Embracing Automation in Cyber Threat Intelligence: The Key to Timely Protection

With every day that passes, it becomes clearer just how crafty and intricate cyberattacks can get. To protect against them, you need to know the methods of hackers and the principles of malware operation. With this insight, you can craft effective security systems, adapt and enhance your business operations, and put the right protective measures in place.

Taking a spin on the famous saying, "Whoever owns the information owns the world," we might say: "Those who own the most complete information about the attack methods are able to build adequate mechanisms for responding and protecting their company in cyberspace."

Let's talk about how to collect this information, where to store it, how to process it, and, most importantly, how to avoid being overwhelmed by the sheer volume of it.

Threat Intelligence (TI) representation across different levels

There is a lot of information on cyberattacks on the internet, and, as a rule, the most helpful information is contained in cyber threat reports (Threat Intelligence Reports). They are extremely valuable because they accumulate information collected by thousands of experts around the world, reflecting a community-driven perspective in information security.
Threat Intelligence can be divided into four primary levels: technical, tactical, operational, and strategic. Instead of diving into worn-out definitions, let's highlight the typical formats in which each level is presented:

• Technical — This usually involves network and host indicators of compromise (IoC) such as IP addresses, domains, URLs, email addresses, hashes, and so on. These are presented in both machine-readable and human-readable formats.
• Tactical — Here, you will find reports or messages in formats like STIX-MISP that detail the tactics, techniques, and procedures (TTPs) deployed by hacker groups and specific malware.
• Operational — This level provides reports on indicators of attack (IoA), which cover dynamics such as processes that take place when a threat is being executed.
• Strategic — Strategic reports shed light on the evolving thought patterns of hackers. They offer insights into trends and the overall direction in which hacker strategies are moving, often covering retrospectives over specific periods.

While there has been much discussion on the challenges of working with technical TI, there is a notable silence on the nuances of dealing with the other levels. Actually, this is not surprising considering that in many companies, data at these levels is still predominantly processed manually. It is curious that in the age of self-driving cars and ChatGPT, TI analysts often lean on human intelligence over artificial intelligence for these tasks. Let's delve into why this remains the case.

Key challenges with threat intelligence reports

Challenge 1: Information overload

With the surge in cyberattacks, it is natural that there is also a rise in the analytical materials covering these activities. Several thousand reports are published every year. This breaks down to roughly a dozen reports every day, each averaging around 10 pages. This adds up to an impressive 120 pages of technical content daily.

Expecting information security professionals (who are already occupied with the day-to-day tasks of maintaining a company's security) to process this volume of information is unrealistic. There is a clear need for dedicated TI analysts, and given the sheer volume, multiple TI analysts are likely required.

Challenge 2: The issue of complete and correct processing of reports

Every TI report follows a specific process for analysis and implementation:

• Reviewing the report thoroughly
• Assessing its relevance to your company's specific security posture/situation
• Extracting the hacker's techniques, tactics, and procedures highlighted in the report
• Converting these TTPs into detection rules
• Deploying these detections within security systems
• Refining detections based on their performance and results within your company's infrastructure

When you consider this rigorous process, it prompts the question: "How many personnel would be needed to effectively manage and implement this workflow?"

Challenge 3: Skillset complexity

TI reports, especially at the tactical and operational tiers, carry a unique challenge: they are packed with highly specialized information that demands both breadth and depth of knowledge from the analyst. For instance, one report might delve into the intricate workings of cryptographic mechanisms behind ransomware. Another might focus on the command protocols used in a specific malware, while yet another details the techniques a malicious entity employs to evade sandbox detections or antivirus software.

To truly grasp the contents of these reports and gauge their relevance, a TI analyst needs an extensive skill set. This ranges from understanding cryptography to having insights into operating system architecture. And if a threat actor employs social engineering, the analyst might even need a basic grasp of psychology.

Automation possibilities in processing TI reports using AI

While we are not at a point where artificial intelligence can entirely automate the parsing and analysis of reports, there is definitely room to use AI to simplify the life of TI analysts.

