Is that IP blacklisted or a false positive? Has it happened before? Were there any associated events? Should I keep it under supervision or just ignore it?
These are just a few of the countless questions a security professional has to answer every day. And the worst part? They rarely have enough time or information to be confident of their answers.
In fact, with the advent of sophisticated threats, security incidents have become so common that some teams would rather report false positives than risk an attack. And if an excess of caution doesn’t affect your team, the opposite just might. The incredibly common phenomenon of alert fatigue can desensitize security professionals to valuable information!
The truth is, regardless of their types and numbers, alerts are not the real problem. Their purpose is not to guide, but to inform. The actual issue is context. Context sets intelligence apart from mere data - it’s the main ingredient in making it actionable.
The Why behind the What
Most modern security solutions can easily pinpoint the exact nature of a threat and its source. What they can’t do is evaluate its relevance or draw the link between a security alert and your company. In other words, they can tell you WHAT it is, but not WHY you’re seeing it.
For that, you need to evaluate four types of factors, all part of the wider concept of “security context”: internal factors, external factors, historical data and security network intelligence.
Internal factors represent contextual information about the enterprise’s own systems. This information can be anything from the system’s type and function to its location, industry, connected systems and security status. This helps security professionals prioritize alerts: it’s important to learn that an employee visited a suspicious website, but not as important as a brute-force attack on a user with administrative access.
External factors usually pertain to the information one has about the threat: IP information, owner and location. This helps better understand the attacker’s intent. External context can also tell security if similar activity is happening anywhere else in the industry.
Historical data aims to answer a single question: is there a pattern? It can show whether the suspect IP has targeted other systems or the same industry in the past, or if IPs from that exact location have engaged in malicious behavior. Furthermore, it might help security professionals better understand the potential damage of an attack.
Finally, security network intelligence is the unique context your provider can add to the above data. This information can vary from showing a system’s known vulnerabilities to a list of common false positives. Such data is also helpful when an alert becomes a threat and security is already looking for solutions. It’s then that known patches, fixes, or tutorials can prove vital.
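To make the four context types concrete, here is an added example of how an enrichment step might combine them for a single alert. It is illustration code written for this article, not Bitdefender's product code; every inventory entry, feed record and log line in it is constructed sample data, and the point weights are arbitrary choices for the demonstration. It takes the two cases from above (a suspicious web visit from a workstation and a brute-force attempt against an administrative account on an internet-facing gateway) and shows why the second one should come out on top, recording the reason for every point so the analyst sees the WHY and not just a number.

```python
"""Enriching one alert with the four kinds of security context.

Added illustration, not Bitdefender code. Every inventory, feed entry and
log line below is constructed sample data; the weights are arbitrary.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

# 1. Internal factors: what the asset is and who the account is (constructed).
ASSETS = {
    "vpn-gw-01": {"function": "vpn gateway", "criticality": 3, "internet_facing": True},
    "wks-0412": {"function": "workstation", "criticality": 1, "internet_facing": False},
}
ADMIN_USERS = {"svc_backup", "it_admin"}
# 2. External factors: reputation data about the source (constructed feed).
REPUTATION = {
    "203.0.113.5": {"asn": "AS64496", "country": "XX", "category": "bruteforce", "confidence": 80},
}
# 3. Historical data: (timestamp, source ip, target host, event) tuples (constructed).
HISTORY = [
    ("2020-08-01T02:11:00", "203.0.113.5", "mail-01", "auth_failure"),
    ("2020-08-03T04:40:00", "203.0.113.7", "vpn-gw-01", "auth_failure"),
    ("2020-08-05T23:05:00", "203.0.113.5", "vpn-gw-01", "auth_failure"),
]
# 4. Security network intelligence: the vendor's list of common false positives (constructed).
KNOWN_FALSE_POSITIVES = {"192.0.2.10": "managed vulnerability scanner"}


@dataclass
class Verdict:
    """A score plus the reason for every point, so the analyst sees the WHY."""
    score: int = 0
    reasons: list = field(default_factory=list)

    def note(self, points, why):
        self.score += points
        self.reasons.append(f"+{points}: {why}")


def recent_events(history, alert_ts, days=30):
    """Prior events within `days` before the alert timestamp."""
    end = datetime.fromisoformat(alert_ts)
    start = end - timedelta(days=days)
    return [h for h in history if start <= datetime.fromisoformat(h[0]) < end]


def enrich(alert, assets=ASSETS, admins=ADMIN_USERS, reputation=REPUTATION,
           history=HISTORY, false_positives=KNOWN_FALSE_POSITIVES):
    """Score one alert dict (ts, src_ip, host, user, event) against all four context types."""
    v = Verdict()
    # Internal: criticality of the target and privilege of the account.
    asset = assets.get(alert["host"], {"function": "unknown", "criticality": 1, "internet_facing": False})
    v.note(10 * asset["criticality"],
           f"target {alert['host']} ({asset['function']}) has criticality {asset['criticality']}")
    if asset["internet_facing"]:
        v.note(5, "target is internet-facing")
    if alert.get("user") in admins:
        v.note(20, f"account {alert['user']} has administrative access")
    # External: what is known about the source IP.
    rep = reputation.get(alert["src_ip"])
    if rep:
        v.note(rep["confidence"] // 2,
               f"source listed as {rep['category']} ({rep['asn']}, {rep['country']}, confidence {rep['confidence']})")
    else:
        v.reasons.append("+0: no reputation data for source")
    # Historical: is there a pattern from this IP, or from its /24?
    recent = recent_events(history, alert["ts"])
    same_ip = [h for h in recent if h[1] == alert["src_ip"]]
    if same_ip:
        hosts = sorted({h[2] for h in same_ip})
        v.note(min(30, 10 * len(same_ip)), f"{len(same_ip)} prior event(s) from this IP against {hosts}")
    net = ip_network(f"{alert['src_ip']}/24", strict=False)
    siblings = [h for h in recent if h[1] != alert["src_ip"] and ip_address(h[1]) in net]
    if siblings:
        v.note(5 * min(4, len(siblings)), f"{len(siblings)} prior event(s) from the same /24 ({net})")
    # Network intelligence: a known false positive halves the score rather than hiding the alert.
    if alert["src_ip"] in false_positives:
        v.score //= 2
        v.reasons.append(f"halved: source is a common false positive ({false_positives[alert['src_ip']]})")
    return v


def triage(verdict):
    """Answer the analyst's question: escalate, keep under watch, or just log it."""
    if verdict.score >= 60:
        return "escalate"
    if verdict.score >= 30:
        return "watch"
    return "log"


# Constructed sample alerts: the brute force on an admin account versus the suspicious web visit.
ALERT_BRUTEFORCE = {"ts": "2020-08-10T03:00:00", "src_ip": "203.0.113.5",
                    "host": "vpn-gw-01", "user": "it_admin", "event": "auth_failure"}
ALERT_WEBVISIT = {"ts": "2020-08-10T09:00:00", "src_ip": "198.51.100.9",
                  "host": "wks-0412", "user": "jdoe", "event": "web_suspicious"}
ALERT_SCANNER = {"ts": "2020-08-10T10:00:00", "src_ip": "192.0.2.10",
                 "host": "vpn-gw-01", "user": None, "event": "auth_failure"}

if __name__ == "__main__":
    for a in (ALERT_BRUTEFORCE, ALERT_WEBVISIT, ALERT_SCANNER):
        v = enrich(a)
        print(a["event"], "from", a["src_ip"], "->", triage(v), v.score)
        for r in v.reasons:
            print("   ", r)
```

Run as a script it prints each alert's triage decision followed by the list of reasons. The brute-force case gathers points from every context type (critical internet-facing asset, admin account, a feed hit, two earlier events from the same IP against two hosts, and a neighbour in the same /24) and lands on "escalate", while the web visit has nothing but a low-criticality workstation behind it and is merely logged. Note that the false-positive list only halves the score: the alert is still recorded, so a real attacker hiding behind a scanner's address is not silently dropped.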
Can Classic Security Handle It?
Typical security suites may help fend off common threats but are often underpowered against large-scale ones. First of all, the amount of raw information generated by security sensors is difficult to tackle, even for MSSPs. Small security teams might find it impossible to digest (even with a SIEM or SOAR orchestration platform in place).
Secondly, some attacks are simply too sophisticated and well-targeted. Take the recent discovery of the Red Curl group, a threat actor focused on stealing data and funds from very specific industries, such as insurance, consulting, and engineering and construction.
Red Curl attacks are incredibly hard to detect, as the group uses legitimate services to communicate with its Command and Control servers and sends customized phishing e-mails. Furthermore, the group has created a custom trojan linked to cryptojacking malware. The right context could connect all those elements for you – without it, you might not even know they are part of the same attack.
However, to get the context right, the security professional would need a system able to operate large data streams, to process, clean, and enrich information, and to provide it in an actionable format. In other words: threat intelligence.
According to a commonly accepted definition, threat intelligence is “evidence-based knowledge that includes context, mechanisms, indicators, implications, and actionable advice, about an existing or emerging menace or hazard.”
A proficient threat intelligence vendor should be able to provide a few easily recognizable features, such as context (in all its manifestations), efficiency (the speed at which information is delivered), specificity (detection accuracy), and easy integration (with your SOC’s existing system).
Modern threat intelligence solutions also provide industry verticals that allow you to better recognize the threat landscape around your company’s or client’s domain. This lets your security team focus on the right data set and build relevant threat-hunting models.
How We Can Help
Bitdefender’s new Advanced Threat Intelligence solution eliminates long-standing blind spots for security analysts and enables them to thrive in an increasingly dangerous and complex world of cybercrime.
Our solution delivers real-time insights into the cyber-threat landscape to Managed Security Service Providers (MSSPs), Managed Detection & Response companies (MDRs), security consulting and investigations firms, and large enterprises with a Security Operations Center (SOC) that need to block and understand ingenious attacks and threat actors.
Bitdefender’s Threat Intelligence solution does not just provide context, it provides the right context. We offer global insight into unique, evasive malware, APTs, zero-days, and C&Cs that are hard to catch and that SOC analysts often lack visibility into.
Our extensive security network includes more than 500 million machines and performs 7 billion queries per day. By integrating the STIX 2.0 and TAXII protocols, we increased our capacity to deliver best-in-class know-how to our clients and partners.
Our unique, platform-agnostic approach, compatible with any SIEM that can consume a REST API, lets security professionals integrate our cyber-threat intelligence in minutes on any platform or infrastructure.
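To show what consuming STIX 2.0 over an integration like this looks like on the SIEM side, here is an added example written for this article; it is not Bitdefender's feed format or client code. The bundle is a constructed sample embedded inline in place of a TAXII collection fetch, the indicator and malware IDs are placeholder UUIDs, and the `x_example_industries` property is a hypothetical STIX custom property standing in for industry tagging. The parser deliberately handles only single observation expressions whose comparisons are joined by OR; any pattern it cannot interpret exactly (AND, NOT, LIKE, MATCHES, FOLLOWEDBY, nested groups) is reported as skipped rather than matched on a guess, and expired indicators are dropped before they can generate alerts.

```python
"""Consuming a STIX 2.0 bundle to enrich observed IPs and domains.

Added illustration, not Bitdefender code. The bundle below is constructed
sample data embedded inline in place of a TAXII collection fetch; the
`x_example_industries` property is a hypothetical custom property.
"""
import json
import re
from datetime import datetime, timezone

BUNDLE_JSON = r'''{
  "type": "bundle", "spec_version": "2.0",
  "id": "bundle--00000000-0000-4000-8000-000000000001",
  "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000011",
     "created": "2020-08-01T00:00:00.000Z", "modified": "2020-08-01T00:00:00.000Z",
     "labels": ["malicious-activity"], "valid_from": "2020-08-01T00:00:00.000Z",
     "pattern": "[ipv4-addr:value = '203.0.113.5']",
     "x_example_industries": ["insurance", "consulting"]},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000012",
     "created": "2020-08-02T00:00:00.000Z", "modified": "2020-08-02T00:00:00.000Z",
     "labels": ["malicious-activity"], "valid_from": "2020-08-02T00:00:00.000Z",
     "pattern": "[domain-name:value = 'cdn-update.example' OR ipv4-addr:value = '198.51.100.9']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000013",
     "created": "2020-06-01T00:00:00.000Z", "modified": "2020-06-01T00:00:00.000Z",
     "labels": ["malicious-activity"], "valid_from": "2020-06-01T00:00:00.000Z",
     "valid_until": "2020-07-01T00:00:00.000Z",
     "pattern": "[ipv4-addr:value = '192.0.2.44']"},
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000014",
     "created": "2020-08-03T00:00:00.000Z", "modified": "2020-08-03T00:00:00.000Z",
     "labels": ["malicious-activity"], "valid_from": "2020-08-03T00:00:00.000Z",
     "pattern": "[ipv4-addr:value = '192.0.2.77' AND network-traffic:dst_port = 4444]"},
    {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000021",
     "created": "2020-08-01T00:00:00.000Z", "modified": "2020-08-01T00:00:00.000Z",
     "name": "constructed-trojan", "labels": ["trojan"]},
    {"type": "relationship", "id": "relationship--00000000-0000-4000-8000-000000000031",
     "created": "2020-08-01T00:00:00.000Z", "modified": "2020-08-01T00:00:00.000Z",
     "relationship_type": "indicates",
     "source_ref": "indicator--00000000-0000-4000-8000-000000000011",
     "target_ref": "malware--00000000-0000-4000-8000-000000000021"}
  ]
}'''

NOW = datetime(2020, 8, 10, tzinfo=timezone.utc)  # constructed "current time" for validity checks

# One STIX comparison expression of the form  <object-type>:<property> = '<value>'
_COMPARISON = re.compile(r"([\w-]+):([\w.-]+)\s*=\s*'([^']*)'")


def parse_pattern(pattern):
    """Return a set of (type, property, value) triples for a single observation
    expression whose comparisons are joined by OR. Anything else (AND, NOT, LIKE,
    MATCHES, FOLLOWEDBY, nested groups) returns None so the caller skips it
    instead of guessing at the semantics."""
    body = pattern.strip()
    if not (body.startswith("[") and body.endswith("]")):
        return None
    triples = set()
    for part in re.split(r"\s+OR\s+", body[1:-1]):
        m = _COMPARISON.fullmatch(part.strip())
        if not m:
            return None
        triples.add(m.groups())
    return triples


def _ts(stix_time):
    """STIX timestamps are RFC 3339 in UTC with a trailing Z."""
    return datetime.fromisoformat(stix_time.replace("Z", "+00:00"))


def load_indicators(bundle_json, now=NOW):
    """Index comparison triples -> indicator metadata; return (index, skipped)."""
    bundle = json.loads(bundle_json)
    objects = {o["id"]: o for o in bundle["objects"]}
    # Follow "indicates" relationships so a hit can say what it points to.
    indicates = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o.get("relationship_type") == "indicates":
            target = objects.get(o["target_ref"], {})
            indicates.setdefault(o["source_ref"], []).append(target.get("name", o["target_ref"]))
    index, skipped = {}, []
    for o in bundle["objects"]:
        if o["type"] != "indicator":
            continue
        if "valid_until" in o and _ts(o["valid_until"]) < now:
            skipped.append((o["id"], "expired"))
            continue
        triples = parse_pattern(o["pattern"])
        if triples is None:
            skipped.append((o["id"], "unsupported pattern"))
            continue
        meta = {"id": o["id"], "labels": o.get("labels", []),
                "indicates": indicates.get(o["id"], []),
                "industries": o.get("x_example_industries", [])}
        for triple in triples:
            index.setdefault(triple, []).append(meta)
    return index, skipped


def lookup(index, observable_type, value):
    """All indicators whose pattern names this observed value, e.g. ('ipv4-addr', '203.0.113.5')."""
    return index.get((observable_type, "value", value), [])


if __name__ == "__main__":
    idx, skipped = load_indicators(BUNDLE_JSON)
    for kind, value in [("ipv4-addr", "203.0.113.5"), ("domain-name", "cdn-update.example"),
                        ("ipv4-addr", "192.0.2.44")]:
        print(kind, value, "->", lookup(idx, kind, value) or "no match")
    print("skipped:", skipped)
```

A hit returns more than a yes/no: the indicator's labels, what it indicates (here the relationship to the malware object) and the industry tags, which is exactly the context an analyst needs to decide whether the IP matters for their own vertical. In production the `skipped` list is worth surfacing too, since a feed whose patterns are mostly unsupported by your parser is silently giving you far less coverage than you think.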
Furthermore, Bitdefender’s Advanced Threat Intelligence offers industry tagging, so that when a security threat arises you receive only the most relevant information.
In other words, our solution takes away the guesswork in alert management and provides the context that stops threats from becoming incidents.