Typical use cases for Threat Intel Management analysts, and how administrators set them up.
The following examples illustrate typical use cases for Threat Intel Management (TIM) analysts.
Proactive blocking of known threats
The security team needs to use threat intelligence to block or alert on known-bad domains, IPs, file hashes, and similar indicators. Indicators are collected from many sources and must be normalized, scored, and analyzed before they are pushed to enforcement devices such as firewalls for blocking or alerting. Those devices can only hold a limited number of indicators, so the set pushed to them has to be re-prioritized continuously as new intelligence arrives.
Solution
Indicator prioritization. Cortex XSIAM ingests indicators from multiple feeds through integrations and normalizes them into a single indicator store, so the same domain, IP, or hash reported by several sources becomes one record rather than several duplicates. Each indicator is scored and analyzed, and the score is re-evaluated as new sightings and sources arrive, so stale or weakly supported indicators fall out of the set. Only indicators that meet the criteria you define are pushed to security devices such as firewalls, which keeps their limited capacity for the indicators that matter most. Playbooks can also run on ingested indicators, with any combination of automated or manual actions, and their filters and conditions execute different branches depending on indicator values.
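As an added example that is not Cortex XSIAM code, the following Python script walks through the normalize, score, and prioritize steps described above on three constructed feeds: the same indicator reported by several feeds is merged into one record, each record is scored from an assumed per-feed reliability weight plus corroboration and age, indicators not seen for 60 days expire, and only the top N (the device's assumed capacity) are rendered as a plain-text blocklist. The feed names, reliability weights, scoring formula, thresholds, and sample indicators are all assumptions made for illustration.

```python
"""Added example (not Cortex XSIAM code): normalize, score and prioritize
indicators from several constructed feeds, then emit the top N for a device
with limited capacity. Feed names, reliabilities, the scoring formula and the
sample indicators are assumptions made for illustration."""
import ipaddress
from datetime import datetime, timezone

NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)  # fixed clock so results are repeatable

# Assumed reliability weight per feed (0..1); an admin would set these per source.
FEED_RELIABILITY = {"feed_vendor_a": 0.9, "feed_osint_b": 0.5, "feed_internal_c": 1.0}

# Constructed feed data: note defanged values and the same IoC across feeds.
RAW_FEEDS = {
    "feed_vendor_a": [
        {"value": "EVIL[.]example", "type": "domain", "seen": "2024-01-14"},
        {"value": "198.51.100.7", "type": "ip", "seen": "2024-01-10"},
        {"value": "d41d8cd98f00b204e9800998ecf8427e", "type": "md5", "seen": "2023-10-01"},
    ],
    "feed_osint_b": [
        {"value": "hxxp://evil.example/payload", "type": "url", "seen": "2024-01-13"},
        {"value": "evil.example", "type": "domain", "seen": "2024-01-12"},
        {"value": "203.0.113.0/24", "type": "cidr", "seen": "2024-01-01"},
    ],
    "feed_internal_c": [
        {"value": "198.51.100.7", "type": "ip", "seen": "2024-01-15"},
    ],
}


def refang(value):
    """Undo the common defanging conventions used in shared intel."""
    return value.replace("[.]", ".").replace("hxxp", "http")


def normalize(value, itype):
    """Return a canonical (type, value) so the same IoC from different feeds merges."""
    v = refang(value.strip())
    if itype == "domain":
        return ("domain", v.lower().rstrip("."))
    if itype == "ip":
        return ("ip", str(ipaddress.ip_address(v)))          # rejects malformed IPs
    if itype == "cidr":
        return ("cidr", str(ipaddress.ip_network(v, strict=False)))
    if itype == "url":
        return ("url", v.lower())
    if itype in ("md5", "sha1", "sha256"):
        return (itype, v.lower())
    raise ValueError(f"unsupported indicator type {itype}")


def merge_feeds(raw_feeds):
    """Collapse duplicates across feeds, keeping every source and the latest sighting."""
    merged = {}
    for feed, entries in raw_feeds.items():
        for e in entries:
            key = normalize(e["value"], e["type"])
            seen = datetime.strptime(e["seen"], "%Y-%m-%d").replace(tzinfo=timezone.utc)
            rec = merged.setdefault(key, {"sources": set(), "last_seen": seen})
            rec["sources"].add(feed)
            rec["last_seen"] = max(rec["last_seen"], seen)
    return merged


def score(rec, now=NOW, max_age_days=60):
    """0..100: best source reliability, boosted by corroboration, decayed by age.
    Indicators not seen within max_age_days expire (score 0)."""
    age = (now - rec["last_seen"]).days
    if age > max_age_days:
        return 0
    best = max(FEED_RELIABILITY[s] for s in rec["sources"])
    corroboration = min(len(rec["sources"]) - 1, 2) * 0.1   # up to +0.2 for 3+ sources
    freshness = 1 - age / max_age_days
    return round(100 * min(1.0, best + corroboration) * freshness)


def prioritize(raw_feeds, capacity, min_score=30, now=NOW):
    """Return up to `capacity` (type, value, score) tuples, highest score first."""
    ranked = []
    for (itype, value), rec in merge_feeds(raw_feeds).items():
        s = score(rec, now)
        if s >= min_score:
            ranked.append((itype, value, s))
    ranked.sort(key=lambda t: (-t[2], t[0], t[1]))
    return ranked[:capacity]


def to_blocklist(ranked, types=("ip", "cidr", "domain")):
    """Render the prioritized set as a plain-text list a firewall can consume."""
    return "\n".join(v for t, v, _ in ranked if t in types)


if __name__ == "__main__":
    top = prioritize(RAW_FEEDS, capacity=3)
    for itype, value, s in top:
        print(f"{s:3d} {itype:7s} {value}")
    print(to_blocklist(top))
```

With the constructed data, the expired MD5 drops out, the corroborated IP and domain score highest, and the capacity of three cuts the weakest remaining indicator (the CIDR) from the exported set; rerunning with a later clock re-scores everything, which is the continuous re-prioritization the use case calls for.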
Alert enrichment using Threat Intel data
Most tools that Security Operations Centers and Incident Response teams use to respond to alerts are very generic. They correlate little between the network data in an alert and what is known about the threat and the attacker's movements. The result is often a dump of information, including bad IP addresses or domains, and an analyst has to be assigned to work through it manually to separate true positives from false positives. There is also little understanding of malware families, hacking tools, and their attack patterns.
Solution
Accelerate alert response by enriching alerts with threat intelligence data. The alert enrichment workflow in Cortex XSIAM draws on the centralized threat intelligence library, including information on:
Data from Unit 42 Intel to learn about known malware campaigns or families
IPs and domains with WHOIS data
Passive DNS data
Web categorization data
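The following Python script is an added example, not Cortex XSIAM's enrichment workflow: it enriches an alert's observables from a constructed local library holding the four kinds of data listed above (malware family data standing in for Unit 42 Intel, WHOIS, passive DNS, and web categories), pivots through passive DNS to find domains co-hosted with an observable, and rolls the per-observable findings up to one alert verdict with reasons an analyst can read. All library records, the alert, the 30-day registration threshold, and the field names are constructed for illustration.

```python
"""Added example (not Cortex XSIAM code): enrich an alert's observables from a
local threat-intel library and roll the findings up to one verdict. The library
contents, alert, thresholds and field names are constructed for illustration."""
import ipaddress
from datetime import datetime

NOW = datetime(2024, 1, 15)   # fixed clock so the example is repeatable

# Constructed threat-intel library (stand-in for a centralized library).
MALWARE_INTEL = {   # sha256 -> family/campaign (constructed, not real Unit 42 data)
    "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08":
        {"family": "ExampleLoader", "campaign": "constructed-campaign-1"},
}
WHOIS = {           # domain -> registration data
    "evil.example": {"registrar": "Example Registrar", "created": "2024-01-02"},
    "shop.example": {"registrar": "Example Registrar", "created": "2012-05-20"},
    "newco.example": {"registrar": "Example Registrar", "created": "2024-01-10"},
}
PASSIVE_DNS = [     # (domain, ip, last_seen)
    ("evil.example", "198.51.100.7", "2024-01-14"),
    ("evil2.example", "198.51.100.7", "2024-01-10"),
    ("shop.example", "203.0.113.9", "2024-01-01"),
]
WEB_CATEGORY = {"evil.example": "malware", "evil2.example": "command-and-control",
                "shop.example": "shopping"}
BAD_CATEGORIES = {"malware", "command-and-control", "phishing"}
LEVEL = {"benign": 0, "suspicious": 1, "malicious": 2}
NEW_DOMAIN_DAYS = 30   # assumed threshold for "recently registered"


def resolved_ips(domain):
    return sorted({ip for d, ip, _ in PASSIVE_DNS if d == domain})


def cohosted_domains(ip):
    return sorted({d for d, i, _ in PASSIVE_DNS if i == ip})


def domain_age_days(domain, now=NOW):
    rec = WHOIS.get(domain)
    return None if rec is None else (now - datetime.strptime(rec["created"], "%Y-%m-%d")).days


def enrich(obs_type, value):
    """Attach library data to one observable; pivot through passive DNS for infrastructure."""
    if obs_type == "domain":
        d = value.lower().rstrip(".")
        ips = resolved_ips(d)
        related = sorted({r for ip in ips for r in cohosted_domains(ip)} - {d})
        return {"whois": WHOIS.get(d), "age_days": domain_age_days(d),
                "category": WEB_CATEGORY.get(d, "unknown"),
                "resolved_ips": ips, "related_domains": related}
    if obs_type == "ip":
        ip = str(ipaddress.ip_address(value))          # rejects malformed input early
        hosted = cohosted_domains(ip)
        return {"cohosted_domains": hosted,
                "cohosted_categories": sorted({WEB_CATEGORY.get(d, "unknown") for d in hosted})}
    if obs_type == "sha256":
        return {"malware": MALWARE_INTEL.get(value.lower())}
    raise ValueError(f"unsupported observable type {obs_type}")


def assess(obs_type, value, data):
    """Return (level, reason) for one enriched observable."""
    if obs_type == "sha256" and data["malware"]:
        return "malicious", f"{value}: known family {data['malware']['family']}"
    if obs_type == "domain":
        if data["category"] in BAD_CATEGORIES:
            return "malicious", f"{value}: categorized {data['category']}"
        if any(WEB_CATEGORY.get(r) in BAD_CATEGORIES for r in data["related_domains"]):
            return "suspicious", f"{value}: shares hosting with known-bad domains"
        if data["age_days"] is not None and data["age_days"] < NEW_DOMAIN_DAYS:
            return "suspicious", f"{value}: registered {data['age_days']} days ago"
    if obs_type == "ip":
        bad = sorted(BAD_CATEGORIES & set(data["cohosted_categories"]))
        if bad:
            return "suspicious", f"{value}: hosts domains categorized {bad}"
    return "benign", f"{value}: no adverse intel"


def enrich_alert(alert):
    """Enrich every observable and roll up to a single alert verdict with reasons."""
    findings, verdict = [], "benign"
    for obs_type, value in alert["observables"]:
        data = enrich(obs_type, value)
        level, reason = assess(obs_type, value, data)
        findings.append({"type": obs_type, "value": value, "level": level,
                         "reason": reason, "enrichment": data})
        if LEVEL[level] > LEVEL[verdict]:
            verdict = level
    return {"id": alert["id"], "verdict": verdict, "findings": findings}


ALERT = {"id": "alert-1", "observables": [   # constructed alert
    ("domain", "shop.example"),
    ("ip", "198.51.100.7"),
    ("sha256", "9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08"),
]}

if __name__ == "__main__":
    result = enrich_alert(ALERT)
    print(result["id"], result["verdict"])
    for f in result["findings"]:
        print(f" [{f['level']}] {f['reason']}")
```

The point of the passive DNS pivot is that an IP with no direct reputation still gets flagged when it hosts categorized-bad domains, and a domain with no category still gets flagged when it is newly registered or shares hosting with bad domains; the reasons travel with the verdict so an analyst does not have to redo the lookups by hand.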
External threat landscape modeling
Threat intelligence teams must understand the details of an attack and how their organization may be exposed to it. Understanding the risk to, and impact on, the organization starts when threat analysts profile the attacks.
Solution
Threat modeling to prevent or mitigate the effects of threats to the organization. The intel team builds profiles of threat actors, determines whether there are related attacks, and identifies the techniques and tools the threat actor used. This information is shared with stakeholders, including security operations and leadership.