Checking the Dark Web and other sites where stolen credentials are dumped, including credentials exposed through a database breach, tells you whether your security program is working.
Monitoring the Dark Web for your employees' credentials should be supported and automated through a threat intelligence platform.
3. How can we be better aligned with security operations?
Threat analysis needs to be an extension of the security operations team's function for the SOC to be truly intelligence-driven. The challenge, as SANS defines it, is "...to organically integrate threat hunting into existing workflows so that it complements current security efforts."
Threat analysts and security operations teams are often viewed as two separate entities, each with its own charter. This can lead to slower response times and non-aligned priorities.
The intelligence-driven SOC prioritizes security events based first on correlation with threat intelligence IOCs and second on true-positive correlations between different types of security-relevant log data.
When security operations personnel see a security event in log data, they should also know in real time whether any threat intelligence data links the event to a previously seen attack. This provides added context in the form of the attacker's methods or techniques.
4. How do we know if we are monitoring for the right cyber security threats?
Threat hunting without context is an inefficient chase-anything-that-moves strategy. Using an ad-hoc or first-in, first-out strategy to review threat intelligence data or perform incident response is very inefficient. According to SANS, "Hunters need to consider 'crown jewels' analysis: They identify the assets and information that are most vital to the organization's mission so that they can prioritize their efforts."
Combining knowledge of key assets, their value to the organization and their individual owners with real-time correlation of potential IOCs in log data against IOCs in threat intelligence data produces threat hunting that is focused and meaningful.
With these three data sets, threat hunting is a proactive pursuit that is scalable, repeatable and teachable.
Knowing that you are hunting threats that are current, relevant to your business and low on false positives facilitates an active defense.
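The prioritization described above (threat-intelligence IOC matches first, cross-source log correlation second, both weighted by the value of the affected "crown jewel" asset) can be sketched as a small triage routine. The following is an added example written for this article, not code from the article's author or from any product it references; the IOC values, asset inventory and log lines are all constructed placeholders, and the key=value log format is an assumption chosen to keep the parser trivial.

```python
"""Toy intelligence-driven triage: rank security events by threat-intel IOC match first,
then by correlation across different log sources, weighted by asset criticality."""
from collections import defaultdict

# Constructed threat-intelligence IOCs (documentation-range IP, reserved .example domain;
# not real indicators). Each carries the context an analyst wants at triage time.
THREAT_INTEL = {
    "198.51.100.23": {"campaign": "EXAMPLE-CAMPAIGN-A", "technique": "credential stuffing"},
    "bad-domain.example": {"campaign": "EXAMPLE-CAMPAIGN-B", "technique": "C2 beaconing"},
}

# Constructed "crown jewels" inventory: criticality 1 (low) .. 5 (high), plus the owner
# who should be paged when the asset turns up in a hunt.
ASSETS = {
    "db-01": {"criticality": 5, "owner": "dba-team"},
    "web-02": {"criticality": 3, "owner": "web-team"},
    "kiosk-07": {"criticality": 1, "owner": "facilities"},
}

# Constructed log lines from three sources (firewall, auth, dns) in key=value form.
LOGS = [
    "ts=1 src=firewall host=db-01 action=deny dst_ip=198.51.100.23",
    "ts=2 src=auth host=db-01 event=login_failed user=svc_backup",
    "ts=3 src=dns host=web-02 query=bad-domain.example",
    "ts=4 src=firewall host=kiosk-07 action=deny dst_ip=203.0.113.9",
    "ts=5 src=auth host=kiosk-07 event=login_failed user=guest",
    "ts=6 src=auth host=web-02 event=login_ok user=alice",
]


def parse(line):
    """Split a key=value log line into a dict."""
    return dict(kv.split("=", 1) for kv in line.split())


def ioc_matches(event):
    """Return threat-intel context for every IOC-bearing field that hits the intel set."""
    hits = []
    for field in ("dst_ip", "query"):
        value = event.get(field)
        if value in THREAT_INTEL:
            hits.append({**THREAT_INTEL[value], "indicator": value})
    return hits


def is_security_relevant(event):
    """Only denies, failed logins and IOC hits count toward correlation; routine events do not."""
    return (
        event.get("action") == "deny"
        or event.get("event") == "login_failed"
        or bool(ioc_matches(event))
    )


def prioritize(lines):
    """Return hunting leads sorted by tier (1 = IOC match, 2 = cross-source correlation),
    then by asset-criticality-weighted score, then by time."""
    events = [e for e in (parse(l) for l in lines) if is_security_relevant(e)]

    # Which distinct log sources report relevant activity for each host?
    # Two or more sources on one host is the "true-positive correlation" signal.
    sources_by_host = defaultdict(set)
    for e in events:
        sources_by_host[e["host"]].add(e["src"])

    leads = []
    for e in events:
        asset = ASSETS.get(e["host"], {"criticality": 1, "owner": "unknown"})
        hits = ioc_matches(e)
        correlated = len(sources_by_host[e["host"]]) > 1
        if hits:
            tier = 1
        elif correlated:
            tier = 2
        else:
            continue  # relevant but isolated and intel-free: not a lead yet
        leads.append({
            "ts": int(e["ts"]),
            "host": e["host"],
            "owner": asset["owner"],
            "tier": tier,
            # IOC-backed events on the same asset outrank correlation-only ones.
            "score": asset["criticality"] * (2 if hits else 1),
            "intel": hits,
        })
    leads.sort(key=lambda r: (r["tier"], -r["score"], r["ts"]))
    return leads


if __name__ == "__main__":
    for lead in prioritize(LOGS):
        print(lead["tier"], lead["score"], lead["host"], lead["owner"], lead["intel"])
```

With the constructed input, the database server's connection to a known-bad address ranks first (IOC hit on a criticality-5 asset, with the campaign and technique attached), the web server's suspicious DNS query second, and the low-value kiosk's deny-plus-failed-login correlation last; the ordinary successful login is filtered out before correlation so it cannot inflate a host's source count.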
38 Cyber Warnings E-Magazine – July 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide