As more and more attacks occur, defenders are depending on threat intelligence to get early notification of attacks. By analyzing the latest indicators of compromise, organizations can act upon attacks targeting their industry and react quickly before they become a victim.
Additionally, according to the Gartner report “Designing An Adaptive Security Architecture for Protection from Advanced Attacks” by Neil MacDonald and Peter Firstbrook, published in Feb 2014 and refreshed in January 2016, “Comprehensive protection requires an adaptive protection process integrating predictive, preventive, detective and response capabilities.” The report states, “based on reconnaissance of hacker attention, hacker marketplaces and bulletin boards; on vertical industry interest; and on the type and sensitivity of the data being protected, this category is designed to proactively anticipate future attacks and targets so that enterprises can adjust their security protection strategies to compensate.” It would seem better understand of threat intelligence indicators of compromise can help with this regard.
The challenge for organizations is how to operationalize and weaponize this threat intelligence data -- from motivation and intent of adversaries, their campaigns and technical indicators, the malware used, and the vulnerabilities being exploited. In a recently published ESG research report titled, Threat Intelligence and Its Role Within Enterprise Cybersecurity Practices, 19% of organizations surveyed said they had difficulty analyzing and operationalizing threat intelligence data for risk management or incident response.
According to the SANs threat intelligence paper "Who’s Using Cyberthreat Intelligence and How?", 55% of organizations surveyed pushed their threat intelligence feeds to SIEM, adding to the challenges of noise that teams are already facing today.
The SafeBreach integration with threat intelligence vendors aims to enhance attack prediction. The solution enables organizations to consume threat intelligence indicators of compromise and transform them into hacker breach methods that can be executed within an environment. It allows organizations to proactively see which attacks are applicable in their environment in a practical, actionable manner.
The SafeBreach ability to weaponize threat intelligence and truly understand the activities that represent specific priority threats allows security analysts to dramatically improve their ability toanticipate future attacks, challenge their security defenses and train their security operations center (SOC) teams.
Here is an example of our integration with FireEye iSight Threat intelligence:
Today, threat intelligence feeds are typically sent to security information and event management (SIEMs). Thus, operationalizing threat intelligence and deriving value out of threat intelligence data today is very much dependent on specialized analysts. Watching and waiting to react as a defense is untenable. Simulating breach methods based on real-time threat intelligence enables organizations to proactively find weak spots in the specific context of their business and infrastructure.
There are a number of benefits in simulating threat intelligence feeds: