(The following is a guest post written by Nick Hayes, director of content marketing and communications at Flashpoint. You can see the original post here.)
Technical IOCs Only Take You So Far
It’s easy to overlook the human elements behind cyber threats and cyberattacks. We tend to focus our time analyzing the technical mechanics behind executed attacks, their vulnerabilities and exploits, and their potential mitigation techniques. While all of these are important factors, they don’t account for the people behind the threat. This ultimately leaves you exposed and without the crucial context you need as you allocate security resources and evaluate the assets most likely to be targeted.
Know Your Adversary’s Next Move
Remember: People are behind every cyber threat. People with different skill sets and tendencies who operate in different regions across the globe and are driven by a range of financial, political and ideological motivations. By homing in on these human behaviors, you can develop detailed threat profiles that include context about:
- Motives to unearth why and what attackers are after. Understand why attackers are attacking you. Are they singling out your organization, or is your exposure based on larger, distributed attack campaigns (e.g., WannaCry)?
- Tendencies to identify which exploits and attack methods they’ll use. Threat actors have their preferences when it comes to tactics, techniques, and procedures (TTPs), as well as the targets they choose as a result. Whether it’s out of familiarity, skill set, or historical success, these tendencies provide the context you need to set your security strategy and prioritize mitigating controls.
- Targets to assess your value at risk (VaR). Based on the above context, you can make further inferences as to which digital and physical assets may be vulnerable, as well as the financial and reputational value to the business that is potentially at stake.
Use SOAR to Accelerate Threat Intelligence Action
Intelligence is only as valuable as the decisions and outcomes that it facilitates, as well as the velocity at which these actions are taken. When threat intelligence is coupled with security orchestration, automation, and response (SOAR) technology – such as with our Flashpoint-Siemplify integration – you unlock drastic improvements to operational and strategic tasks. More specifically, by supercharging your threat intelligence with SOAR, you can:
- Accelerate threat detection and response. Based on a range of predetermined parameters and threat indicators, you can trigger threat alerts and entire SOAR playbooks simultaneously. This ensures timely stakeholder notification, review, and response. And, as a result, it improves operational performance metrics, such as mean-time-to-detect (MTTD) and mean-time-to-respond (MTTR).
- Enrich CVE and other security data with deeper threat context. In addition to net-new threat identification, threat intelligence also offers valuable threat context about previously identified CVEs, IOCs, or other relevant security, access, and event data. With the right SOAR playbooks, you can unify security event data with deeper contextualized results.
- Eliminate manual analyst work, inefficiencies, and redundancies. Security automation relieves SOC analysts of mundane, repetitive tasks and reduces the number of dashboards and portals they need to use. In addition, SOAR playbooks can execute entire process workflows, which is particularly valuable for dealing with an overabundance of low-priority incidents.
- Extend threat intelligence to the security tools and applications you already use. Siemplify offers a wide array of security technology integrations for quick, easy implementations. They enable the continuous exchange of security data and threat intelligence to any one or more of these tools, as well as to any disconnected, in-house systems and applications you might also manage.
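As an added illustration of the enrichment and prioritization described above (example code written for this post, not Flashpoint’s or Siemplify’s integration), the following joins an alert’s CVE or IOC against constructed actor profiles carrying the motive, TTP and target context from the earlier section, decides whether a playbook should fire, and computes MTTD/MTTR from incident timelines. All actor names, CVE numbers, IP addresses and timestamps are placeholders.

```python
from datetime import datetime
from statistics import mean

# Constructed, placeholder actor profiles (not real intelligence). Each carries
# the human context the post describes: motive, TTP tendencies, preferred
# target sectors, and the CVEs / IOCs previously tied to the actor.
ACTOR_PROFILES = {
    "ACTOR-A": {"motive": "financial", "ttps": ["phishing", "ransomware"],
                "target_sectors": {"finance", "healthcare"},
                "cves": {"CVE-0000-0001"}, "iocs": {"203.0.113.10"}},
    "ACTOR-B": {"motive": "opportunistic", "ttps": ["mass scanning", "worm"],
                "target_sectors": set(),  # indiscriminate, campaign-style
                "cves": {"CVE-0000-0002"}, "iocs": {"198.51.100.7"}},
}

def enrich(alert, org_sector):
    """Join an alert's CVE/IOC against actor profiles and assign a priority.

    The same indicator ranks differently depending on who is behind it: an
    actor that deliberately targets the organisation's sector outranks an
    indiscriminate campaign, which outranks an indicator with no known actor.
    """
    matches = []
    for name, p in ACTOR_PROFILES.items():
        if alert.get("cve") in p["cves"] or alert.get("ioc") in p["iocs"]:
            matches.append({"actor": name, "motive": p["motive"],
                            "ttps": p["ttps"],
                            "targets_us": org_sector in p["target_sectors"]})
    if any(m["targets_us"] for m in matches):
        priority = "high"
    elif matches:
        priority = "medium"
    else:
        priority = "low"
    return {**alert, "actors": matches, "priority": priority,
            "trigger_playbook": priority != "low"}

def mean_times(incidents):
    """MTTD and MTTR in minutes from (first_seen, detected, resolved) ISO times."""
    gap = lambda a, b: (datetime.fromisoformat(b)
                        - datetime.fromisoformat(a)).total_seconds() / 60
    return {"mttd": mean(gap(f, d) for f, d, _ in incidents),
            "mttr": mean(gap(d, r) for _, d, r in incidents)}

if __name__ == "__main__":
    print(enrich({"id": 1, "cve": "CVE-0000-0001"}, "finance"))   # high
    print(enrich({"id": 2, "ioc": "198.51.100.7"}, "finance"))    # medium
    print(mean_times([("2020-01-01T10:00:00", "2020-01-01T10:30:00",
                       "2020-01-01T12:30:00")]))                  # 30 / 120
```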
For an even deeper dive on this topic, please join us at SOCStock 2020, happening Thursday, for the Flashpoint session “The Human Side of Incident Response,” which starts at 4:30 p.m. ET.