Threat Intelligence Platform

Last updated December 13, 2023

Threat Intelligence Platform (TIP) is an emerging technology discipline that helps organizations aggregate, correlate, and analyze threat data from multiple sources in real time to support defensive actions. TIPs have evolved to address the growing amount of data generated by a variety of internal and external resources (such as system logs and threat intelligence feeds) and help security teams identify the threats that are relevant to their organization. By importing threat data from multiple sources and formats, correlating that data, and then exporting it into an organization’s existing security systems or ticketing systems, a TIP automates proactive threat management and mitigation. A true TIP differs from typical enterprise security products in that it is a system that can be programmed by outside developers, in particular, users of the platform. TIPs can also use APIs to gather data to generate configuration analysis, Whois information, reverse IP lookup, website content analysis, name servers, and SSL certificates.

Traditional approach to enterprise security

The traditional approach to enterprise security involves security teams using a variety of processes and tools to conduct incident response, network defense, and threat analysis. Integration between these teams and sharing of threat data is often a manual process that relies on email, spreadsheets, or a portal ticketing system. This approach does not scale as the team and enterprise grows and the number of threats and events increases. With attack sources changing by the minute, hour, and day, scalability and efficiency is difficult. The tools used by large Security Operations Centers (SOCs), for example, produce hundreds of millions of events per day, from endpoint and network alerts to log events, making it difficult to filter down to a manageable number of suspicious events for triage.

Threat intelligence platforms

Threat intelligence platforms make it possible for organizations to gain an advantage over the adversary by detecting the presence of threat actors, blocking and tackling their attacks, or degrading their infrastructure. Using threat intelligence, businesses and government agencies can also identify the threat sources and data that are the most useful and relevant to their own environment, potentially reducing the costs associated with unnecessary commercial threat feeds.^[1]

Tactical use cases for threat intelligence include security planning, monitoring and detection, incident response, threat discovery and threat assessment. A TIP also drives smarter practices back into SIEMs, intrusion detection, and other security tools because of the finely curated, relevant, and widely sourced threat intelligence that a TIP produces.

An advantage held by TIPs, is the ability to share threat intelligence with other stakeholders and communities. Adversaries typically coordinate their efforts, across forums and platforms. A TIP provides a common habitat which makes it possible for security teams to share threat information among their own trusted circles, interface with security and intelligence experts, and receive guidance on implementing coordinated counter-measures. Full-featured TIPs enable security analysts to simultaneously coordinate these tactical and strategic activities with incident response, security operations, and risk management teams while aggregating data from trusted communities.^[2]

Threat intelligence platform capabilities

Threat intelligence platforms are made up of several primary feature areas^[3] that allow organizations to implement an intelligence-driven security approach. These stages are supported by automated workflows that streamline the threat detection, management, analysis, and defensive process and track it through to completion:

Collect – A TIP collects and aggregates multiple data formats from multiple sources including CSV, STIX, XML, JSON, IODEK, OpenIOC, email and various other feeds. In this way a TIP differs from a SIEM platform. While SIEMs can handle multiple TI feeds, they are less well suited for ad hoc importing or for analyzing unstructured formats that are regularly required for analysis. The effectiveness of the TIP will be heavily influenced by the quality, depth, breadth and timeliness of the sources selected. Most TIPs provide integration to the major commercial and open-source intelligence sources.
Correlate – The TIP allows organizations to begin to automatically analyze, correlate, and pivot on data so that actionable intelligence in the who, why and how of a given attack can be gained and blocking measures introduced. Automation of these processing feeds is critical.
Enrichment and Contextualization – To build enriched context around threats, A TIP must be able to automatically augment, or allow threat intelligence analysts to use third party threat analysis applications to augment threat data. This enables the SOC and IR teams to have as much data as possible regarding a certain threat actor, his capabilities, and his infrastructure to properly act on the threat. A TIP will usually enrich the collected data with information such as IP geolocation, ASN networks and various other information from sources such as IP and domain blocklists.
Analyze – The TIP automatically analyzes the content of threat indicators and the relationships between them to enable the production of usable, relevant, and timely threat intelligence from the data collected. This analysis enables the identification of a threat actor's tactics, techniques and procedures (TTPs). In addition, visualization capabilities help depict complex relationships and allow users to pivot to reveal greater detail and subtle relationships. A proven method for analysis within the TIP framework is the Diamond Model of Intrusion Analysis.^[4] The Diamond Model enables teams to build a clear picture of how adversaries operate and inform an overall response more effectively. This process helps teams refine and place data in context to develop an effective action plan. For example, a threat intelligence analyst may perform relationship modeling on a phishing email to determine who sent it, who received the email, the domains it is registered to, IP addresses that resolve to that domain, etc. From here, the analyst can pivot further to reveal other domains that use the same DNS resolver, the internal hosts that try to connect to it, and what other host/domain name requests have been attempted. The Diamond Model differs from the Cyber Kill Chain® approach (attributed to Lockheed Martin^[5]) which theorizes that, as a defender, an organization needs only to disrupt one link in the chain to compromise an attack. However, not all the stages of an attack are apparent to the defender. While reconnaissance steps may be detectable if an attacker is browsing its victim’s website, the weaponization stage remains hidden. The Diamond Model, however, focuses more on understanding the attacker (their TTPs and motivations). Instead of looking at a series of events, the Model looks at relationships between features to help defenders better understand the threat. This ensures a more effective overall response.^[6] Rather than play whack-a-mole with persistent threats, organizations build a picture of how they operate and can take steps to address those facts directly.
Integrate – Integrations are a key requirement of a TIP. Data from the platform needs to find a way back into the security tools and products used by an organization. Full-featured TIPs enable the flow of information collected and analyzed from feeds, etc. and disseminate and integrate the cleaned data to other network tools including SIEMs, internal ticketing systems, firewalls, intrusion detection systems, and more. Furthermore, APIs allow for the automation of actions without direct user involvement.^[7]
Act – A mature threat intelligence platform deployment also handles response processing. Built-in workflows and processes accelerate collaboration within the security team and wider communities like Information Sharing and Analysis Centers (ISACs) and Information Sharing and Analysis Organizations (ISAOs), so that teams can take control of course of action development, mitigation planning, and execution. This level of community participation can’t be achieved without a sophisticated threat intelligence platform. Powerful TIPs enable these communities to create tools and applications that can be used to continue to change the game for security professionals. In this model, analysts and developers freely share applications with one another, choose and modify applications, and accelerate solution development through plug-and-play activities. In addition, threat intelligence can also be acted upon strategically to inform necessary network and security architecture changes and optimize security teams.
Collaborate - Threat Intelligence Platform also allows people to collaborate with the internal as well as external stakeholders.

