ENTERPRISE SECURITY BLUEPRINT
02 CONTROL LAYER
The threat intelligence analysis process uses raw intelligence to generate actionable intelligence – i.e., threat indicators that can be used to detect and prevent threats. Such actionable intelligence answers the following questions:

- What malicious behavior should you look for? Examples include network addresses, domain name resolution requests, URLs, system calls, and file hashes.
- Where should you look? On the network, inside emails or documents, on the disk, in memory, etc.
- How important is this event or series of events? Metadata provides additional information on the confidence level for the indicator, the severity of the corresponding attack, etc.
- How do we protect ourselves against this attack? For example: should the attack be blocked on the network or on the host? Is there a patch for this vulnerability?
The following example demonstrates the threat intelligence analysis process:

Collect raw intelligence: A notice has been received that an attacker has unleashed a campaign against financial sector targets. The attacker's observed TTP is to deliver documents – containing malware exploiting document reader vulnerabilities – to targeted users using various channels (e.g., email, USB disks, and subverted websites). When the unsuspecting user launches the malware, it connects to a C&C server and uses a Remote Access Tool (RAT) to provide the attacker access to the internal network.

Generate actionable intelligence: An Enforcement Layer sandbox executes a document and identifies that it contains malware that attempts to drop a file (the RAT) on the local file system. The sandbox computes unique hashes of the document and the dropped file and provides these as actionable indicators to the Control Layer. Based on these indicators, the Control Layer then generates protections against the attack and distributes them automatically to enterprise enforcement points. The indicators are also shared with other organizations in the community.

Contain post-infection damage: Subsequent big data analysis of recorded network data and host file systems may yield additional matches against the document and file hashes. This can help identify additional compromised hosts and automatically or manually generate protections that contain these hosts by restricting their access rights on the network.

Analyze security events: Further analysis of log data might indicate a statistical correlation between suspected hosts and specific outbound connections. The target hosts can then be identified as potential C&C servers and attacker drop zones, and the corresponding IP addresses or URLs can be used as indicators to block further bot communications.
Big data analysis can help identify compromised hosts
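The following Python script is an added example, not code from the Enterprise Security Blueprint or its vendor. It walks through both the indicator model (what, where, how important, how to protect) and the four-step example above: a sandbox verdict is turned into file-hash indicators with metadata, the indicators are matched against recorded host file-system data to find further compromised hosts, and the suspected hosts are correlated with recorded outbound connections to propose C&C candidates that become new network indicators. Every host name, file, hash and address in it is constructed sample data; the sandbox report shape, the field names and the confidence formula are assumptions of this example.

```python
# Added example of the threat intelligence analysis process; all data below
# is constructed and the report/indicator shapes are assumptions.
from collections import defaultdict
from dataclasses import dataclass
import hashlib


@dataclass(frozen=True)
class Indicator:
    kind: str        # what to look for: "file_hash", "ip", "url", ...
    value: str
    where: str       # where to look: "email", "disk", "network", ...
    confidence: int  # how important: 0-100 confidence in the indicator
    severity: str    # how important: "low" / "medium" / "high" / "critical"
    action: str      # how to protect: "block_network", "block_host", "alert"


def sha256(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def indicators_from_sandbox(report: dict) -> list[Indicator]:
    """Generate actionable intelligence from a (constructed) sandbox verdict."""
    if report["verdict"] != "malicious":
        return []
    # The delivered document is blocked at the email/network enforcement point ...
    found = [Indicator("file_hash", sha256(report["document"]), "email",
                       90, "high", "block_network")]
    # ... while every dropped file (the RAT) is blocked on the host.
    for dropped in report["dropped_files"]:
        found.append(Indicator("file_hash", sha256(dropped), "disk",
                               95, "critical", "block_host"))
    return found


def match_hosts(indicators: list[Indicator],
                host_inventory: dict[str, list[str]]) -> set[str]:
    """Contain post-infection damage: hosts whose recorded file hashes match
    any file_hash indicator are candidates for network access restriction."""
    wanted = {i.value for i in indicators if i.kind == "file_hash"}
    return {host for host, hashes in host_inventory.items()
            if wanted.intersection(hashes)}


def correlate_outbound(suspected: set[str], flows: list[tuple[str, str]],
                       min_ratio: float = 0.8, min_hosts: int = 2) -> list[Indicator]:
    """Analyze security events: a destination contacted mostly by suspected
    hosts, and by at least min_hosts of them, becomes a C&C candidate. The
    min_hosts floor keeps one host's ordinary traffic from becoming an indicator."""
    sources_by_dst: dict[str, set[str]] = defaultdict(set)
    for src, dst in flows:
        sources_by_dst[dst].add(src)
    candidates = []
    for dst, sources in sources_by_dst.items():
        hits = sources & suspected
        ratio = len(hits) / len(sources)
        if len(hits) >= min_hosts and ratio >= min_ratio:
            # Assumed formula: confidence grows with the share and the number
            # of suspected sources, never reaching 100 on correlation alone.
            confidence = int(100 * ratio * len(hits) / (len(hits) + 1))
            candidates.append(Indicator("ip", dst, "network", confidence,
                                        "high", "block_network"))
    return sorted(candidates, key=lambda i: i.value)


# --- constructed sample data ---------------------------------------------
DOC = b"constructed: invoice.pdf carrying a document-reader exploit"
RAT = b"constructed: dropped remote access tool"
BENIGN = b"constructed: harmless file present on every host"

SANDBOX_REPORT = {"verdict": "malicious", "document": DOC, "dropped_files": [RAT]}

HOST_INVENTORY = {  # recorded file hashes per host
    "wks-01": [sha256(RAT), sha256(BENIGN)],
    "wks-02": [sha256(BENIGN)],
    "wks-03": [sha256(DOC), sha256(BENIGN)],
    "wks-04": [sha256(BENIGN)],
}

FLOWS = [  # recorded (source host, outbound destination) pairs
    ("wks-01", "203.0.113.10:443"), ("wks-03", "203.0.113.10:443"),
    ("wks-01", "198.51.100.7:80"), ("wks-02", "198.51.100.7:80"),
    ("wks-03", "198.51.100.7:80"), ("wks-04", "198.51.100.7:80"),
    ("wks-01", "192.0.2.50:8080"),
]


def run_pipeline() -> dict:
    indicators = indicators_from_sandbox(SANDBOX_REPORT)
    suspected = match_hosts(indicators, HOST_INVENTORY)
    cc_candidates = correlate_outbound(suspected, FLOWS)
    return {"indicators": indicators, "suspected_hosts": suspected,
            "cc_candidates": cc_candidates}


if __name__ == "__main__":
    result = run_pipeline()
    print("suspected hosts:", sorted(result["suspected_hosts"]))
    for ind in result["cc_candidates"]:
        print(f"C&C candidate {ind.value} (confidence {ind.confidence})")
```

In the sample data, wks-01 holds the dropped RAT and wks-03 holds the weaponised document, so both are flagged from the sandbox hashes; 203.0.113.10:443 is contacted only by those two hosts and is promoted to a network indicator, while 198.51.100.7:80 is contacted by every host (too low a ratio) and 192.0.2.50:8080 by a single host (below the min_hosts floor), so neither becomes an indicator. The point of the ratio and floor parameters is that correlation output feeds automatic blocking, so its false-positive rate matters more than its recall.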