Evolving from Incident Response to Threat Intelligence
We have the pleasure to welcome Arnim Eijkhoudt as guest author to our blog, Arnim has been a household name in the CTI world for many years. EclecticIQ holds Arnim’s expertise in high esteem and his input regarding EclecticIQ Platform, which he and his team are using, is valued by our product team. As Team Lead at KPN-CERT, Arnim believes in a holistic approach to Threat Intelligence. In below blog post, he will familiarize you with this approach and take you on a journey through the evolution of Threat Intelligence.Threat Intelligence (TI) is the industry term for describing the practice of leveraging knowledge about your adversaries, technology and company exposure* to make informed decisions about security situations and improving the company’s overall security posture.
TI is frequently considered to be a separate activity or discipline at CERTs. With this article we aim to demonstrate that with a holistic approach to TI, a security organisation can improve their processes, move to proactively addressing security risk, reduce their costs by minimizing exposure and streamline their traditional CERT/incident handling processes.
Basic Threat Intelligence practices
TI commonly revolves around the processing and sharing of Indicators of Compromise (IoCs). IoCs are static pieces of technical information that describe the properties of a given threat, such as IP addresses, domain names, cryptographical hashes, email addresses, etc. TI analysts review the information, looking for coherence/correlation between the IoCs and threats. While these are great initial steps to get started with TI, combining and embracing threat intelligence and automation can bring much greater benefits. Horizontal and vertical integration of the two can be a powerful way of cost reduction through automatization, efficiency improvements, bridging gaps with risk management, red-/purple-teaming and incident handling.
Case Study: From Incident Handling to Threat Handling
KPN-CERT actively started using a Threat Intel Platform (TIP) in production in early 2016. Initially, the systems and processes ran parallel to our existing Incident Handling and ticketing systems, and it quickly proved to be instrumental in investigating and resolving a long-term fraud campaign. However, much of the initial TI work was done manually, and most of the information resided with dedicated analysts: determining which incidents to ingest into the TIP, searching for and enriching from additional sources, correlating information and processing the information for further use outside the TIP.
With the addition of more and more information feeds, this accelerated the equivalent of SOC ‘alert fatigue’ for the TI analysts: information pollution/ false positives and the resulting inability to filter out irrelevant information. For these and other reasons, it was therefore neither a sustainable nor scalable way to continue.
Back to the Drawing Board: Going 'all-in' on Threat Intelligence
In 2017, KPN-CERT decided to reposition its TIP and to restructure the existing processes around Threat Intel practices. Clear goals were set to aim for the TI maturity level of ‘Exposure Management’. This meant that TI would be repositioned as the overall way of working, with Incident Handling being a specific part of the overall TI process. Part of this transition would be the explicit focus on Site Reliability Engineering (SRE) principles. Every team member is expected to look critically at their work processes, and to develop and deploy automation tooling to eliminate manual work. This directly reduces overhead costs and the chance for human error as well. The strong focus on SRE closely aligns with the emergence and evolution of open TI protocols, standards and technologies such as STIX/ TAXII, MITRE’s ATT&CK, OASIS CACAO, etc. as well as the overall vision at KPN-CISO.
Transforming your organisation’s processes means making a significant initial investment. It can be a difficult ‘sell’, especially if the results only come at a later stage. Firstly, the expenditure of time and effort is significant, although it is also somewhat dependent on the existing culture and agility of the organisation. Secondly, by embracing these standards, technologies and the principles of SRE and TI, there is also the implicit choice for using those open standards and technologies while choosing for and deploying solutions that are compatible with these.
Nevertheless, the total cost of ownership (TCO) and subsequent cost reduction has shown to significantly outweigh those initial investments. For KPN-CERT, it has simplified everything from day-to-day incident handling to case investigations. In that sense, it is a ‘gift that keeps giving’. It will continue to simplify the future interconnection of systems and exchange of TI data, cooperation with industry partners, CERTs, government and NGO's organisations, etc.
Reaping the benefits at KPN
Interoperability and development
Investing development time into a middleware library continues to pay dividends. One of the first things KPN-CERT developed, was a middleware library for interoperability with its TIP. This middleware makes it easy and quick to develop new integrations, because there is a consistent API that abstracts the communication with the TIP. Development, prototyping and deployment of integrations now happen in the span of days or a few weeks, rather than multiple months or years. It also enables the transformation and exchange of data between other types of systems, further simplifying and enabling interoperability. Good examples are simple scripts that can take TIP data and transform these into rulesets for popular IDS. Lastly, it prevents being dependent on the TIP or other service providers for providing and maintaining interoperability or the interpretation and/ or transformation of TI between the systems.
Integrations and optimizing processes
At the outset, integrating ticketing systems into our TIP was one of the primary goals, making the Incident Handling part of the overall TI process and automatically allowing for correlation of information in tickets/incidents with other TI in the TIP**. This not only enables our incident handlers and TI analysts to automatically share data, but it also forms the basis for moving from handling separate (and sometimes seemingly isolated or unrelated) incidents to detecting recurring problems and persistent threats in an automated manner.
However, critically examining the systems that exist in your organisation can provide a wealth of other potential enrichment sources or threat intel as well. Good examples can be the development of integrations with asset management systems, so that information about affected systems can immediately be enriched with ownership information, software/ services running, previous incidents, change or request tickets, etc. This can even be taken further and to logical conclusions, e.g. by the automated parsing of vulnerability feeds and combining this with the asset management, vulnerability scanning information and emerging threat data from the TI analysts to determine real-time security exposure.
KPN-CERT has also developed many other integrations, such as the Kathe enricher, which provides the detection of malware families and strains through the use of ssdeep hashes. This effectively reduces cost by limiting the time spent reverse-engineering malware samples and by letting TI analysts define Courses of Action for families of malware, rather than having to deal with malware samples on an individual basis.
Bridging the gaps between TI, management and operations
By moving towards the TI maturity level of Exposure Management through these principles of automation, integration and interoperability, TI analysts can more easily determine the company’s exposure to security threats. The ability to determine the risks that the company faces, trends over time, emerging threats, etc. and to be able to do so in (largely) automated ways also improves reporting on operational to tactical levels. This, in turn, allows your TI team to more effectively report to and liaise with your Risk Auditors, Board of Directors and other decision makers in the company. Understanding and effectively reporting on risks will facilitate better focus and decision-making, truly improving your company’s security posture.
Perhaps you are just starting with TI or already in the later stages. Either way, KPN invites you to join forces with us in collectively fighting cybersecurity threats around the world, by embracing Threat Intelligence, intelligence sharing and supporting the open standards and protocols to do so. Threat Actors rarely work in a vacuum and rarely limit themselves to a single industry, so why should we?!
*Exposure can be any risk or vulnerability, known or unknown, technical or not
**KPN-CERT has achieved this by creating (and publishing) integrations with common ticketing systems, such as OTRS and ServiceNow