A Threat Intelligence vendor is a modern-day necessity for every organization. It has become paramount for companies that want to protect themselves through reactive components, which include a SOC (Security Operations Center), IR (Incident Response), and Forensics.
They also aspire to protect themselves with proactive components, which include Threat Intelligence, Red Teaming, and exercises that help gather critical intel from a country, region, or sector-based perspective, to assist in identifying the security gaps through which an organization could be compromised.
In this blog, we will focus on Threat Intelligence and will discuss the most important factors an organization needs to focus on while partnering with a third-party Threat Intelligence vendor.
1. Does your Proposed Partner Share IOC Intelligence?
While performing a POC with a potential Threat Intelligence partner, it is essential to know whether the partner provides IOC-based intelligence. An IOC (Indicator of Compromise) acts as the first line of defense against known malicious sources. These indicators can take the form of an IP address, file hash, domain name, URL, and many others, depending on which technologies your tech stack hosts.
The indicators are blocked on the relevant devices: IP addresses can be blocked at firewalls and DDoS protection tools, while hashes can be blocked by Endpoint Security or Antivirus tools. In addition, it is good practice to add IOCs to a SIEM or SOAR platform so they can be monitored via rule-based detection.
The second aspect to keep in mind is the quality of IOCs. It is very easy for an attacker to change IOC values, so a malicious IP address of threat actor XYZ that was used four months ago is not of good quality.
Instead, the hash value of a Word document being used by a threat actor in a phishing campaign, shared in closed circles like ISACs and public-private partnerships before it becomes public at a later stage, gives your company buffer time to monitor the as-yet-unknown campaign, whether targeted or general.
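To make the point about IOC quality concrete, here is an added example (not code from Payatu or the original post) of a small feed processor that decays an indicator’s confidence with its age, drops stale indicators, and runs the remaining ones against log lines the way a simple SIEM rule would. The half-lives, the threshold, the indicator values and the log lines are all constructed assumptions.

```python
"""IOC aging and rule-based matching: added example, not Payatu's code.
Confidence decays with indicator age, faster for IPs than for file hashes;
all indicator values, half-lives and log lines below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed half-life per indicator type (days): network indicators are
# cheap to rotate, a document hash used in a campaign is not.
HALF_LIFE_DAYS = {"ip": 14, "domain": 30, "url": 30, "sha256": 365}
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)  # constructed "current" time

@dataclass(frozen=True)
class Indicator:
    ioc_type: str
    value: str
    first_seen: datetime
    source: str  # e.g. "ISAC" (closed sharing) or "OSINT" (public)

def confidence(ioc: Indicator, now: datetime = NOW) -> float:
    """Exponential decay: 1.0 when fresh, 0.5 at the type's half-life."""
    age_days = max(0.0, (now - ioc.first_seen).total_seconds() / 86400)
    return 0.5 ** (age_days / HALF_LIFE_DAYS[ioc.ioc_type])

def actionable(feed, now: datetime = NOW, threshold: float = 0.25):
    """Keep only indicators still worth a blocking or alerting rule."""
    return [i for i in feed if confidence(i, now) >= threshold]

def match_logs(indicators, log_lines):
    """Naive SIEM-style rule: flag log lines containing an actionable value."""
    return [(i.ioc_type, i.value, line) for line in log_lines
            for i in indicators if i.value in line]

# Constructed feed: a four-month-old C2 IP, a four-month-old document hash
# shared in a closed circle, and a two-day-old phishing domain.
FEED = [
    Indicator("ip", "203.0.113.45", NOW - timedelta(days=120), "OSINT"),
    Indicator("sha256", "deadbeef" * 8, NOW - timedelta(days=120), "ISAC"),
    Indicator("domain", "login-examplebank.invalid", NOW - timedelta(days=2), "ISAC"),
]
# Constructed log lines from a firewall, an EDR agent and a web proxy.
LOGS = [
    "fw: ALLOW 10.0.0.7 -> 203.0.113.45:443",
    "edr: file created hash=" + "deadbeef" * 8 + " path=C:\\Users\\a\\invoice.docm",
    "proxy: GET https://login-examplebank.invalid/ user=jdoe",
]

if __name__ == "__main__":
    for hit in match_logs(actionable(FEED), LOGS):
        print(hit)  # stale IP is dropped; hash and domain are flagged
```

Running it shows the four-month-old IP falling below the threshold while the equally old document hash stays actionable, which is exactly the quality difference described above.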
2. Does your Proposed Partner Provide you With Brand Monitoring Abilities?
Brand Monitoring is personalized monitoring of your organization, which investigates malicious campaigns and activities being performed against it.
A few scenarios: fake domains that impersonate your public domains and target customers for financial gain; employees using their private credentials on a stealer-infected system, which may result in those credentials being published for sale on the dark web; a fake job campaign started on LinkedIn to lure potential employees and collect money in exchange for a job, which damages the reputation of the organization; a port that is often used by a trojan or other malware being opened publicly on one of your IP addresses, indicating suspicious activity inside the environment.
There are various other scenarios; whatever the scenario, such attacks affect the brand’s reputation, resulting in business impact, probable customer data loss, and compliance and regulatory penalties. So, it is very important that a Threat Intelligence and Brand Monitoring solution is implemented to reduce the external threat profile of the company.
3. You Must Know the Takedown Abilities of Your Threat Intelligence Vendor
Now that you understand what Brand Monitoring is and how important it is for an organization to monitor such activities, it is also important what action you take against the activities that affect your brand’s reputation. The takedown ability provided by your partner allows you to shut down malicious activities that affect your organization, provided you have enough evidence to share with the authority that can remove such sources from the Internet.
A simple example is a phishing domain targeting the organization’s customers that is an exact copy of your website’s front end. Here, your partner could reach out to the hosting provider where the website is hosted to lodge a complaint, after which the malicious phishing website can be taken down.
Another scenario: you, as an IT company, have developed an application (on any platform), and a security researcher has identified a vulnerability or bug (in the case of web applications) that he decides to share publicly without responsible disclosure (something Payatu Bandits never do; responsible disclosure is a must), and the exploit is published on GitHub. In such a case, the TI partner must be capable of contacting GitHub personnel and, with valid proof, getting the exploit code taken down while your organization patches the vulnerability.
Your external threat landscape is covered, but do you also know what is going on around you?
“It is only the enlightened ruler and the wise general who will use the highest Intelligence of the army for the purposes of spying, and thereby they achieve great results.” -Sun Tzu, Art of War
4. You Must Know About Research Intelligence
Research Intelligence is one of the important aspects of Threat Intelligence, as research provides relevant knowledge about your sector or industry. It is good to have a TI partner who also shares knowledge of the outside world; for instance, an organization that works in healthcare and healthcare solutions would be better secured if it knew which attack trends often target its sector or industry.
For example, knowing the top 5 malware families targeting the Healthcare industry lets better vigilance be kept on that set of malware; and if certain vulnerabilities that could not be patched because of heavy downtime are being targeted by a threat group focused on healthcare, adding monitoring rules in the SIEM for those vulnerabilities would be good practice. Research Intelligence in such cases can be helpful and assist in building a better defense posture.
Another aspect of Research Intelligence is on-demand research. Let’s say you have an IT solutions or support solutions company onboard as a partner, and it is hit by a ransomware attack, or a threat actor is selling its data over the dark web. Since your organization is a direct partner of the compromised company, it becomes imperative for you to know exactly what data has been breached and how the breach affects your organization.
In such a scenario, it is good to have a partner solution that has the capability to identify the threat actor, engage in direct contact with the threat actor, and collect samples of data that might be relevant to your organization.
“Quickness is the essence of the war.” -Sun Tzu, Art of War
So, now that we have covered all the other points, we can focus on the most important point of all: SLA and TAT.
5. Focus on SLA and TAT
An SLA (Service Level Agreement) is a signed document between the TI partner and your organization that provides the specific terms of the service to be delivered and a designated SPOC (Single Point of Contact), since you do not want to run around to everyone in the partner organization with an issue.
This agreement also defines the TAT (Turn Around Time) for alerts at different severity levels; in simple terms, how much time the partner will take to action a requested alert.
A scenario: your organization has been listed on a dark web forum by a threat actor claiming to have compromised your environment. In such a scenario, it is critical that an initial report reaches you, even at odd hours, so the expected TAT for the first response is within 30 minutes to 1 hour of such a post, followed by interactions, data samples, and other activities within 2-3 hours. This also depends upon the threat actor’s responsiveness.
If an actor responds a day later, the partner cannot share random intel with you in the meantime.
Another scenario concerns phishing domains: a newly created domain is expected to be reported within 4-6 hours of creation and taken down within 12-24 hours of confirmation from your organization. Again, the takedown depends upon various aspects, such as the responsiveness of the hosting provider.
Severity levels of alerts should be properly defined and regularly updated as per the change of state observed.
As per our research, the matrix below may contain some of the vendors you are looking at:
*Disclaimer: The above-mentioned data may or may not be accurate to date. Kindly confirm the data with respective companies for the latest updates.
Through all the pointers shared above, we hope you get a better understanding of the checklist, and that the TI partner an organization deals with must be dynamic and thoroughly involved in research in order to provide the best Threat Intelligence. Threat Intelligence acts as the first step of security by collecting relevant data from a vast pool of information, depending upon the specific structure of the organization’s security posture.
If you are new to Cyber Threat Intelligence, feel free to go through our blog, a Guide to CTI.
Payatu is a research-powered, CERT-In empanelled cybersecurity consulting company specializing in security assessments of IoT (Internet of Things) product ecosystems, Web applications & Networks, with a proven track record of securing applications and infrastructure for customers across 20+ countries.
Want to check the security posture of your organization? Browse through Payatu’s Service and get started with the most effective cybersecurity assessments.
Have any specific requirements in mind? Let us know about them here and someone from our team will get in touch with you.