The cybersecurity threat landscape continues to grow, and security professionals need additional skills, tools and perspectives in their defence strategies to face it. One way to do this is to protect your organization by integrating Cyber Threat Intelligence (CTI) into your Incident Response (IR) procedures.
CTI is an area of cybersecurity that focuses on the collection and analysis of threat information about current and potential attacks that threaten the security of an organization or its assets, with the purpose of providing a proactive extension to Incident Response.
Incident responders have the demanding duty of identifying anomalies quickly, gathering data to triage the possible incident, and then recovering from the situation. An important challenge is navigating and reviewing vast amounts of data to determine which alerts indicate true threats and which are false positives, which leaves less time for deeper investigation once true threats are identified. This shows a need for contextual information that enriches alerts and helps analysts make faster and smarter decisions on specific indicators that might be associated with a particular group or type of threat. With threat intelligence, security teams can filter out false positives, prioritize the riskiest alerts and apply tactics such as automating certain aspects of incident response. Therefore, having a process in place to proactively evaluate threats, categorise the incident type and then guide the appropriate response for each threat scenario is essential to keeping an incident from becoming a security breach.
With well-planned incident response and threat intelligence services, an organization can identify potential threats before they take place. The ability to identify and respond to incidents as early as possible begins with an effective Threat Intelligence program and a robust Incident Response framework.
Threat intelligence procedures should be integrated in the phases of the incident response cycle (preparation, triage, remediation, and containment).
For this purpose, it is essential to identify solutions and tools that integrate cyber threat intelligence into incident response. Security professionals use tools such as SIEM (Security Information and Event Management), which collects raw data and logs from the network and systems and generates events from them, and SOAR (Security Orchestration, Automation and Response), which defines automation workflows that lead to incident response actions. Adopting threat intelligence enhances incident response when combined with SIEM and SOAR solutions.
Threat Intelligence in SIEM solutions:
By combining threat intelligence with SIEM platforms, incident responders can enrich indicators from their log files and prioritize alerts and notable events when high-risk domains are detected or when activity patterns reach certain thresholds.
Threat Intelligence in SOAR solutions:
Security analysts can improve efficiency in incident response by automating as much of the investigation as possible, using threat intelligence to structure rules and using risk indicators or the presence of connected infrastructure as decision points for executing automated actions.
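The two uses described above, SIEM-side enrichment of log indicators (with a high-risk domain or a repeat-activity threshold raising the alert priority) and a SOAR-side decision rule that picks an automated action from the enriched risk, as one added example. This is illustrative code written for this article, not code from any of the SIEM or SOAR products or vendors referenced; the feed entries, log lines, threshold values and action names are all constructed, and the feed layout is an assumption rather than any real product's format.

```python
"""
Added example: enrich constructed proxy-log events with a constructed
threat-intelligence feed, prioritize the resulting alerts, and apply a
SOAR-style decision rule. Nothing here is a real product's data or API.
"""
from collections import Counter
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed feed: indicator -> context an analyst wants beside the alert
# (risk score 0-100, suspected group/campaign, tags). Assumed layout.
THREAT_FEED: Dict[str, dict] = {
    "malicious-update.example": {"risk": 90, "actor": "constructed-group-A", "tags": ["c2"]},
    "free-invoices.example": {"risk": 60, "actor": None, "tags": ["phishing"]},
    "cdn.example": {"risk": 10, "actor": None, "tags": ["benign-infra"]},
}

# Constructed proxy log lines: "<timestamp> <host> <user> <domain> <action>"
RAW_LOGS = """\
2024-05-01T09:00:01Z ws-017 alice cdn.example ALLOW
2024-05-01T09:00:05Z ws-017 alice malicious-update.example ALLOW
2024-05-01T09:00:09Z ws-017 alice Malicious-Update.example ALLOW
2024-05-01T09:00:15Z ws-017 alice malicious-update.example ALLOW
2024-05-01T09:01:00Z ws-042 bob free-invoices.example ALLOW
2024-05-01T09:02:00Z ws-099 carol intranet.corp.example ALLOW
"""

HIGH_RISK = 80         # constructed: feed risk at or above this is high by itself
MEDIUM_RISK = 50       # constructed: below this the indicator is informational
REPEAT_THRESHOLD = 3   # constructed: this many hits on one host escalates a medium indicator


@dataclass
class Alert:
    host: str
    user: str
    domain: str
    risk: int
    actor: Optional[str]
    tags: List[str]
    hits: int
    priority: str = "low"
    action: str = "log_only"


def parse_logs(text: str) -> List[dict]:
    """Turn raw log lines into events; malformed lines are skipped, not fatal."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, host, user, domain, action = parts
        events.append({"ts": ts, "host": host, "user": user,
                       "domain": domain.lower(), "action": action})
    return events


def enrich(events: List[dict], feed: Dict[str, dict] = THREAT_FEED) -> List[Alert]:
    """SIEM-style enrichment: one alert per (host, domain) that matches the feed,
    carrying the feed context and the number of times the host touched it."""
    hits = Counter((e["host"], e["domain"]) for e in events)
    alerts: Dict[tuple, Alert] = {}
    for e in events:
        ctx = feed.get(e["domain"])
        key = (e["host"], e["domain"])
        if ctx is None or key in alerts:
            continue
        alerts[key] = Alert(host=e["host"], user=e["user"], domain=e["domain"],
                            risk=ctx["risk"], actor=ctx["actor"],
                            tags=list(ctx["tags"]), hits=hits[key])
    return list(alerts.values())


def prioritize(alerts: List[Alert]) -> List[Alert]:
    """High-risk domain, or a medium one hit repeatedly, goes to the top of the queue."""
    for a in alerts:
        if a.risk >= HIGH_RISK or (a.risk >= MEDIUM_RISK and a.hits >= REPEAT_THRESHOLD):
            a.priority = "high"
        elif a.risk >= MEDIUM_RISK:
            a.priority = "medium"
        else:
            a.priority = "low"
    return sorted(alerts, key=lambda a: (-a.risk, -a.hits))


def decide(alert: Alert) -> str:
    """SOAR-style playbook step: priority and feed tags are the decision points."""
    if alert.priority == "high" and "c2" in alert.tags:
        alert.action = "isolate_host_and_open_incident"
    elif alert.priority in ("high", "medium"):
        alert.action = "open_ticket_for_analyst"
    else:
        alert.action = "log_only"
    return alert.action


def run_pipeline(text: str = RAW_LOGS, feed: Dict[str, dict] = THREAT_FEED) -> List[Alert]:
    alerts = prioritize(enrich(parse_logs(text), feed))
    for a in alerts:
        decide(a)
    return alerts


if __name__ == "__main__":
    for a in run_pipeline():
        print(f"{a.priority:6} {a.host} {a.user} {a.domain} risk={a.risk} "
              f"hits={a.hits} actor={a.actor} -> {a.action}")
```

The point of the split between `prioritize` and `decide` is that the SIEM side only ranks what the feed already knows, while the SOAR side decides what is safe to automate: here only a high-priority indicator tagged as command-and-control triggers containment, everything else is routed to an analyst or merely recorded, so a noisy or low-confidence feed entry cannot on its own isolate a workstation.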
Another approach that can improve threat analysis and investigation procedures is the integration of SIEM and SOAR platforms with threat modelling frameworks (such as MITRE ATT&CK and the Cyber Kill Chain) and cyber threat hunting standards (such as Sigma and YARA rules).
For more information about Incident Response and Threat Intelligence, refer to these references:
- Incident Response with Threat Intelligence – Author: Roberto Martinez
- Incident response and threat intelligence services – IBM (https://www.ibm.com/nl-en/security/services/ibm-x-force-incident-response-and-intelligence)
- Incident Response & Threat Intelligence – Guidepoint Security (https://www.guidepointsecurity.com/incident-response-and-threat-intelligence/)
- How to leverage threat intelligence in incident response to move from reactive tactics to a proactive strategy – Domain Tools (https://www.domaintools.com/resources/blog/how-to-leverage-threat-intelligence-in-incident-response/)
- Cyberthreat Intelligence as a Proactive Extension to Incident Response – Author: Larry G. Wlosinski, CISA, CRISC, CISM, CDPSE, CAP, CBCP, CCSP, CDP, CIPM, CISSP, ITIL v3, PMP – Date Published: 2 November 2021
- A Comparative Study on Cyber Threat Intelligence: The Security Incident Response Perspective – Authors: Daniel Schlette (Universität Regensburg), Marco Caselli (Siemens), Günther Pernul (Universität Regensburg) – Published in: IEEE Communications Surveys & Tutorials, Vol. 23, No. 4, Fourth Quarter 2021 – Date of Publication: 4 October 2021