals would only have to use widgets and tools necessary for their tasks.

Internet and Threat Investigation

For most threat analysts, search is the starting point for other workflows. scoutPRIME provides a comprehensive search capability that allows the user to easily express simple and complex combinatorial searches.

A simple search could include looking for an IP address, a Classless Inter-Domain Routing (CIDR) block, a hash, a domain name, or a threat score.


An example of a complex combinatorial search could be pattern matching a set of common attributes across multiple different Observables that are associated with any network element.


scoutPRIME also provides customers with the ability to save searches so they can share searches with others in the same workspace, or keep a record of frequent searches without having to retype them. A saved search is similar to a bookmark within a browser.

Recalling user-defined saved searches is easily performed from the search interface.


Similarly, the most recently executed searches in the workspace are logged for easy recall, in the same way a browser history keeps track of past searches.


Threat Relationship Exploration

Understanding the relationships between threat intelligence data and associated network assets is critical to discovering actionable, relevant threat intelligence, and scoutPRIME's Graph Explorer widget lets threat analysts do just that.


This widget creates a graph in which analysts can easily search and explore the connections between threat intelligence and network intelligence. The graph can be expanded further based on how the user wants to navigate the connected data.

We often see customers use this feature to search for a specific malware hash that has been identified by one or more Observables and then to search for elements that have been associated with that Observable (and therefore the hash).

Optimized Threat Assessment Reporting

One of the key challenges our customers face is the sheer volume of threat intelligence and relevant threats to their organization. scoutPRIME addresses this with a summary view of threat scores for relevant assets, whether those are their own networked assets, third parties, or both.


The Confidence Summary widget provides customers with a dashboard that summarizes both real-time and historical scores for their selected collections and networked assets. A collection may be defined by the LookingGlass Threat Intelligence team to represent an industry sector, or by an organization that wishes to represent all of its networked assets in a summarized view. In addition, security operations and threat teams may choose to represent a threat incident as a collection, combining the IPs, domain names, Observables, autonomous system numbers (ASNs), and any other state related to the incident, which gives them an overall assessment of the incident and its associated data.

Confidence Summary continuously summarizes all scoring associated with the collections and assets, and allows the customer to drill down into any change in threat intelligence within a sub-container that has caused a change in scores.

In one example, a user has zoomed into a communications sector, then into ASN 7922, and then into a CIDR block to review the network elements and their associated threat scores.


Another example would be a global enterprise with networked assets across various countries that prefers to see threat confidence scoring for each country at the top level, then each site within that country with its associated scores. Finally, within a site, they may wish to see which threat Observables have occurred in the last 24 hours to explain why scoring for the site has changed, and why that may have elevated the score at the country level as well.
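The country-to-site-to-element drill-down described above, as an added illustration that is not scoutPRIME's scoring engine: a collection tree is rolled up to summary scores and a recent-Observable query explains what moved a score in the last 24 hours. The roll-up rule (a collection takes the highest score beneath it), the tree layout, and the addresses, scores and timestamps are all constructed assumptions for the example.

```python
# Added illustration, not scoutPRIME's scoring engine: a collection tree
# (country -> site -> network element) rolled up to a summary score, with a
# drill-down that explains a change by the Observables seen in the last 24h.
# Assumption: a collection's score is the highest score beneath it.
from datetime import datetime, timedelta, timezone


def score_of(node):
    """Roll up: leaf elements carry a score, collections take the max below."""
    if "score" in node:
        return node["score"]
    return max((score_of(child) for child in node["children"].values()), default=0)


def summary(node, path=()):
    """Flatten the tree into (path, score) rows for a Confidence Summary view."""
    rows = [(path, score_of(node))]
    for name, child in node.get("children", {}).items():
        rows.extend(summary(child, path + (name,)))
    return rows


def recent_observables(node, now, window=timedelta(hours=24)):
    """Drill-down: Observables under this node seen inside the window, newest first."""
    found = []
    if "score" in node:
        for obs in node.get("observables", []):
            if now - obs["seen"] <= window:
                found.append(obs)
    for child in node.get("children", {}).values():
        found.extend(recent_observables(child, now, window))
    return sorted(found, key=lambda o: o["seen"], reverse=True)


def explain_change(node, now):
    """Which recent Observable is driving the node's current score, if any."""
    top = score_of(node)
    drivers = [o for o in recent_observables(node, now) if o["score"] == top]
    return drivers[0] if drivers else None


# Constructed sample tree (RFC 5737 documentation addresses, invented scores).
NOW = datetime(2016, 5, 12, 12, 0, tzinfo=timezone.utc)
TREE = {"children": {
    "DE": {"children": {
        "berlin-dc": {"children": {
            "203.0.113.10": {"score": 35, "observables": []},
            "203.0.113.22": {"score": 88, "observables": [
                {"type": "c2_beacon", "score": 88, "seen": NOW - timedelta(hours=3)},
                {"type": "scan", "score": 20, "seen": NOW - timedelta(days=4)}]}}}}},
    "US": {"children": {
        "austin": {"children": {
            "198.51.100.5": {"score": 12, "observables": []}}}}}}}
```

Each `summary` row is one line of the dashboard (country, site, or element), and `explain_change` on the DE node returns the beacon from three hours ago as the reason the country score is elevated.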

Over the last few weeks we’ve discussed the three fundamental challenges we see organizations facing when leveraging threat intelligence platforms. Contact us to learn how scoutPRIME solves these issues related to collection, aggregation, and distribution; analysis and enrichment; and what we reviewed today, threat defense operationalization.
