Indicators of Compromise (IOCs) are Not Intelligence
When discussing the topic of cyber threat intelligence, I frequently hear questions about Indicators of Compromise (IOCs). IOCs are not intelligence; they are important data points within the intelligence process. Meta-data is a better way to think about how to connect the dots between assets, threats, threat agents, counter-measures and the other variables that factor into cyber threat intelligence. Context is king, especially within threat intel, and meta-data is one of the main ways to build it.
When an individual's initial comments and questions are about IOCs instead of something more granular and meaningful related to cyber threat intelligence, it reveals the state of readiness and maturity in the organization. I have pondered on this for some time, and have realized that it's the most tangible thing that someone can relate to from their vantage point and experience. It's not unlike work I did for U-2 spy plane ops, where, if I spoke to someone about the mission and its unique operating environment, it was largely foreign to them. IOCs are a fine starting point for opening a discussion but should quickly migrate towards understanding the process of cyber threat intelligence and meta-data.
IOCs are generally collected from a large number of public and private sources on a global scale. Today's threat environment involves variants unique to each minor wave of a campaign, one-time-use command and control (C2) servers and a myriad of other challenging realities. We can collect, parse, populate and attempt to use billions of IOCs daily and never gain much ground on lowering risk or increasing threat visibility. Furthermore, global IOCs are those that impacted everyone else, not your network, not your email, not your CEO.
Inverting the focus of IOC collection, enriching and maturing the organization's own IOC data first, is a key recommendation for anyone new to the world of cyber threat intelligence. Take your anti-virus logs, incidents, and similar threat events, and act upon those IOCs. For example, collect all the original IOCs for the incident (e.g. email attachment data, the hash of an email attachment, etc.) and immediately populate them into your environment. Then, enrich and mature your understanding of that threat further by using anti-virus, sandbox, and similar solutions and/or your own qualified lab operations. By doing this you now have a more robust context for that specific threat and incident, enabling you to take additional actions and countermeasures.
Once you have robust, specific and relevant meta-data related to IOCs, threats and assets, you'll have a big data problem on your hands. So many tickets, so much information, so many threats... and you'll be drowning in all of them, sometimes without enough resources to manage. This is where having highly skilled and experienced staff is amazing, if you can manage to obtain and retain such individuals. Additionally, a focus upon your infrastructure for big data analytics, correlation and threat modeling is key to enabling whomever is doing the work to find the signal through the noise. If this is not a focus of your current operations, it should be in your immediate future, given the massive scale of attacks, especially in the world of malware since 2006.
Other meta-data also exists for IOCs and intel, such as the following information, which should be mapped back to the IOCs:
When you combine meta-data with a specific and relevant enrichment plan, context is the result. In the traditional world of IOCs you'd get a list of more information, often without any meta-data. This results in common problems like blocking the IP 127.0.0.1, not realizing that the loopback address made it into your blacklist by mistake from some other source among the billions of records scraped into the list.
We don’t need more information and more data, we need intelligence.
With context from meta-data linked back to an IOC, identifying and removing false positives is a reality instead of an operational nightmare or surprise. Context also enables experts to better qualify and respond to a threat, such as understanding that the blacklisted IP that just triggered an alert is linked back to possible espionage-based actions. The more context we create, the more value we drive in our threat research and response, recursively.
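The triage described above, as an added Python example that is not Optiv's code: each indicator record carries its source, scope and enrichment tags as meta-data, non-routable addresses such as the loopback example are rejected before they can reach a blacklist, and the organization's own incident indicators are ordered ahead of bare global feed entries. All indicator records are constructed sample data; the incident ids and feed names are placeholders.

```python
import ipaddress
from dataclasses import dataclass, field

@dataclass
class Indicator:
    value: str
    kind: str                     # "ip", "sha256", ...
    source: str                   # feed, ticket or tool the IOC came from
    scope: str                    # "local" (own incidents) or "global" (feeds)
    tags: list = field(default_factory=list)  # enrichment meta-data

# RFC 1918 ranges; ipaddress flags cover loopback, link-local, multicast, etc.
_RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

def ip_is_blockable(value):
    """False for anything that should never land in a perimeter blacklist."""
    try:
        ip = ipaddress.ip_address(value)
    except ValueError:
        return False
    if ip.is_loopback or ip.is_unspecified or ip.is_link_local or ip.is_multicast or ip.is_reserved:
        return False
    return not any(ip in net for net in _RFC1918)

def triage(indicators):
    """Split IOCs into (accepted, rejected); accepted is ordered by relevance."""
    accepted, rejected = [], []
    for ind in indicators:
        if ind.kind == "ip" and not ip_is_blockable(ind.value):
            rejected.append((ind, "non-routable address scraped from " + ind.source))
            continue
        accepted.append(ind)
    # own-incident IOCs first; among global ones, richer meta-data first
    accepted.sort(key=lambda i: (i.scope != "local", -len(i.tags)))
    return accepted, rejected

# Constructed sample records (documentation-range IPs, placeholder ids).
SAMPLE = [
    Indicator("127.0.0.1", "ip", "scraped-feed-A", "global"),
    Indicator("10.1.2.3", "ip", "scraped-feed-B", "global"),
    Indicator("192.0.2.99", "ip", "scraped-feed-A", "global"),
    Indicator("198.51.100.7", "ip", "vendor-feed", "global", ["motive:espionage"]),
    Indicator("203.0.113.5", "ip", "ticket INC-PLACEHOLDER", "local",
              ["incident:INC-PLACEHOLDER", "phish:attachment-c2", "seen:2016-07"]),
    Indicator("sha256-placeholder-from-ticket", "sha256", "ticket INC-PLACEHOLDER", "local",
              ["incident:INC-PLACEHOLDER", "sandbox:verdict-malicious"]),
]

if __name__ == "__main__":
    for ind, why in triage(SAMPLE)[1]:
        print("REJECTED", ind.value, why)
    for ind in triage(SAMPLE)[0]:
        print("ACCEPTED", ind.scope, ind.value, ind.tags)
```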
July 29, 2016