Threat intelligence is becoming an increasingly prominent element of security operations. In fact, Gartner predicts a 15x increase in the number of large enterprises using commercial threat intelligence by 2020. Threat intelligence comes in many forms, with numerous vendors and several distinct use cases. In this article, we’ll look at some of the use cases for threat intelligence that are especially relevant to D3 and our security orchestration and incident response solutions.
D3 is not a threat intelligence vendor, but as a security orchestration provider, we play a key role in leveraging the value of threat intelligence. Specifically, D3 helps users aggregate threat intelligence and turn it into actions. This is an important function because the vast number of threat intelligence sources—each producing a high volume of complex data—makes it difficult for security teams to make sense of the information and use it to make decisions.
D3 integrates with threat intelligence platforms like ThreatQ, VirusTotal, and DomainTools to enrich incident reports with contextual data that helps inform incident response steps. When a SIEM alert is escalated to D3, potential threat indicators from the alert are automatically looked up in integrated threat intelligence platforms, giving analysts a full picture of the threat by the time they open the incident report.
Threat intelligence lookups can also be done as a proactive step. Analysts can use D3 to manually conduct on-demand queries about entities within the system. For example, an IP address from a historical incident could be checked against a threat intelligence database and blacklisted if it is known to be malicious.
D3 doesn’t just ingest SIEM alerts; incidents can also be generated by anyone within the organization. This makes D3 a useful tool for leveraging threat intelligence to assess possible instances of phishing. If an employee receives a suspicious email and reports it as an incident, the SOC can query integrated threat intelligence sources to check the domain reputation, identify the domain owner, find connections to internet service providers that are known to host malicious content, and more. If the email turns out to be a genuine phishing attack, the threat indicators will be retained in D3’s entities library for future use.
Whether via user submissions or automatic escalations from other tools, threat intelligence can be used to investigate all kinds of unwelcome activity in the online world. This might include unauthorized parties posing as your brand online, posting malicious links on your social media, or violating your copyrights. This type of activity can be made into an incident in D3 and investigated using threat intelligence in order to understand the context of the activity, such as identifying known malicious actors and domains involved, and geolocating the source of the activity.
Sharing threat intelligence is an important way that organizations are staying one step ahead of (or at least not too far behind) attackers. There are many different networks that bring new threats to light by facilitating the sharing of information. Some of the most prominent include the Financial Services Information Sharing and Analysis Center (FS-ISAC) and the American Bankers Association (ABA). In addition to industry-specific sharing networks, some threat intelligence providers actively promote the bidirectional flow of data so that users can contribute information to their database of threat indicators.
For example, D3’s two-way integration with ThreatQ not only pulls ThreatQ’s 100+ aggregated sources of threat intelligence into D3 incident reports, but also lets D3 users seamlessly share findings from their investigations with the ThreatQ network, directly from the D3 interface.
For more information about D3’s security orchestration, incident response, and case management solutions, check out our product guide. Or if you’re ready to get hands-on with our platform, schedule a one-on-one demo with one of our CISSP-accredited cybersecurity experts.