
Threat Intelligence Enrichment Process Automation

Category: Analytics and SIEM, Data Enrichment and Threat Intelligence, Case/Ticket Management

Cyware Products Used:

  • Orchestrate (CO)

  • Cyware Fusion and Threat Response (CFTR)

  • Cyware Threat Intelligence eXchange (CTIX)

Third-Party Integrations Used:

  • Splunk SIEM: To search internal logs for the indicators (internal enrichment) and identify threat impact.

  • Tanium: To search managed endpoints for the indicators (internal enrichment) and identify threat impact.

  • ServiceNow ITSM: Response solution to onboard identified malicious indicators as incidents.

Problem Statement

Threat intelligence helps defenders counter advanced threat actors by providing insight into their tactics, techniques, and procedures (TTPs). Organizations often consume threat intelligence from industry peers, independent threat hunters, or regulatory bodies. This intelligence usually arrives as an email, report, or blog post, that is, as unstructured threat data. In other cases, analysts need to enrich suspicious indicators extracted from an incident that is being triaged. Manually extracting, analyzing, and enriching this data in the course of an investigation is cumbersome for security analysts, and this is where security automation comes into play.

Solution

With the threat intelligence enrichment playbook, indicators are automatically enriched with additional details and context in Cyware Fusion and Threat Response (CFTR) and Orchestrate, improving incident investigation. The playbook is triggered for any indicator of compromise (IOC) observed during an incident investigation.

[Figure: Threat Intel Enrichment playbook diagram]

How do we solve this problem?

The playbook starts automatically whenever an indicator of compromise (IOC) is observed during an incident investigation.

  1. Indicator Ingestion: The playbook ingests and normalizes indicators from external and internal threat intelligence sources. When triggered from an incident investigation, it also extracts indicators from the incident itself.

  2. Internal Enrichment: The playbook runs custom search queries against in-house tools, the Splunk SIEM and the Tanium endpoint platform, to determine whether the indicators are present in the environment.

    1. The playbook builds a Splunk search query to check whether the indicator appears in internal logs.

    2. The playbook builds a Tanium query to check whether the indicator is present on endpoints managed by Tanium.

  3. Filter and Format Indicators: The playbook filters the indicators that were found internally and formats them by type as IP address, file hash, and URL.

  4. CTIX Enrichment: The identified malicious indicators are sent to CTIX for enrichment. CTIX enrichment returns additional context for each indicator, including the CTIX indicator score, the AbuseIPDB score, and related abuse domains.

  5. Create Incident: The playbook collates all of the information and creates a new incident in CFTR. The workflow can also be configured to create an incident ticket in ServiceNow ITSM. If the incident already exists in CFTR, the playbook updates it with the indicator details instead.
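The five steps above, from ingestion through incident creation, as an added worked example that is not part of this page and not Cyware's own playbook code. It is a stand-alone Python simulation: the incident text, the "internal" log lines, the internal address ranges, and the enrichment scores are all constructed for the example, and the Splunk/Tanium and CTIX calls are replaced by local functions. Two practitioner details it shows that the steps only imply are refanging (reports arrive with `hxxp://` and `[.]`, which will never match a log line) and quoting indicator values before they are placed in a search string, so that a value containing `OR`, `*` or `"` cannot change the meaning of the SPL query.

```python
import ipaddress
import json
import re
from typing import Dict, List

# Constructed sample incident text: indicators are defanged as they usually arrive in reports.
SAMPLE_INCIDENT = """
Observed beaconing from 198.51.100.23 to hxxp://malware-drop[.]example[.]net/payload.bin
Dropped file SHA256: 3b7e0f2e9a5d1c8f4a6b2d9e0f1a3c5b7d9e1f2a4b6c8d0e2f4a6b8c0d2e4f6a
Also seen MD5 d41d8cd98f00b204e9800998ecf8427e and internal host 10.0.0.5.
"""

# Constructed log lines standing in for what a Splunk or Tanium search would return.
SAMPLE_LOGS = [
    "2024-05-01T10:00:01Z proxy src=10.0.0.5 dst=198.51.100.23 url=http://malware-drop.example.net/payload.bin",
    "2024-05-01T10:00:07Z edr host=ws-17 sha256=3b7e0f2e9a5d1c8f4a6b2d9e0f1a3c5b7d9e1f2a4b6c8d0e2f4a6b8c0d2e4f6a action=blocked",
]

# Constructed stand-in for CTIX enrichment results (hypothetical scores, not real CTIX output).
SAMPLE_ENRICHMENT = {
    "198.51.100.23": {"ctix_score": 85, "abuseipdb_score": 92},
    "http://malware-drop.example.net/payload.bin": {"ctix_score": 90},
}

# Hypothetical internal address plan: internal hosts are context, not indicators to score.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

IOC_PATTERNS = {
    "ipv4": re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b"),
    "sha256": re.compile(r"\b[a-fA-F0-9]{64}\b"),
    "md5": re.compile(r"\b[a-fA-F0-9]{32}\b"),
    "url": re.compile(r"\bh(?:xx|tt)ps?://[^\s\"'<>]+", re.IGNORECASE),
}


def refang(value: str) -> str:
    """Undo common defanging so the indicator matches what logs actually contain."""
    value = value.replace("[.]", ".").replace("(.)", ".")
    return re.sub(r"(?i)^hxxp", "http", value)


def extract_indicators(text: str) -> Dict[str, List[str]]:
    """Step 1: ingest free text and normalise indicators, grouped by type, in order of appearance."""
    found: Dict[str, List[str]] = {ioc_type: [] for ioc_type in IOC_PATTERNS}
    for ioc_type, pattern in IOC_PATTERNS.items():
        for match in pattern.findall(text):
            value = refang(match).rstrip(".,;)")
            if ioc_type in ("sha256", "md5"):
                value = value.lower()
            if value not in found[ioc_type]:
                found[ioc_type].append(value)
    return found


def splunk_escape(value: str) -> str:
    """Quote an indicator for SPL so operators (OR, *, quotes) inside the value are not interpreted."""
    return '"' + value.replace("\\", "\\\\").replace('"', '\\"') + '"'


def build_splunk_query(indicators: Dict[str, List[str]], earliest: str = "-7d") -> str:
    """Step 2a: one search that looks for every indicator in the chosen time window."""
    terms = [splunk_escape(v) for values in indicators.values() for v in values]
    return f"search index=* earliest={earliest} ({' OR '.join(terms)})"


def search_logs(indicators: Dict[str, List[str]], logs: List[str]) -> Dict[str, List[str]]:
    """Step 2b (simulated): map each indicator to the internal log lines that contain it."""
    hits: Dict[str, List[str]] = {}
    for values in indicators.values():
        for value in values:
            matched = [line for line in logs if value.lower() in line.lower()]
            if matched:
                hits[value] = matched
    return hits


def filter_for_enrichment(indicators: Dict[str, List[str]], hits: Dict[str, List[str]]) -> List[dict]:
    """Step 3: keep only indicators seen internally, typed for CTIX, and drop internal hosts."""
    selected = []
    for ioc_type, values in indicators.items():
        for value in values:
            if value not in hits:
                continue
            if ioc_type == "ipv4" and any(ipaddress.ip_address(value) in net for net in INTERNAL_NETS):
                continue
            selected.append({"type": ioc_type, "value": value})
    return selected


def build_incident(selected: List[dict], hits: Dict[str, List[str]], enrichment: Dict[str, dict]) -> dict:
    """Steps 4 and 5: attach enrichment (here the constructed table) and collate into one incident."""
    indicators = [{**ioc, "evidence": hits[ioc["value"]], **enrichment.get(ioc["value"], {})} for ioc in selected]
    high = any(ioc.get("ctix_score", 0) >= 70 for ioc in indicators)
    return {
        "title": f"Threat intel enrichment: {len(indicators)} indicator(s) observed internally",
        "severity": "high" if high else "medium",
        "indicators": indicators,
    }


if __name__ == "__main__":
    iocs = extract_indicators(SAMPLE_INCIDENT)
    print(build_splunk_query(iocs))
    found = search_logs(iocs, SAMPLE_LOGS)
    print(json.dumps(build_incident(filter_for_enrichment(iocs, found), found, SAMPLE_ENRICHMENT), indent=2))
```

Running the script prints the generated SPL query and an incident with three indicators (the external IP, the SHA256 and the refanged URL); the MD5 is dropped because nothing internal matched it, and 10.0.0.5 is dropped because it falls inside the assumed internal ranges. In a real playbook the `search_logs` stand-in is replaced by the Splunk and Tanium integrations and `SAMPLE_ENRICHMENT` by the CTIX response.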

Benefits

Reduce Analyst Workload

Security analysts are already burdened with a large volume of threat alerts; security automation reduces this workload by accelerating the analysis of unstructured threat information.

Actionable Threat Intelligence

By automatically enriching and scoring indicators based on contextual factors, the playbook gives security analysts actionable intel on which to base further action.