Let’s keep it simple! The SOC’s goal is relatively straightforward: to limit or eliminate the damage caused by cyber attacks. That damage can be financial, a loss of availability (uptime), or harm to brand reputation.
A SOC’s effectiveness in minimizing cyber damage is a function of three capabilities:
- Stopping attacks before they begin
- Quickly triaging and investigating threat alerts
- Shortening an attack’s dwell time
Based on those capabilities, let’s take a look at the stats of average SOC performance:
- 53% of cyber attacks occur without detection.
- SOCs typically take between 24 and 30 minutes just to triage an alert.
- 42% of attacks are only detected two or more days after the initial compromise.
As you see, the picture is not pretty.
So what’s wrong with today’s approach to cyber threats? Why don’t companies and organizations more effectively detect these threats and defend themselves?
It’s not just a matter of technology failing to properly collect and process data. It’s not just a matter of human effort. And it’s certainly not just a matter of enterprises failing to realize the importance of cybersecurity.
The problem largely boils down to this: Even though most mature organizations use cyber threat intelligence as a foundational element of their SOCs, too many of them are insufficiently protected because they rely on an incomplete view of their cyber threatscape.
Telemetry-based threat intelligence is one popular type of technology among today’s SOCs. Because it is derived from activity already observed on monitored networks and endpoints, it offers high-quality data, but the actionable information it provides typically lags the cyber campaign that produced it. Meanwhile, solutions that use sensors to capture a wider variety of indicators of compromise (IOCs) tend to offer lower-quality, noisier information and do not instill confidence in the SOC’s ability to defend itself.
Looking beyond the obvious
While telemetry-based intelligence is essential, looking to where attackers operate can give us actionable insights to improve SOCs’ performance.
It is well documented that threat actors often operate on what is sometimes referred to as the “Deep and Dark web.” I prefer the term “underground sources,” because these sources include closed or limited-access dark web forums and marketplaces, instant-message groups and similar channels.
What do the attackers do there? Plenty. Their activities span the entire breadth of the Cyber Kill Chain and the MITRE ATT&CK framework, and extend beyond them. Because the planning, tooling and trading happen before any malicious traffic reaches a victim’s network, high-quality intelligence from underground sources is typically an earlier indicator than telemetry-based intelligence.
Here are some of the steps threat actors take online that most often accompany cyber attacks, grouped by where they fall relative to the techniques MITRE ATT&CK describes:
1. Before the ATT&CK phases (pre-attack)
- Collaborating online to create new malware or, in some cases, to plan an attack (a division of labor)
- Buying and selling malware so that others can weaponize it
- Buying and selling domains to be used in an attack
2. During the ATT&CK phases (the intrusion itself)
- Recruiting insiders to gain access to sensitive information
- Buying credentials to gain initial access or facilitate lateral movement
3. After the ATT&CK phases (post-intrusion)
- Monetizing the attack by selling stolen data, such as personally identifiable information (PII)
Winning the cyber threat equation
How can rapid access to relevant intelligence from underground sources enable SOCs to improve the outcome of the cyber threat equation? Well, let’s look at it again.
1. Stopping attacks before they begin: The early or preemptive nature of intelligence from underground sources means you can block attacks before they begin. If you know a domain or a piece of malware is being sold, you can block the domain or the sample’s hash before it is weaponized against you. And knowing about leaked credentials means you can reset those credentials and force multi-factor authentication (MFA) on the affected accounts.
2. Speeding up triage and investigations: Knowing you have a problem, and the nature of the problem, is half the solution. Access to systems that offer a “Google” of underground sources lets you check whether an IOC was discussed in these sources, when it was first seen, and who the actor behind the communication is. That context lets you hunt more quickly and decide more easily whether the indicators are malicious. The absence of underground chatter does not by itself clear an indicator, so treat the result as a prioritization signal rather than a verdict.
3. Shortening the dwell time: Knowing where you are in the MITRE ATT&CK framework means you can deploy appropriate actions to neutralize the threat (or, depending on your approach, watch the threat to learn the threat actor’s motive). For instance, knowing whether an IOC points to an isolated threat rather than a sustained campaign calls for a different security response.
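Here is what the three points above look like as something a SOC can actually run, as an added example that is not part of the original post and not Sixgill’s product code. It takes a constructed feed of underground-sourced records (domains for sale, leaked credentials, a malware sample offered for sale), turns them into preemptive actions (block the lookalike domain, reset and enforce MFA on live accounts, block the hash), and enriches an alert’s IOCs with underground context including how many days the chatter ran ahead of the alert. The feed shape and field names, the domains and accounts, the identity-directory lookup and the confidence threshold are all assumptions made for the example.

```python
"""Added example (not Sixgill's code): turning underground-sourced intelligence into
SOC actions and alert context. Every record, domain and account below is constructed."""
from datetime import date

# Constructed feed in a normalized shape: one record per underground mention.
UNDERGROUND_FEED = [
    {"type": "domain_for_sale", "value": "examp1e-corp.com", "actor": "seller_a",
     "source": "closed forum", "first_seen": "2023-03-01", "confidence": 80},
    {"type": "domain_for_sale", "value": "cheap-hosting.net", "actor": "seller_b",
     "source": "closed forum", "first_seen": "2023-03-02", "confidence": 60},
    {"type": "leaked_credential", "value": "alice@example-corp.com", "actor": "dumper_x",
     "source": "IM group", "first_seen": "2023-03-03", "confidence": 90},
    {"type": "leaked_credential", "value": "bob@example-corp.com", "actor": "dumper_x",
     "source": "IM group", "first_seen": "2023-03-03", "confidence": 90},
    {"type": "leaked_credential", "value": "carol@other.org", "actor": "dumper_x",
     "source": "IM group", "first_seen": "2023-03-03", "confidence": 90},
    {"type": "malware_sale", "value": "0" * 64, "actor": "dev_y",  # placeholder SHA-256
     "source": "closed forum", "first_seen": "2023-03-04", "confidence": 70},
]
OUR_DOMAINS = {"example-corp.com"}  # constructed brand domain
DIRECTORY = {"alice@example-corp.com": "active", "bob@example-corp.com": "disabled"}  # constructed

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to spot typosquats of our own domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(domain: str, our_domains, max_dist: int = 2) -> bool:
    d = domain.lower()
    return any(d != ours and edit_distance(d, ours) <= max_dist for ours in our_domains)

def plan_actions(feed, directory, our_domains, min_confidence: int = 50):
    """Map each record to a preemptive action, highest priority first."""
    actions = []
    for rec in feed:
        if rec["confidence"] < min_confidence:
            continue  # too weak to act on automatically; still searchable via enrich_alert
        kind, value, actor = rec["type"], rec["value"], rec["actor"]
        if kind == "domain_for_sale":
            if is_lookalike(value, our_domains):
                actions.append({"action": "block_domain", "target": value, "priority": "high",
                                "why": f"brand lookalike listed for sale by {actor}"})
            else:
                actions.append({"action": "watchlist_domain", "target": value, "priority": "low",
                                "why": "for sale, no brand overlap"})
        elif kind == "leaked_credential":
            if value.rsplit("@", 1)[-1].lower() not in our_domains:
                continue  # someone else's user; nothing of ours to rotate
            status = directory.get(value.lower())
            if status == "active":
                actions.append({"action": "force_reset_and_mfa", "target": value, "priority": "high",
                                "why": f"live account, credential traded by {actor}"})
            elif status == "disabled":
                actions.append({"action": "verify_disabled", "target": value, "priority": "low",
                                "why": "already disabled; confirm no sessions or tokens survive"})
            else:
                actions.append({"action": "investigate_unknown_account", "target": value,
                                "priority": "medium", "why": "our domain, but not in the directory"})
        elif kind == "malware_sale":
            actions.append({"action": "block_hash", "target": value, "priority": "medium",
                            "why": f"sample offered for sale by {actor}"})
    rank = {"high": 0, "medium": 1, "low": 2}
    actions.sort(key=lambda a: rank[a["priority"]])  # stable sort keeps feed order within a tier
    return actions

def enrich_alert(iocs, feed, alert_date: str):
    """Attach underground context to an alert's IOCs, including lead time in days."""
    alert = date.fromisoformat(alert_date)
    context = {}
    for ioc in iocs:
        mentions = [r for r in feed if r["value"].lower() == ioc.lower()]
        if not mentions:
            context[ioc] = {"mentions": 0, "actors": [], "sources": [], "lead_days": None}
            continue
        first = min(date.fromisoformat(r["first_seen"]) for r in mentions)
        context[ioc] = {
            "mentions": len(mentions),
            "actors": sorted({r["actor"] for r in mentions}),
            "sources": sorted({r["source"] for r in mentions}),
            "lead_days": (alert - first).days,  # how far the chatter ran ahead of the alert
        }
    return context

if __name__ == "__main__":
    for a in plan_actions(UNDERGROUND_FEED, DIRECTORY, OUR_DOMAINS):
        print(f"[{a['priority']:6}] {a['action']:28} {a['target']}  ({a['why']})")
    print(enrich_alert(["examp1e-corp.com", "unknown.test"], UNDERGROUND_FEED, "2023-03-10"))
```

Two design choices matter here. A leaked credential for an account that is already disabled is deliberately not a high-priority reset: the useful follow-up is confirming that no sessions or tokens survived, and burying that under the live-account resets would slow triage. And a missing underground mention yields `lead_days: None` rather than a clean bill of health, which keeps the enrichment honest about what it does and does not know.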
Let’s face it: today’s SOCs face an uphill battle in changing the cyber threat equation in their favor. A comprehensive threat picture can give you the upper hand.
In other words, it’s time to include intelligence from underground sources to improve your SOC’s performance.
To see how Sixgill’s cyberthreat intelligence solutions empower you to detect threats quickly, efficiently, and early, schedule a demo today.