Actionable cyber threat intelligence should inform both a security operations center’s prioritization of the applications and infrastructure most critical to the business and its threat hunt program, in ways a security stack alone cannot. With hypothesis-led, well-defined use cases that focus on signatures and, more importantly, on behavior, threat hunting programs can operationalize threat intelligence by mapping threats to data sources and to decision matrices that produce alerts and the actions that follow them. As a deliverable, a SOC can then count actionable alerts against total alerts and, if these figures are captured appropriately, a security program can scale by reducing time to respond with fewer resources.
Business needs at companies of all sizes increasingly require managed production environments that perform critical computational and data storage roles, are often administered by company IT professionals, and may provide services to both internal and external entities. As a preamble, most production environments tend to be heavily Linux-based, while most corporate environments are either predominantly Windows or a mixed environment of Windows and MacOS machines. While it should be obvious that the production environment must be heavily protected from arbitrary access from the internet, it is easily overlooked that protecting company and customer data also requires security measures against access from the corporate and other internal networks.
Large companies take robust consultative approaches to integrating networks and applications post-acquisition. Rarely do acquiring security teams have the resources or cost-effective internal processes to conduct their own investigative cyber diligence on a pending acquisition. The most cost-effective option is intelligence analysis conducted “outside of the firewall”: analysis of unique data that combines automation and human investigation to provide timely and accurate insights into key man risk, network security, negative press, and infrastructure and network vulnerabilities. Informed by this analysis, “on-network” compromise assessments can then provide a comprehensive inspection that lets the acquiring party move forward confident it is on stable ground from a security perspective.
Managed Intelligence: Shaping a Threat Hunt Program to Operationalize Data, Resource Accordingly, and Protect the Business
Deriving actionable intelligence to enhance organizational security is a challenge faced by all global companies, and it is often further complicated by the intertwined networks that result from mergers and acquisitions. Given the volume of data involved, it is important to shape a threat hunting program so that it can consume and operationalize data collected from many different sources.
Security analysts responsible for vendor management face a unique combination of challenges, both human and technical. Questionnaires are a standard tool, but they are also fraught with human error, both intentional and accidental. On the technical side, risk managers are unlikely to have access to a third party’s network. Furthermore, “on-network” investigations intended to provide appropriate cyber due diligence for third parties, such as a penetration test or compromise assessment, are rarely completed within an actionable time period aligned with the risk manager’s workflow. Finally, while risk management tools aggregate useful insights in real time, they are unlikely to be tuned perfectly to an individual risk manager’s needs for a specific third party.
Managed Intelligence: An Overview on Signature and Personality-Based Attributions to Mitigate Risk for the Business
Continuing with Nisos’ series on providing context to enable actionable outcomes for Security Operations Centers (SOCs), we examine the differences between signature-based and personality-based attribution and the role each plays in an enterprise’s efforts to prioritize, define, and defend against threats. By focusing on the technical signatures and open source intelligence (OSINT) footprint of a group of actors, signature-based attribution efforts allow enterprises to contextualize their findings and better address coverage gaps in their security controls. SOCs often use threat intelligence or actual incident events to test hypotheses or to identify an adversary’s previous actions. These signatures also form the basis for metrics that let security teams grow their own programs by illustrating how they reduced the business’s risk exposure.
Managed Intelligence: Transitioning Cyber Threat Information to Actionable Threat Intelligence Provides Critical Context
Major organizations with significant intellectual property and brand name reputation face a constant onslaught of targeted cyber attacks and information operations campaigns, but they often lack the capability to attain context-based attribution: the ability to define the how and the why behind an attack. Such organizations face scenarios ranging from opportunistic threats to financially motivated hackers, state-sponsored actors, and even corporate espionage firms.
Linux monitoring is deceptively difficult. The most common monitoring tools (the Linux audit system, log journals, and syslog sources) are, at best, standardized per Linux distribution and, at worst, unique to each host in an enterprise environment. File-based logging can be spoofed by intruders, while kernel-based subsystems have performance costs. Many hosts operate under low-latency or high-performance requirements, either because of cost-saving measures on equipment or because they run an application that sees high utilization. Few strong solutions exist today that keep resource usage low without leaving gaping holes for intruders.
While the rapid shift from office-based to home or remote-based activity has allowed work to continue, the fact that corporate assets, and with them access to proprietary or sensitive data, are physically leaving the corporate space could turn into a disaster if your security policies and practices are not adapting to this new norm. Now more than ever, companies need to evaluate the information technology and security practices surrounding insider threats.
Insider threats aren’t just individual malicious employees. They may be anyone who had or has privileged access to the environment. From the vendor partner to the entirely unwitting employee, the impact is the same.