Plethora or cornucopia, there’s no doubt that there’s a ton of threat intel out there.
Frequently, organizations are hit by un-targeted attacks or targeted attacks using known infrastructure or malware. Threat feeds are a powerful way to identify such attacks, and security mature organizations often compare their logs against IoCs in threat feeds. They’ll then follow up when there’s a hit for deeper investigation and incident response.
But you can also burn a lot of time chasing down a log event that generated an alarm because an IP address showed up on a threat feed, often only to find out that the server behind that IP was cleaned up long ago.
So, there’s a need for triage when utilizing threat feeds. You can’t follow up on everything, so how do you choose which hits to evaluate and prioritize? In this real training for free event we will look at how to do just that.
First, we’ll consider threat feed metadata. Mileage varies in the amount of metadata you get from different feeds. Most feeds include at least some sort of type and confidence level. But other feeds also provide:
- First seen
- Last seen
- Report ID from various incident response organizations
- Last updated
- Malware family
- Attack phase
But there are additional ways to speed up evaluation of hits against threat data. In this webinar, we’ll discuss how different IoC types require different evaluation, including file hashes, IP addresses, domain names, file paths, registry values, etc.
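To make the triage idea concrete, here is an added example (not code from the webinar or its sponsor) that scores threat-feed hits using the metadata listed above: the feed's confidence value is discounted by how stale the indicator is, with a different staleness half-life per IoC type, so a recently seen IP outranks one last seen months ago while a file hash barely decays at all. The field names, half-life values and sample hits are constructed assumptions for illustration.

```python
"""Triage scorer for threat-feed hits (added example; not the webinar's code).

Assumptions (constructed): each hit carries the feed metadata discussed in the
talk: IoC type, a 0-100 confidence, and first_seen / last_seen dates. The
half-life values are an illustrative starting heuristic, not a standard.
"""
from dataclasses import dataclass
from datetime import date

# Rough decay per IoC type: IPs get cleaned up or reassigned quickly, domains
# are somewhat stickier, and a file hash keeps identifying the same file.
STALENESS_HALF_LIFE_DAYS = {"ip": 14, "domain": 45, "hash": 10_000,
                            "path": 365, "registry": 365}

@dataclass
class Hit:
    ioc: str
    ioc_type: str      # "ip", "domain", "hash", "path", "registry"
    confidence: int    # 0-100 as supplied by the feed
    first_seen: date
    last_seen: date

def triage_score(hit: Hit, today: date) -> float:
    """Return 0-100: feed confidence discounted by indicator staleness."""
    half_life = STALENESS_HALF_LIFE_DAYS.get(hit.ioc_type, 30)
    days_stale = max((today - hit.last_seen).days, 0)
    decay = 0.5 ** (days_stale / half_life)
    return round(hit.confidence * decay, 1)

def prioritize(hits: list[Hit], today: date, floor: float = 25.0) -> list[tuple[Hit, float]]:
    """Rank hits worth an analyst's time, dropping those scoring below `floor`."""
    scored = [(h, triage_score(h, today)) for h in hits]
    return sorted([s for s in scored if s[1] >= floor], key=lambda s: -s[1])

# Constructed sample hits; addresses, domain and hash are made-up placeholders.
TODAY = date(2024, 3, 1)
SAMPLE_HITS = [
    Hit("198.51.100.7", "ip", 90, date(2023, 11, 1), date(2023, 12, 1)),   # 91 days stale
    Hit("203.0.113.9", "ip", 80, date(2024, 2, 20), date(2024, 2, 28)),    # 2 days stale
    Hit("bad-updates.example", "domain", 70, date(2024, 1, 5), date(2024, 2, 1)),
    Hit("c0ffee00" * 8, "hash", 95, date(2022, 1, 1), date(2022, 6, 1)),   # old but still valid
]

if __name__ == "__main__":
    for hit, score in prioritize(SAMPLE_HITS, TODAY):
        print(f"{score:5.1f}  {hit.ioc_type:8s} {hit.ioc}")
```

The stale IP with a high feed confidence drops out entirely, while the two-year-old hash stays at the top of the queue; tune the half-lives and floor to your own environment.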
Finally, there’s the growing trend of Threat Intelligence Platforms (TIP) that can help. If you find yourself dealing with multiple threat feeds that have overlap between them, varying levels of quality, and duplicate alerts – well, these are all things TIPs are intended to address. So, we’ll look at how TIPs provide aggregation, cleanup and curation of threat feeds.
Nicholas Ritter, from our sponsor LogRhythm, will join to discuss how threat intelligence data can be a valuable addition to a SIEM platform. He will discuss how broadening the context of threat list data enables it to be useful in more stages, including triage, threat hunting and response.
However, with this additional visibility comes the potential for additional analytics overhead or false positives. Nick will be reviewing lessons learned and best practices from the field to ensure that security analysts can most effectively leverage threat intelligence data.
Please join us for this real training for free session.