Article by Anthony Stitt, ThreatQuotient director for APJC.
Cybersecurity teams rely on two primary open-source platforms within their security operations (SecOps). The first is the Malware Information Sharing Platform (MISP), which allows the storing and sharing of indicators of compromise (IoCs) with other MISP users. The second is TheHive, designed for security incident response (IR). The two solutions are tightly integrated so that Security Operations Centres, CERTs and any security practitioner can act more quickly when incidents happen.
For organisations with limited resources or just beginning to build a SecOps practice, MISP and TheHive are easy-to-use tools to help teams react to malicious threats.
Organisations should leverage MISP and TheHive to create a cyber threat intelligence (CTI) practice in order to proactively mitigate risk from the full breadth of threats. To do this, they should consider a third platform that integrates with these two solutions and provides five essential capabilities for a CTI practice so that teams can get ahead of threats.
Aggregate all the data needed
To gain a comprehensive understanding of the threats organisations face, gathering internal data from across the entire ecosystem is critical. This includes the telemetry, content and data created by each layer in the security architecture, on-premises and in the cloud.
With the right internal threat data aggregated in a platform serving as a central repository, the next step is to enrich it with external threat data from the multiple sources the organisation subscribes to. This can include open source (MISP and others), commercial, government, industry, existing security vendors — as well as frameworks like MITRE ATT&CK.
Out-of-the-box connectors make this easy. But it’s also important to leverage custom connectors to ingest data from new sources of threat data as new crises occur — for example, the SolarWinds Orion security breach.
Security teams can derive more value from threat intelligence by organising relationships across the entire Pyramid of Pain. The Pyramid of Pain starts at the bottom with basic indicators and moves up to include malware families and campaigns, adversaries, and tactics, techniques and procedures (TTPs).
Make threat data usable for analysis and action
With all the threat data in one manageable location, it is crucial to understand where to focus organisational resources to mitigate risk.
To start, the platform must automatically deduplicate and normalise the data so that it is in a uniform format for analysis and action. Because these threat feeds will inevitably contain irrelevant data, the ability to prioritise threat data based on the organisation's own definition of priority is critical.
Teams can keep threat intelligence accurate by enforcing expiration strategies that acknowledge the different life cycles of disparate pieces of intelligence. This allows teams to focus on sending relevant threat intelligence directly to the sensor grid (firewalls, IPS/IDS, routers, endpoint, and web and email security) to harden security controls.
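An added example, not code from the article or from any vendor product, of the normalise, deduplicate, expire and prioritise steps described above, run over a constructed feed of MISP-style attributes. Attribute type names follow MISP's conventions; the per-type lifetimes and per-source weights are assumed, illustrative values.

```python
from datetime import datetime, timedelta, timezone

# Assumed lifetime per MISP attribute type (illustrative): network
# indicators churn fast, file hashes stay valid far longer.
TTL_DAYS = {"ip-dst": 7, "domain": 30, "url": 30, "sha256": 365}
# Assumed weight per source; a vetted feed counts more than a community one.
SOURCE_WEIGHT = {"commercial": 3, "misp-community": 1, "internal-ir": 4}

def normalise(attr):
    """Canonical (type, value) key so differently spelled copies collide."""
    value = attr["value"].strip()
    if attr["type"] in ("domain", "url"):
        value = value.replace("[.]", ".").lower().rstrip(".")   # undo defanging
    elif attr["type"] == "sha256":
        value = value.lower()
    return attr["type"], value

def dedupe(attrs):
    """Merge attributes with the same key; keep newest sighting, all sources."""
    merged = {}
    for a in attrs:
        key = normalise(a)
        seen = datetime.fromisoformat(a["timestamp"])
        entry = merged.setdefault(key, {"type": key[0], "value": key[1],
                                        "last_seen": seen, "sources": set()})
        entry["last_seen"] = max(entry["last_seen"], seen)
        entry["sources"].add(a["source"])
    return list(merged.values())

def prioritise(indicators, now):
    """Drop expired indicators, score the rest, highest priority first."""
    live = []
    for ind in indicators:
        if now - ind["last_seen"] > timedelta(days=TTL_DAYS.get(ind["type"], 14)):
            continue  # expired: never push a stale block to the sensor grid
        score = sum(SOURCE_WEIGHT.get(s, 1) for s in ind["sources"])
        live.append({**ind, "score": score})
    return sorted(live, key=lambda i: i["score"], reverse=True)

# Constructed sample feed: one domain spelled two ways, plus a stale IP.
SAMPLE = [
    {"type": "domain", "value": "Evil[.]Example.com", "source": "misp-community", "timestamp": "2024-03-01T00:00:00+00:00"},
    {"type": "domain", "value": "evil.example.com.", "source": "commercial", "timestamp": "2024-03-05T00:00:00+00:00"},
    {"type": "ip-dst", "value": "192.0.2.10", "source": "misp-community", "timestamp": "2024-01-01T00:00:00+00:00"},
]

def sensor_grid_feed(attrs=SAMPLE, now=datetime(2024, 3, 10, tzinfo=timezone.utc)):
    """What would be pushed to firewalls/IDS: deduplicated, live, ranked."""
    return prioritise(dedupe(attrs), now)
```

With the sample feed, the two spellings of the domain collapse into one indicator carrying both sources, and the IP last seen in January is dropped as expired rather than pushed to the sensor grid.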
Build organisational memory
This central repository is a structured library that also serves as organisational memory for learning and improvement. As new data and learnings are added to the library from the MISP community, TheHive and other trusted sources, intelligence is automatically re-evaluated and re-prioritised.
The CTI programme continues to improve by maintaining trusted information, and the library helps accelerate actions. For example, an analyst who is new to a specific threat can benefit from this shared knowledge to accelerate their analysis, decision-making and actions.
Support additional use cases
Because threat intelligence is the lifeblood of security operations, a CTI programme allows organisations to address other top use cases. Integrating with TheHive covers incident response; integrating with a wider ecosystem of tools extends support to other use cases, including spear phishing, threat hunting, alert triage and vulnerability management.
In each of these use cases, context is critical to understanding the who, what, where, when, why and how of an attack. With the ability to analyse multi-source threat intelligence, security teams can determine the right actions to take.
Within the platform, real-time dashboards provide the data, metrics and status updates that are important for each specific stakeholder to monitor. This includes: providing regular reports to executive leadership with KPIs that are important to them, and immediate access to relevant intelligence organised in one location for ad hoc reporting on the latest threat.
When an attack happens, security teams can be ready with information about who is attacking, what is already known, and the steps being taken to mitigate damage.
MISP is an excellent source for information sharing, and connecting it with TheHive accelerates incident response. Leveraging the two solutions to create a CTI programme takes an organisation’s SecOps to the next level.
With a platform that works with both and is purpose-built for threat-centric security operations, security teams aren’t just reacting to threats but proactively mitigating risk and even preventing attacks.