I keep hearing the drumbeat of threat intelligence, and I fear that I'm missing something by not having threat intel integrated into security operations. What difference does it make?
Little Drummer Boy from Oneonta, NY
Little Drummer Boy,
You're undoubtedly aware of this based on your question, but there's a ridiculous volume of data that falls into the threat intelligence bucket these days. The challenge becomes figuring out what's of value to you and your organization, and then cultivating and maintaining a threat intelligence store to serve your needs.
There are entire classes about threat intelligence, so let’s focus on identifying the threat intelligence that has the most value to you and then look at how to gather and maintain threat intelligence within your security operations toolset.
Threat intelligence is voluminous and varied. IP addresses, file hashes, certificate serial numbers, file paths, domains...I could go on and on. These observables have different amounts of value and utility. If anyone has ever seen David Bianco’s Pyramid of Pain, you know what I mean.
David positioned this from a threat hunting perspective, but the concept applies to threat intelligence as well. While Tools, Techniques, and Procedures (TTPs) are tough to uncover, they can be tremendously valuable and provide high fidelity alerts when the security operations team knows what to investigate. At the base of the pyramid, there are IP addresses and file hashes. Adversaries change IPs and file hashes at the same frequency that I change shirts, perhaps even faster. In certain circumstances, it may make good sense to collect IP addresses and file hashes, but collecting the universe of them and then trying to figure out what is a high fidelity alert is not be a winning strategy.
This brings us to where our threat intelligence comes from. If we were to take all the threat intelligence available to us, we'd have a massive list that would consume all of our time just collecting and curating it, let alone making it actionable.
This picture is a crude illustration of the problem. There are many different kinds of adversaries (I called out three of the bigger ones), but even under those adversaries, there are many different groups with many different interests and targets. Only four industries are shown, but each has its own communities of interest to share information amongst their peers. Additionally, specific adversaries will target specific industries, so the concept of a neighborhood watch for the healthcare industry—to name a single example—is appealing. Certain organizations care about ALL of this, but in many cases, to defend your organization, you need to focus on the threats that could impact you rather than the entire universe of threats.
Are you concerned with financial crimeware? Then why have tons of ransomware or nation-state threat intel muddying your operational view? I'm not saying that adversaries can't overlap, but like everything in my SOC, I need to maintain focus. Communities of interest are important, but the best threat intelligence that I can gather is derived from security events and incidents that occur within my own organization!
Threat intelligence informs the SOC about events and incidents that have occurred and allow you to be more proactive in looking for them. With that background, how does this apply to Splunk Enterprise Security? One of the five frameworks within Splunk ES is the threat intelligence framework. This framework exists to handle the ingestion of threat intelligence directly from URLs or through the UI in CSV, IOC and STIX format. It also serves a standard path for threat intel to be processed and prepared for correlation with events that are collected by Splunk. If you want to go deep into the overall threat intelligence framework, you can check out my talk from .conf17 entitled "Enterprise Security Biology: Dissecting the Threat Intelligence Framework."
This visual does an excellent job of summarizing how threat intel can be loaded from internal or external sources and then normalized before being mapped to events for correlation and alerting.
As you can see, threat intelligence can be collected and correlated within Splunk Enterprise Security and can be very valuable in identifying threats within your organization. I hope this helps you understand the value of threat intelligence and how Splunk ES can make it easy for you to take threat intelligence and turn it into something meaningful!