25.06.24
In the dynamic landscape of cyber security, rapidly detecting, comprehending, and mitigating cyber threats is essential for protecting digital infrastructure and ensuring uninterrupted business operations.
At The Missing Link, our approach to managing threat intelligence feeds is meticulously designed, using a blend of Azure services and in-house developed capabilities to provide Joint Cyber Security Centre (JCSC) partner organisations with actionable, precise, and timely threat intelligence. This strategy is a key component in enhancing our clients' cyber resilience.
To effectively integrate threat intelligence feeds for our customers, we employ a phased approach that ensures comprehensive security coverage. In Phase 1, we focus on enhancing detection capabilities by implementing technologies such as Extended Detection and Response (XDR), Endpoint Detection and Response (EDR), and Network Detection and Response (NDR). By prioritising detection, potential threats can be quickly identified and understood.
Moving into Phase 2, we integrate these threat intelligence feeds into customers' security controls to enhance prevention and protection measures. This includes incorporating the feeds with technologies like Secure Access Service Edge (SASE), Next-Generation Firewalls (NGFW), and Web Application Firewalls (WAF) to proactively block and mitigate threats, ensuring robust protection for their digital infrastructure.
Microsoft's recent announcement regarding its direct integration with CTIS represents a significant leap forward in cyber defence, granting JCSC partner organisations unparalleled access to critical threat intelligence. This is validation of our existing framework, emphasising our ongoing commitment to offer a comprehensive threat intelligence solution that extends beyond a single intelligence feed or SIEM platform.
At the heart of our strategy lies the adoption of MISP (Malware Information Sharing Platform & Threat Sharing), a widely recognised open-source platform for the sharing, storage, and correlation of Indicators of Compromise (IoCs). Using MISP allows us to distribute essential threat data among our JCSC partner customers efficiently, arming them with the intelligence necessary to pre-empt cyber threats and enhance their cyber resilience.
Our threat intelligence distribution framework is bolstered by an integrated Azure ecosystem, encompassing Azure Repos, Azure Functions, Azure Key Vault, Azure DevOps Pipelines, Microsoft Forms, and Power Automate. This setup facilitates the seamless management and dissemination of IoCs, significantly enhancing the cyber defence capabilities and cyber resilience of our customers.
For Microsoft Sentinel, we use the Threat Intelligence Upload Indicators API to populate the threat intelligence indicators table with Indicators of Compromise (IoCs). This ensures our customers maintain a comprehensive and up-to-date repository of threat intelligence within their Sentinel environment, enhancing their detection and response capabilities and contributing to their cyber resilience.
For Exabeam, we use an API to populate a Context Table with IoCs. This enables our customers to maintain a detailed and current repository of threat intelligence within their Exabeam environment, significantly boosting their detection and response effectiveness.
With Rapid7 InsightIDR, we leverage an API to populate a private community threat feed. This integration ensures that our customers receive timely and relevant threat intelligence, which is crucial for maintaining an effective security posture and swiftly responding to emerging threats.
For CrowdStrike Falcon, we use the custom IoC API to upload a list of IoCs. This integration enhances our customers' endpoint protection by incorporating the latest threat intelligence directly into their CrowdStrike environment, improving their ability to detect and mitigate threats.
In the case of Netskope, we use their Threat Exchange module to upload IoCs. This integration empowers our customers to leverage shared threat intelligence within their Netskope environment, enhancing their ability to effectively block and mitigate cyber threats.
We also support seamless integration with Zscaler Internet Access, Cisco Umbrella, Cisco FTD, Palo Alto Networks NGFW, Fortigate NGFW, and Infoblox, ensuring comprehensive threat intelligence across a wide range of security platforms.
We have adopted a fully automated approach to disseminating IoCs amongst our customers' chosen security vendors. Using the MISP API, we poll high-fidelity threat feeds daily to retrieve the most recent IoCs published by the ACSC (Australian Cyber Security Centre). Using Azure DevOps Pipelines and security vendor APIs, those IoCs are then pushed to customer environments on an agreed-upon cadence.
Operational measures have been implemented to exclude any known false positive indicators that may be present within a customer’s environment, ensuring our analysts are responding to investigations that are associated with high-confidence threats.
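The exclusion-then-push step described above (daily MISP poll, per-customer false-positive exclusion, upload to Microsoft Sentinel), shown as an added example rather than The Missing Link's own pipeline code. It assumes MISP-style attribute dicts (`type`, `value`, `tags`) as input, the request shape of the Microsoft Sentinel Threat Intelligence Upload Indicators API (a `sourcesystem` field plus STIX 2.1 indicator objects in a `value` array, batched per request), and constructed sample IoCs and exclusion values; the workspace id and source-system name are placeholders. The module only builds the requests and never sends them, so it runs offline; a real push would add an Azure AD bearer token and an HTTP client.

```python
import json
import uuid
from datetime import datetime, timedelta, timezone

# Map MISP attribute types to STIX 2.1 patterns (illustrative subset; assumption).
STIX_PATTERNS = {
    "ip-dst": "[ipv4-addr:value = '{v}']",
    "ip-src": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "url": "[url:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

# Sentinel Threat Intelligence Upload Indicators API endpoint; {ws} is the workspace id.
UPLOAD_URL = ("https://sentinelus.azure-api.net/workspaces/{ws}/"
              "threatintelligenceindicators:upload?api-version=2022-07-01")

# Constructed sample of what a daily MISP poll might return (hypothetical values).
SAMPLE_ATTRIBUTES = [
    {"type": "ip-dst", "value": "203.0.113.10", "tags": ["tlp:amber"]},
    {"type": "domain", "value": "Update.Example.NET", "tags": ["tlp:amber"]},
    {"type": "url", "value": "http://example.org/payload", "tags": []},
    {"type": "sha256", "value": "a" * 64, "tags": ["tlp:green"]},
    {"type": "email-src", "value": "x@example.com", "tags": []},  # no pattern mapped
]

# Constructed per-customer exclusion list: a domain the customer legitimately uses.
SAMPLE_EXCLUSIONS = ["update.example.net"]


def apply_exclusions(attributes, exclusions):
    """Split attributes into (kept, dropped).

    Matching is case-insensitive on the trimmed value, so a feed entry of
    'Update.Example.NET' is caught by the exclusion 'update.example.net'.
    Attributes whose type has no STIX pattern are also dropped so that a
    malformed object never reaches the upload API.
    """
    excluded = {e.strip().lower() for e in exclusions}
    kept, dropped = [], []
    for attr in attributes:
        value = attr["value"].strip()
        if value.lower() in excluded or attr["type"] not in STIX_PATTERNS:
            dropped.append(attr)
        else:
            kept.append({**attr, "value": value})
    return kept, dropped


def to_stix_indicator(attr, now=None, valid_days=30):
    """Build one STIX 2.1 indicator object for the Upload Indicators API.

    The id is derived deterministically from type + value, so re-uploading the
    same IoC on the next daily run updates the existing indicator rather than
    creating a duplicate; valid_until gives the indicator a natural expiry.
    """
    now = now or datetime.now(timezone.utc)
    fmt = "%Y-%m-%dT%H:%M:%SZ"
    stamp = now.strftime(fmt)
    ind_id = "indicator--" + str(
        uuid.uuid5(uuid.NAMESPACE_URL, f"{attr['type']}:{attr['value']}"))
    return {
        "type": "indicator",
        "spec_version": "2.1",
        "id": ind_id,
        "created": stamp,
        "modified": stamp,
        "name": f"{attr['type']}: {attr['value']}",
        "pattern": STIX_PATTERNS[attr["type"]].format(v=attr["value"]),
        "pattern_type": "stix",
        "valid_from": stamp,
        "valid_until": (now + timedelta(days=valid_days)).strftime(fmt),
        "labels": attr.get("tags", []),
    }


def build_upload_requests(attributes, exclusions, workspace_id,
                          source_system, batch_size=100):
    """Return a list of (url, json_body) pairs, one per batch. Nothing is sent.

    batch_size defaults to 100, the per-request indicator limit documented for
    the upload API at the time of writing.
    """
    kept, _ = apply_exclusions(attributes, exclusions)
    indicators = [to_stix_indicator(a) for a in kept]
    url = UPLOAD_URL.format(ws=workspace_id)
    return [
        (url, json.dumps({"sourcesystem": source_system,
                          "value": indicators[i:i + batch_size]}))
        for i in range(0, len(indicators), batch_size)
    ]


if __name__ == "__main__":
    kept, dropped = apply_exclusions(SAMPLE_ATTRIBUTES, SAMPLE_EXCLUSIONS)
    print(f"kept {len(kept)}, dropped {len(dropped)}: "
          f"{[d['value'] for d in dropped]}")
    for url, body in build_upload_requests(SAMPLE_ATTRIBUTES, SAMPLE_EXCLUSIONS,
                                           "<workspace-id>", "TML-MISP"):
        print(url, len(json.loads(body)["value"]), "indicators")
```

The dropped list is worth logging on every run: it is the audit trail that shows which ACSC indicators were suppressed for a given customer and why, which is what an analyst needs when a suppressed IoC later turns out to be genuine.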
What sets The Missing Link apart is our capacity to integrate bespoke and curated threat intelligence feeds, performing required exclusions of IoCs through a centralised and automated mechanism. This ability ensures that our partners can benefit from a customised intelligence service tailored to their specific needs and contexts. By offering the potential for such customisation, we ensure that the intelligence shared is relevant and highly actionable, empowering our partners to make informed security decisions and boosting their cyber resilience.
In managing threat intelligence, our approach is marked by a blend of anticipation for technological advancements and a commitment to adaptability and precision. We continue to refine our capabilities, aiming to meet and anticipate the evolving demands of our partners. Through this combination of cutting-edge technology and the potential for customisation, we solidify our role as a proactive, flexible, and trusted collaborator in securing the digital domain.
Are you ready to enhance your cyber resilience with our proactive and customised threat intelligence solutions? Contact us today to learn how The Missing Link can help safeguard your digital infrastructure and ensure uninterrupted business operations.
Written by: Ben Chalmers and Tim O'Connor