Let’s start with a scenario. You’ve finally convinced the business to begin the journey of building up a threat intelligence capability. Executives are pumped. You’re excited to get access to a shiny new tool brimming with data to dive into, start producing some great reports, and block some fresh indicators.
Fast forward six months and the program has stalled; it’s too noisy, you don’t see the value, and you’ve got more pressing things to do. The exuberant spirit you once had for threat intelligence is now dampened by the fire hydrant of indicators you unwittingly unleashed on your security team.
If this sounds familiar, it’s because it happens all the time. I probably hear a story similar to this every week. Do not worry, I’m not going to open the “are IOCs valuable” can of worms (although if you want to read more, I will point you towards David Bianco’s Pyramid of Pain that still stands up seven years later).
I want to talk instead about noise associated with digital risk protection (also referred to as Brand Intelligence and DRPS in other circles), which is now generally regarded as the best starting point for building up your threat intelligence capabilities for its increased relevance and actionability. In this blog, I’ll outline the approach we’ve taken to kill the noise and help organizations start building up a more actionable – and less overwhelming – threat intelligence capability.
Why a focus on actionable threat intelligence?
Digital footprints keep on growing and, while most of that growing footprint is benign, some of it carries risk: digital risks, if you will. Unfortunately, every year the average organization is mentioned 15 million times across the surface web, technical sources, the dark web, and exposed documents.
The average company is mentioned 15 million times a year (Digital Shadows, 2020)
Finding the risks within this vast amount of data is a considerable challenge. Even the most mature security teams in the largest organizations are hard-pressed to correlate and analyze this enormous amount of data in a reasonable timeframe.
Our approach is to filter out the noise, help automate your response, and then focus analyst time on the most challenging and nuanced issues: deciding when it’s worth taking brand enforcement action, evaluating the credibility of dark web information, and other cyber threat analysis.
Let’s break that down into three areas:
- Use software to do the heavy lifting
- Manually analyze the hard bits
- Automate the responses you keep repeating
Solution 1. Let Software Do the Heavy Lifting
Of the 15 million mentions, this approach can weed out the vast majority. Certain findings are close to binary: an exposed credential, a detected vulnerability, or an open port can all be detected with little ambiguity.
Some algorithms are necessary for specific areas, of course. For example, a domain might look like it is impersonating your company. By analyzing the closeness of the match, the age of the domain, and other factors, it’s possible to reject millions of potential results without requiring a minute of your team’s time.
Similarly, analyzing a document to detect not only mentions of your company but also whether it carries sensitive markings, and how old it is, is a simple task for an algorithm but a tedious manual investigation for an analyst.
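As an added illustration of the impersonating-domain filtering described above (example code written for this post, not SearchLight's own logic), the following rule set scores each candidate by edit distance of its registrable label from the brand and by domain age, rejecting the far-off and deprioritising the long-established. The brand name, reference date, candidate domains and registration dates are all constructed assumptions.

```python
from datetime import date

# Hypothetical brand and reference date; both are assumptions, not values from the post.
BRAND = "examplebrand"
TODAY = date(2020, 6, 1)

def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance (insert/delete/substitute) using a rolling row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]

def registrable_label(domain: str) -> str:
    # Simplification: assumes a single-label public suffix; production code would
    # consult the Public Suffix List so that "brand.co.uk" yields "brand", not "co".
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]

def assess(domain: str, registered: date, brand: str = BRAND, today: date = TODAY) -> dict:
    """Closeness of the label to the brand plus domain age decide the verdict."""
    label = registrable_label(domain)
    dist = edit_distance(label, brand)
    lookalike = dist <= 2 or brand in label   # typo-distance hit, or brand embedded in the label
    age_days = (today - registered).days       # registered = WHOIS creation date (assumed enrichment)
    if not lookalike:
        verdict = "reject"   # too far from the brand to be an impersonation
    elif age_days <= 90:
        verdict = "review"   # new and lookalike: worth an analyst's time
    else:
        verdict = "low"      # lookalike but long-established: deprioritise
    return {"dist": dist, "age_days": age_days, "verdict": verdict}

def triage(candidates: list) -> dict:
    return {domain: assess(domain, registered) for domain, registered in candidates}

# Constructed candidate domains standing in for raw mention data.
SAMPLE_CANDIDATES = [
    ("examp1ebrand.com", date(2020, 5, 20)),       # one-character swap, registered days ago
    ("examplebrand-login.net", date(2020, 5, 1)),  # brand embedded in a longer label
    ("exampleblog.org", date(2012, 3, 4)),         # shares a prefix only: noise
    ("examplebrand.co", date(2016, 8, 15)),        # exact label, but years old
]

if __name__ == "__main__":
    for domain, result in triage(SAMPLE_CANDIDATES).items():
        print(f"{domain:24s} dist={result['dist']} age={result['age_days']:5d} -> {result['verdict']}")
```

Only the two recently registered lookalikes reach an analyst; the thresholds (distance 2, 90 days) are tuning knobs, not fixed values from the post.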
Solution 2. Focus Humans on the Trickier Problems
Even with software to sieve and sort through a mountain of data, many types of cyber threat require further human analysis to interpret the risk and business impact. Threats such as impersonating domains, phishing webpages, dark web mentions, and counterfeit goods may be correctly detected by software yet turn out to mention a different company with a similar name, or to lack any proof of malicious intent. Large organizations like Fortune 500 companies experience well over 1 million mentions across dark web sources every year.
This is where having a human in the loop works to your advantage. Of the 13,000 potential alerts detected by SearchLight, our analysts remove approximately 91% of them before they are raised to teams. Often data feeds unleash an unfathomable number of alerts on security analysts, causing the bulk of their workdays to shift to triaging false positives or threats that have no real business impact. A Digital Risk Protection solution, however, is there to raise only the important alerts, complete with risk scoring and prioritization, to reduce manual triage time. This, in turn, leaves more time to be spent on remediating real security threats.
The most significant area, however, is remediation via managed takedowns. You cannot just spam domain registrars and hope for success; getting a domain taken down reliably requires nuance and geographical knowledge.
Solution 3. Leverage Automation to Ease the Burden
“The definition of insanity is doing the same thing over and over again and expecting a different result”- Albert Einstein.
Ever find yourself facing the same type of alert over and over again? It can feel like insanity, but thankfully a fair amount of alert noise can be killed with automation.
Take exposed credential alerts: some companies choose to validate exposed credentials within SearchLight against a standardized company username format, or by integrating an identity and access provider such as Azure Active Directory or Okta. If the credentials are invalid, clients can opt to automatically reject the alert, saving hundreds of hours of credential investigation per month. For organizations that have enabled this feature in SearchLight, an average of 11,000 exposed credentials have already been successfully auto-rejected. You can read more about our credential validation in our Exposed Credential Monitoring Solutions Guide.
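The credential validation just described, as an added example that is not SearchLight's own code: each exposed record is checked against a company username format, then against an active-account list standing in for the Azure AD or Okta lookup, and repeat sightings of the same pair are collapsed so the same alert does not return week after week. The username convention, the account list and the sample records are constructed assumptions; note that a format-only gate would also discard service accounts and legacy usernames, which is why the directory check is the safer filter.

```python
import hashlib
import re

# Hypothetical username convention first.last[NN]@examplecorp.com; an assumption, not from the post.
COMPANY_FORMAT = re.compile(r"^[a-z]+\.[a-z]+[0-9]{0,2}@examplecorp\.com$")

# Stand-in for the identity-provider lookup (Azure AD / Okta): the set of active accounts.
ACTIVE_ACCOUNTS = {"jane.doe@examplecorp.com", "sam.lee2@examplecorp.com"}

def fingerprint(password: str) -> str:
    """Keep only a hash of the exposed password so the triage log never stores it in clear."""
    return hashlib.sha256(password.encode()).hexdigest()[:16]

def classify(username: str, password: str, active_accounts: set, seen: set) -> str:
    u = username.strip().lower()
    if not COMPANY_FORMAT.match(u):
        return "auto-reject:format"      # cannot be a company credential as formatted
    if u not in active_accounts:
        return "auto-reject:no-account"  # account never existed or has been disabled
    key = (u, fingerprint(password))
    if key in seen:
        return "duplicate"               # same pair already raised: no new work
    seen.add(key)
    return "raise"                       # valid, active, first sighting: force a reset

def triage(records: list, active_accounts: set = ACTIVE_ACCOUNTS) -> dict:
    """Group each (username, password) record by outcome; rejects are kept, not dropped, for audit."""
    seen, outcomes = set(), {}
    for user, pw in records:
        outcomes.setdefault(classify(user, pw, active_accounts, seen), []).append(user)
    return outcomes

# Constructed exposed-credential records, standing in for one batch of alerts.
SAMPLE_RECORDS = [
    ("jane.doe@examplecorp.com", "Summer2019!"),
    ("JANE.DOE@ExampleCorp.com", "Summer2019!"),   # same pair, different casing -> duplicate
    ("admin@examplecorp.com", "admin"),             # not first.last -> format reject
    ("john.smith@examplecorp.com", "hunter2"),      # left the company -> no-account reject
    ("sam.lee2@examplecorp.com", "Passw0rd"),
    ("sam.lee@examplecorp.co", "Passw0rd"),         # wrong domain -> format reject
]

if __name__ == "__main__":
    for outcome, users in triage(SAMPLE_RECORDS).items():
        print(f"{outcome:24s} {len(users)} {users}")
```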
This extends to other use cases, too. For example, another organization ingests SearchLight “Unauthorized Commit to Public Code Repository” alerts into their Splunk instance. By automating responses within Splunk Phantom, they have reduced remediation time from 3 weeks to just four hours.
What is Success?
Of the 15 million mentions, the average organization only gets the following alerts a year, all neatly categorized and risk scored to prioritize and respond effectively:
- 10 Phishing Webpages
- 29 Exposed Access Key Alerts
- 29 Impersonating Mobile Apps
- 55 Exploitable Vulnerabilities
- 57 Impersonating Social Media Profiles
- 84 Exposed Document Alerts
- 178 Certificate Issues
- 835 Impersonating Domains
You can then start to automate your response to those and focus analyst time on the toughies: managed takedowns, language translation, and cyber threat analysis.
To find out more about how SearchLight achieves this delicate balance, explore our platform for yourself: register to test drive SearchLight.