750x350 option 1 (1)

Agile Threat Intelligence: How I Learned to Stop Worrying & Love the Machine

By Omer Carmi – July 23, 2020

Today’s security organizations simply cannot effectively manage the huge amount of data points they need to digest. Whether you are a financial institution trying to cope with the constantly increasing volumes of leaked credit cards, a hospital looking to patch its critical vulnerabilities, or an enterprise hoping to prevent the next data breach--the current approach is becoming more obsolete by the minute.

Sixgill pioneers the Continuous Investigations/Continuous Protection (CI/CP) approach to security. CI/CP uses automation tools that empower security teams to collect, analyze, research, and respond after each intel development as seamlessly as possible. Focusing on maximum security readiness at any given time, Continuous Protection naturally leads to Continuous Investigation.

CI-CP Graphic 5.1

The cornerstone of the CI/CP framework lies in quickly and intuitively connecting the dots between a singular tactical incident, and the broader strategic landscape. 

It all starts with a real-time collection mechanism that enriches your data lake. In order to support a continuous CI/CP process, you must ensure there is a continuous stream of valuable data from the darkest corners of the underground. It is vital that these collection mechanisms be agile enough in order to seamlessly adjust themselves to the changing nature of the threat actors’ ways of communications. For example, such a collection mechanism should be able to automatically explore new forums on the dark web, or new malicious groups on an instant messaging platform, but it should also prevent flooding the data lake with spam.

CI/CP requires context. Thus any data point that is being collected should be processed, structured and correlated with other datasets in order to complete the bigger picture. Data, even if in a raw form, is never collected in a vacuum. Every IP has a “story”. Every post has an author. Every product that is sold on the dark web has a customer base. These details matter when you want to create CI/CP-driven processes. 

CI/CP pushes for a sense of ecosystem. When implementing CI/CP, you have to make sure that the data enables you to respond seamlessly with each intel development. CI/CP advocates integrating threat intelligence feeds with your security platform - whether it is a SIEM, SOAR, EPP or VM--in a way that each meaningful data point will trigger an action on your end to mitigate the threat.

Implementing a CI/CP driven threat intelligence process empowers you to have a full-cycle of agile responses. As soon as a new data point reaches the data lake, it is pushed to your security platform and is correlated with other indicators you already have. The data is aggregated, and the appropriate playbooks are triggered. After preventing the initial threat, you should now circle back to the data point that triggered the incident and thoroughly investigate it to understand the causes of the incident, and take actions to improve your security posture. CI/CP leverages an investigative portal that allows you to slice and dice the data and investigate it with minimum effort. 

For example, let’s assume that a prominent threat actor had created a malware and distributed it on the dark web. Traditional threat intelligence feeds will detect the new malware only once the malware is sold and weaponized, or even when the attack has already happened. When taking a CI/CP approach,  you shift left and look to detect the malware when it is initially offered for sale on the dark web. By using a real-time collection mechanism, you can extract the malware hash already in the preliminary phase, and block it on your SIEM, SOAR or EPP before anyone has even downloaded it. The next step is to circle back to your investigative platform and understand who authored the malware that was targeting you. Context is king here. You need to make sure that you understand the threat actor’s motivations, TTPs, social network and patterns in order to assess their next steps. With the information at your fingertips, you can now take the appropriate actions to ensure your organization's security.

A CI/CP framework is a must in order to cope with today’s explosion of data and the fast changes in the threat landscape. Implementing a CI/CP approach depends on having an automated and real-time collection mechanism, a predictive feed of IOCs curated from the underground in a contextual way, and an investigative portal to investigate escalated incidents. For us, enhancing your security organization with a CI/CP process is like going to a knife-fight armed with an Uzi. You’ll hit the incoming threats faster and in a more scalable way than ever before. And yes, I’ve just made this reference.

For me, a CI/CP framework means that my team is less concerned with having to do the same boring and tedious tasks over and over again, but can benefit from embracing automation. The key here is to embrace automation with a grain of salt - the human being is still in the loop, and still has authority over the outcome. Yet they are supercharged with the brainpower of the machine. This approach is way more than an evolution of the threat intelligence cycle - it’s nothing short of a revolution.

Want to learn more about how you can tackle the most critical threats impacting your organization? Click here to request a demo.

Don’t miss out on the latest

Get Industry updates
straight to your inbox.