Playbook Series: Operationalizing Threat Intelligence

Playbooks are Python scripts that Phantom interprets in order to execute your mission when you see something that you want to take action on. Playbooks hook into the Phantom platform and all of its capabilities in order to execute actions, ensuring a repeatable and auditable process around your security operations.  Sample Community Playbooks can be customized at will and are synchronized via Git and published on our public Community GitHub repository.   You can read more about Phantom and Playbooks here.

The spotlight playbook for today is on Operationalizing Threat Intelligence.

Threat intelligence is everywhere around us. It comes in various forms such as IP addresses, URLs, file hashes, vulnerability reports, threat actor reports, etc. This list goes on and on. The STIX document format exists solely in order to make threat intelligence shareable.  As security operators we seek out this data wherever we can get it. With all of the sources, it has become increasingly important to operationalize this threat information and turn it into detection and protection mechanisms for the enterprise. How is this done today? Like anything else, there are several ways to solve it. The following is a common, albeit simplified scenario.

An organization has a subscription to a threat intel feed that provides threat data such as raw indicators, threat actor details, and even vulnerabilities. The reports are delivered, and an analyst will perform several steps along the path to protective action. The phases of operationalizing this data can be labeled as “Investigation (i.e. indicator enrichment and hunting) and Defending (i.e. including indicator deployment)”.

Indicator Hunting, Investigation and Enrichment

Determine the type of report on hand:

Raw Indicators

• Indicator reports commonly include IPs, file hashes, and additional details which allow several protective actions to be taken. This includes blocking IP addresses, URLs, and files. These indicators are usually manually validated by researching additional reputation and sandboxing sources to ensure threat validity.
• Seek out any additional resources such as methods, or command and control nodes so that detection and protection schemes can be deployed.

Threat Actor Details

• Determine if the threat actors are targeting nations, specific sectors, or even specific companies. Then determine if the organization falls into the target.
• Seek out any additional resources such as methods, specific malware or exploit kits, and/or command and control nodes so that detection and protection schemes can be deployed.

Vulnerability Report

• It is necessary to determine if the vulnerabilities can be successful against the environment. If so, build/test/deploy IP(D)S rules to alert/block. Other defense mechanisms should be leveraged as well, including application layer firewalling.
• Find if a patch is available from the vendor and deploy.

The prior actions outline only the initial protective measures that need to be implemented. After these actions are taken the Security Operations team must switch focus from threat ingestion and deploying protection measures, to analysis of prior log data to determine if there has been any prior contact from or with the identified threats. This is perhaps the most resource intensive – both from an infrastructure as well as a manpower perspective and is often left incomplete. There are simply so many sources of alerts and threat data that require triage as well as possibly requiring all of the prior outlined steps.

Containment and Recovery (Defending):

• Assemble list of different data types: IPs, URLs, domains, file hashes.
• Build queries in SIEM or the data store to determine any prior contact with the threat.
• If contact is determined, incident response is required based on the potential impact from the threat. This sequence of events will require a well defined incident response methodology. We will hold that for a future discussion, as it merits full detail.
• Some response examples:
  • Find any running processes that match the identified malware.
  • Terminate these malicious processes.
  • Quarantine any infected hosts.
  • Notify Security Operations, and Help-desk of identification and containment.
  • Potentially even regenerate any hosts after identification of malware.
• Identify and contain any lateral movement in the environment.
• A full audit of the Investigation and Defending steps should be performed.

All of these steps are repeated on each intel report received by the organization, both in the “Protection” stage as well as in the “Detection” stage.

The steps above can easily be automated in Phantom, and the savings can be substantial.

Interested in seeing how Phantom Playbooks can help your organization?  Get the free Phantom Community Edition.