Operational Deployments

Threat intelligence platforms can be deployed as a software or appliance (physical or virtual) on-premises or in dedicated or public clouds for enhanced community collaboration.

Related Research Articles

An intrusion detection system is a device or software application that monitors a network or systems for malicious activity or policy violations. Any intrusion activity or violation is typically reported either to an administrator or collected centrally using a security information and event management (SIEM) system. A SIEM system combines outputs from multiple sources and uses alarm filtering techniques to distinguish malicious activity from false alarms.

Threat modeling is a process by which potential threats, such as structural vulnerabilities or the absence of appropriate safeguards, can be identified and enumerated, and countermeasures prioritized. The purpose of threat modeling is to provide defenders with a systematic analysis of what controls or defenses need to be included, given the nature of the system, the probable attacker's profile, the most likely attack vectors, and the assets most desired by an attacker. Threat modeling answers questions like "Where am I most vulnerable to attack?", "What are the most relevant threats?", and "What do I need to do to safeguard against these threats?".

OSSIM (Open Source Security Information Management) is an open source security information and event management system, integrating a selection of tools designed to aid network administrators in computer security, intrusion detection and prevention.

Event correlation is a technique for making sense of a large number of events and pinpointing the few events that are really important in that mass of information. This is accomplished by looking for and analyzing relationships between events.

Log management (LM) comprises an approach to dealing with large volumes of computer-generated log messages (also known as audit records, audit trails, agement generally covers:

BasisTech is a software company specializing in applying artificial intelligence techniques to understanding documents and unstructured data written in different languages. It has headquarters in Somerville, Massachusetts with a subsidiary office in Tokyo. Its legal name is BasisTech LLC.

Prelude SIEM is a Security information and event management (SIEM).

Physical security information management (PSIM) is a category of software that provides a platform and applications created by middleware developers, designed to integrate multiple unconnected security applications and devices and control them through one comprehensive user interface. It collects and correlates events from existing disparate security devices and information systems to empower personnel to identify and proactively resolve situations. PSIM integration enables numerous organizational benefits, including increased control, improved situation awareness and management reporting. Ultimately, these solutions allow organizations to reduce costs through improved efficiency and to improve security through increased intelligence.

Security information and event management (SIEM) is a field within the field of computer security, where software products and services combine security information management (SIM) and security event management (SEM). They provide real-time analysis of security alerts generated by applications and network hardware. Vendors sell SIEM as software, as appliances, or as managed services; these products are also used to log security data and generate reports for compliance purposes. The term and the initialism SIEM was coined by Mark Nicolett and Amrit Williams of Gartner in 2005.

In computer security, a threat is a potential negative action or event facilitated by a vulnerability that results in an unwanted impact to a computer system or application.

An information security operations center is a facility where enterprise information systems are monitored, assessed, and defended.

Geographic information systems (GIS) play a constantly evolving role in geospatial intelligence (GEOINT) and United States national security. These technologies allow a user to efficiently manage, analyze, and produce geospatial data, to combine GEOINT with other forms of intelligence collection, and to perform highly developed analysis and visual production of geospatial data. Therefore, GIS produces up-to-date and more reliable GEOINT to reduce uncertainty for a decisionmaker. Since GIS programs are Web-enabled, a user can constantly work with a decision maker to solve their GEOINT and national security related problems from anywhere in the world. There are many types of GIS software used in GEOINT and national security, such as Google Earth, ERDAS IMAGINE, GeoNetwork opensource, and Esri ArcGIS.

