Steven Rogers advises companies on ways for security teams to optimize protection with relevant threat intelligence. By Steven Rogers, CEO, Centripetal Networks
Threat intelligence feeds – like firewalls and virus protection – have become core tools, a necessity, for most security teams. However, the constant stream of alarms and alerts leaves little time for anything else. On one hand, hiring a full team of security professionals to sort through all of the alerts may not be financially possible for many companies. On the other hand, there is a real concern that a threat could be missed that would severely cripple the company. Additionally, a false positive may lead to an unnecessary system shutdown, resulting in a major loss of productivity and profit.
For those charged with sorting through the alarms, there are several steps that can immediately reduce the number of alerts and make it possible to prioritize the data based on relevant threat intelligence.
Five of these steps are:
1. Country blocking. The OFAC (Office of Foreign Assets Control) list is the first place I recommend looking. You can add to it from ITAR (the International Traffic in Arms Regulations) and add any other countries unfriendly to your country's law enforcement. If your company has no locations, employees or customers in specific regions of the world, you can block those regions from the network with little to no business risk. Reducing the geographic area will immediately reduce the scope of alerts your security team needs to comb through. However, it is important to keep employees informed about which countries are blocked, and specific changes to the blocked-country list will need to be decided if someone is going to work from, or communicate with, one of those locations.
2. Block specific malicious domain-based IOCs (indicators of compromise). Domains are reused and resurface periodically, so keep the block list updated and active. Keep a close eye out for domains that look similar to your company domain: a simple spelling difference, for example transposing a character or two, can take your network down an unseemly path.
3. Block high-fidelity URL-based IOCs (indicators of compromise). A malicious URL string (e.g., http://www.example.com/path/badfile.exe) is high-fidelity: it points to a specific resource that is known to be malicious. When users access these URLs, either through spearphishing or browsing compromised sites, security tools produce intelligence matches that could be avoided by blocking access in the first place. Blocking these indicator types provides an immediate increase in security.
4. End-user education is a key line of defense. Employee education and training need to be ongoing: hackers are always looking for new ways to attack but will also rely on tried and true attack methods. Employees need to be kept up to date on how to spot a malicious email, be able to judge when not to open an attachment, and understand that erring on the side of caution is good. Scammers are becoming more sophisticated in their attacks, creating elaborate and frighteningly on-point digital profiles for targeted attacks, many of which are successful. Employees need to be equipped with the proper education to combat these new attacks and to report suspicious activity.
5. “You can’t be too careful.” Employees need to know the importance of every threat and trust the members of the security team. If someone thinks they might have downloaded a malicious document, they should immediately reach out to the security team. Even if they are incorrect and the email is not suspicious, employees need to be in the habit of quickly alerting the security team. Employees should know there’s no embarrassment in a false positive, whereas the effects of a breach can hurt them along with the company.
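As an added illustration of steps 1 to 3 (this is example code written for this page, not the author's or Centripetal's), the Python below pre-filters a constructed batch of alerts the way those steps describe: drop anything from a blocked country, drop exact matches against high-fidelity URL IOCs, drop matches (including subdomains) against domain IOCs, and flag lookalikes of the company's own domain that differ by a single edit or a transposed character pair. It assumes each alert already carries a resolved source-country code and the destination domain or URL; the block lists, the company domain `examplecorp.com`, the placeholder country codes `XA`/`XB` and every alert record are constructed sample values.

```python
"""Added example (not from the article): pre-filtering alerts with the
country, domain-IOC and URL-IOC blocks the article recommends.
All block lists, the company domain and the alerts are constructed."""
from dataclasses import dataclass
from urllib.parse import urlsplit


@dataclass
class Policy:
    blocked_countries: set   # country codes the business never deals with (constructed)
    blocked_domains: set     # domain IOCs; subdomains of a listed domain match too
    blocked_urls: set        # high-fidelity URL IOCs; exact match after normalisation
    company_domain: str      # your own domain, used for lookalike detection


def osa_distance(a: str, b: str) -> int:
    """Optimal string alignment distance: insert, delete, substitute or
    transpose two adjacent characters, each at cost 1."""
    d = [[0] * (len(b) + 1) for _ in range(len(a) + 1)]
    for i in range(len(a) + 1):
        d[i][0] = i
    for j in range(len(b) + 1):
        d[0][j] = j
    for i in range(1, len(a) + 1):
        for j in range(1, len(b) + 1):
            cost = 0 if a[i - 1] == b[j - 1] else 1
            d[i][j] = min(d[i - 1][j] + 1, d[i][j - 1] + 1, d[i - 1][j - 1] + cost)
            if i > 1 and j > 1 and a[i - 1] == b[j - 2] and a[i - 2] == b[j - 1]:
                d[i][j] = min(d[i][j], d[i - 2][j - 2] + 1)  # adjacent transposition
    return d[len(a)][len(b)]


def registrable_label(domain: str) -> str:
    """Second-level label, e.g. 'examplecorp' from 'mail.examplecorp.com'.
    Simplification (assumption): no multi-label public suffixes such as co.uk."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) >= 2 else parts[0]


def is_lookalike(domain: str, company_domain: str) -> bool:
    """True when the main label is within one edit (including a swapped
    character pair) of the company's own label, and the host is not ours."""
    d, c = domain.lower().rstrip("."), company_domain.lower()
    if d == c or d.endswith("." + c):
        return False
    return osa_distance(registrable_label(d), registrable_label(c)) <= 1


def domain_blocked(domain: str, blocked: set) -> bool:
    d = domain.lower().rstrip(".")
    return any(d == b or d.endswith("." + b) for b in blocked)


def normalize_url(url: str) -> str:
    """Lower-case scheme and host only; the path is case-sensitive on most servers."""
    p = urlsplit(url)
    return f"{p.scheme.lower()}://{p.netloc.lower()}{p.path}"


def classify(alert: dict, policy: Policy) -> str:
    """Return the first matching block reason, or 'review' if the alert survives."""
    if alert.get("country") in policy.blocked_countries:
        return "country"
    url = alert.get("url")
    if url and normalize_url(url) in {normalize_url(u) for u in policy.blocked_urls}:
        return "url_ioc"
    domain = alert.get("domain")
    if domain:
        if domain_blocked(domain, policy.blocked_domains):
            return "domain_ioc"
        if is_lookalike(domain, policy.company_domain):
            return "lookalike"
    return "review"


def triage(alerts, policy: Policy):
    """Count alerts per block reason and return the ones an analyst still needs to see."""
    counts, remaining = {}, []
    for a in alerts:
        reason = classify(a, policy)
        counts[reason] = counts.get(reason, 0) + 1
        if reason == "review":
            remaining.append(a)
    return counts, remaining


# Constructed policy and alert batch for the demonstration.
POLICY = Policy(
    blocked_countries={"XA", "XB"},              # placeholder codes, not real countries
    blocked_domains={"badcdn.example", "phish.test"},
    blocked_urls={"http://www.example.com/path/badfile.exe"},
    company_domain="examplecorp.com",
)
ALERTS = [
    {"id": 1, "country": "XA", "domain": "update.badcdn.example", "url": None},
    {"id": 2, "country": "US", "domain": "www.example.com",
     "url": "HTTP://WWW.EXAMPLE.COM/path/badfile.exe"},
    {"id": 3, "country": "DE", "domain": "cdn.badcdn.example", "url": None},
    {"id": 4, "country": "US", "domain": "exmaplecorp.com", "url": None},      # transposed letters
    {"id": 5, "country": "US", "domain": "mail.examplecorp.com", "url": None},  # our own host
    {"id": 6, "country": "FR", "domain": "partner.example", "url": "https://partner.example/report"},
]

if __name__ == "__main__":
    counts, left = triage(ALERTS, POLICY)
    print(counts, [a["id"] for a in left])
```

Country is checked first because it is the cheapest test and, per step 1, the one with the least business risk when the list is right; the lookalike check only ever flags for review rather than blocks, since a one-edit neighbour of your own name can also be a legitimate partner or a typo-squat you want to investigate rather than silently drop.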
Hackers are always finding new ways to infiltrate networks, and the more time dedicated to new and notable threats, the better off your organization will be. With just these five steps, your organization will be able to optimize analysts’ time immediately. Freed from examining a surplus of avoidable alerts, analysts will be able to focus their efforts on the threats at hand.