
Automate Threat Intel Enrichment using Enrichment Policies

Abstract


Category: Cyware Product

Cyware Products Used:

  • Intel Exchange (CTIX)

About Threat Intelligence Enrichment

Threat intel enrichment involves collecting evidence-based knowledge about an existing or emerging threat to assets, including its context, mechanisms, indicators, implications, and actionable advice. This knowledge informs decisions about how to respond to the identified threat. Threat intelligence data includes logs, network traffic, identity information, vulnerabilities, attacker tactics, techniques, and procedures (TTPs), and malicious indicators of compromise (IOCs).

Problem Statement

The lack of automation in threat intelligence enrichment poses significant challenges for analysts in their daily workflow. Relying on a manual process, deeply ingrained over the years, burdens analysts as they navigate numerous sources to enrich indicators. Challenges such as outdated tools, insufficient IT resources, and manual data gathering further complicate enrichment. As the volume of threat intelligence rises, these challenges lead to delays in addressing potential threats. The core issue arises from both the overwhelming volume of data and the complexity of the tools, which together hinder automation. Consequently, analysts may struggle to prevent breaches by malicious actors in a timely manner.

Solution

The solution for effectively gathering, analyzing, and responding to threats is to automate the enrichment of threat intel data. Automatic enrichment empowers analysts to continually refine the automation logic by configuring conditions as needed. The Enrichment Policy feature within Intel Exchange (CTIX) facilitates automated threat intel enrichment, allowing analysts to adapt automation conditions in line with the latest trends in the overall threat intelligence enrichment process.

How do we solve this problem?

This section provides examples of enrichment policies in Intel Exchange that automatically enrich the threat intelligence received from various sources. The Intel Exchange enrichment policy feature makes it easy for users to set up automated enrichment based on the type of threat data object (such as IP, Domain, Hash, URL, or Vulnerability), the threat data sources, and the types of enrichment tools.

What is an Enrichment Policy?

Enrichment Policies, defined by administrators, automate the process of enriching threat data objects through configured integration tools. These integrations play a crucial role in providing additional details about different threat data objects, such as IPs, hashes, domains, vulnerabilities, and URLs. Automatic enrichment gathers pertinent information about these objects, contributing to the calculation of the confidence score.

To create an enrichment policy, see Configure Enrichment Policy.

IP Enrichment Policy

The IP enrichment policy allows for the automatic enrichment of IP address indicators received from different sources, such as CrowdStrike and ISAC community sources. You can also create a domain enrichment policy if you want to perform automated enrichment of the domain data type. In this example, we use CrowdStrike and ISAC as enrichment sources, but other configured tools can also be used as sources.

[Figure: IP_Enrichment.png]

Vulnerability Enrichment Policy

The Vulnerability enrichment policy allows for the automatic enrichment of vulnerability CVEs received from ISAC community sources. In this example, we use ISAC as the vulnerability source, but other configured tools can also be used as sources.

[Figure: Vulnerability_Enrichment.png]

Enrichment Policy Priority

You can assign a priority to enrichment policies so that more important policies take precedence over those with a lower priority. This also enables the system to favor higher-precedence policies when resources are scarce.

Execution Type for Enrichment Policy

Intel Exchange provides the flexibility to select the execution type (sequential or parallel) for your policies. Because enrichment tools use different methods to enrich data, some consuming fewer API calls and others consuming more, the execution types let you make effective use of the available system resources.

What is the difference between Sequential and Parallel execution types?

The sequential execution type triggers the enrichment tools one after another, following the order of their configured preferences, while the parallel execution type triggers all selected enrichment tools simultaneously.

To know more about execution types, see Sequential vs Parallel Execution Types.
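The following is an added illustration, not Intel Exchange (CTIX) code and not its data model. It models only the behaviour the sections above describe: a policy selects threat data objects by object type and source, runs its configured enrichment tools either sequentially (in preference order) or in parallel, and, when the API-call budget is limited, higher-priority policies are served first. All tool names, policy names, API-call costs, the sample indicators (TEST-NET addresses and `.example` names) and the placeholder CVE id are constructed for the example.

```python
"""Toy model of enrichment policy evaluation (constructed example)."""
from concurrent.futures import ThreadPoolExecutor
from dataclasses import dataclass
from typing import Callable, Dict, FrozenSet, List, Tuple


@dataclass(frozen=True)
class ThreatObject:
    """A threat data object as it might arrive from a feed (constructed)."""
    kind: str    # "ip", "domain", "hash", "url", "vulnerability"
    value: str
    source: str  # e.g. "crowdstrike", "isac"


@dataclass(frozen=True)
class Tool:
    """A hypothetical enrichment tool: name, API calls it consumes, lookup."""
    name: str
    api_calls: int
    enrich: Callable[[ThreatObject], Dict[str, object]]


@dataclass(frozen=True)
class EnrichmentPolicy:
    name: str
    object_kinds: FrozenSet[str]
    sources: FrozenSet[str]
    tools: Tuple[Tool, ...]  # preference order; matters for sequential runs
    priority: int            # larger value = higher precedence
    execution: str           # "sequential" or "parallel"

    def matches(self, obj: ThreatObject) -> bool:
        return obj.kind in self.object_kinds and obj.source in self.sources

    def cost(self) -> int:
        return sum(t.api_calls for t in self.tools)


def run_policy(policy: EnrichmentPolicy, obj: ThreatObject) -> List[Tuple[str, Dict[str, object]]]:
    """Run every tool of the policy against obj.

    Sequential: tools run one after another in configured order, so the
    result list preserves that order. Parallel: all tools are submitted at
    once and finish in no fixed order, so results are sorted by tool name
    to keep the output stable.
    """
    if policy.execution == "sequential":
        return [(t.name, t.enrich(obj)) for t in policy.tools]
    if policy.execution == "parallel":
        with ThreadPoolExecutor(max_workers=len(policy.tools)) as pool:
            futures = {pool.submit(t.enrich, obj): t.name for t in policy.tools}
            results = [(name, fut.result()) for fut, name in futures.items()]
        return sorted(results, key=lambda r: r[0])
    raise ValueError(f"unknown execution type: {policy.execution}")


def enrich_batch(policies, objects, api_budget):
    """Pair each object with the policies that match it, then run the pairs
    in descending policy priority while API-call budget remains. Pairs whose
    policy cost exceeds the remaining budget are skipped, so under scarce
    resources the lowest-priority policies are the ones left unenriched.
    Returns (results keyed by (policy name, object value), remaining budget)."""
    jobs = [(p, o) for o in objects for p in policies if p.matches(o)]
    jobs.sort(key=lambda j: j[0].priority, reverse=True)
    done, remaining = {}, api_budget
    for policy, obj in jobs:
        if policy.cost() > remaining:
            continue
        remaining -= policy.cost()
        done[(policy.name, obj.value)] = run_policy(policy, obj)
    return done, remaining


# Constructed stand-ins for enrichment services (no network access).
def fake_reputation(obj: ThreatObject) -> Dict[str, object]:
    known_bad = {"198.51.100.7", "evil.example"}
    return {"malicious": obj.value in known_bad}


def fake_geo(obj: ThreatObject) -> Dict[str, object]:
    return {"country": "ZZ" if obj.kind == "ip" else None}


def fake_cve_score(obj: ThreatObject) -> Dict[str, object]:
    scores = {"CVE-2024-0000": 9.8}  # placeholder CVE id, constructed
    return {"cvss": scores.get(obj.value)}


REPUTATION = Tool("reputation", api_calls=2, enrich=fake_reputation)
GEO = Tool("geo", api_calls=1, enrich=fake_geo)
CVE_SCORE = Tool("cve_score", api_calls=3, enrich=fake_cve_score)

POLICIES = [
    EnrichmentPolicy("ip-policy", frozenset({"ip"}), frozenset({"crowdstrike", "isac"}),
                     (REPUTATION, GEO), priority=10, execution="parallel"),
    EnrichmentPolicy("vuln-policy", frozenset({"vulnerability"}), frozenset({"isac"}),
                     (CVE_SCORE,), priority=8, execution="sequential"),
    EnrichmentPolicy("domain-policy", frozenset({"domain"}), frozenset({"isac"}),
                     (REPUTATION, GEO), priority=5, execution="sequential"),
]

SAMPLE_OBJECTS = [  # constructed feed contents
    ThreatObject("ip", "198.51.100.7", "crowdstrike"),
    ThreatObject("vulnerability", "CVE-2024-0000", "isac"),
    ThreatObject("domain", "evil.example", "isac"),
]

if __name__ == "__main__":
    for budget in (6, 100):
        results, left = enrich_batch(POLICIES, SAMPLE_OBJECTS, budget)
        print(f"budget={budget}: enriched {sorted(results)} remaining={left}")
```

With a budget of 6 API calls only the two highest-priority matches (the IP and vulnerability policies, 3 calls each) run and the domain policy is skipped; with a budget of 100 all three run. The parallel IP policy returns its tool results sorted by name, while the sequential domain policy returns them in the configured tool order.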

Benefits

Respond Effectively to Threats

Automated threat intel enrichment helps achieve better threat awareness and faster threat response. It improves the detection and assessment of threats, prioritizes relevant and actionable threat intelligence, and integrates it into incident response and remediation.

Confidence Score Calculation

To ensure that the platform captures and analyzes the necessary information accurately, it is important to define enrichment policies. The enriched data feeds the calculation of the Confidence Score, which is used to determine the severity and impact of an object and is a useful tool for effective threat assessment and prioritization.