How to Use Data to Identify Trends, Attack Profiles, And Possible Threats?

01.05.2019

Data is a raw material: it is often unstructured, extracted in massive quantities, and requires processing before it can be called information and actionable intelligence. A good example is Indicators of Compromise (IoCs). A big list of domain names or IP addresses can be ingested into the SIEM system to identify whether the list contains any malicious IP. If a suspicious IP is detected, we can term this data actionable intelligence that has been evaluated from reliable sources, processed, and enriched. It can now be used to identify trends, attack profiles, and possible threats. In this article, we will see how data is gathered, processed, and turned into an actionable delivery.

Data Gathering

Data gathering is the key to threat intelligence. However, data should only be collected from reliable sources; unreliable or free sources can create many challenges. According to Matthew Cwieka, a security engineer, free data feeds bring the most challenges in terms of accuracy. He also suggests regression testing even information from paid feeds and bulletins, and he recommends investigating domains and IP addresses to avoid accidentally blocking legitimate IP addresses.
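One way to apply that advice before a feed reaches a blocklist, as an added example that is not from the original article: vet each entry, then regression-test the result against hosts that must stay reachable. The feed contents, the `KNOWN_GOOD` hosts, and the `MIN_PREFIX` threshold are constructed assumptions.

```python
import ipaddress

# Constructed sample feed (documentation-range addresses) with typical defects.
SAMPLE_FEED = """\
# constructed feed, one IPv4 indicator per line
203.0.113.10
203.0.113.10
198.51.100.0/24
10.0.0.5
not-an-ip
0.0.0.0/0
"""
# Hypothetical hosts the organization must never block.
KNOWN_GOOD = {"partner-mail": "198.51.100.7", "own-web": "192.0.2.80"}
NON_ROUTABLE = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                 "127.0.0.0/8", "169.254.0.0/16")]
MIN_PREFIX = 16  # assumption: anything broader than a /16 is a feed error


def vet_feed(text):
    """Split feed lines into accepted networks and (entry, reason) rejects."""
    accepted, rejected = [], []
    for raw in text.splitlines():
        entry = raw.split("#", 1)[0].strip()  # drop comments and whitespace
        if not entry:
            continue
        try:
            net = ipaddress.ip_network(entry, strict=False)
        except ValueError:
            rejected.append((entry, "unparseable"))
            continue
        if net in accepted:
            rejected.append((entry, "duplicate"))
        elif net.prefixlen < MIN_PREFIX:
            rejected.append((entry, "too broad"))
        elif any(net.overlaps(r) for r in NON_ROUTABLE):
            rejected.append((entry, "non-routable"))
        else:
            accepted.append(net)
    return accepted, rejected


def regression_check(accepted, known_good=KNOWN_GOOD):
    """Return known-good hosts that an accepted entry would block."""
    hits = []
    for name, addr in known_good.items():
        ip = ipaddress.ip_address(addr)
        hits += [(name, addr, str(net)) for net in accepted if ip in net]
    return hits
```

Calling `vet_feed(SAMPLE_FEED)` and passing the accepted list to `regression_check` shows that a syntactically valid /24 still covers the partner mail host, which is the kind of accidental block the investigation step is meant to catch.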

Reliable sources can span the open, deep, and dark web, social media, telemetry, artifacts, and private and closed forums. Together they can provide a huge variety of file hashes, domains, IP addresses, IoCs, registry keys, DLLs, file names, email addresses, email subjects, links, attachments, and so forth.

The Dark Web source refers to the collection of websites that exist on darknets, encrypted networks that cannot be found using traditional browsers or search engines. Typically, the Tor Encryption Tool is used to hide the identity of the Dark Web.

Converting Data into Actionable Delivery

In the previous section, we saw how data is collected from innumerable reliable sources. The next step is to convert that data into an actionable delivery so that it can be used to identify trends, attack profiles, and potential threats. Security analysts target and contextualize this actionable delivery, or intelligence, to identify and prioritize incidents based on their level of criticality.

Identifying Trends Using Telemetry

Telemetry is data that is gathered from the network and sent to a receiving device for processing. The types of data included in telemetry are connection attempts, downloads, uploads, port scanning, and so on.

There are two types of telemetry from a security perspective: The Vendor Aggregated Telemetry and the Internal Telemetry. Vendor Aggregated Telemetry is the data of the same type gathered by third-party vendors to identify Macro Trends in both malicious and legitimate traffic. On the other hand, Internal Telemetry data is collected within organizations to observe trends and find malicious behavior.

Telemetry consists of verified data, and it is readily available anywhere. Whether it is Vendor Aggregated or Internal Telemetry data, it lets you take a deep dive into threat actors' TTPs (Tactics, Techniques, and Procedures), often in real time, and it can also be utilized to swiftly observe incoming attacks.
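A sketch of how internal telemetry can surface one of the behaviors named above, port scanning, added here as an example and not taken from the original article. The log format, the addresses, and the thresholds are constructed assumptions.

```python
from collections import defaultdict, deque
from datetime import datetime

# Constructed telemetry: "timestamp src dst dst_port", one connection attempt per line.
SAMPLE_LOG = """\
2019-05-01T10:00:00 203.0.113.5 192.0.2.10 443
2019-05-01T10:00:01 198.51.100.23 192.0.2.10 21
2019-05-01T10:00:02 198.51.100.23 192.0.2.10 22
2019-05-01T10:00:03 198.51.100.23 192.0.2.10 23
2019-05-01T10:00:04 203.0.113.5 192.0.2.10 443
2019-05-01T10:00:05 198.51.100.23 192.0.2.10 25
2019-05-01T10:00:06 198.51.100.23 192.0.2.10 80
2019-05-01T10:00:07 198.51.100.23 192.0.2.10 443
2019-05-01T10:05:00 203.0.113.77 192.0.2.10 80
2019-05-01T10:20:00 203.0.113.77 192.0.2.10 443
2019-05-01T10:40:00 203.0.113.77 192.0.2.10 22
2019-05-01T11:00:00 203.0.113.77 192.0.2.10 25
2019-05-01T11:30:00 203.0.113.77 192.0.2.10 8080
"""


def parse(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_port_scans(log_text, window_s=60, min_ports=5):
    """Return {(src, dst): first alert time} for sources that touch at least
    min_ports distinct ports on one destination within window_s seconds.
    Both thresholds are assumptions to tune per network."""
    recent = defaultdict(deque)  # (src, dst) -> (time, port) pairs still in window
    alerts = {}
    records = sorted(parse(l) for l in log_text.splitlines() if l.strip())
    for ts, src, dst, port in records:
        q = recent[(src, dst)]
        q.append((ts, port))
        # Slide the window: discard attempts older than window_s.
        while (ts - q[0][0]).total_seconds() > window_s:
            q.popleft()
        if (src, dst) not in alerts and len({p for _, p in q}) >= min_ports:
            alerts[(src, dst)] = ts
    return alerts


if __name__ == "__main__":
    for (src, dst), when in find_port_scans(SAMPLE_LOG).items():
        print(f"{when.isoformat()} possible port scan: {src} -> {dst}")
```

With the defaults only 198.51.100.23 is flagged; 203.0.113.77 also reaches five ports, but spread over 85 minutes, so it appears only when the window is widened.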

Using Artifacts to Identify Threats

If an attack has succeeded, the threat actors may have left behind artifacts, which are pieces of information such as logs, registry entries, configuration files, patches, and so on. These artifacts can be used to identify attacks and upcoming threats to your critical corporate assets.

Ingestion of Data into SIEM

Once the data is converted into an actionable delivery, it can be ingested directly into the SIEM solution through flexible plug-ins and APIs. In addition, further actions can be performed using a threat list, which can be utilized to block a list of domains, create signatures for incident response platforms, or create firewall rules.

Removing Language Barriers of Data

Data may arrive in multiple languages or in a language other than English, which creates a language barrier for analysts. However, this problem can be addressed by using modern technologies such as Machine Learning (ML) and Natural Language Processing (NLP). In addition, Artificial Intelligence (AI) is another intelligence solution that assists in learning the language of threat data and identifying malicious terms. These technologies make data language-neutral and help analysts or machines analyze it without worrying about the original language in which the data was given. Once the data is in a readable and understandable form, it can be used to identify trends, attack profiles, and possible threats.


Data is the digital currency of this age. Companies can use data to identify trends, attack profiles, and possible threats. In this article, we have gained an insight into data gathering, using telemetry data, barriers to data, ingestion of data into SIEM, removing language barriers, and converting data into actionable delivery. This information reveals the importance of data and can help your organization avoid notorious attacks and future cyber security risks.