How We Create High Quality, Actionable Threat IntelligenceGather the Most Complete and Up-to-Date Threat Intelligence By: Eric Hemmendinger - Senior Consultant Product Management
Threat intelligence is like an iceberg. The information you see results from a massive but invisible effort required to deliver and create it. Here at Secureworks, we often highlight intelligence from our Counter Threat Unit™ (CTU™) research and conclusions – content that we see as an important component of an end-to-end Threat Intelligence (TI) program for our customers (See Customer Advisory: Kaseya VSA Software Under Active Attack). While the outcome delivered is strong, it isn’t always the most intuitive, because there are a lot of inputs that come together to deliver high quality, relevant, and trustworthy TI.
In this blog post, we’ll pull back the curtain and look at what is required to create and deliver highly valuable and actionable threat intelligence.
Know the Adversary & Their Behavior
To successfully gather the most complete and up-to-date threat intelligence, it helps to know the adversaries primarily responsible for generating those threats.
At Secureworks, a significant proportion of our intelligence efforts are focused on this bad-actor identification. Secureworks researchers have identified more than 200 distinct threat actor groups around the world.. But we do more than just identify these groups. We continuously track their activity, accurately attributing specific attack clusters back to them based on observed methods, behaviors, and tooling. We then segment and name these groups according to geography and motivation.
We also meticulously inspect malware binaries to track the evolution of their components, which, in addition to shedding light on how various strains of malware work, gives us actionable insight into the affiliations and relationships between known threat actors. This insight helps us surmise how certain threats may propagate and may even lead us to new, previously unknown actors.
The result of all this effort is what you see derived in our actionable, high-value threat intelligence. Notable recent examples include Counter Threat Unit Researchers Publish Threat Group Definitions, Hades Ransomware Operators Use Distinctive Tactics and Infrastructure, Ongoing Campaign Leveraging Exchange Vulnerability Potentially Linked to Iran, and our 2021 State of the Threat report.
Read the 2021 State of the Threat Report
Watch the Adversary Inside Organizations
Watching and researching adversaries proactively is only the start of gathering high quality threat intelligence. Good intelligence is enhanced by seeing how bad actors behave once inside an organization. Secureworks intelligence goes beyond just research; we also derive insights from endpoint and network telemetry from over four billion customer events per day, more than 1,000 incident response engagements a year, proprietary botnet emulation systems, monitoring of underground forums, and intelligence partnerships.
Finally, we also do our share of proactive threat hunting. This doesn’t depend on the passive receipt of data at all, and allows us to discover dangers to your environment before they become widespread and/or newsworthy.
Deliver Threat Intelligence at Scale & at Point of Need
Despite the knowledge that good threat intelligence can bring, it’s not enough to protect organizations unless it’s delivered in a way that allows organizations to leverage it to take action when they need it and with the context they need.
At Secureworks, our knowledge base enables us to create countermeasures, publications, services, and responses to specific customer inquiries:
- Countermeasures are detection capabilities that are integrated with Secureworks products and platforms – identifying threat actor activities.
- Publications such as Threat Group Profiles and Threat Intelligence Executive Reports are publicly available on secureworks.com, and Vulnerability Advisories are available for customers. The Attacker Database comprises a set of threat data feeds and APIs allowing customers to extend Secureworks’ Threat Intelligence into their own security platforms and broaden their prevention strategy.
- Enterprise Brand Surveillance is a customer-specific information service tuned to focus on customers’ threat environment and leverage Secureworks’ collective knowledge and unique vantage point. Our enhanced threat intelligence support services enable customers to send us malware samples and obtain guidance in response to specific concerns.
One of the most direct ways we turn threat intelligence into action is by delivering it in context of an organization’s own environment to better prevent, detect, and respond to threats. Secureworks Taegis™ XDR is a cloud-native security platform that ingests telemetry from third-party security sources (endpoint, network, cloud, and identity) and then analyzes that data using a combination of machine learning-based detection, indicators, and countermeasures to not only alert on threats but also prioritize those that are most critical and ignore false-positives. Those detectors are all derivatives of threat intelligence, and that is how you turn threat intelligence from passive knowledge into actionable insights delivered to an organization in the context of their own IT environment.
More Than Meets the Eye
When looking for a TI partner, it’s important you have access to the information you need, when you need it, in whatever form is most helpful to you—whether that’s a bulletin, a digital download, a phone call, embedded in software, or an expert pair of eyes and hands assisting you live in your environment.
Not all threat intelligence is created equal. So regardless of what TI partner you choose, make sure they have a lot more going on “below the waterline” — just like an iceberg.