In our last post, we began this new series and introduced you to the meaning of Threat Intelligence. In this blog post, we’ll expand on threat intelligence and discuss common indicators of compromise and the types of threat intelligence.
Indicators of Compromise
As the threat landscape continues to evolve, organizations are under more pressure than ever to manage their security vulnerabilities. Known as Indicators of Compromise, or IoCs, these digital footprints are evidence of potential intrusions on a network which allow infosec professionals to detect malicious activity.
Common indicators of compromise can include:
- Unusual network traffic patterns going in and out of the network
- Log-ins from a single account but from different global IPs, in a short amount of time
- Suspicious activity in privileged user accounts
- Abnormal geographical activities, such as access patterns and log-ins in a country with which your organization normally does not conduct business
- DNS request anomalies
- Repeated login failures from both non-existing and existing user accounts
- Sizable spikes in database read volume
Using IoCs to improve detection and response
IoCs are an important detail when keeping your organization safe from cyberattacks and malware. In order to better detect and respond to compromises in security, and to move faster in identifying incidents that may have gone undetected by other tools, organizations must use detailed monitoring of IoCs—which leads to improved intelligence gathering and proactive prevention.
A clear benefit of understanding IoCs is that security professionals can also use them to analyze malware behaviors and share any actionable threat intelligence with the security community. There is a global push for organizations to report their collected intel results in a to help other organizations and IT professionals. Open-source feeds include Information Sharing and Analysis Centers (ISACs), the FBI, and several other agencies that are in line with sharing threat data.
Understanding Indicators of Compromise can empower your organization and the people within the security operations center (SOC) to improve detection rates and mitigate security risk.
Types of threat intelligence
There are different levels of threat intelligence, and at each level, the context and analysis of the intelligence becomes more thorough. Threat intelligence can be more thoroughly understood when broken down into 3 subcategories:
-
- Strategic: High-level analysis and information/broader trends of an organization’s threat landscape.
This type of intelligence helps decision-makers better understand their organization’s security risks; therefore, helping them to make detailed cybersecurity investments.
- Strategic: High-level analysis and information/broader trends of an organization’s threat landscape.
-
- Tactical: Intel on the TTPs (tactics, techniques, procedures) of cyber criminals.
Usually automated, this type of intelligence is often generated for a more technical audience that is focused on identifying simple IoCs. This information is utilized to request improvements to security processes and controls, as well as to speed up incident response times.
- Tactical: Intel on the TTPs (tactics, techniques, procedures) of cyber criminals.
- Operational/Technical: The gathering of specialized details and insights from specific attacks and campaigns.
This type of intelligence is most utilized by SOC employees. This information can be used to help security teams understand the intent and timing of certain attacks and support the response to incidents. Operational or technical threat intelligence may often come in the form of reports from an automated threat feed.
Although some of these types of threat intelligence may overlap, the breakdown helps us to understand the myriad of functions each level contains.
If you’d like to learn more about Threat Intelligence and how DomainTools can help keep your organization safe, see these resources:
