Monday, February 29, 2016

Leveraging Threat Indicator Confidence

“Understanding the relevancy of a threat is a critical aspect of reducing risk in your environment”
Threat confidence is defined as a measure of how relevant a threat is to an organization. It is a multi-faceted determination that encompasses the many places and ways in which threats can arise on the global Internet.
Determining threat confidence starts with a model of the Internet and of the communications that occur across it.
Layer 1: Network Devices, Infrastructure and Connectivity
At the heart of the Internet model is the network itself. This includes both the endpoints (e.g. phones, laptops, servers) and the network infrastructure that those endpoints connect to and use to transport data between one another. Without devices, or networks to connect them, no communications would occur. But without an understanding of how communications are transported between devices, the Internet is a black box that can be manipulated or subverted without organizations being aware of the impact on their security.
Layer 1 is the basis of threat confidence. A network device that never connects to your organization’s network is likely not relevant to any threat. Infrastructure that your organization uses to connect to the global Internet is extremely relevant to threats. Infrastructure that is insecure is likely a poor choice for your organization and will have a large impact on the threats you face. Endpoints that connect to or communicate with your network are extremely relevant to threats.
Layer 2: Applications
The next layer in our model is the application layer: the (good or malicious) applications that run over the network devices and network infrastructure. Capturing which applications run on the network devices is vital to knowing what occurs on the network. The ability to identify applications and their associated behaviors (the devices they communicate with, the ports and protocols used, typical payloads exchanged, frequency of exchanges, etc.) contributes to a greater understanding and predictability of future events. Without this understanding, the use of the Internet again becomes a black box that can be manipulated and controlled from the outside. Botnets are an example of an application created to take control of other devices and make them behave in unexpected ways.
By characterizing applications and their expected behaviors, the lower layer of network threat confidence can be enhanced and then complemented with application threat confidence.
Layer 3: Users and Owners
Once we have built threat confidence for networks and applications, the next important artifact of global Internet use to determine is the user or owner information associated with the applications and network devices. Network infrastructure ownership is typically known because of the registration requirements for connecting devices to the global Internet. Both autonomous system (AS) and CIDR block ownership can help organizations determine whether those network entities should be communicated with and trusted. The reasons these technologies exist are legitimate, but they can also aid threat actors. If an organization has identified a known malicious actor, then any communications between the organization and that actor’s web site or server, irrespective of protocol or application, are likely worth further investigation.
Threat confidence is enhanced with greater knowledge of users or owners of networks.
Layer 4: Analyst
The role of the human threat analyst, and the analysis they provide to enrich raw threat intelligence data, cannot be overstated. Having automated means to gather network, application and user observations and provide them to humans for analysis is crucial. But there is a limit to automation, as human knowledge and experience have yet to be captured by programmatic means. It is crucial to have a human analyst as part of any threat confidence model that produces threat confidence for consumption by other security teams.
Many threat characteristics are known within organizations only informally, by word of mouth, and are not easily determined by programs. This type of information guides analysis and outcomes. Therefore, having the analyst customize and annotate the observations is a critical aspect of making the information relevant and actionable to an organization.
Threat confidence annotation and customization by the experienced human threat analyst is critical.
Layer 5: Workflow
The final layer for threat confidence is not really a layer in itself but one that connects and penetrates layers 1-4. It requires threat confidence to be integrated into an organization’s processes and security environment. Threat confidence and relevant data have limited usefulness if they cannot be acted upon quickly and effectively, without delays and dead ends. Two factors drive the usefulness of threat confidence:
Easy consumption of threat confidence by other systems, and
Easily interpreted and actionable results.
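To make the five layers concrete, here is an added example (not code from the original post) that scores one indicator the way the model describes: layer 1 decides whether the indicator is relevant at all, layers 2 and 3 add application-behaviour and ownership evidence, layer 4 applies the analyst’s adjustment and annotation, and layer 5 emits a record another system can consume. The reference data (an internal CIDR, an actor-attributed CIDR, a set of suspicious ports) and the weights and thresholds are constructed for illustration; a real deployment would derive them from its own telemetry and intelligence sources.

```python
import json
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Observation:
    """Everything the automated layers collected about one indicator."""
    indicator: str                       # IP address under assessment
    seen_on_our_network: bool            # layer 1: did it talk to our endpoints?
    ports: tuple = ()                    # layer 2: destination ports observed
    beaconing: bool = False              # layer 2: periodic, fixed-size exchanges
    analyst_note: Optional[str] = None   # layer 4: free-text annotation
    analyst_adjust: int = 0              # layer 4: manual score adjustment


# Constructed reference data for this example only (RFC 5737 ranges).
OUR_NETWORKS = [ip_network("10.0.0.0/8")]                              # infrastructure we own
KNOWN_ACTOR_NETWORKS = {ip_network("203.0.113.0/24"): "ACTOR-EXAMPLE"}  # layer 3 ownership
SUSPICIOUS_PORTS = {4444, 6667}                                          # layer 2 behaviour hint


def layer1_network(obs):
    """Layer 1: an indicator that never touches our network is not relevant."""
    if not obs.seen_on_our_network:
        return 0, ["layer1: never observed on our network"]
    return 30, ["layer1: observed communicating with our endpoints"]


def layer2_application(obs):
    """Layer 2: observed application behaviour adds evidence."""
    score, reasons = 0, []
    bad_ports = sorted(set(obs.ports) & SUSPICIOUS_PORTS)
    if bad_ports:
        score += 20
        reasons.append(f"layer2: suspicious ports {bad_ports}")
    if obs.beaconing:
        score += 20
        reasons.append("layer2: beaconing pattern")
    return score, reasons


def layer3_ownership(obs):
    """Layer 3: who owns the address space the indicator lives in."""
    addr = ip_address(obs.indicator)
    for net, actor in KNOWN_ACTOR_NETWORKS.items():
        if addr in net:
            return 40, [f"layer3: address space attributed to {actor}"]
    if any(addr in net for net in OUR_NETWORKS):
        return -30, ["layer3: our own infrastructure"]
    return 0, ["layer3: ownership not notable"]


def layer4_analyst(obs):
    """Layer 4: the analyst's adjustment and annotation are applied last."""
    reasons = []
    if obs.analyst_adjust:
        reasons.append(f"layer4: analyst adjustment {obs.analyst_adjust:+d}")
    if obs.analyst_note:
        reasons.append(f"layer4: {obs.analyst_note}")
    return obs.analyst_adjust, reasons


def assess(obs):
    """Combine layers 1-4 into a 0-100 confidence plus the reasons behind it."""
    score, reasons = layer1_network(obs)
    # Layer 1 gate: an indicator we never see is irrelevant, so stop here.
    if not obs.seen_on_our_network:
        return {"indicator": obs.indicator, "confidence": 0,
                "verdict": "ignore", "reasons": reasons}
    for layer in (layer2_application, layer3_ownership, layer4_analyst):
        delta, why = layer(obs)
        score += delta
        reasons.extend(why)
    score = max(0, min(100, score))
    verdict = "block" if score >= 70 else "investigate" if score >= 40 else "ignore"
    return {"indicator": obs.indicator, "confidence": score,
            "verdict": verdict, "reasons": reasons}


def to_record(obs):
    """Layer 5: a machine-readable record other security systems can act on."""
    return json.dumps(assess(obs), sort_keys=True)


if __name__ == "__main__":
    # Constructed sample observations.
    samples = [
        Observation("203.0.113.7", True, ports=(4444, 443), beaconing=True,
                    analyst_note="matches constructed incident ticket", analyst_adjust=10),
        Observation("198.51.100.5", False, ports=(4444,), beaconing=True),
        Observation("10.1.2.3", True, ports=(443,)),
        Observation("192.0.2.9", True, ports=(6667,)),
        Observation("192.0.2.9", True, ports=(6667,),
                    analyst_note="known false positive: partner chat service", analyst_adjust=-40),
    ]
    for s in samples:
        print(to_record(s))
```

The last two samples show why layer 4 matters: the same automated observations score as “investigate” on their own, but the analyst’s annotation and adjustment turn a known false positive into “ignore”, and the reason list carries that annotation to whoever consumes the record.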
Summary
Threat confidence can be an extremely powerful indicator of the relevancy of a threat to an organization. To establish accurate threat confidence, a comprehensive approach encompassing network, applications, users, analysts and workflow is required.
Use Threat Intelligence to “Know More. Risk Less. Act Confidently.”

5 comments:

  1. Very interesting post. This reminds me of the network stack (except for level 5, workflow). They both have layers that build on the one prior. Very useful information for security analysis, thanks.
    -Brett

  2. This model would help organizations mitigate cyber threats.

  3. Nice post! It surely helps to reduce the risks.

  4. Nice post! It surely helps to reduce the risks.

  5. Building a threat model with these threat confidence levels for a system can be a good technique for risk mitigation.