Effective exchange of threat information among many participants works like herd immunity: the more participants take part, the higher the probability of successfully resisting attackers. This article describes the culture of sharing such data and the main pitfalls of the area.

What is data exchange culture, and why is it needed?

There are at least three reasons to exchange threat information. First, to save money: preventing an attack is cheaper than cleaning up the damage afterwards. Second, social responsibility: fighting a common adversary together with other companies. Third, reputation: a company that is reasonably secure is trusted not only by customers but also by investors.

Several types of data shared by TI exchange participants can be distinguished:

According to the 2021 SANS Cyber Threat Intelligence (CTI) Survey, 66.3% of companies use open sources to collect indicators of compromise, and they try to work with several sources at once. Collecting indicators from open sources looks simple: download a txt or csv file from some website and you are done. In practice there are many problems along the way. This article describes what those difficulties are, what the structure and format of a feed depend on, which metrics help evaluate the usefulness of a feed, and shows, on a real example, what can be learned from a feed.

What are the pitfalls of open-source TI?

Let’s say it up front: you cannot avoid problems when working with indicators from open sources. The first time you load such indicators into your security tools, you will get thousands of hits per day. If you do not analyze even the first 100 hits, you will most likely give up on the whole thing and simply turn the feed off.

The main problems that have to be solved when collecting indicators from open sources are the following:

Challenge

Each of the company’s subsidiaries and branches has its own IT and OT networks.

The main goal of the OT cybersecurity department was to aggregate data on OT assets in one place, because with this up-to-date data they could carry out the various compliance procedures, both national and internal.

Inventory data was stored in completely different places:

  • Industrial IDS and AV system databases
  • Custom databases
  • Electronic documents
  • Paper documents, etc.

There was one more complication in this distributed set of tenants: many of them were built from the same standard design, so there were many different subnets with identical address ranges.

Colleagues needed automation, because trying to gather all this information by email was not efficient at all.

Results

After the PoC, the Defensys SGRC solution was selected to cover all of the objectives.

The system works in multitenancy mode. With this functionality, all assets can be stored in one location for later use in other cybersecurity processes, even when they have overlapping addresses.

All inventory data from the sources listed above is merged into specially designed asset cards, forming a unified resource-service model of the OT part of the company.

Defensys has released a new version of its platform for automating cybersecurity management processes, Defensys SGRC 5.0. In this version the vendor has enhanced the compliance, asset and vulnerability management features.

Many new regulatory standards strongly influence the system’s development. For instance, the SAMA framework, recently added to the platform, requires new reporting templates and assessment scales. The same applies to GDPR, the UAE IA Regulation framework and other standards, including customers’ in-house frameworks, which sometimes require different mathematics to calculate the resulting indexes after an audit is completed.

That is why Defensys SGRC 5.0 introduces an import/export feature for audit types. The audit type determines which scale is used for the assessment, which fields are available for filling in and how the statistics are calculated. This feature significantly speeds up transferring all the needed settings from a test segment or installation to the production server at the appropriate stage of an implementation project.

Challenge

The Computer Security Incident Response Team of an MSSP was facing a challenge typical for an MSSP: choosing the right SOAR platform to automate its internal incident management processes.

Key Requirements

When choosing the product the company considered several criteria, with the following key requirements:

  • MSSP-ready product with all necessary functions in place for delivering a high-speed incident response service
  • High quality and reliability
  • Minimum resources required for product maintenance and support
  • A mature development team and responsive first-line technical support helping to adapt the product to their needs

The managed security service provider team selected six SOAR products for initial comparison, four of which were tested in pilot projects.

After comparative analysis and testing, the team selected the Defensys SOAR platform.

The specifics of the MSSP

The MSSP has three tiers of incident monitoring working 24/7, with separate response and maintenance groups, forensics, threat hunting and other experts. The whole team follows a single integrated workflow that governs the incident management process and specifies tasks for each team member at each stage. This automated workflow includes 140 playbooks covering more than 100 threat detection scenarios.

Threat Intelligence (TI) platforms work with knowledge about cybersecurity threats: attacks, attackers, targets, motivations, tools, malware, vulnerabilities and indicators of compromise. This knowledge must be fact-based: verified, timely and sufficient to make decisions on adequate protection measures.

In general terms, an Indicator of Compromise (IoC) is a digital artifact that points to the potential maliciousness of the object it describes and/or to the fact that an information system has been compromised.

When working with TI data, the following types of indicators can be used:

  • IP addresses
  • domains
  • files
  • URLs (links)
  • file hashes
  • email addresses
  • bank card numbers
  • accounts

The life cycle of an indicator of compromise

Each indicator has its own life cycle, i.e. the period during which it retains its malicious activity with high probability. Some indicators are “dangerous” for a few days, others for months; the lifetime depends largely on the type: an IP address or URL is typically reassigned or taken down quickly, while a file hash identifies the same sample indefinitely. When its lifetime expires the indicator becomes irrelevant; in other words, it becomes obsolete.
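As an added example (not code from the article or from any Defensys product), the following Python script applies the life-cycle idea to a small constructed CSV feed of the indicator types listed above. It validates each entry by type, drops non-routable addresses and allow-listed domains of the kind that produce the flood of false positives described in the open-source TI section, and retires indicators whose assumed per-type lifetime has passed. The feed format, the lifetimes in TTL_DAYS and the allow-list are assumptions; tune them for your own environment.

```python
"""Load indicators from an open-source feed, drop malformed or noisy entries
and retire those whose lifetime has expired. Added example; feed format,
lifetimes and allow-list are assumptions, not a vendor's or the article's."""
import csv
import io
import ipaddress
import re
from datetime import date, timedelta

# Assumed lifetime per indicator type, in days. Infrastructure indicators age
# fast (IPs get reassigned, URLs get taken down); file hashes stay valid.
TTL_DAYS = {"ip": 14, "domain": 30, "url": 7, "md5": 365, "sha256": 365}

# Addresses that are never useful as a network IoC: RFC 1918, loopback,
# link-local, multicast and "this network". The documentation ranges (e.g.
# 203.0.113.0/24) are deliberately not listed so the constructed sample below
# can use them without naming a real host.
NOISE_NETS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4")]

# Assumed allow-list of domains that public feeds frequently list by mistake.
ALLOWLIST = {"google.com", "microsoft.com", "example.com"}

DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]{1,63}\.)+[a-z]{2,63}$")
HASH_LEN = {"md5": 32, "sha256": 64}


def normalize(ioc_type, value):
    """Return (normalized_value, None), or (None, reason) if unusable."""
    value = value.strip()
    if ioc_type == "ip":
        try:
            addr = ipaddress.ip_address(value)
        except ValueError:
            return None, "malformed ip"
        if any(addr in net for net in NOISE_NETS):
            return None, "non-routable ip"
        return str(addr), None
    if ioc_type == "domain":
        value = value.lower().rstrip(".")          # case and trailing dot
        if not DOMAIN_RE.match(value):
            return None, "malformed domain"
        if value in ALLOWLIST or any(value.endswith("." + d) for d in ALLOWLIST):
            return None, "allow-listed domain"
        return value, None
    if ioc_type == "url":
        if not re.match(r"^https?://\S+$", value):
            return None, "malformed url"
        return value, None
    if ioc_type in HASH_LEN:
        value = value.lower()
        if not re.fullmatch("[0-9a-f]{%d}" % HASH_LEN[ioc_type], value):
            return None, "malformed " + ioc_type
        return value, None
    return None, "unknown type"


def load_feed(text, today_iso):
    """Parse a CSV feed (type,value,last_seen) as of the given ISO date.

    Returns (active, dropped). An indicator is active while
    last_seen + TTL_DAYS[type] >= today; the expiry date is returned so the
    consumer can retire it later. Duplicate sightings keep the latest expiry.
    """
    today = date.fromisoformat(today_iso)
    active, dropped = {}, []
    for row in csv.DictReader(io.StringIO(text)):
        t = row["type"].strip().lower()
        norm, reason = normalize(t, row["value"])
        if reason:
            dropped.append((t, row["value"].strip(), reason))
            continue
        expires = date.fromisoformat(row["last_seen"].strip()) + timedelta(days=TTL_DAYS[t])
        if expires < today:
            dropped.append((t, norm, "expired on " + expires.isoformat()))
            continue
        if active.get((t, norm), date.min) < expires:
            active[(t, norm)] = expires
    return ([(t, v, e.isoformat()) for (t, v), e in sorted(active.items())], dropped)


# Constructed sample feed: a duplicate sighting, a private IP, a benign
# domain, the SHA-256 of an empty file (a classic feed artefact, here simply
# aged out) and a malformed hash.
SAMPLE_FEED = """type,value,last_seen
ip,203.0.113.45,2024-05-01
ip,203.0.113.45,2024-04-28
ip,10.0.0.7,2024-05-01
domain,Evil-Updates.Example.,2024-04-20
domain,www.google.com,2024-05-01
url,http://203.0.113.45/payload.exe,2024-05-06
sha256,E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,2023-01-01
md5,not-a-hash,2024-05-01
"""

if __name__ == "__main__":
    active, dropped = load_feed(SAMPLE_FEED, "2024-05-10")
    for item in active:
        print("ACTIVE ", *item)
    for item in dropped:
        print("DROPPED", *item)
```

Run as of 2024-05-10, three of the eight rows survive (the domain, the deduplicated IP and the URL), each with its expiry date; the rest are dropped with a reason, which is exactly the triage information you need before deciding whether a feed is worth keeping.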

Challenge

The bank uses a variety of solutions and services for collecting and analyzing cybersecurity alerts. To make the incident response process more efficient, the bank needed an advanced tool that would relate incident alerts to assets and users, automatically assign tasks to members of the cybersecurity team, automatically collect context and additional data from multiple sources, and automate security operations. The automation had to accelerate incident response and help minimize potential damage to the bank.

Key Requirements

  • Incident response automation
  • Automated collection of additional information
  • Automated task assignment and management for the employees
  • Automated vulnerability management process

Defensys products

The PoC for Defensys SOAR lasted quite a long time compared to the average testing period for Defensys products, and it proved that all the features of the cybersecurity management platform, which combines the Defensys SOAR and Defensys SGRC products, could cope with the tasks.

All critical assets were discovered and structured in the Defensys platform during the testing period. Tight integration with the security tools in use and with external monitoring services was configured.

Defensys has updated the Defensys Threat Intelligence Platform (TIP) to version 2.5. The key changes affect the logic for enriching indicators of compromise, the bulletin tool and vulnerability cards, and there are also major changes in the system interface.

In the new version of Defensys TIP, IoC enrichment has been improved with additional context. Users can now configure the maximum number of days for which enrichment data is stored. After that period the system automatically re-requests the enrichment data, so that users work with current rather than stale context when processing indicator-related information.

A significant part of the improvements in the new version of Defensys TIP concerns the bulletin tool. Threat and vulnerability bulletins are used to inform employees, the community, customers or colleagues about new security threats and current vulnerabilities in software and hardware relevant to a particular infrastructure or organization. The platform can now create a bulletin covering multiple vulnerabilities, and working with the vulnerabilities section has become more convenient: the presence of a bulletin and its identifier are displayed for each vulnerability.

It is sometimes hard to explain briefly what threat intelligence means, since much depends on the context in which the term is used: it may denote both a process and an action. There are a number of formal definitions, for example from Gartner and the SANS Institute.

TI definitions

Cyber threat intelligence is knowledge about adversaries and their motivations, intentions, and methods that is collected, analyzed, and disseminated in ways that help cybersecurity and business staff at all levels protect the critical assets of the enterprise.

Definitive Guide to Cyber Threat Intelligence

Threat intelligence is evidence-based knowledge, including context, mechanisms, indicators, implications and actionable advice, about an existing or emerging menace or hazard to assets that can be used to inform decisions regarding the subject’s response to that menace or hazard.

Gartner (McMillan, 2013), as quoted in “Tactics, Techniques and Procedures (TTPs) to Augment Cyber Threat Intelligence (CTI): A Comprehensive Study”

The set of data collected, assessed and applied regarding security threats, threat actors, exploits, malware, vulnerabilities and compromise indicators.

SANS Institute

Defensys announces out-of-the-box support for the SAMA framework and GDPR starting from the current version of the SGRC platform. Users can now perform audits against these standards alongside the other preinstalled frameworks and add the new requirements to the existing control checks framework.

“During our latest SGRC projects in the GCC region, especially in the KSA, we have seen demand for compliance procedures with these frameworks, so we have made them available to all our customers. These are not only lists of requirements but also customised assessment scales, fields for each requirement and the possibility to add these requirements into the existing control checks framework: similar requirements from different standards are mapped to a control that you assess once, and Defensys SGRC uses this information to automatically set the proper assessment for the requirement inside a specific compliance procedure with a specific standard.

And our customers still have the ability to add their own frameworks and checklists using the Settings menu of the system, without any programming. In our opinion this feature will help cybersecurity specialists save even more time when performing compliance campaigns against all the local and worldwide standards. In the near future we plan to expand this list with frameworks from the UAE,” says Andrey Chechetkin, Deputy CEO of Defensys.