A Security Operations Center (SOC) team is tasked with continuously monitoring its environment in order to detect, analyze, and respond to cybersecurity incidents, and ultimately improve the security posture of the organization.
However, to effectively monitor their environment, it isn’t enough for SOC teams to deploy security systems and tools that will alert them to an indiscriminate number of events. They need to know what threat actors are doing, what their activity may look like, and how to find traces of said activity across their infrastructure.
Usually, the sort of traces that are left behind by threat actors and picked up by the monitoring systems will be either observables or even indicators of compromise (IOCs)—IP addresses, host and domain names, email address, filename and file hashes—which on their own and out of context won’t be enough to conduct an in-depth investigation.
For a proper analysis that can lead to attribution as well as to effective countermeasures against similar attacks being built, SOC analysts need to enrich and contextualize the traces found in their internal systems.
This is where an often-confusing concept comes in: Threat intelligence. To better understand it, we will walk through the most popular elements related to the subject matter.
Threat Intelligence: Sources, Feeds, Platforms, and Providers 🔗︎
Threat intelligence is actionable and timely knowledge that is rooted in data. It provides analysts with the necessary context to understand threat actor’s motivations, methods, tools, and infrastructure, thus helping them prevent or mitigate attacks.
Practically speaking, threat intelligence relevant to an organization is generated when combining the traces found in the organization’s internal telemetry—such as firewall and DNS logs—with threat data and information, be it via sources, feeds, platforms or providers.
Sources and Feeds 🔗︎
Open source intelligence (OSINT) and network telemetry constitute examples of threat intelligence sources. Threat intelligence feeds are non-prioritized streams of data that usually consist of non-contextualized IoCs or digital artifacts and focus on specific areas or data types such as suspicious domains, known malware hashes, and IP addresses associated with malicious activity, amongst others.
While free feeds are usually gathered from open sources, paid threat feeds may provide curated data from closed sources such as forums or constitute an aggregation of open-source feeds.
Platforms and Providers 🔗︎
A threat intelligence platform (TIP) is a software used to organize several feeds—free and paid—into a single stream. Lastly, a threat intelligence provider is a vendor that produces threat intelligence reports, for which they sometimes use a mix of human and automated analysis. The provider then offers the intelligence via premium data feeds, as a report, or as part of a software product. The human generated part may include TTP’s and attribution to a known Actor. The automated part is providing lists of observables in machine readable format.
A Dilemma: Incorporating Threat Intel into the SOC Team 🔗︎
It’s easy to see how one may stumble around in search for the right product to incorporate into their SOC team just by looking at the variety of options out there. With that in mind, SOC teams should first gain a comprehensive understanding of the following:
- Their network infrastructure
- The type of risks unique to their industry
- Where their security posture stands based on their current resources and capabilities to manage defensive and reactive activities
- Their available budget
- Resources they can dedicate to the project
However, even with the previous elements established, it is often difficult for SOC teams to choose the threat intelligence solution best suited to them, and to determine how to properly take advantage of the data it provides without further burdening the analysts. This is especially true for smaller, less mature teams that may not have the necessary tools, processes, or resources to help them prioritize data.
Maltego’s Top 13 Recommendations on Threat Intel for SOC Teams 🔗︎
According to the 2021 SANS Cyber Threat Intelligence CTI survey published in January 2021, the types of threat intelligence that are most helpful to SOC team operations are:
- Information about vulnerabilities being targeted by attackers
- Detailed information about malware being used in attacks
- Specific IOCs to plug into IT and security infrastructure to block or find attacks
- Broad information about attacker trends
- Threat behaviors and tactics, techniques, and procedures (TTPs) of the adversary (how they work)
Based on these criteria, in this whitepaper, we provide a list of high-quality threat intel options for small SOC teams that have proven to be amongst our end-users’ favorites and are suitable for all budget sizes. The list is sorted in alphabetical order and doesn’t indicate any ranking or preference.
Download this whitepaper for detailed descriptions and evaluations of the threat intelligence feed provided by each provider listed above. This will help you make accurate and suitable purchasing decisions for the needs and responsibilities of your SOC teams.