Counter-IED efforts are done primarily by military and law enforcement with the assistance of the diplomatic and financial communities. It involves a comprehensive approach of countering the threat networks that employ improvised explosive devices (IEDs), defeating the devices themselves, and training others. Counter-IED, or C-IED, is usually part of a broader counter-terrorism, counter-insurgency, or law enforcement effort. Because IEDs are a subset of a number of forms of asymmetric warfare used by insurgents and terrorists, C-IED activities are principally against adversaries and not only against IEDs. C-IED treats the IED as a systemic problem and aims to defeat the IED threat networks themselves.

The term kill chain is a military concept which identifies the structure of an attack. It consists of:

The Co-Managed IT security service model entails security monitoring, event correlation, incident response, system tuning, and compliance support across an organization's entire IT environment. Co-Management allows organizations to collaborate with their managed security service providers by blending security expertise of the provider with the contextual knowledge of the customer to optimise security posture.

Open Threat Exchange (OTX) is a crowd-sourced computer-security platform. It has more than 180,000 participants in 140 countries who share more than 19 million potential threats daily. It is free to use.

Cyber threat hunting is a proactive cyber defence activity. It is "the process of proactively and iteratively searching through networks to detect and isolate advanced threats that evade existing security solutions." This is in contrast to traditional threat management measures, such as firewalls, intrusion detection systems (IDS), malware sandbox and SIEM systems, which typically involve an investigation of evidence-based data after there has been a warning of a potential threat.

A blue team is a group of individuals who perform an analysis of information systems to ensure security, identify security flaws, verify the effectiveness of each security measure, and to make certain all security measures will continue to be effective after implementation.

Security orchestration, automation and response (SOAR) is a group of cybersecurity technologies that allow organizations to respond to some incidents automatically. It collects inputs monitored by the security operations team such as alerts from the SIEM system, TIP, and other security technologies and helps define, prioritize, and drive standardized incident response activities.

Network detection and response (NDR) refers to a category of network security products that detect abnormal system behaviors by continuously analyzing network traffic. NDR solutions apply behavioral analytics to inspect raw network packets and metadata for both internal (east-west) and external (north-south) network communications.

References

↑ "Threat Intelligence Platforms: The Next 'Must-Have' For Harried Security Operations Teams". Dark Reading. 2 June 2015. Retrieved 2016-02-03.
↑ Poputa-Clean, Paul (January 15, 2015). "Automated Defense Using Threat Intelligence to Augment Security". SANS Institute InfoSec Reading Room.
↑ "Technology Overview for Threat Intelligence Platforms". www.gartner.com. Retrieved 2016-02-03.
↑ "The Diamond Model of Intrusion Analysis | threatconnect.com". www.threatconnect.com. Retrieved 2023-03-15.
↑ Eric M. Hutchins; Michael J. Cloppert; Rohan M. Amin (2009). "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" (PDF). Lockheed Martin.
↑ MacGregor, Rob (May 29, 2015). "Diamonds or chains".
↑ "What's in a true threat intelligence analysis platform?". ThreatConnect | Enterprise Threat Intelligence Platform. Retrieved 2016-02-03.

External links

Threat Intelligence Platforms: The Next 'Must-Have' For Harried Security Operations Teams, Tim Wilson, Dark Reading, 6/2/2015
Open source threat intelligence sources: Abuse.ch, MalcOde

This page is based on this Wikipedia article
Text is available under the CC BY-SA 4.0 license; additional terms may apply.
Images, videos and audio are available under their respective licenses.

[1] "Threat Intelligence Platforms: The Next 'Must-Have' For Harried Security Operations Teams". Dark Reading. 2 June 2015. Retrieved 2016-02-03.

[2] Poputa-Clean, Paul (January 15, 2015). "Automated Defense Using Threat Intelligence to Augment Security". SANS Institute InfoSec Reading Room.

[3] "Technology Overview for Threat Intelligence Platforms". www.gartner.com. Retrieved 2016-02-03.

[4] "The Diamond Model of Intrusion Analysis | threatconnect.com". www.threatconnect.com. Retrieved 2023-03-15.

[5] Eric M. Hutchins; Michael J. Cloppert; Rohan M. Amin (2009). "Intelligence-Driven Computer Network Defense Informed by Analysis of Adversary Campaigns and Intrusion Kill Chains" (PDF). Lockheed Martin.

[6] MacGregor, Rob (May 29, 2015). "Diamonds or chains".

[7] "What's in a true threat intelligence analysis platform?". ThreatConnect | Enterprise Threat Intelligence Platform. Retrieved 2016-02-03.

[1]

[2]

[3]

[4]

[5]

[6]

[7]