General Documents

Threat intel enrichment involves collecting evidence-based knowledge, encompassing context, mechanisms, indicators, implications, and actionable advice. This information pertains to an existing or emerging menace or hazard to assets, informing decisions regarding the subject's response to the identified threat. Threat intelligence data includes logs, network traffic, identity information, vulnerabilities, attacker tactics, techniques, procedures (TTPs), or malicious indicators of compromise (IOCs).

The lack of automation in threat intelligence enrichment poses significant challenges for analysts in their daily workflow. Relying on a manual process, deeply ingrained over the years, burdens analysts as they navigate numerous sources to enrich indicators. Challenges such as outdated tools, insufficient IT resources, and manual data gathering complicate enrichment. As the volume of threat intelligence rises, these challenges lead to delays in addressing potential threats. The core issue arises from both the overwhelming volume and the complexity of tools hindering the automation process. Consequently, analysts may need help to prevent breaches by malicious actors promptly.

The solution to effectively gather, analyze, and respond to threats is by automating the enrichment of threat intel data. The automatic enrichment empowers analysts to continually enhance the automation logic by configuring conditions as needed. The Enrichment Policy feature within Intel Exchange (Intel Exchange) serves as a facilitator for automating threat intel enrichment, allowing analysts to adapt automation conditions in alignment with the latest trends in the overall threat intelligence enrichment process.

This section provides examples of enrichment policies in Intel Exchange that will automatically enhance the threat intelligence received from various sources. The Intel Exchange enrichment policy feature makes it easy for users to set up automated enrichment based on the type of threat data object such as IP, Domain, Hash, URL, Vulnerability, and the threat data sources and types of enrichment tools.

What is an Enrichment Policy?

Enrichment Policies, defined by administrators, automate the process of enriching threat data objects through configured integration tools. These integrations play a crucial role in providing additional details about different threat data objects, such as IPs, hashes, domains, vulnerabilities, and URLs. Automatic enrichment gathers pertinent information about these objects, contributing to the calculation of the confidence score.

To create an enrichment policy, see Configure Enrichment Policy.

IP Enrichment Policy

The IP enrichment policy allows for the automatic enrichment of IP address indicators received from different sources, such as Crowdstrike and ISAC community sources. You can also create a domain enrichment policy if you want to perform automated enrichment of domain data type. In this example, we use Crowdstrike and ISAC as enrichment sources, but other configured tools can also be used as sources.

Vulnerability Enrichment Policy

The Vulnerability enrichment policy allows for the automatic enrichment of vulnerability CVEs received from the ISAC community sources. In this example, we use ISAC as the vulnerability source, but other configured tools can also be used as sources.

Respond Effectively to Threats

Automated threat intel enrichment helps achieve better threat awareness and faster threat response. It improves the detection and assessment of threats, prioritizes relevant and actionable threat intelligence, and integrates it into incident response and remediation.

Confidence Score Calculation

To ensure that the platform captures and analyzes the necessary information accurately, it is important to define enrichment policies. This will help to calculate the Confidence Score, which is used to determine the severity and impact of an object. It is a useful tool for effective threat assessment and prioritization.