Combating advanced persistent threats (APTs) requires using analytics to make threat intelligence relevant to an organization. But some organizations may need to reconsider their approach to analysis, said Justin Lachesky, cyber intelligence analyst at Lockheed Martin.
“Analysis is much more than collecting an alert or documenting an event,” Lachesky said.
Companies need to move away from the mindset of analyzing each incident as an independent event, he said during a webinar co-hosted with Cybereason on the four steps of combating APTs. Instead, enterprises should understand that attacks are complex and contain multiple stages, and therefore look at incidents across the lifecycle of the attack. Each incident should be observed in the context of everything else that is occurring in the IT environment.
“There’s a lot of threat data available, but without having an understanding of what it means or how you can use it defensively, its usefulness is pretty limited,” Lachesky said.
Analysis is the process of collecting information to develop intelligence on the attack and how the enemy operates, he added. Without applying analysis, the defensive value of threat information is very limited. For example, handing a security analyst a potentially malicious IP address doesn’t offer much value from a defensive perspective.
A security analyst would wonder, “Where do I start? Should I look in HTTP? Should I perform perimeter scanning?” he said.
But using analysis to gain some context around the IP address makes it much more valuable to a defender. If you use analysis to determine that the IP address is hosting second-stage malware, you can see where the address fits into the attack, he said.
“I can improve my understanding of the attacker in terms of their infrastructure, their tools, techniques and procedures. That feeds into knowing my enemy and improving my defenses,” he said.
Developing a process that transforms information into intelligence is a major challenge for companies given the scale and volume of data they receive, said Cybereason CTO Yonatan Striem-Amit.
An organization will rarely have specific information about a malicious IP address used by the attackers. A more practical approach is for an organization to detect more generalized information, he said. For example, a business could use intelligence about the tools, techniques and procedures that attackers commonly rely on, such as using stolen credentials together with certain tools and scripts, he said.
Knowing those details allows a company to search for these behavioral techniques, Striem-Amit said. Given the scope of modern IT environments, companies need a way to automatically search for such behavioral indicators, including minor events that would not be alarming on their own.
“You can transform information into something you can use to find that particular behavior,” he said.
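As an added illustration of the point made above, that a defender should hunt for a behavioral pattern across the attack lifecycle rather than treat each alert as an independent event, the following script correlates individually minor events per host into ordered multi-stage chains. It is example code written for this page, not code from the webinar speakers or their companies; the event types, stage names, time window and sample events are constructed assumptions.

```python
# Added example, not code from the webinar speakers or their companies.
# Event types, stage names and the sample log below are constructed.
from collections import defaultdict
from datetime import datetime, timedelta

# Hypothetical mapping of low-level (individually minor) events to lifecycle stages.
STAGE_OF = {
    "logon_from_new_source": "credential_use",
    "script_interpreter_spawned": "execution",
    "outbound_to_rare_host": "command_and_control",
}
STAGE_ORDER = ["credential_use", "execution", "command_and_control"]

# Constructed sample events: (host, timestamp, event type). Not real telemetry.
SAMPLE_EVENTS = [
    ("ws-17", "2024-01-10T09:02:00", "logon_from_new_source"),
    ("ws-17", "2024-01-10T09:05:30", "script_interpreter_spawned"),
    ("ws-17", "2024-01-10T09:07:10", "outbound_to_rare_host"),
    ("ws-42", "2024-01-10T11:00:00", "script_interpreter_spawned"),  # lone event
    ("ws-09", "2024-01-10T08:00:00", "logon_from_new_source"),
    ("ws-09", "2024-01-10T15:00:00", "outbound_to_rare_host"),  # hours apart
]


def find_attack_chains(events, window=timedelta(minutes=30), min_stages=2):
    """Return {host: [stages]} for hosts whose events, within `window` of the
    host's first event, cover at least `min_stages` lifecycle stages in order.
    Each event on its own would be noise; the ordered sequence is the signal."""
    by_host = defaultdict(list)
    for host, ts, etype in events:
        if etype in STAGE_OF:  # unmapped event types are ignored
            by_host[host].append((datetime.fromisoformat(ts), STAGE_OF[etype]))
    chains = {}
    for host, evs in by_host.items():
        evs.sort()
        start, seen = evs[0][0], []
        for ts, stage in evs:
            if ts - start > window:
                break
            # Only count a stage that advances the lifecycle past what was seen.
            if not seen or STAGE_ORDER.index(stage) > STAGE_ORDER.index(seen[-1]):
                seen.append(stage)
        if len(seen) >= min_stages:
            chains[host] = seen
    return chains


if __name__ == "__main__":
    for host, stages in find_attack_chains(SAMPLE_EVENTS).items():
        print(host, "->", " > ".join(stages))
```

Only ws-17 is reported, because its three minor events line up as credential use, execution and outbound traffic within the window; the single event on ws-42 and the two widely separated events on ws-09 are left as context rather than raised as alerts.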
Applying threat intelligence to a defense plan requires visibility into a company’s IT environment as well as into the adversary’s actions, a point Lachesky and Striem-Amit covered in an earlier blog.
To learn the four secrets defenders can use to combat APTs, read our white paper.