Traditional Security Operation Centers (SOC) are reactive, relying primarily on preventative and signature based technologies. In recent years this approach has proven ineffective against both common and advanced threats that are increasing in sophistication, velocity and volume. It seems organizations are always one step behind their adversaries.
Instead, organizations should adopt a Detect and Respond mindset, acknowledging that they may already have been breached. This necessitates a SOC model that can adapt and evolve at the same rapid pace as the threat environment. A 21st century SOC must also be able to proactively identify gaps in the organization's security posture, and detect/root out threat actors that traditional detection technologies may have missed.
Using threat Intelligence (TI) that provides situational awareness of threat actors and their Tactics, Techniques and Procedures (TTP), can enable a SOC to be more strategically and tactically focused. The challenge is dealing with, and not being overwhelmed by, the sheer volume of threat Intelligence available and determining what is relevant to the organization. The solution is to operationalize TI.
Typically, TI is used as a machine-readable list of IP-Addresses, Domain Names and file hashes to be correlated with security telemetry data. This reduces a wealth of situational awareness data to a glorified signature. In an intelligence-driven SOC, TI instead is used to continuously determine and adapt strategic orientation and tactical execution.
Threat actors must have a motive, the means and the opportunity to successfully target an organization. Threat Intelligence can be used operationally to determine these.
Evaluating Motive
Threat assessments evaluate potential threats to an organization based on their motive. Assessing the motive of a threat actor considers the business activities and objectives of an organization. Does it hold critical, valuable or sensitive data that specific threat actors typically target? Does it fit a threat actors target profile? A Healthcare organization for example holds patient data that can be used by a variety of malicious actors, from nation states seeking insights into geopolitical adversaries, to cyber criminals extorting ransoms by encrypting the data to impact operational integrity.
Determining Means
Determining the means of a threat actor is also accomplished during the threat assessment and additionally during the initial discovery phase of a threat simulation. It can be deduced by analyzing their TTPs. For example, does a threat actor have access to a sophisticated toolchain to obtain a persistent foothold in an environment, do they have a recognizable Modus Operandi (MO)? For example, do they typically target privileged users via spear phishing. The TTPs and MO can then be compared to existing security measures to evaluate whether there are any existing gaps and to guide strategic decisions on where to focus budget, resources and required processes.
Assessing Opportunity
Assessing whether a threat actor has the opportunity to successfully target the organization is done using a combination of threat simulations, conducting objective based ethical hacking exercises and by correlating vulnerabilities discovered in the environment.
Vulnerability Remediation Prioritization
Research has consistently shown that the majority of malware, ransomware and exploit kits target a small subset of older and medium severity vulnerabilities. Most organizations prioritize remediation purely on severity, such as a CVSS score above 8. In practice this means that the majority of security time and resources are spent on remediating vulnerabilities that represent a high risk on paper, but not necessarily in reality.
An intelligence-driven approach will consider which vulnerabilities are actively being targeted by threat actors in the wild, who they are targeting, why and how. The vulnerability in this case is the anchor used to operationalize TI, because it allows the organization to correlate vulnerability intelligence with operational intelligence.
Threat Simulation
A threat simulation assesses an organization's existing security measures to verify that they can defend against a specific threat, and to identify gaps. If an attacker leverages spear phishing, the organization can evaluate whether its users have been trained to identify phishing attempts. Is there a prevention stack in place that can block these? If an attempt succeeds, can the organization detect the attempt or the consequent privilege escalation and lateral transfer, and is it able to contain the attack?
Objective-based Ethical Hacking
An objective based ethical hack will replicate the TTPs of a specific threat or threat actor. Rather than conducting a penetration test, where the goal is to identify exploitable vulnerabilities, an objective based approach will closely follow the same MO as a real-world threat. For example, the exercise will replicate sending a phishing email to the executive team, with the objective of being able to elevate privileges and move laterally within the network to gain access to the financial data of the organization. This permits a thorough assessment of people, processes and technologies to enable improvement, address gaps and identify mitigating controls.
These exercises must be conducted regularly and continuously to align and realign the organization's security operations and strategy to real world threats. The result is an intelligence-driven, adaptive and dynamic SOC.
About the Author: Oliver Rochford is the Vice President of Security Evangelism at DFLabs. He previously worked as research director for Gartner, and is a recognized expert on threat and vulnerability management, cyber security monitoring and operations management. Oliver has also been a security practitioner and white hat hacker for Tenable Network Security®, HP Enterprise Security Services, Verizon Business, Secunia® (now Flexera Software), Qualys®, and Integralis (now part of NTT Com Security).
