What is Threat Analysis? Learn 5 Ways to Make it Actionable!
Lights, Camera, All Quiet on Threats (Set) – Action! – What goes into the creation of your favorite movies? They have a director, editor, post-production effects, actors, and a ton of extras. A lot goes on behind the scenes to make a film possible. Editors piece together shots to create the films we all enjoy. The role of an editor isn’t solely reserved for Hollywood; threat analysts work in the same landscape each and every day.
Allow me to explain.
Every movie needs an editor and that’s essentially what an analyst is. That editor must work creatively with the layers of images, plot, dialogue, and the actors’ performances to effectively tell the story of the film. Similarly, an analyst must conduct threat analysis. One can think of threat analysis as digging into specific details at a granular level to identify additional information, gain more context, and tell a story.
Movie directors are constantly putting pressure on their editors to conceptualize a finished film, much as a SOC manager puts pressure on an analyst to stay in front of their threats/adversaries and ultimately protect the organization. Both editors and analysts have processes in place to take action. Let’s walk through the 5 ways to make threat analysis actionable.
1. Logging – Processing/Triage
The first step is aggregation – bringing together everything you know about the threats from all the sources you have. Unfortunately, a lot of the systems and processes that analysts are currently using are fragmented. Many analysts are not bringing threats from all sources together into one central location so that they have the optimal chance of making informed decisions to protect their organization. If your threat data isn’t in one location, this is a good place to start.
In order to find shots they want to use, an editor must keep track of the useful scenes. This consists of parsing through tons of film and tape to find the parts that matter to the film. Prioritizing the shots that were good and reprioritizing those that were bad are part of their day-to-day tasks. The tedious task of logging and prioritization exists not only in the life of an editor. When conducting threat analysis an analyst must perform triage. During this process an analyst is prioritizing threats based on their severity. During triage, an analyst looks at networking logs (VPN, email, firewall, endpoint), system logs (proxy, DNS, Appflow), technical logs (FTP, SQL, AVs), and other security and monitoring tools (NIPS, Data Loss Prevention, Device Logs, etc.).
Using our ThreatAssess feature one can filter and prioritize threats based on their scores.
2. Cutting Room – Eliminate False Positives
Anddddd cut! The trimming process is conducted to eliminate segments within the film or footage in order to piece together the sequence of the film.
Eliminating False Positives
For a cybersecurity analyst, reporting and eliminating false positives means dealing with indicators that have been erroneously classified as malicious. In other words, they are deemed bad when they are in fact clean. These false positives can be very costly and dangerous to an organization, e.g., by leading to a wrong decision based on inaccurate data. You know you’ve seen it – a scene in your favorite movie where you notice something that shouldn’t be there. It happens more than you think.
The editor allowed this False Positive: See the above scene from Harry Potter Chamber of Secrets that includes the cameraman
Fortunately, within ThreatConnect, using ThreatAssess and/or CAL, an analyst will be able to see if the indicator has been marked as a false positive by anyone else. Being able to check indicators across the platform saves the analyst time and reduces the possibility of error.
3. Post-production Effects – Enrichment
Post Production, which typically is the longest task within an editor’s process, includes: editing, fixing color, sound effects, final mixes, and other important fine-tuning to create a successful final production.
Analysts share these principles during enrichment. They create enriched indicators and find other indicators related to the same threat, campaign, or incident. This process of expanding from one data point (like a malicious host name) to related data points (e.g. IP Address resolutions of the malicious domain) is critical to an analyst’s workflow. It makes sure that any defensive actions take into account as much of the threat landscape as possible.
Here’s a look at how analysts enrich data in ThreatConnect.
ThreatConnect makes it easy for analysts to investigate adversaries and threats through enrichment and pivoting.
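The pivot described in this section, from a malicious host name to its IP resolutions and on to other names seen on those IPs, can be sketched as follows. This is an added example, not ThreatConnect code: the passive-DNS records, the `enrich` function and the `shared_hosting_limit` threshold are all constructed assumptions.

```python
from datetime import date

# Constructed passive-DNS records: (hostname, ip, first_seen, last_seen).
PDNS = [
    ("bad-login.example", "192.0.2.10", date(2024, 1, 5), date(2024, 1, 20)),
    ("bad-login.example", "198.51.100.7", date(2024, 1, 21), date(2024, 2, 2)),
    ("cdn-update.example", "192.0.2.10", date(2024, 1, 10), date(2024, 1, 18)),
    ("old-tenant.example", "192.0.2.10", date(2023, 3, 1), date(2023, 6, 1)),
    ("shop-a.example", "198.51.100.7", date(2024, 1, 1), date(2024, 3, 1)),
    ("shop-b.example", "198.51.100.7", date(2024, 1, 1), date(2024, 3, 1)),
    ("shop-c.example", "198.51.100.7", date(2024, 1, 1), date(2024, 3, 1)),
]

def overlaps(a_start, a_end, b_start, b_end):
    """True when two observation windows share at least one day."""
    return a_start <= b_end and b_start <= a_end

def enrich(seed, records, shared_hosting_limit=3):
    """Pivot from a seed hostname to its IP resolutions and co-hosted names.

    A name is related only if it used the same IP while the seed did.
    An IP with `shared_hosting_limit` or more such neighbours is reported
    but not pivoted through: co-tenancy on shared hosting is weak evidence
    and would flood the result with false positives.
    """
    seed_rows = [r for r in records if r[0] == seed]
    related, skipped = set(), []
    for _, ip, s_first, s_last in seed_rows:
        neighbours = {
            host for host, other_ip, first, last in records
            if other_ip == ip and host != seed
            and overlaps(s_first, s_last, first, last)
        }
        if len(neighbours) >= shared_hosting_limit:
            skipped.append(ip)
        else:
            related |= neighbours
    return {
        "ips": sorted({r[1] for r in seed_rows}),
        "related": sorted(related),
        "skipped_ips": sorted(skipped),
    }

if __name__ == "__main__":
    print(enrich("bad-login.example", PDNS))
```

The time-window check is what keeps `old-tenant.example` out of the result: it used the same address, but months before the seed did.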
4. Continuity and Storytelling – Event timelines and crafting the story
At the end of the day, the processes, edits, scripting, dialogue, and filming all must work together to tell a story. If an editor can’t craft a story, it doesn’t matter how good everything else is. Adding more context and telling a story is vital in order for analysts to make sense of threat data and turn it into actionable intelligence. Intelligence delivered within the ThreatConnect Platform tells the story behind the data and shows how it is tied to other events in the Platform – providing the full picture, so you can make a confident decision on how to act. Learn how we apply this concept to defeating Stranger Threats in your network.
For example, understanding the relationship between a piece of malware and its network connections is critical in capturing what the malware is doing. Otherwise you have data points like file hashes and domain names with no concept of how each piece of the puzzle fits together or how they temporally relate to one another. For an analyst, telling a story is the process of weaving data into intelligence.
The image above is from our research team creating an event timeline of leaked document metadata and DNC Breach-Related Events
5. Actor Motivation/ Emotional Intelligence
A good director knows what motivates the actors and how she/he can encourage them to be at their best. In general, understanding why someone does something provides valuable insight. For an analyst, life is no different. Understanding why the threat actor is doing what he/she is doing is extremely valuable… and sometimes very hard to discern.
When conducting threat analysis, one of the most important steps towards threat intelligence is identifying actor motivation. Once you have a good concept of who is attacking you and why, this allows you to take action in a few different ways. First, you can review the tactics, tools, systems, and methods the adversary is using to attack you in order to better detect any of their activity. Does their malware call back over a specific port? Does it have a unique user-agent? Understanding these characteristics makes it easier for you to detect potentially malicious activity. Second, having a solid understanding of actor motivation is helpful to better predict and defend the systems that will likely be targeted by the actor. For example, a financially motivated attacker is going to go after different targets than a script kiddie looking to deface your website. Understanding your adversary can give you a good idea of where you should start looking through logs and regularly monitoring. Once you are able to grasp an actor’s motivation, you begin to paint a picture and tell a story that will guide your analysis in the future.
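The two questions above (a specific callback port, a unique user-agent) translate directly into detection logic over proxy logs. The sketch below is an added example, not from the original post: the log format, the actor profile values and the `match_profile` function are constructed assumptions.

```python
import re

# Hypothetical actor profile from prior analysis; both values are constructed.
PROFILE = {
    "callback_ports": {8443},
    "ua_pattern": re.compile(r"^UpdateAgent/\d\.\d$"),
}

# Constructed proxy log lines: timestamp src_ip dst_host dst_port "user-agent"
LOG_LINES = [
    '2024-02-01T10:00:01Z 10.0.0.5 updates.vendor.example 443 "Mozilla/5.0 (Windows NT 10.0)"',
    '2024-02-01T10:00:09Z 10.0.0.8 cdn-update.example 8443 "UpdateAgent/1.2"',
    '2024-02-01T10:01:30Z 10.0.0.9 intranet.example 8443 "Mozilla/5.0 (X11; Linux)"',
    '2024-02-01T10:02:00Z 10.0.0.8 cdn-update.example 443 "UpdateAgent/1.2"',
    'truncated line without fields',
]

LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\d+) "([^"]*)"$')

def match_profile(lines, profile):
    """Return (hits, unparsed) for log lines matching the actor profile.

    Each hit records which traits matched. Both traits together give
    "high" confidence; a single trait is "low", because a port or a
    user-agent on its own is often shared with legitimate software.
    """
    hits, unparsed = [], 0
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            unparsed += 1  # count, do not silently drop: gaps hide activity
            continue
        ts, src, dst, port, ua = m.groups()
        traits = []
        if int(port) in profile["callback_ports"]:
            traits.append("port")
        if profile["ua_pattern"].match(ua):
            traits.append("user-agent")
        if traits:
            hits.append({
                "time": ts, "src": src, "dst": dst, "traits": traits,
                "confidence": "high" if len(traits) == 2 else "low",
            })
    return hits, unparsed

if __name__ == "__main__":
    for hit in match_profile(LOG_LINES, PROFILE)[0]:
        print(hit)
```

Sorting the hits by confidence gives the triage order from step 1: the host showing both traits is investigated first, and the single-trait hits are checked for false positives before anything is blocked.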
Being able to craft a story is the responsibility of both the editor and the threat analyst. Understanding this 5-step process and following it allows analysts to be not only proactive, but effective. For a threat analyst, gaining context enables actionable threat analysis. By learning and understanding the threat actor and attack patterns you can envision the story, and from there, make better decisions to protect your organization. Whether you are just getting started with threat intelligence, or looking to grow your security program, ThreatConnect can help you take action today.