Page 28 - Cyber Warnings

Five Ways to Optimize Threat Intelligence


Steven Rogers advises companies on ways for security teams to optimize
protection with relevant threat intelligence

By Steven Rogers, CEO, Centripetal Networks



Threat intelligence feeds, like firewalls and anti-virus protection, have become core tools, a
necessity, for most security teams. However, the constant stream of alarms and alerts makes it
difficult to find time for anything else. On one hand, hiring a full team of security professionals
to sort through all of the alerts may not be financially possible for many companies. On the other
hand, there is a real concern that a threat could be missed that would severely cripple the company.
Additionally, a false positive may lead to an unnecessary system shutdown, resulting in a major
loss of productivity and profit.

For those charged with sorting through the alarms, there are several steps that can immediately
reduce the number of alerts and let the team focus on the data that matters, based on relevant
threat intelligence.

Five of these steps are:


1. Country Blocking. The OFAC (Office of Foreign Assets Control) list is the first place I
recommend looking. You can extend it with the ITAR (International Traffic in Arms Regulations)
list and with any other countries that are unfriendly to your country's law enforcement. If your
company has no locations, employees or customers in specific regions of the world, you can
block those regions from the network with little to no business risk. Reducing the geographic
area immediately reduces the scope of alerts your security team needs to comb through.
However, it is important to keep employees informed about which countries are blocked: specific
decisions, and changes to the blocked-country list, will be needed if someone is going to work
from or communicate with one of those locations.

2. Block specific malicious domain-based IOCs (indicators of compromise). Domains are
reused and resurface periodically, so keep the block list updated and active. Keep a close eye
out for domains that look similar to your company domain: a simple spelling mistake, for
example a transposed letter or two, can take your network down an unseemly path.

3. Block high-fidelity URL-based IOCs (indicators of compromise). A malicious URL string
(e.g. http://www.example.com/path/badfile.exe) is high-fidelity: it points to a specific
resource that is known to be malicious. When users reach these URLs, either through spear-
phishing or by browsing compromised sites, security tools produce intelligence matches that
could have been avoided by blocking access in the first place. Blocking these indicator types
provides an immediate increase in security.
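As an added example, not code from the article or from Centripetal Networks, the following Python script applies the three controls above (country blocking with a travel exception, domain IOC blocking that also matches subdomains, and normalized URL IOC blocking) to a handful of proxy log lines and reports how many alerts never reach an analyst. The country-to-range table, the placeholder country codes XA and XB, the company domain, the IOC lists, the exception address and the log lines are all constructed for illustration; a real deployment would use a GeoIP database and curated feeds. The edit-distance check for look-alike domains generalizes the article's "spelling mistake" remark into a reusable review rule.

```python
# Added example (not from the article): alert-reduction filter for constructed
# proxy log lines using country, domain IOC and URL IOC blocking.
import ipaddress
from urllib.parse import urlparse

# Constructed country-to-range table on documentation prefixes; XA/XB are
# placeholder country codes. Real deployments would query a GeoIP database.
COUNTRY_RANGES = {
    "XA": [ipaddress.ip_network("203.0.113.0/24")],
    "XB": [ipaddress.ip_network("198.51.100.0/24")],
    "US": [ipaddress.ip_network("192.0.2.0/24")],
}
BLOCKED_COUNTRIES = {"XA", "XB"}
# Constructed exception: one address an employee travelling to XA must reach.
COUNTRY_EXCEPTIONS = {ipaddress.ip_address("203.0.113.77")}
COMPANY_DOMAIN = "example-corp.com"                                # constructed
DOMAIN_IOCS = {"malware-update.example", "cdn-tracker.invalid"}   # constructed
URL_IOCS = {"http://www.example.com/path/badfile.exe"}            # from the article

def country_of(ip):
    """Placeholder country code for an address, or None if not in the table."""
    addr = ipaddress.ip_address(ip)
    for code, nets in COUNTRY_RANGES.items():
        if any(addr in net for net in nets):
            return code
    return None

def blocked_by_country(ip):
    """Country block with an explicit exception list for travelling staff."""
    if ipaddress.ip_address(ip) in COUNTRY_EXCEPTIONS:
        return False
    return country_of(ip) in BLOCKED_COUNTRIES

def normalize_host(host):
    return host.strip().lower().rstrip(".")

def domain_blocked(host):
    """True if the host or any parent domain is a listed domain IOC."""
    labels = normalize_host(host).split(".")
    return any(".".join(labels[i:]) in DOMAIN_IOCS for i in range(len(labels)))

def normalize_url(url):
    """Lower-case scheme and host only; paths are case-sensitive and kept as-is."""
    p = urlparse(url.strip())
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path or '/'}"

def url_blocked(url):
    return normalize_url(url) in {normalize_url(u) for u in URL_IOCS}

def levenshtein(a, b):
    """Edit distance, used to catch look-alikes of the company domain."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def is_lookalike(host, company=COMPANY_DOMAIN, max_distance=2):
    """Flag hosts within a couple of edits of the company domain for review."""
    h = normalize_host(host)
    if h == company or h.endswith("." + company):
        return False
    return levenshtein(h, company) <= max_distance

def classify(line):
    """Apply the controls in order of fidelity; the first match wins."""
    f = dict(kv.split("=", 1) for kv in line.split())
    if blocked_by_country(f["dst"]):
        return "country-block"
    if domain_blocked(f["host"]):
        return "domain-ioc"
    if url_blocked(f["url"]):
        return "url-ioc"
    if is_lookalike(f["host"]):
        return "lookalike-review"
    return "pass"

# Constructed proxy log lines (key=value, one request each).
SAMPLE_LOG = [
    "ts=2016-06-01T10:00:00Z src=10.0.0.5 dst=203.0.113.9 host=news.xa.example url=http://news.xa.example/",
    "ts=2016-06-01T10:00:01Z src=10.0.0.5 dst=203.0.113.77 host=partner.example url=https://partner.example/",
    "ts=2016-06-01T10:00:02Z src=10.0.0.8 dst=192.0.2.10 host=cdn.malware-update.example url=http://cdn.malware-update.example/x.js",
    "ts=2016-06-01T10:00:03Z src=10.0.0.8 dst=192.0.2.11 host=www.example.com url=http://WWW.Example.com/path/badfile.exe",
    "ts=2016-06-01T10:00:04Z src=10.0.0.9 dst=192.0.2.12 host=exampel-corp.com url=https://exampel-corp.com/login",
    "ts=2016-06-01T10:00:05Z src=10.0.0.9 dst=192.0.2.13 host=example-corp.com url=https://example-corp.com/",
    "ts=2016-06-01T10:00:06Z src=10.0.0.3 dst=198.51.100.4 host=mail.xb.example url=http://mail.xb.example/",
]

def summary(lines):
    """Count verdicts; everything except 'pass' never reaches an analyst."""
    counts = {}
    for line in lines:
        v = classify(line)
        counts[v] = counts.get(v, 0) + 1
    return counts
```

Running `summary(SAMPLE_LOG)` shows five of the seven constructed requests handled automatically and only two passed through, with the look-alike domain routed to a review queue rather than silently dropped, since an edit-distance match is a hint, not a high-fidelity indicator.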





28 Cyber Warnings E-Magazine – June 2016 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide
