But deep down, you know you could be achieving more. Recently, Recorded Future co-hosted a webinar with SANS Institute with the goal of helping security-conscious organizations identify and avoid some of the biggest pitfalls in threat intelligence. In particular, the webinar covered how organizations should think about selecting threat intelligence sources and the dangers of relying too heavily on a single source.
To kick things off, Dave put up a graph depicting some of the results from a SANS survey conducted last year on cyber threat intelligence. In this case, respondents were asked for their top three use cases for threat intelligence within their own organization. Straight away, we saw something interesting.
A very high proportion of organizations were already using threat intelligence to block malicious domains and IP addresses, with many also using it to add context to investigations or compromise assessments.
Very few organizations, though, went further than this. The third most common usage of threat intelligence was employed by less than a third of all respondents, and things only descended from there.
Common practice dictates that a threat intelligence initiative should start with a basic platform and a few open source feeds. Instead of solving an existing operational problem or addressing a known risk, using a single source can force you into a very reactive position, whereby analysts are forced to constantly triage new alerts that contain little if anything in the way of context. If all you currently have access to are stream-of-consciousness threat feeds, a lot of the really worthwhile aspects of threat intelligence are going to seem unattainable.
To further explain why many organizations are finding threat intelligence such a struggle, Dave put up a second SANS survey graph. Take a look at the top two barriers to effective threat intelligence: lack of trained staff and lack of technical capability. If you had to guess, it seems highly likely that an absence of buy-in from executives and budget holders is at least partly responsible for the lack of skilled personnel needed to implement and maintain a powerful threat intelligence facility.
Now, look at the rest of the barriers cited by survey respondents. For the most part, they relate to the high volume, lack of perceived relevance, and lack of prioritization. Put simply, many organizations are overwhelmed with alerts, too many of which are false positives.
Once again, this is an issue of starting from the wrong position. Since management buy-in can be difficult to come by, organizations seek to launch their threat intelligence initiative in what appears to be the easiest and cheapest way: open source threat feeds.
But in practice, these feeds are anything but easy to use. So if not with open source threat feeds, where should you start? Simple: start by solving an existing problem. Of course, to understand which problems can be solved using threat intelligence, you do first need to understand what intelligence is potentially available.
During the webinar, both Dave and Chris spent some time covering the most common sources. There are hundreds of these available, covering every aspect of security you can possibly imagine. Implement a basic threat intelligence platform (TIP) and you have everything you need to start digesting truly unmanageable numbers of alerts.
Past attack forensics are a common example.
Offered by dozens of security vendors, often referred to as providers, commercial threat intelligence services vary wildly in quality and scope. At their best, they offer vital insights into one or more areas of intelligence with far fewer false positives than their open source alternatives. In order to gain the upper hand, your strategy must include diverse means of gathering intelligence, for both a predictive and a reactive approach.
A major source of intelligence that cannot be overlooked is the vast amount of data being produced by consumers, hackers, newsmakers, and bloggers every single day. Globally, almost every person and organization is communicating across multiple platforms and networks, as well as handling personal and corporate needs virtually - such as shopping, travel planning, and data management.
Finding like-minded communities and audiences online is the goal; however, wherever you have people congregating, especially if there is potential for monetary gain, the risk of malignant behaviour increases. Enter: Open source threat intelligence. Open source intelligence, or OSINT, refers to the process of gathering information from public, legal data sources to serve a specific function.
Some open sources might include social media, blogs, news, and the dark web. The purpose of seeking information from public data varies on the type of insights you wish to gather. Many industries and professionals look to open sources to uncover workplace security threats, protect executives, prevent loss, manage assets, gauge brand sentiment, and monitor conversations for creating marketing strategies.
Public safety and defense professionals use certain types of OSINT for investigations, prosecution, evidence gathering, and events monitoring. Note: it's very important that your data provider is compliant with all privacy laws. Access to these data sources is often free, but the true value lies in what can be analyzed and extracted from the data.
Organizations using OSINT for threat intelligence require the ability to detect key information quickly and efficiently. They can do so by using a threat intelligence platform. This data, when gathered and monitored effectively, can be extremely valuable for predicting, analyzing, and reviewing incidents at every stage of their occurrence. But where to begin?
Where you look for information depends on what you want to find. Performing a Google search is a simple form of OSINT, but when you are responsible for the safety and security of a particular person, place, or asset, you need to be casting a keen eye over multiple sources. Criminal behavior tends to be hidden, and it is unlikely a surface web search will take you there.
At Echosec, we have access to a broad range of sources, from the open web and social media all the way into the deep and dark web. Open source threat intelligence can be an invaluable addition to your protocol when handling internal processes such as:
Financial industry: An overwhelming amount of financial crime and fraud activity occurs on the dark web. Dark web intelligence tools can help discover issues before they become a larger problem.
Retail industry: Retail security teams working in loss prevention and asset protection are some of the most well-versed when it comes to the importance of open source data. Publicly available information can be gathered to discover a wide range of intelligence, like individuals blatantly admitting to theft, tutorials on how to buy items with stolen cards, and how and where to steal from specific brands and buildings.
Understanding the threat landscape through information gathering can also protect against active threats like dangerous persons, incidents and natural disasters.
How Does it Work?
Rather, combining a selection of niche solutions to use in tandem is the best practice. Remember that the best OSINT tools will have a geographical element, giving a digital window to narrow down the data by specific locations.
Refine your strategy and choose tools to develop a tech stack devoted to the specific needs of your organization.
Social media and discussion forum monitoring: Echosec is an open source threat intelligence and data aggregation platform that helps companies extract key information and gain situational awareness from publicly available information sources. Security teams use Echosec for predictive intelligence and real-time issues management, as well as brand monitoring and post-incident review.
Dark web and darknet intelligence: Beacon is a dark web discovery platform designed for threat intelligence. Beacon allows security teams to pull fully indexed data from deep and dark web sources such as Onion and Pastebin from their own browser (no Tor required). You can filter by the type of information you're looking for, like credit cards, drugs, email and other criteria.
This emerging technology is an advance on traditional anti-virus (AV) and firewall systems. A number of replacement technologies have emerged in recent years to improve on the protection afforded by traditional malware systems. Anti-malware programs compare the code of new programs running on a computer to a database of previously detected malware signatures.
There is a lot more info on each of the tools below, but in case you only have time for a quick glance, here is our list of the seven best threat intelligence platforms:
How it Works
In the traditional anti-malware model, a central research lab investigates new threats to derive patterns that identify them. These malware characteristics are then distributed to all of the installed AV programs that the company has sold to clients.
The local anti-malware system maintains a threat database that contains this list of signatures derived by the central lab. The AV threat database model is no longer effective at protecting computers. This is because professional teams of hackers now engage in malware production lines with new threats appearing daily. As it takes time for research labs to notice a new virus and then identify its characteristics, the lead time for typical AV solutions is now too long to offer effective protection.
A threat intelligence platform still includes a threat database. In effect, each TIP installation becomes a composite detection, analysis, and resolution bundle. Each machine does not work alone, however.
Information on discovered new threats is shared among the users of a specific brand of TIP. Those downloads are derived from the discoveries made by the same TIP that is installed on other sites by other customers. Some producers focus on one specific type of device and one specific operating system. They might also provide protection systems for other types of devices and operating systems, but without the same level of success that they achieved with their core product.
Fortunately, we have done the legwork for you. Security Event Manager (SEM) from SolarWinds combines event tracking on your network with a threat intelligence feed supplied from an external source. This tool will not only detect threats, but it will automatically trigger responses to protect your system.
At the heart of this security solution, you will find a log analysis tool. This monitors network activity, looking for unusual events and it also tracks changes to essential files. Security Event Manager works from a database of known suspicious events and sniffs the network on the lookout for any such occurrences.
Some suspicious activities can only be spotted by combining data from separate sources on your system. This analysis can only be performed through event log analysis, and so is not a real-time task. Although SEM begins with an off-the-shelf threat signature database, the tool will adjust and expand that store of threat profiles while it is in service.
The log analyzer in SEM continuously gathers log records from incompatible sources and reformats them into a neutral common layout. This enables the analyzer to look for patterns of activity across your entire system regardless of configuration, equipment type, or operating system. You will also be able to give the compliance reporting module a full run-through to ensure that the SEM fulfills all of your reporting needs.
ManageEngine Log is a very comprehensive TIP that investigates all possible sources of log data to tighten up system security.
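The value of reformatting records into a common layout is that a pattern spanning several source types becomes a single query. The following is an added illustration written for this page, not SolarWinds or ManageEngine code, and it makes no claim about how either product parses logs: two constructed record formats (a syslog-style sshd line and a Windows-style key=value event) are mapped into one schema, and a detection then looks for repeated authentication failures from one address across both source types within a short window.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real logs) from two incompatible sources:
# a syslog-style sshd line and a Windows-style key=value security event.
SAMPLE_LINES = [
    "Mar  3 10:01:02 bastion sshd[2211]: Failed password for root from 203.0.113.7 port 5001 ssh2",
    "Mar  3 10:01:05 bastion sshd[2212]: Failed password for admin from 203.0.113.7 port 5002 ssh2",
    "EventID=4625 Time=2024-03-03T10:01:09 Host=FS01 User=svc_backup SrcIP=203.0.113.7 Status=failure",
    "Mar  3 10:02:11 bastion sshd[2213]: Accepted password for deploy from 198.51.100.9 port 5003 ssh2",
    "EventID=4624 Time=2024-03-03T10:02:30 Host=FS01 User=alice SrcIP=198.51.100.20 Status=success",
]

SSHD_RE = re.compile(
    r"^(\w{3}\s+\d+ \d\d:\d\d:\d\d) (\S+) sshd\[\d+\]: (Failed|Accepted) password for (\S+) from (\S+) port")
WINLOG_RE = re.compile(r"EventID=(\d+) Time=(\S+) Host=(\S+) User=(\S+) SrcIP=(\S+) Status=(\w+)")


def normalize(line, year=2024):
    """Map one raw record into the common layout {ts, host, user, src_ip, outcome, source}."""
    m = SSHD_RE.match(line)
    if m:
        # syslog lines carry no year; the caller supplies it (assumption for the sample)
        ts = datetime.strptime(f"{year} {m.group(1)}", "%Y %b %d %H:%M:%S")
        return {"ts": ts, "host": m.group(2), "user": m.group(4), "src_ip": m.group(5),
                "outcome": "failure" if m.group(3) == "Failed" else "success", "source": "sshd"}
    m = WINLOG_RE.search(line)
    if m:
        ts = datetime.fromisoformat(m.group(2))
        return {"ts": ts, "host": m.group(3), "user": m.group(4), "src_ip": m.group(5),
                "outcome": m.group(6), "source": "windows"}
    return None  # unknown format: needs a parser, never silently coerced


def normalize_all(lines):
    return [e for e in (normalize(l) for l in lines) if e is not None]


def find_cross_source_bruteforce(events, threshold=3, window_seconds=60):
    """Source IPs with >= threshold failures inside the window that touch more than one source type."""
    by_ip = defaultdict(list)
    for e in events:
        if e["outcome"] == "failure":
            by_ip[e["src_ip"]].append(e)
    hits = {}
    for ip, evs in by_ip.items():
        evs.sort(key=lambda e: e["ts"])
        for i in range(len(evs)):
            window = [x for x in evs[i:] if (x["ts"] - evs[i]["ts"]).total_seconds() <= window_seconds]
            if len(window) >= threshold and len({x["source"] for x in window}) > 1:
                hits[ip] = {"failures": len(window), "sources": sorted({x["source"] for x in window})}
                break
    return hits


if __name__ == "__main__":
    print(find_cross_source_bruteforce(normalize_all(SAMPLE_LINES)))
```

Neither source alone reaches the threshold in the sample; only the combined, normalized view does, which is the point the paragraph makes about correlating across equipment types.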
ManageEngine already offers a range of log management and analysis tools.
Isn't it sad to have a lot of data and not use it because it's too much work? You can now leverage the value of your data without effort and in an automated manner. Check out MISP features. The primary goal of MISP is to be used. This is why simplicity is the driving force behind the project.
Storing and especially using information about threats and malware should not be difficult. MISP is there to help you get the maximum out of your data without unmanageable complexity. Sharing is key to fast and effective detection of attacks. Quite often similar organisations are targeted by the same Threat Actor, in the same or different Campaign.
MISP will make it easier for you to share with, but also to receive from, trusted partners and trust groups. Sharing also enables collaborative analysis and prevents you from redoing work someone else has already done. Join one of the existing MISP communities.
You can get in touch with the MISP core team at the following email: info misp-project.
The whole platform relies on a knowledge hypergraph allowing the usage of hyper-entities and hyper-relationships, including nested relationships. From the operational to the strategic level, all information is linked through a unified and consistent data model based on the STIX2 standards. Every relationship between entities has time-based and space-based attributes and must be sourced by a report with a specific confidence level.
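The sourcing rule in the paragraph above (every relationship carries time attributes and a confidence, and must be backed by a report) can be expressed directly in STIX 2.1 objects. The example below is added here and is not OpenCTI code; it builds STIX 2.1 style objects as plain dicts (the `stix2` library is deliberately not used), gives the relationship a `start_time`, `stop_time` and `confidence`, references it from a `report`, and then checks a set of objects for relationships that no report sources. All names and dates are constructed.

```python
import uuid
from datetime import datetime, timezone


def _now():
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def make_sdo(stix_type, **props):
    """Minimal STIX 2.1 object: type, spec_version, id, created, modified, plus caller properties."""
    obj = {"type": stix_type, "spec_version": "2.1", "id": f"{stix_type}--{uuid.uuid4()}",
           "created": _now(), "modified": _now()}
    obj.update(props)
    return obj


def make_relationship(source, target, rel_type, confidence, start_time, stop_time=None):
    # time-based attributes live on the relationship itself; STIX 2.1 confidence is 0..100
    if not 0 <= confidence <= 100:
        raise ValueError("confidence must be between 0 and 100")
    rel = make_sdo("relationship", relationship_type=rel_type, source_ref=source["id"],
                   target_ref=target["id"], confidence=confidence, start_time=start_time)
    if stop_time:
        rel["stop_time"] = stop_time
    return rel


def make_report(name, published, objects):
    return make_sdo("report", name=name, published=published, report_types=["threat-report"],
                    object_refs=[o["id"] for o in objects])


def unsourced_relationships(objects):
    """Ids of relationships that no report references, i.e. violations of the sourcing rule."""
    sourced = set()
    for o in objects:
        if o["type"] == "report":
            sourced.update(o.get("object_refs", []))
    return [o["id"] for o in objects if o["type"] == "relationship" and o["id"] not in sourced]


def build_example():
    """Constructed knowledge: an intrusion set using a loader, per one report, plus an orphan relationship."""
    actor = make_sdo("intrusion-set", name="Example Intrusion Set (constructed)")
    malware = make_sdo("malware", name="Example Loader (constructed)", is_family=False)
    uses = make_relationship(actor, malware, "uses", 70,
                             "2024-01-15T00:00:00Z", "2024-03-01T00:00:00Z")
    report = make_report("Constructed vendor report", "2024-03-05T00:00:00Z", [actor, malware, uses])
    # a relationship added later without any report backing it; the validator should flag it
    sector = make_sdo("identity", name="Constructed target sector", identity_class="class")
    orphan = make_relationship(actor, sector, "targets", 30, "2024-03-10T00:00:00Z")
    objects = [actor, malware, uses, report, sector, orphan]
    return objects, unsourced_relationships(objects)


if __name__ == "__main__":
    objs, orphans = build_example()
    print("unsourced relationships:", orphans)
```

A real ingestion pipeline would reject or quarantine the orphan rather than merely listing it; the check is kept separate so it can run over any bundle.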
The whole dataset could be explored with analytics and correlation engines including many visualization plugins, MapReduce and Pregel computations. The database engine performs logical inference through deductive reasoning, in order to derive implicit facts and associations in real-time.
Full control of data access management using groups with permissions based on granular markings on both entities and relationships.
Knowledge management. The first purpose of the OpenCTI platform is to provide a powerful knowledge management database with an enforced schema especially tailored for cyber threat intelligence and cyber operations.
With multiple tools and viewing capabilities, analysts are able to explore the whole dataset by pivoting on the platform between entities and relations.
Because relations can carry multiple context attributes, it is easy to have several levels of context for a given entity.
Data visualization.
Current security infrastructures offer many tools to manage this information but little integration between them.
This translates to a frustrating amount of engineering effort to manage systems and an inevitable waste in already limited resources and time. Threat Intelligence Platforms can be deployed as a SaaS or on-premise solution to facilitate the management of cyber threat intelligence and associated entities such as actors, campaigns, incidents, signatures, bulletins, and TTPs.
It is defined by its capability to perform four key functions: The potential for any other party to access or interfere with the normal planned operations of an information network. Common threats today include:
Knowledge of a threat gained by human analysts or identified by events within the system. Intelligence is a broad term, but a TIP presents analysts with specific kinds of intelligence that can be automated, including: A packaged product that integrates with existing tools and products, presenting a threat intelligence management system that automates and simplifies much of the work analysts have traditionally done themselves.
These teams are focused on operational day to day tasks and responding to threats as they occur. A TIP provides automation for routine activities such as integrations, enrichment, and scoring. These teams look to make predictions based on associations and contextual information between actors, campaigns, etc.
A TIP provides management with a single platform through which to view reports at both technical and high levels. This enables them to effectively share and analyze data as incidents occur.
A Threat Intelligence Platform automatically collects and reconciles data from various sources and formats. Ingesting information from a variety of sources is a critical component of a strong security infrastructure. Supported sources and formats include: Collecting data across a wide variety of feeds results in millions of indicators to sort through per day, making it vital to process data efficiently.
Processing includes several steps, but is comprised of three main elements: normalization, de-duplication, and enrichment of data.
These are expensive to address in regards to computational exertion, analyst time, and money. A Threat Intelligence Platform automates these processes, freeing analysts to analyze rather than manage collected data. Data that has been normalized, vetted, and enriched must then be delivered to systems that can use it for automated enforcement and monitoring.
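The three processing elements named above are easiest to see on two feeds that describe the same indicators in different shapes. The code below is an added example written for this page, not the processing logic of any particular TIP vendor: it parses a constructed CSV feed and a constructed NDJSON feed, normalizes them (refanging `hxxp://` and `[.]`, mapping feed-specific type names onto one vocabulary, lower-casing hostnames), merges duplicates while keeping every source and the earliest sighting, and enriches the result from a constructed lookup table and an internal allowlist that forces the score to zero so the indicator never reaches enforcement.

```python
import csv
import io
import json
import re
from collections import OrderedDict

# Constructed sample feeds (not real feed data) that overlap and defang differently.
FEED_CSV = """indicator,type,note
hxxp://Malicious-Example[.]test/payload.bin,url,dropper
MALICIOUS-EXAMPLE[.]test,domain,c2
203.0.113.45,ip,scanner
"""
FEED_NDJSON = """{"value": "malicious-example.test", "kind": "fqdn", "first_seen": "2024-03-01"}
{"value": "203.0.113.45", "kind": "ipv4", "first_seen": "2024-02-20"}
{"value": "http://malicious-example.test/payload.bin", "kind": "url", "first_seen": "2024-03-02"}
"""

# feed-specific type names -> one internal vocabulary
TYPE_MAP = {"domain": "domain", "fqdn": "domain", "ip": "ipv4", "ipv4": "ipv4", "url": "url"}


def refang(value):
    """Undo common defanging so the same indicator from different feeds compares equal."""
    v = re.sub(r"\[\.\]|\(\.\)|\{\.\}", ".", value.strip())
    return re.sub(r"^hxxp(s?)://", r"http\1://", v, flags=re.IGNORECASE)


def normalize_indicator(value, raw_type, source, extra=None):
    v = refang(value)
    itype = TYPE_MAP[raw_type.lower()]
    if itype == "domain":
        v = v.lower().rstrip(".")
    elif itype == "url":  # lower-case scheme and host only; the path may be case-sensitive
        scheme, sep, rest = v.partition("://")
        host, slash, path = rest.partition("/")
        v = scheme.lower() + sep + host.lower() + slash + path
    return {"value": v, "type": itype, "sources": [source], **(extra or {})}


def parse_csv_feed(text, source="feed_csv"):
    return [normalize_indicator(r["indicator"], r["type"], source, {"note": r["note"]})
            for r in csv.DictReader(io.StringIO(text))]


def parse_ndjson_feed(text, source="feed_ndjson"):
    out = []
    for line in text.splitlines():
        if line.strip():
            r = json.loads(line)
            out.append(normalize_indicator(r["value"], r["kind"], source, {"first_seen": r["first_seen"]}))
    return out


def deduplicate(indicators):
    """Merge records with the same (type, value); keep every source and the earliest first_seen."""
    merged = OrderedDict()
    for ind in indicators:
        key = (ind["type"], ind["value"])
        if key not in merged:
            merged[key] = dict(ind)
            continue
        cur = merged[key]
        cur["sources"] = sorted(set(cur["sources"]) | set(ind["sources"]))
        for k, v in ind.items():
            if k in ("sources", "type", "value"):
                continue
            if k == "first_seen" and "first_seen" in cur:
                cur[k] = min(cur[k], v)
            else:
                cur.setdefault(k, v)
    return list(merged.values())


# Constructed enrichment table standing in for a WHOIS/ASN lookup, plus an internal allowlist.
ENRICHMENT = {"203.0.113.45": {"asn": "AS64496", "country": "ZZ"}}
INTERNAL_ALLOWLIST = {"updates.example.test"}


def enrich(indicators):
    for ind in indicators:
        ind.update(ENRICHMENT.get(ind["value"], {}))
        # more independent sources -> higher score; allowlisted values score 0 so they are never pushed
        ind["score"] = 0 if ind["value"] in INTERNAL_ALLOWLIST else min(100, 40 * len(ind["sources"]))
    return indicators


def process_feeds():
    raw = parse_csv_feed(FEED_CSV) + parse_ndjson_feed(FEED_NDJSON)
    return enrich(deduplicate(raw))


if __name__ == "__main__":
    for ind in process_feeds():
        print(ind)
```

Six raw records collapse to three indicators, each now attributed to both feeds; the scoring rule is a stand-in for whatever the platform actually computes, and the point is that enrichment and scoring happen once per unique indicator rather than once per feed entry.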
Based on background knowledge, certain IPs, domains, and more should not be accessed or allowed within the network. A Threat Intelligence Platform works with SIEM and log management system vendors behind the scenes, pulling down indicators to push across to security solutions within the customer network infrastructure. The burden of establishing and maintaining these integrations is therefore lifted from the analysts and instead shifted over to the SIEM and TIP vendors.
A Threat Intelligence Platform provides features that aid with analysis of potential threats and corresponding mitigation. More specifically, these features help analysts to:
A TIP will take all the possible data, enrichments, and other context available and display that information in ways that provide value, such as in dashboards, rules, alerts, and notes. A Threat Intelligence Platform also aids analysts by automating the research and collection processes, significantly reducing response time. Some specific functionalities of the analysis part of a Threat Intelligence Platform include:
Data you store is immediately available to your colleagues and partners.
Store the event id in your ticketing system or be informed by the signed and encrypted email notifications. Importing data can also be done in various ways: free-text import, OpenIOC, batch import, sandbox result import, or using the preconfigured or custom templates. Thanks to this automation and the effort of others, you are now in possession of valuable indicators of compromise with no additional work.
How often has your team analysed a threat only to realise at the end that a colleague had already worked on another, similar one? Or that an external report had already been made? When new data is added, MISP will immediately show relations with other observables and indicators.
This results in more efficient analysis, but also allows you to have a better picture of the TTPs, related campaigns and attribution. The discussion feature will also enable conversations between multiple analysts, resulting in a win-win for everyone.
An efficient IoC and indicators database that stores technical and non-technical information about malware samples, incidents, attackers and intelligence.
Automatic correlation finding relationships between attributes and indicators from malware, attack campaigns or analyses. The correlation engine includes correlation between attributes and more advanced correlations like fuzzy hashing correlation e.
Correlation can also be enabled or even disabled per attribute. A flexible data model where complex objects can be expressed and linked together to express threat intelligence, incidents or connected elements.
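The two points above, attribute-level correlation across events and the per-attribute switch to turn it off, can be shown on a handful of constructed events. This is an added example and not MISP's own correlation engine; it assumes a reduced event shape (an `id`, an `info` string and a list of attributes with `type`, `value` and a `disable_correlation` flag, the last mirroring the flag MISP exposes per attribute) and correlates on shared values only, which is the simplest of the correlation kinds the page lists.

```python
from collections import defaultdict

# Constructed events in a reduced MISP-like shape (not real MISP data).
EVENTS = [
    {"id": 1, "info": "Phishing wave A (constructed)", "Attribute": [
        {"type": "domain", "value": "login-example.test", "disable_correlation": False},
        {"type": "md5", "value": "0" * 32, "disable_correlation": False},
        # free-text comments correlate badly; the analyst switched correlation off for this one
        {"type": "comment", "value": "seen in mail gateway", "disable_correlation": True}]},
    {"id": 2, "info": "Loader analysis (constructed)", "Attribute": [
        {"type": "md5", "value": "0" * 32, "disable_correlation": False},
        {"type": "ip-dst", "value": "203.0.113.9", "disable_correlation": False}]},
    {"id": 3, "info": "Scanner noise (constructed)", "Attribute": [
        # a shared-infrastructure address: correlating on it would link unrelated events
        {"type": "ip-dst", "value": "203.0.113.9", "disable_correlation": True},
        {"type": "comment", "value": "seen in mail gateway", "disable_correlation": False}]},
]


def build_index(events):
    """value -> set of event ids, skipping attributes whose correlation is disabled."""
    idx = defaultdict(set)
    for ev in events:
        for a in ev["Attribute"]:
            if not a.get("disable_correlation"):
                idx[a["value"]].add(ev["id"])
    return idx


def correlations_for(events, event_id):
    """Return {other_event_id: [(type, value), ...]} for every shared correlating attribute value."""
    idx = build_index(events)
    ev = next(e for e in events if e["id"] == event_id)
    related = defaultdict(list)
    for a in ev["Attribute"]:
        if a.get("disable_correlation"):
            continue
        for other in sorted(idx[a["value"]] - {event_id}):
            related[other].append((a["type"], a["value"]))
    return dict(related)


if __name__ == "__main__":
    for ev in EVENTS:
        print(ev["id"], ev["info"], "->", correlations_for(EVENTS, ev["id"]))
```

Events 1 and 2 are linked by the shared hash, while event 3 links to nothing: its address is excluded on its own side, and the comment it shares with event 1 is excluded on event 1's side. Disabling correlation on one attribute is enough to suppress the link in both directions.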
Built-in sharing functionality to ease data sharing using different distribution models. Advanced filtering functionalities can be used to meet each organization's sharing policy, including flexible sharing groups and an attribute-level distribution mechanism.
A graphical interface to navigate seamlessly between events and their correlations. An event graph functionality to create and view relationships between objects and attributes.
Advanced filtering functionalities and warning lists to help analysts contribute events and attributes. Flexible free-text import tool to ease the integration of unstructured reports into MISP. Many default feeds are included in a standard MISP installation. Starting with MISP 2. Real-time publish-subscribe channel within MISP to automatically get all changes e.