Blog

Automated Threat Intel Processing

This year 2018 in cyber security is about governance, automation and intelligence. More and more, critical infrastructure services are available only in the space of “cyber”. At the same time, malware incidents are causing immense losses for businesses, undermining sovereignty of many authorities and causing threats to human lives as well. Modern cyber authorities, sovereigns in the cyberspace, need access to better threat intelligence, to support their securitizing functions. But, manual processing even part of threat intelligence feeds takes time — and the network, as well as whole “cyber” space, is evolving all the time.

The trend in analyzing and maintaining accurate threat intelligence today is heavy automation, as processing the vast amount of intelligence on malware on global scale would just incapacitate the organization. Good threat intelligence platform will provide security analysts accurate and well-prepared set of information, something that analysts can the use as basis for further decisions. Raw data is not enough, therefore threat intelligence tools and feeds must, and this is a must, provide automated collection, aggregation and initial analysis, as well as identify potential issues and even facilitate deployment of automated responses. Modern threat intelligence services can even help organizations to spot and predict future threats even before they occur. Luckily today there are good tools available to construct better threat intelligence than perhaps never before. Artificial intelligence solutions can enable organizations to access information related to future threats, malware and other incidents that could undermine their capabilities of the organization in the global space of “cyber”.

Simple intelligence data gathering and analysis is only part of the story, but modern threat management (as part of the risk management of an organization) is all about integration and interoperability. Where simple port scanning and traffic filtering did the job years ago, todays threat intelligence API’s must provide comprehensive systemic analysis and consider the security of an organization as a systemic whole, combining traditional aspects of information security to hard network and application security as well. Modern threat intelligence platforms and application interfaces must therefore focus on detecting anomalies and creating predictive models on the status of the security of an organization in the cyberspace.

Security is not an island

Already years ago, security community used a slogan that stressed how organizational security based on concepts of borders and walls had becoming to be obsolete. Cloud computing was one of the driving forces and key themes in the process of transforming concepts of security towards systemic profiling and integrated mutual stability instead of bordered interoperability. This transformation had immense effect on concepts, applications and services processing threat intelligence. Suddenly, threat intelligence was not a question of execution, implementation and “strength” of walls, but about establishing security regimes among peers and networks that would necessarily not share common trust, and of which some might even be assumed to be hostile or just fail in good faith in their processing.

Modern threat intelligence feeds and services must therefore inhibit capabilities for anomaly detection more than ever, and they must have high degree of visibility to the system in order to accurately process such profiling. With comprehensive integration capabilities, threat intelligence platforms today can integrate into their application environment, but also into foreign or even hostile cyberspace, and therefore use more comprehensive data gathering capabilities to conduct more accurate predictions, profiling and feed in information for human security analysts. In some cases this can give birth for a post-incident management process, where the threat intelligence platform has triggered an automated response, yet, human intervention is mandatory in order to properly consider the accuracy of responses and conduct plans for further action (or rollback).

Lack of sovereigns and unstructured nature of authority in the cyberspace

In an heterogenous and distributed system, within an un-bordered security regime, particular challenge is the lack of, or competing layout of, authority. Threat intelligence analysis is only as good and comprehensive as are its eyes and ears, nothing more would be merely speculation. Modern threat intelligence systems therefore must maximize their penetration into organizational, and also into intra-organizational, frameworks and settings. Similarly, platforms and tools must also include unconventional sources of intelligence and can they should not rely (solely) only on technical layers of networking. Reality, of course, is an evolving process towards ideals, some of which was never materialized in full. Yet, successful organizations in the cyberspace have applied this kind of comprehensive threat analysis — and many have failed to do so.

The challenge for security automation is to merge and combine traditional and unconventional intelligence sources and successfully deploy a transparent input-regime that spans organizational borders and moreover, also “governmental” if not even territorial identities as well (today more acutely so, than perhaps before). Important is to recall, that the development towards un-bordered security concepts is not only expressed in the cyberspace, but it is tightly bound to the surrounding sociopolitical transformation of power in “real world”, particularly establishment of modern non-territorial regimes and authorities.

Truly Useful Cyber API for Threat Intelligence

One example of an usable threat intelligence service Domain Infrastructure Analysis API service, provided by Threat Intelligence Platform, a modern web-enabled aggregated intelligence data and API provider. Following a simplified and “one-click-shoot” nature of many hacker-style tools from the past, accessible only for professional offensive penetration testers, this simple service produces a whole lot of information regarding a specific domain name. Everything is done with a simple HTTP query based on web integration technologies, such as REST and JSON. The use of modern web technologies in the API facilitates its integration into and use within other applications and services.

This kind of service provides good source of intelligence, with preliminary processing well done. Building its intelligence on top of open sources, such as domain name register queries and network block information, this simple service will help organizations more effectively to process domain-specific threat intelligence information within their business applications and risk management processes. This company provides many similar interface-based services for applications to use, such as SSL certificate analysis, domain relations and reputation scoring. This preprocessed and aggregated data retrieved from open source and other data sources will enable organizations to conduct comprehensive threat intelligence analysis, without having to have to process and integrate with each and every individual source within their application.

On higher level, this kind of threat intelligence services and API’s can contribute towards establishment of wider baseline of what open source intelligence data are used and what kind of analysis or conclusions are drawn based on that data. It is important to recall also, that even popular open source intelligence information sources, such as domain registration data, seem to form a coherent and authoritative data set, kind of “global threat scope”, the reality in the world is rather diverse and decentralized. Any threat intelligence services and conclusions must therefore, not only aggregate data and perform initial analysis, but also respond to the challenge of heterogeneous and changing data sources as well as “relativity” of a threat. Furthermore, threat as a concept inhibits strong political motivation, not to mention the vast domain of human mind that is related to the analysis of what constitutes as a threat. Simple data source and aggregation services can therefore be useful in that process, yet, security analysts should keep in mind, that those at the same time propagate specific level, scope and interpretation of security, preferences and choices among values and grievances. This is done in a seemingly coherent way out from an incoherent reality — posing itself as self-proclaimed global authority to do so.

Contact us now to get the best tools to support your cyber operations today!