By Milad Aslaner, Senior Director, Cyber Defense Strategy, SentinelOne
For many Security Operations Centre (SOC) teams, defending against cyberattacks is largely reactive. They confront increasingly complex threats and a widening attack surface, the result of remote working and a vast array of cloud applications that present unauthorised users with a myriad of entry points into systems.
While a swift and thorough response to security incidents is key, it is also essential to understand the bigger picture as to how, when, and why an incident occurred. Responding to a threat without viewing it holistically can lead to an infinite loop, where we contain a threat only to wait for an adversary to leverage the same attack methodology again.
Unfortunately, the moment you begin to contain a threat, your actions may set off alarm bells for threat actors, triggering them to accelerate their attack or stealthily change techniques. For this reason, it’s critical for SOC teams to spend time analysing how, when, and why an incident occurs.
Importance of cyber threat intelligence
Cyber threat intelligence (CTI) consists of information on the tactics, techniques, and procedures (TTP) of adversaries, and it enables organisations to make more informed and data-driven decisions about their cybersecurity programmes, driving more successful protection and detection of – and response to – today’s cyberattacks.
As Gartner affirms, “[e]vidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice about an existing or emerging menace or hazard to assets…can be used to inform decisions regarding the subject’s response to that menace or hazard.”
CTI helps organisations recognise blind spots, providing SOC teams with valuable insights into the threat landscape that ultimately allow them to mitigate risk. By applying threat intelligence to identify and understand the relationship between adversaries and their TTP, security analysts are empowered to take the most effective proactive steps for their particular environment.
Threat intelligence challenges facing organisations today
The cyber threat landscape continues to evolve, with attacks like the DarkSide ransomware campaign against Colonial Pipeline – causing the shutdown of the American oil company’s pipeline and the payment of about $5 million in ransom – and SUNBURST, the malware variant behind the SolarWinds corporate attack that compromised the data of more than 30,000 public and private organisations, just the tip of the cyberattack iceberg.
In recent years, hoping to better prepare for emerging threats and take informed action, many companies have attempted to leverage cyber threat intelligence. However, in practice, SOC teams often aren’t seeing tangible results. According to Information Security Forum’s research, 82% of their members have cyber threat intelligence capability, with the remaining 18% planning to implement one, yet only 25% of those members believe their current capability achieves their desired objectives.
This is largely due to the common pitfalls of modern threat intelligence, such as the inability to effectively process, correlate, and analyse data, given the enormous volume of signals and telemetry (measurements or other information collected at remote points and automatically transmitted to receiving equipment). Most threat intelligence solutions depend heavily on human intervention to consolidate, parse, enrich, and validate data, and their analyses can focus too deeply on who the attackers are rather than on how to remediate and take action.
Another issue is that threat-intelligence sources are often siloed, and teams lack the right technology and processes to connect and correlate their data for a more complete picture. Consequently, it has become costly and time-consuming to operationalise CTI, with threat researchers struggling to separate the meaningful insight from the noise.
Leveraging AI for threat intelligence
With incident queues continually growing, it’s no surprise that response-time metrics like ‘mean time to detect’ (MTTD) and ‘mean time to respond’ (MTTR) are rising. Given that one of the biggest obstacles to performing these types of in-depth analyses is time and resources, the key question is how organisations can acquire and evaluate the intelligence they need, without adding even more work to an already overloaded team.
One of the most effective ways to realise the full value of cyber threat intelligence is to combine the best of artificial intelligence with human intelligence. Doing so resolves two primary pain points: the amount of data that requires manual processing and the time it takes to manually correlate and contextualise it.
By utilising AI-powered autonomous security tools, security professionals can offload a great deal of the labour-intensive, manual work they previously struggled to keep up with. These AI-driven platforms can perform TTP analysis and correlate incoming threats at scale and in real time.
Some platforms even provide a console from which SOC teams can investigate a particular incident, accessing information on when a threat was first seen, when it was last seen, and the scope of the breach. Such platforms can also quickly identify the type of threat, for instance a ransomware campaign, and even show how each of the adversary's steps maps to the TTP of the MITRE ATT&CK framework. ATT&CK is a globally accessible knowledge base of adversary tactics and techniques, based on real-world observations, that supports the development of crowd-sourced cybersecurity defences.
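The correlation the console performs can be illustrated in a few dozen lines. The following is an added example written for this article; it is not SentinelOne code and does not reflect any product's internal logic. It assumes a detection layer has already tagged each alert with an ATT&CK technique ID and a correlation key (here called "campaign"); the alert field names and the alerts themselves are constructed for the example, and only a five-entry subset of real ATT&CK technique IDs is included. It groups alerts into incidents, computes first seen, last seen and scope (distinct hosts), and orders the observed techniques into a tactic sequence, flagging technique IDs it cannot map rather than silently dropping them.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Dict, List, Tuple

# Subset of real MITRE ATT&CK technique IDs mapped to their tactic. Only these
# five are included here (an assumption for the example); a real deployment
# would load the full ATT&CK knowledge base.
ATTACK_TACTICS = {
    "T1566": "Initial Access",     # Phishing
    "T1059": "Execution",          # Command and Scripting Interpreter
    "T1003": "Credential Access",  # OS Credential Dumping
    "T1021": "Lateral Movement",   # Remote Services
    "T1486": "Impact",             # Data Encrypted for Impact
}

# Constructed alert feed (not real telemetry). Field names are assumptions.
SAMPLE_ALERTS = [
    {"ts": "2021-06-01T08:02:11Z", "host": "ws-101",  "technique": "T1566", "campaign": "ransom-x"},
    {"ts": "2021-06-01T08:05:40Z", "host": "ws-101",  "technique": "T1059", "campaign": "ransom-x"},
    {"ts": "2021-06-01T09:17:03Z", "host": "ws-101",  "technique": "T1003", "campaign": "ransom-x"},
    {"ts": "2021-06-01T11:42:55Z", "host": "srv-db1", "technique": "T1021", "campaign": "ransom-x"},
    {"ts": "2021-06-02T02:10:00Z", "host": "srv-db1", "technique": "T1486", "campaign": "ransom-x"},
    {"ts": "2021-06-02T02:11:30Z", "host": "srv-fs2", "technique": "T1486", "campaign": "ransom-x"},
    {"ts": "2021-06-01T14:00:00Z", "host": "ws-220",  "technique": "T1059", "campaign": "adware-y"},
    {"ts": "2021-06-01T14:03:00Z", "host": "ws-220",  "technique": "T9999", "campaign": "adware-y"},  # unmapped ID
]


@dataclass
class Incident:
    campaign: str
    first_seen: datetime
    last_seen: datetime
    hosts: set = field(default_factory=set)
    # technique ID -> timestamp of its first observation within this incident
    techniques: Dict[str, datetime] = field(default_factory=dict)

    @property
    def scope(self) -> int:
        """Number of distinct hosts touched by the incident."""
        return len(self.hosts)


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%SZ")


def correlate(alerts: List[dict]) -> Dict[str, Incident]:
    """Group alerts by campaign key, tracking first/last seen, scope and techniques."""
    incidents: Dict[str, Incident] = {}
    for alert in alerts:
        ts = parse_ts(alert["ts"])
        inc = incidents.get(alert["campaign"])
        if inc is None:
            inc = Incident(alert["campaign"], ts, ts)
            incidents[alert["campaign"]] = inc
        inc.first_seen = min(inc.first_seen, ts)
        inc.last_seen = max(inc.last_seen, ts)
        inc.hosts.add(alert["host"])
        tech = alert["technique"]
        if tech not in inc.techniques or ts < inc.techniques[tech]:
            inc.techniques[tech] = ts
    return incidents


def kill_chain(inc: Incident) -> List[Tuple[str, str]]:
    """Techniques ordered by first observation, each paired with its ATT&CK tactic.
    IDs missing from the mapping are kept and labelled UNMAPPED so the analyst
    can see the gap instead of a silently shortened chain."""
    ordered = sorted(inc.techniques.items(), key=lambda kv: kv[1])
    return [(tid, ATTACK_TACTICS.get(tid, "UNMAPPED")) for tid, _ in ordered]


def summarise(inc: Incident) -> dict:
    """Console-style summary: timeline, dwell time, scope and tactic sequence."""
    chain = kill_chain(inc)
    return {
        "campaign": inc.campaign,
        "first_seen": inc.first_seen.isoformat(),
        "last_seen": inc.last_seen.isoformat(),
        "dwell_hours": round((inc.last_seen - inc.first_seen).total_seconds() / 3600, 1),
        "scope": inc.scope,
        "tactics": [tactic for _, tactic in chain],
        "reached_impact": any(tactic == "Impact" for _, tactic in chain),
    }


if __name__ == "__main__":
    for incident in correlate(SAMPLE_ALERTS).values():
        print(summarise(incident))
```

Ordering techniques by first observation is what turns a bag of alerts into a readable sequence (initial access, execution, credential access, lateral movement, impact), and the "reached_impact" flag plus the scope count give a triage team the two numbers they most want before deciding on containment.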
Cyber attackers are employing novel and ever-more sophisticated techniques to infiltrate networks and systems, and most security teams today are simply too overloaded to perform in-depth, meaningful analyses for all of their incident investigations. But with the help of AI-driven autonomous tools, SOC teams can now access real-time threat modelling, incident correlation, and TTP analysis at scale, empowering human threat analysts to make informed, data-backed decisions. This combination of artificial and human intelligence provides context, enrichment, and actionability to cyber data, and allows organisations to take a more automated and proactive approach to their defences – not only keeping up with their attackers but even staying one step ahead.