AI can be used to automate the following operations:

1. TI collection

• Scouring web resources of TI report providers for new posts
• Sifting through various messages and articles to single out TI reports
• An initial automated clean-up of the report, such as removing ads and extraneous content

2. Highlighting relevant info:

• Highlighting or extracting mentions of malware, hacker groups, hacker tools, and TTPs
• Identifying any cited legitimate software, services, or APIs
• Scanning for YARA, SIGMA rules within the text
• Extracting network and host indicators of compromise from the report
• Extracting geodata

Often, a cursory look at the listed objects is insufficient to gauge a report's relevance. In such cases, a concise summary can be invaluable. Highlighting the AI advantages in ITSM and InfoSec, you can use ChatGPT. This tool is adept at crafting abstracts of any size (often 500 words), describing the key points of the TI report using general terms and non-highly technical language.

Furthermore, TI reports often contain valuable attack patterns or malware info in the form of images. A single look at such diagrams can offer an analyst insight into the entire attack sequence (kill chain) without delving into the dense text of the report. One approach here is to utilize a pretrained neural network tailored to classify images from TI reports. For smaller companies with limited resources, partnering with TI vendors that already offer such a service could be a beneficial route.

Managing gathered threat intelligence data

At all stages of working with TI reports, a wealth of crucial data emerges – IoC, IoA, TTP, sequences in which TTPs are applied, etc. This data is invaluable, both immediately upon receipt (for swift incident response) and over the long term for incident investigations, enriching them with relevant content. Consequently, there is a strong case for building a knowledge base from this data, accessible at any moment.

Storing this vast data as disparate files, notes, or images is not efficient. The optimal approach to housing and navigating Threat Intelligence is through specialized platforms—specifically, Threat Intelligence Platforms equipped with connection graphs. These platforms break down threat reports into a model that vividly maps out the entire context of a threat in terms of interconnected data structures.

For instance, given a report on the threat stemming from a specific vulnerability, a Threat Intelligence Platform can depict it as a web of interconnected data:

• IP Addresses: e.g., "X. X. X. X. "— comprehensive list of addresses trying to connect to exploit the vulnerability.
• File Hashes: e.g., "dfslidywnsdx.dll " — numerous malicious libraries and files associated with the threat
• Vulnerability Records: e.g., "CVE-2023-4477" — detailed description from several aggregators and knowledge bases
• TTP from the MITRE ATT&CK matrix: e.g., "System Owner/User Discovery," etc.
• Hacker Tools: e.g., "Cobalt Strike " — with a detailed description of how to detect it in your infrastructure

TI platforms address challenges related to data organization and further augment the rich structure with analytical services. The result is a knowledge base that helps analysts solve the problem of situational awareness. In the event of an incident, they can harness this knowledge base, using its specific data points (like external IP addresses observed during a breach), to pull down, visualize, and comprehend a wealth of essential and highly relevant information.

Beyond aggregation: real-time and retrospective threat analysis

In addition to situational awareness, there is the pressing matter of implementing detections, integrating them into security systems, and adjusting these systems accordingly.

Threat Intelligence Platforms should not merely aggregate and supply vast amounts of TI data. They should be adept at automating the search for indicators amidst a barrage of "raw" events in an optimized manner. Tasking your SIEM with this duty is not pragmatic. Within a single industry, countless indicators may be pertinent to one enterprise, and an already overwhelmed SIEM would simply become overloaded.

Some advanced Threat Intelligence Platforms are equipped to carry out auto-detection, both in real time and retrospectively. That is to say, even if a report detailing a threat is assessed today, the platform verifies if such a threat was present yesterday or even a week prior (this duration depends on how long retro-data is retained).

Any discovered indicators are flagged as potential incidents. These incidents then undergo scrutiny. For example, if there are connection attempts from a malicious domain to a server within the "demilitarized zone" (DMZ), this is not particularly alarming. Such activities, often resulting from bots scanning the external perimeter, are commonplace. In such cases, your response might simply involve updating blacklists on the firewall using data from the TIP. However, if detection reveals a connection from your internal infrastructure to a command and control (C&C) domain, the severity of the incident surges dramatically. Such a scenario would necessitate a thorough investigation of the potential connection of the compromised machine to the command center.

Threat Intelligence has evolved from being just a buzzword to an essential tool for businesses. Nowadays, companies are figuring out how to harness its power without getting overwhelmed by the sheer volume of information. The solution? Embracing automation and artificial intelligence. AI-driven solutions can streamline many important tasks. Modern TIPs are not just databases; they automatically spot attacks using IoA and IoC, sifting through the vast "raw" data from security information systems and company infrastructures. Gathering insights, processing them, storing, and then deploying them to detect threats are the crucial steps in managing Threat Intelligence.