Threat Intelligence plays a major role in the modern Security Operations Center (SOC). This threat data can help analysts to detect security incidents earlier, take more informed actions, and implement security controls to defend against known threats.
Threat Intelligence includes context about threat actors, their intentions and their methods. It also includes Indicators of Compromise (IOC’s), which include IP addresses, domain names, URLs, file hashes, and more, that are known to be malicious. If one of these blacklisted items shows up in your event logs, it’s a good indicator that your network has been compromised.
There are three broad categories where IOC’s are useful to SOC personnel. The first is detecting threats by analyzing logs for any sign of an IOC. Important logs include:
- Inbound firewall connections to detect recon activity
- Outbound firewall connections to detect malware calling home to command and control servers
- Web proxy logs to detect malicious sites spreading malware
- Network flow data to detect data exfiltration or unusual activity
The second use of IOCs is to triage and prioritize alerts from “noisy” tools like IDS/IPS, SIEM and UEBA. These security tools have to potential to create a large number of alerts that can overwhelm a SOC without the right processes in place. Cygilant’s SOC team makes extensive use of threat intelligence to prioritize alerts and investigate potential security incidents before raising the alarm with our security monitoring clients. IOC’s help security analysts focus on the most important alerts first.
And finally, IOCs provide a building block for continuous security improvements. Once you find an IOC in your environment, there are a number of sources (both commercial and open-source) that provide additional info on the threat. Understanding the attacker and their modus operandi allows the SOC to take proactive hardening steps, like blocking certain ports and services or updating IDS signatures. For example, a blacklisted IP detected in your logs is associated with a crypto-miner exploiting a vulnerability in Oracle servers. If you have the vulnerable software in question, now would be a good time to proactively remediate CVE-2017-10271.
Cygilant’s SOCVue security operations and analytics platform delivers continuous threat intelligence to help our clients detect, prioritize and respond to security threats.
Let the Cygilant SOC team deploy and manage SIEM and log management, so you can focus your team on high-value response and hardening activities. All alerts are correlated with our continuous threat intelligence in addition to being investigated by a human analyst. You are notified when action is required and provided with context and remediation guidance.