In the dynamic landscape of cyber security, rapidly detecting, comprehending, and mitigating cyber threats is essential for protecting digital infrastructure and ensuring uninterrupted business operations.

At The Missing Link, our approach to managing threat intelligence feeds is meticulously designed, using a blend of Azure services and in-house developed capabilities to provide Joint Cyber Security Centre (JCSC) partner organisations with actionable, precise, and timely threat intelligence. This strategy is a key component in enhancing our clients’ cyber resilience.

What is Threat Intelligence?

Threat intelligence is the process of gathering, analysing, and disseminating information about existing and potential threats to an organisation’s security posture. It involves collecting and processing data from various sources, including internal logs, external feeds, and human intelligence, to identify and understand the tactics, techniques, and procedures (TTPs) of threat actors.

By leveraging threat intelligence, security teams can gain actionable insights that enable them to proactively prepare for, prevent, and respond to sophisticated cyber threats. This proactive approach is crucial in maintaining a robust security posture and ensuring the resilience of digital infrastructure.

Types of Threat Intelligence

There are three main types of threat intelligence: strategic, tactical, and operational. Strategic threat intelligence provides a high-level overview of the threat landscape, including emerging threats and the motivations of threat actors. This type of intelligence helps organisations understand the broader context of cyber threats and informs long-term security strategies.

Tactical threat intelligence, on the other hand, offers specific information about individual threats, such as the steps involved in an attack and the vulnerabilities exploited. This detailed information is essential for developing targeted defences. Lastly, operational threat intelligence provides in-depth details about threats, including their nature, motive, timing, and process. This type of intelligence is critical for immediate threat response and mitigation efforts.

A phased approach to comprehensive cyber security 


  • Phase 1: Enhancing detection capabilities with advanced technologies 

To effectively integrate threat intelligence feeds for our customers, we employ a phased approach that ensures comprehensive security coverage. In Phase 1, we focus on enhancing detection capabilities by implementing technologies such as Extended Detection and Response (XDR), Endpoint Detection and Response (EDR), and Network Detection and Response (NDR).

Artificial intelligence plays a crucial role in this phase by enabling advanced threat detection through the analysis of vast data to identify patterns and anomalies. By prioritising detection, potential threats can be quickly identified and understood.

  • Phase 2: Integration for prevention and protection 

Moving into Phase 2, we integrate these threat intelligence feeds into customers’ security controls to enhance prevention and protection measures. This includes incorporating the feeds with technologies like Secure Access Service Edge (SASE), Next-Generation Firewalls (NGFW), and Web Application Firewalls (WAF) to proactively block and mitigate threats, ensuring robust protection for their digital infrastructure.

Leverage Microsoft's CTIS for enhanced cyber defence 

Microsoft's recent announcement regarding its direct integration with CTIS represents a significant leap forward in cyber defence, allowing organisations to leverage threat intelligence for enhanced security. This grants JCSC partner organisations unparalleled access to critical threat intelligence. This is validation of our existing framework, emphasising our ongoing commitment to offer a comprehensive threat intelligence solution that extends beyond a single intelligence feed or SIEM platform.

Enhance threat intelligence sharing with MISP 

At the heart of our strategy lies the adoption of MISP (Malware Information Sharing Platform & Threat Sharing), a widely recognised open-source platform for the sharing, storage, and correlation of Indicators of Compromise (IoCs). We collaborate with global law enforcement agencies to enhance data collection and threat analysis through our advanced cyber security framework. Using MISP allows us to distribute essential threat data among our JCSC partner customers efficiently, arming them with the intelligence necessary to pre-empt cyber threats and enhance their cyber resilience.

Streamline threat intelligence distribution with the Azure ecosystem

Our threat intelligence distribution framework is bolstered by an integrated Azure ecosystem, encompassing Azure Repos, Azure Functions, Azure Key Vault, Azure DevOps Pipelines, Microsoft Forms, and PowerAutomate. This setup facilitates the seamless management and dissemination of IoCs, significantly enhancing the cyber defence capabilities and cyber resilience of our customers.

Additionally, Bitdefender Advanced Threat Intelligence is integrated with various security platforms, further strengthening our threat intelligence distribution framework.

  • Microsoft Sentinel 

For Microsoft Sentinel, we use the Threat Intelligence Upload Indicators API to populate the threat intelligence indicators table with Indicators of Compromise (IoCs). This ensures our customers maintain a comprehensive and up-to-date repository of threat intelligence within their Sentinel environment, enhancing their detection and response capabilities and contributing to their cyber resilience.

  • Exabeam 

For Exabeam, we use an API to populate a Context Table with IoCs. This enables our customers to maintain a detailed and current repository of threat intelligence within their Exabeam environment, significantly boosting their detection and response effectiveness.

  • Rapid7 InsightIDR 

With Rapid7 InsightIDR, we leverage an API to populate a private community threat feed. This integration ensures that our customers receive timely and relevant threat intelligence, which is crucial for maintaining an effective security posture and swiftly responding to emerging threats.

  • CrowdStrike Falcon 

For CrowdStrike Falcon, we use the custom IoC API to upload a list of IoCs. This integration enhances our customers’ endpoint protection by incorporating the latest threat intelligence directly into their CrowdStrike environment, improving their ability to detect and mitigate threats.

  • Netskope Threat Exchange 

In the case of Netskope, we use their Threat Exchange module to upload IoCs. This integration empowers our customers to leverage shared threat intelligence within their Netskope environment, enhancing their ability to effectively block and mitigate cyber threats.

  • Other supported platforms 

We also support seamless integration with Zscaler Internet Access, Cisco Umbrella, Cisco FTD, Palo Alto Networks NGFW, Fortigate NGFW, and Infoblox, ensuring comprehensive threat intelligence across a wide range of security platforms.


Automate threat intelligence dissemination with DevOps, automation and APIs 

Automating threat intelligence dissemination with DevOps, automation, and APIs enables security teams to quickly and efficiently integrate threat intelligence into their existing security infrastructure. Threat intelligence platforms (TIPs) offer APIs that facilitate seamless integration with security information and event management (SIEM) systems, incident response platforms, and other security tools.

By automating the dissemination of threat intelligence, security teams can significantly reduce the time and effort required to respond to threats. This not only enhances their overall security posture but also ensures that they are always equipped with the most up-to-date and relevant threat information, enabling swift and effective incident response.

We have adopted a fully automated approach to disseminating the IoCs amongst our customers’ chosen security vendors. This process leverages premium cyber threat intelligence, utilising diverse data sources such as web crawlers and monitored botnets to provide comprehensive insights into real-world threats.

We leverage the MISP API and daily polls of high-fidelity threat feeds to access the most recent IoCs published by the ACSC (Australian Cyber Security Centre). Using Azure DevOps Pipelines and security vendor APIs, IoCs are pushed to our customer environments on an agreed-upon cadence.

Operational measures have been implemented to exclude any known false positive indicators that may be present within a customer’s environment, ensuring our analysts are responding to investigations that are associated with high-confidence threats.
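The pipeline described above, polling MISP attributes, excluding a customer's known false positives, and batching the survivors for a vendor API, as an added example in Python; this is illustrative code, not The Missing Link's own tooling. The sample attributes and the exclusion list are constructed, and the Upload Indicators API request shape ({"sourcesystem", "value"}, 100 indicators per request) is an assumption based on public documentation rather than something taken from this page.

```python
import uuid
from datetime import datetime, timezone

# Constructed sample of MISP-style attributes (documentation-range values, not real IoCs).
SAMPLE_MISP_ATTRIBUTES = [
    {"type": "ip-dst", "value": "203.0.113.10", "to_ids": True},
    {"type": "domain", "value": "malicious.example", "to_ids": True},
    {"type": "ip-dst", "value": "198.51.100.7", "to_ids": True},
    {"type": "comment", "value": "analyst note", "to_ids": False},
]

# Constructed per-customer exclusion list: indicators known to be benign in that environment.
CUSTOMER_EXCLUSIONS = {"198.51.100.7"}

# MISP attribute types mapped onto STIX 2.1 pattern templates.
STIX_PATTERNS = {
    "ip-dst": "[ipv4-addr:value = '{v}']",
    "domain": "[domain-name:value = '{v}']",
    "sha256": "[file:hashes.'SHA-256' = '{v}']",
}

def filter_attributes(attributes, exclusions):
    """Keep detection-grade (to_ids) attributes that have a STIX mapping,
    dropping anything on the customer's exclusion list."""
    return [a for a in attributes
            if a.get("to_ids") and a["type"] in STIX_PATTERNS
            and a["value"] not in exclusions]

def to_stix_indicator(attribute, now=None):
    """Build one STIX 2.1 indicator object from a MISP attribute."""
    now = now or datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.%fZ")
    value = attribute["value"].replace("'", "\\'")  # escape quotes inside the pattern literal
    pattern = STIX_PATTERNS[attribute["type"]].format(v=value)
    return {
        "type": "indicator",
        "spec_version": "2.1",
        # uuid5 makes the id deterministic, so a re-pushed IoC updates rather than duplicates
        "id": f"indicator--{uuid.uuid5(uuid.NAMESPACE_URL, pattern)}",
        "created": now, "modified": now, "valid_from": now,
        "pattern": pattern,
        "pattern_type": "stix",
    }

def build_upload_batches(attributes, exclusions, source="MISP", batch_size=100):
    """Group indicators into request bodies for the Upload Indicators API.
    Body shape {"sourcesystem", "value"} and the 100-indicator limit are assumptions."""
    indicators = [to_stix_indicator(a) for a in filter_attributes(attributes, exclusions)]
    return [{"sourcesystem": source, "value": indicators[i:i + batch_size]}
            for i in range(0, len(indicators), batch_size)]
```

Each returned batch is one request body; the caller posts it to the workspace endpoint with a bearer token obtained from the customer's tenant.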

Customise threat intelligence for tailored security solutions  

What sets The Missing Link apart is our capacity to integrate bespoke and curated threat intelligence feeds, performing required exclusions of IoCs through a centralised and automated mechanism. Our cyber threat intelligence expertise is crucial in providing tailored security solutions, ensuring accurate and reliable threat intelligence.

This ability ensures that our partners can benefit from a customised intelligence service tailored to their specific needs and contexts. By offering the potential for such customisation, we ensure that the intelligence shared is relevant and highly actionable, empowering our partners to make informed security decisions and boosting their cyber resilience.

The role of security analysts

Security analysts play a critical role in the threat intelligence process. They are responsible for analysing and interpreting threat data to identify potential threats and provide actionable insights to security teams. By leveraging threat intelligence, security analysts can inform their decision-making and enhance their incident response capabilities.

They work closely with other teams, such as incident response and security operations, to ensure that threat intelligence is seamlessly integrated into the organisation’s overall security strategy. This collaboration is essential for maintaining a proactive and comprehensive approach to cyber security, enabling organisations to stay ahead of potential threats.

Measuring the effectiveness of ATP solutions

Measuring the effectiveness of advanced threat protection (ATP) solutions is critical to ensuring that an organisation’s security posture is robust and capable of defending against sophisticated cyber threats. This can be achieved by tracking key performance indicators (KPIs) such as detection rate, false-positive rate, time to detection and response, threat coverage, and incident response effectiveness.

By regularly reviewing and analysing these KPIs, security teams can identify areas for improvement and optimise their ATP solutions. This continuous evaluation process ensures that the organisation remains well-protected against advanced threats and can swiftly respond to any incidents, thereby maintaining a strong security posture.

A proactive and customised approach to threat intelligence management 

In managing threat intelligence, our approach is marked by a blend of anticipation for technological advancements and a commitment to adaptability and precision. Threat hunting plays a crucial role in this proactive approach by identifying potential threats within an organisation's network and endpoints.

We continue to refine our capabilities, aiming to meet and anticipate the evolving demands of our partners. Through this combination of cutting-edge technology and the potential for customisation, we solidify our role as a proactive, flexible, and trusted collaborator in securing the digital domain.

Are you ready to enhance your cyber resilience with our proactive and customised threat intelligence solutions? Contact us today to learn how The Missing Link can help safeguard your digital infrastructure and ensure uninterrupted business operations.


Written by: Ben Chalmers and Tim O'Connor