Integrating Threat Intelligence (TI) (part 1)
To read part 2, please click here
Introduction to Threat Intelligence (TI)
Some terminology and abbreviations used in this series:
- Threat Indicators- Known or suspected malicious entities such as IP addresses, domains, URLs and file hashes. Once imported, any use of them in your environment can raise an alert.
- Indicators of Compromise (IoC)- Artifacts and observed behaviors that show signs of malicious intent or an actual breach. IoC feeds are available as open source or as paid services.
- Alert Definitions- Detection logic built on top of the imported TI and IoCs so that a rule triggers only in the right context (for example an outbound connection to a listed IP rather than inbound scanning noise), reducing the false-positive load and alert fatigue in the SOC.
- Malware Information Sharing Platform (MISP)- An open source Threat Intelligence Platform (TIP) and a set of open standards for sharing threat information, including malware indicators, fraud and vulnerability information.
- Adversarial Tactics, Techniques, & Common Knowledge (ATT&CK)- A MITRE knowledge base of adversary tactics and techniques built from real-world observations. Microsoft Sentinel analytics rules and incidents are mapped to ATT&CK tactics and techniques.
- Structured Threat Information eXpression (STIX)- A standardized language for describing cyber threat information in a machine-readable format. STIX 1.x was XML-based; STIX 2.x, which current TAXII feeds and the Microsoft Sentinel TAXII connector use, is JSON-based.
- Trusted Automated eXchange of Indicator Information (TAXII)- An application-layer protocol for exchanging cyber threat intelligence (typically STIX content) over HTTPS.
- MineMeld Threat Intelligence Sharing- An open source TI processing tool from Palo Alto Networks that collects indicators from multiple sources and compiles them into formats compatible with ingestion into Microsoft Sentinel.
- ThreatConnect- A third-party TIP that integrates with Microsoft Sentinel through the Microsoft Graph Security threat indicators API; a comprehensive commercial offering available at additional cost.
Choosing the right Intel feeds for your needs
Microsoft Sentinel can import TI from multiple sources to improve detection and prioritization of known threats and IoCs. Once indicators are imported, the following Microsoft Sentinel features can make use of them:
- Analytics- Provides a set of scheduled rule templates that can be enabled to generate alerts and incidents when log events match your threat indicators.
- Workbooks- Summarize the TI imported into Microsoft Sentinel and any alerts generated by analytics rules matching your threat indicators.
- Hunting- Hunting queries let security analysts use threat indicators within the context of common hunting scenarios.
- Notebooks- Jupyter notebooks that can use threat indicators to investigate anomalies and hunt for malicious behavior.
Open source TI feeds, such as the MISP open source TIP, MineMeld by Palo Alto Networks, or any feed based on the OASIS STIX/TAXII standards (originally developed at MITRE), should be obtained as well. Additional commercial TI feeds, such as the ThreatConnect platform, can be purchased from solution providers.
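The two ideas above, a STIX/TAXII feed turned into usable threat indicators and an alert definition that only fires in the right context, are shown end to end in the following added example. It is not code from the original post or from Microsoft Sentinel; the STIX 2.1 bundle, the log events and the log field names (`dst_ip`, `query`, `sha256`, `direction`) are constructed for illustration, and the fixed `EXAMPLE_NOW` timestamp only exists so the expiry check is reproducible. Indicators that are revoked, expired, not yet valid, below a confidence threshold or expressed as compound patterns are dropped before matching, and IP indicators are compared only against outbound destinations so inbound scanning from a listed address does not page the SOC.

```python
"""Parse a STIX 2.1 indicator bundle (as served over TAXII) into a lookup table
and match constructed log events against it, applying the context filters an
analytics rule would use to keep alert volume down.

Added example: hypothetical sample data, not code from the original post or
from Microsoft Sentinel.
"""
import json
import re
from datetime import datetime, timezone

# Simple single-comparison STIX patterns, e.g. "[ipv4-addr:value = '203.0.113.77']"
# or "[file:hashes.'SHA-256' = '...']". Compound patterns (AND/OR/FOLLOWEDBY)
# are deliberately not handled here and are skipped by load_indicators().
_SIMPLE_PATTERN = re.compile(r"^\[([^\s=]+)\s*=\s*'([^']*)'\]$")

# Map STIX object paths to the log field they are compared against.
# The log field names are assumptions for this example, not Sentinel schema.
_OBSERVABLE_TO_LOG_FIELD = {
    "ipv4-addr:value": "ip",
    "domain-name:value": "query",
    "url:value": "url",
    "file:hashes.'SHA-256'": "sha256",
}

# Fixed "now" so the expiry check below is reproducible (assumption).
EXAMPLE_NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)

# Constructed STIX 2.1 bundle shaped like a TAXII 2.1 collection response.
# Addresses are from TEST-NET-3 and the hash is a placeholder.
SAMPLE_BUNDLE = json.dumps({
    "type": "bundle",
    "id": "bundle--00000000-0000-4000-8000-000000000001",
    "objects": [
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000010",
         "name": "C2 address", "pattern_type": "stix", "confidence": 85,
         "pattern": "[ipv4-addr:value = '203.0.113.77']",
         "valid_from": "2024-01-10T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",
         "id": "indicator--00000000-0000-4000-8000-000000000011",
         "name": "Phishing domain", "pattern_type": "stix", "confidence": 70,
         "pattern": "[domain-name:value = 'bad.example.net']",
         "valid_from": "2024-02-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",   # expired
         "id": "indicator--00000000-0000-4000-8000-000000000012",
         "name": "Old sinkholed domain", "pattern_type": "stix", "confidence": 90,
         "pattern": "[domain-name:value = 'old.example.net']",
         "valid_from": "2024-01-01T00:00:00Z", "valid_until": "2024-03-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",   # revoked by the feed
         "id": "indicator--00000000-0000-4000-8000-000000000013",
         "name": "Dropper hash", "pattern_type": "stix", "confidence": 95,
         "pattern": "[file:hashes.'SHA-256' = '" + "0123456789abcdef" * 4 + "']",
         "valid_from": "2024-01-01T00:00:00Z", "revoked": True},
        {"type": "indicator", "spec_version": "2.1",   # too low confidence
         "id": "indicator--00000000-0000-4000-8000-000000000014",
         "name": "Unverified domain", "pattern_type": "stix", "confidence": 20,
         "pattern": "[domain-name:value = 'lowconf.example.net']",
         "valid_from": "2024-01-01T00:00:00Z"},
        {"type": "indicator", "spec_version": "2.1",   # compound pattern, skipped
         "id": "indicator--00000000-0000-4000-8000-000000000015",
         "name": "C2 on port", "pattern_type": "stix", "confidence": 80,
         "pattern": "[ipv4-addr:value = '203.0.113.78' AND network-traffic:dst_port = 4444]",
         "valid_from": "2024-01-01T00:00:00Z"},
    ],
})

# Constructed log events; event 2 is inbound scanning noise from the C2 address.
SAMPLE_EVENTS = [
    {"event_id": 1, "direction": "outbound", "src_ip": "10.0.0.5", "dst_ip": "203.0.113.77"},
    {"event_id": 2, "direction": "inbound", "src_ip": "203.0.113.77", "dst_ip": "10.0.0.5"},
    {"event_id": 3, "query": "Bad.Example.NET"},
    {"event_id": 4, "query": "old.example.net"},
    {"event_id": 5, "sha256": "0123456789abcdef" * 4},
    {"event_id": 6, "query": "lowconf.example.net"},
]


def _parse_ts(value):
    # STIX timestamps are RFC 3339 in UTC with a trailing "Z".
    return datetime.fromisoformat(value.replace("Z", "+00:00"))


def load_indicators(bundle_json, now=None, min_confidence=50):
    """Return {(log_field, value): info} for indicators that may raise alerts.

    Revoked, expired, not-yet-valid, low-confidence, non-STIX-pattern and
    compound-pattern indicators are dropped. A missing confidence is treated
    as 0 (i.e. untrusted) rather than as a match-everything default.
    """
    now = now or datetime.now(timezone.utc)
    lookup = {}
    for obj in json.loads(bundle_json).get("objects", []):
        if obj.get("type") != "indicator" or obj.get("revoked"):
            continue
        if obj.get("pattern_type", "stix") != "stix":
            continue
        if obj.get("confidence", 0) < min_confidence:
            continue
        if _parse_ts(obj["valid_from"]) > now:
            continue
        if "valid_until" in obj and _parse_ts(obj["valid_until"]) <= now:
            continue
        m = _SIMPLE_PATTERN.match(obj["pattern"])
        if not m:
            continue
        field = _OBSERVABLE_TO_LOG_FIELD.get(m.group(1))
        if field is None:
            continue
        lookup[(field, m.group(2).lower())] = {
            "id": obj["id"], "name": obj.get("name", ""), "confidence": obj["confidence"],
        }
    return lookup


def _candidate_value(event, field):
    # Context filter: IP indicators are compared only against outbound
    # destinations, so inbound scanning from a listed address is not an alert.
    if field == "ip":
        return event.get("dst_ip") if event.get("direction") == "outbound" else None
    return event.get(field)


def match_events(events, lookup):
    """Return one alert dict per (event, field) that hits a usable indicator."""
    alerts = []
    for event in events:
        for field in _OBSERVABLE_TO_LOG_FIELD.values():
            value = _candidate_value(event, field)
            if value is None:
                continue
            hit = lookup.get((field, str(value).lower()))
            if hit is None:
                continue
            alerts.append({"event_id": event["event_id"], "field": field, "value": value,
                           "indicator": hit["id"], "name": hit["name"],
                           "confidence": hit["confidence"]})
    return alerts


if __name__ == "__main__":
    for alert in match_events(SAMPLE_EVENTS, load_indicators(SAMPLE_BUNDLE, now=EXAMPLE_NOW)):
        print(alert)
```

Running it alerts on event 1 (outbound connection to the C2 address) and event 3 (DNS query for the phishing domain, matched case-insensitively) and on nothing else. In Microsoft Sentinel the same filtering is what the built-in TI map analytics rules do in KQL: they join the log table against the ThreatIntelligenceIndicator table restricted to `Active == true` and `ExpirationDateTime > now()`, so indicators the feed has revoked or let expire stop generating incidents without anyone editing the rule.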