From the Summer 2022 Issue

Cyber Threat Intelligence Shapes the Future of SOC Operations

Dr. Paul de Souza
President | CSFI

Cyber threat intelligence is critical for Security Operations Center (SOC) operators because it describes the Tactics, Techniques, and Procedures (TTPs) that attackers use to target their organization. This information helps SOC operators map the adversary's kill chain and identify potential Indicators of Compromise (IOCs). Additionally, cyber threat intelligence can help SOC operators understand the motives and goals of adversaries, which informs decisions about how best to respond to an incident.

One of the main issues in collecting valuable IOCs is that SOC operators must often already understand the adversary's TTPs in order to know what to look for. Since many IOCs are extracted through malware reverse engineering, memory forensics, and honeypots, SOC operators must be well trained in Cyber Threat Intelligence (CTI) to take SOC operations to the next level. This article discusses some of the challenges of implementing cyber threat intelligence in SOC operations, along with solutions to them.

SOC teams are responsible for monitoring, detecting, and remediating threats across applications, devices, systems, and networks. SOCs use the latest available technologies to determine whether an active threat exists within the organization and, if so, its scope of impact on the network and assets. These activities can be daunting and costly to implement with the right technologies and human talent. Intelligence drives operations, and disseminating CTI is as critical as producing it at a high level of fidelity. In recent years, the term “cyber threat intelligence” has become increasingly popular in the information security community. However, there is still much confusion about what CTI is and how it can be used to improve SOC performance.

In order to understand Cyber Threat Intelligence, it is first necessary to understand the difference between “intelligence” and “information.” Intelligence is data that has been processed and analyzed to provide insight into and understanding of a particular situation. Information, on the other hand, is data that has been collected but not necessarily processed or analyzed. Cyber Threat Intelligence can be defined as actionable insight into and understanding of current and future threats, derived from the analysis of data collected from various sources. This intelligence can improve SOC performance.


There are many ways to collect and process data to generate actionable cyber threat intelligence. One common approach combines human and machine-based analysis: a team of analysts reviews data from various sources, including public information, social media, and dark web forums, and identifies patterns and trends that can be used to improve SOC performance. Another common approach is to use Artificial Intelligence (AI) and Machine Learning (ML) algorithms to analyze data automatically, which can quickly surface patterns and trends that humans would find difficult to discern.

Depending on its importance and time sensitivity, intelligence may be disseminated, or “pushed,” directly to SOC operators, or it may be placed in an accessible database from which stakeholders “pull” the intelligence they need. Intelligence flows through channels or methods, and the form intelligence takes can influence how it is disseminated. Some intelligence can be transmitted almost instantaneously to multiple users via a digital communications link. The channel or means of dissemination is less important than the arrival of the intelligence at the proper destination, on time, and in a form the recipient can readily use. Depending on urgency and time sensitivity, intelligence may follow established communications channels, or it may be broadcast to the entire SOC simultaneously as an alert or alarm.

The first step in implementing CTI as a force multiplier within your SOC is understanding the differences between tactical, strategic, and operational intelligence. Each is used differently depending on the type of operation SOC operators are conducting and how it fits into the organization's larger goals or objectives.

Tactical intelligence supports tactical decision-making: it is processed and analyzed primarily to support immediate or short-term objectives. Workarounds and quick countermeasures that disrupt a specific cyber-attack or patch a vulnerability are examples of tactical intelligence in use.

Strategic cyber intelligence can help organizations assess and manage the risks posed by cyber threats and understand the capabilities and intentions of their adversaries. It is intent-centric and requires a good understanding of hostile intent.

Operational intelligence combines technology, people, and processes that SOC operators can use to turn data into useful information for operational decision-making. By analyzing historical and real-time data, operational intelligence systems give SOC operators visibility into their operations so they can identify and correct problems in near real time. Operational intelligence is a relatively new term, but the concept has been around for many years.

Fusing CTI into SOC operations relies heavily on human capacity and capabilities: the workforce.

The obstacles to training a workforce of SOC operators in Cyber Threat Intelligence can be boiled down to two key challenges: a lack of in-house expertise and the prohibitive cost of third-party training. These two problems are often compounded by a third: the difficulty of keeping up with constantly changing technologies and a constantly changing threat landscape.


Fortunately, there are a few ways to overcome these challenges and get a team up to speed on Cyber Threat Intelligence. In-house experts can be leveraged to develop and deliver training, and various online resources can supplement formal training programs. Finally, careful selection of outside training providers can reduce costs while still providing high-quality instruction.

SOC owners can look for cyber professionals with a variety of backgrounds. However, it is wise to think beyond technical capabilities and recognize that many intelligence professionals can be invaluable in a SOC environment. Threat hunters are a relatively new type of security professional and are in high demand. Cyber threat hunters proactively seek out threats that have evaded detection by traditional security defenses. They use analytical skills, technical expertise, intelligence, and creativity to find clues that lead them to the sources of these threats. Deploying threat hunters and CTI experts as tier 3 operators can elevate the quality of intelligence-driven defenses, resulting in more effective SOCs.

Threat hunters proactively seek out potential threats and indicators of compromise rather than simply waiting for alerts to come in. This means they can often identify threats before they have had a chance to do severe damage. CTI experts, on the other hand, provide invaluable context about the threats that have been identified, helping SOC teams better understand the risks these threats pose and making it easier to devise strategies for dealing with them. Together, threat hunters and CTI experts make a powerful team capable of effectively protecting organizations from even the most sophisticated threats.

When it comes to threat hunting, there are a few key things that SOC teams should keep in mind:

  1. Clearly understanding the organization’s specific goals and objectives is essential. This will help prioritize which threats to focus on and make it easier to measure the effectiveness of cyber defense efforts.

  2. Having access to high-quality data is essential. This data can come from various sources, including security logs, network traffic data, and endpoint data. With it, the team can identify potential threats more efficiently and track the progress of an attack.

  3. Having the right tools in place is vital. Several different threat hunting tools are available, and it is crucial to select the ones that best meet the organization’s needs. This may require trial and error, but finding the right tools for the team is worth the effort.

Finally, it is essential to remember that threat hunting is an ongoing activity, not something to do once and then forget about. Organizations need to continuously monitor their data and look for new ways to improve their processes.
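As an added illustration of the IOC sweep implied above (mapping indicators to the adversary's kill chain, as in the opening paragraph, and hunting across security, network, and endpoint data, as in item 2), the following example code is not part of the original article. It takes a constructed CTI feed whose indicators carry the ATT&CK technique and kill-chain stage the feed attributes to them, sweeps constructed DNS, proxy, and EDR log lines for matches (exact matches for domains, addresses, and hashes, plus CIDR matches for address ranges), and ranks hosts by how many distinct kill-chain stages have been observed on them. The feed values, hashes, addresses, log format, field names, and ranking rule are all assumptions made for the example; the technique IDs are real ATT&CK identifiers, but their attribution to these indicators is hypothetical.

```python
"""Added example (not from the article): a CTI-driven IOC sweep over logs.
Indicators, hashes, addresses and log lines are constructed for illustration;
the ATT&CK technique IDs are real, but their attribution here is assumed."""
import ipaddress
import re
from collections import defaultdict
from dataclasses import dataclass

@dataclass(frozen=True)
class Indicator:
    value: str       # domain, IP address, CIDR block, or SHA-256 hash
    kind: str        # "domain", "ip", "cidr", or "sha256"
    technique: str   # ATT&CK technique the feed attributes the indicator to
    stage: str       # kill-chain stage the feed associates with that technique
    confidence: int  # feed confidence, 0-100

@dataclass(frozen=True)
class Hit:
    timestamp: str
    source: str      # log that produced the hit: dns, proxy, or edr
    field: str       # field that matched
    observed: str    # value seen in the log
    indicator: Indicator

# Constructed feed entries (hypothetical values).
FEED = [
    Indicator("update-cdn.example", "domain", "T1071.001", "command-and-control", 85),
    Indicator("198.51.100.23", "ip", "T1071.001", "command-and-control", 70),
    Indicator("3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",
              "sha256", "T1059.001", "execution", 90),
    Indicator("203.0.113.0/24", "cidr", "T1041", "exfiltration", 40),
]

# Constructed log lines in the form "<timestamp> <source> key=value ...".
LOGS = [
    "2022-06-01T09:12:04Z dns host=ws-17 query=update-cdn.example rcode=NOERROR",
    "2022-06-01T09:12:05Z proxy host=ws-17 dst=198.51.100.23:443 bytes_out=18234",
    "2022-06-01T09:13:40Z edr host=ws-17 proc=powershell.exe sha256=3a7bd3e2360a3d29eea436fcfb7e44c735d117c42d1c1835420b6b9942dd4f1b",
    "2022-06-01T09:15:00Z dns host=ws-02 query=intranet.corp.example rcode=NOERROR",
    "2022-06-01T09:16:12Z proxy host=ws-02 dst=203.0.113.9:443 bytes_out=512",
]

# Fields of each log source worth sweeping (assumed schema).
SWEEP_FIELDS = {"dns": ("query",), "proxy": ("dst",), "edr": ("sha256",)}
_KV = re.compile(r"(\w+)=(\S+)")

def parse_line(line):
    """Split a log line into (timestamp, source, {field: value})."""
    timestamp, source, rest = line.split(" ", 2)
    return timestamp, source, dict(_KV.findall(rest))

def build_index(feed):
    """Exact-match table for domains/IPs/hashes, plus the CIDR indicators."""
    exact = {i.value.lower(): i for i in feed if i.kind != "cidr"}
    cidrs = [(ipaddress.ip_network(i.value), i) for i in feed if i.kind == "cidr"]
    return exact, cidrs

def lookup(value, exact, cidrs):
    """Return the Indicator matching value (exact or by CIDR), else None."""
    value = value.lower()
    if value in exact:
        return exact[value]
    try:
        addr = ipaddress.ip_address(value)
    except ValueError:
        return None  # not an IP address, so CIDR indicators cannot apply
    return next((ioc for net, ioc in cidrs if addr in net), None)

def hunt(logs, feed):
    """Sweep logs for feed indicators; return {host: [Hit, ...]}."""
    exact, cidrs = build_index(feed)
    hits = defaultdict(list)
    for line in logs:
        timestamp, source, fields = parse_line(line)
        for field in SWEEP_FIELDS.get(source, ()):
            raw = fields.get(field, "")  # empty string never matches anything
            # proxy dst is "ip:port"; drop the port (IPv4 only in this example)
            observed = raw.rsplit(":", 1)[0] if field == "dst" else raw
            ioc = lookup(observed, exact, cidrs)
            if ioc is not None:
                hits[fields["host"]].append(Hit(timestamp, source, field, observed, ioc))
    return dict(hits)

def prioritize(hits_by_host):
    """Rank hosts: more distinct kill-chain stages first, then higher confidence."""
    def score(host):
        hs = hits_by_host[host]
        return (len({h.indicator.stage for h in hs}), max(h.indicator.confidence for h in hs))
    return sorted(hits_by_host, key=score, reverse=True)

if __name__ == "__main__":
    results = hunt(LOGS, FEED)
    for host in prioritize(results):
        print(host, [(h.source, h.indicator.technique, h.indicator.stage) for h in results[host]])
```

With the constructed data, ws-17 surfaces first because it shows hits in two kill-chain stages (execution and command-and-control), while ws-02 has a single low-confidence range match; that ordering is the operational context the CTI feed adds beyond a flat list of indicator hits, and it is where a threat hunter would start.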

At a high level, the things a SOC team needs to do to be successful include the following:

  1. Understand the business and its goals.

  2. Identify potential security risks to the business.

  3. Create a security program that aligns with the business goals.

  4. Implement controls to mitigate identified risks.

  5. Monitor the environment for changes that could impact security.

  6. Respond to incidents in a timely and effective manner.

  7. Continuously improve the security program based on lessons learned.

In conclusion, for a SOC to better leverage Cyber Threat Intelligence capabilities, it needs a clear and concise understanding of what CTI is and how to integrate CTI into its existing security operations processes. Furthermore, the SOC must be able to identify internal and external sources of CTI that can provide actionable intelligence. Lastly, the SOC should consider implementing a CTI platform that allows easy consumption and sharing of threat intelligence among its team members.
