Typical outputs of Threat Intelligence are: identification and correlation of cyber threats, production of reports at the executive level, and publication and enrichment of indicators of compromise (IoCs) from CLOSINT and OSINT sources. From an operational point of view, the security teams constantly use IoCs to detect threats in the enterprise IT perimeter. Some examples of IoCs are: malicious domains and URLs, IP addresses related to command-and-control (C2) systems, malware fingerprints (MD5, SHA-1, SHA-256), email addresses, certificates and more. From the first day of work, after studying the processes and activities and collecting information from the various cyber security operational groups, I identified a big point of improvement: integrating Threat Intelligence into all cybersecurity technologies and operational decision-making processes using automation and custom integrations with the pre-existing business environment. In this scenario, we identified the gaps to be filled and set the requirements to be met in order to obtain actionable and dynamic Threat Intelligence. Specifically, the identified requirements are: sharing information about cyber threats between internal and external analysis teams using the TLP standard; enabling one-way (receive only) and two-way (receive and send) info-sharing in the cyber threat environment with the Italian Government, group companies and third-party companies; using a decay score for IoCs based on a model developed in synergy with the SIEM; making IoCs received from external sources easily accessible; distributing the IoCs on the IT perimeter for detection and prevention activities; allowing enrichment and storage of information on cyber threats even in unstructured forms (free text, PDF, reports). As a first step we started from the choice of the platform, analyzing the strengths and weaknesses of Open-Source and non-Open-Source solutions compatible with internal requirements.
The choice fell on the Threat Intelligence Platform (TIP) MISP, a European project funded by CIRCL, which allows customized integrations in a flexible way. Assuming that the simple use of the TIP does not create added value by itself, we started organizing all the possible custom improvements, starting from the basic capabilities of the platform, to integrate it with our context and to make it the central tool for the complete management of IoCs. Subsequently, technical and organizational processes were set up, capable of directing the management of IoCs through additional functions implemented in the platform: automated bulk upload of reports from Government institutions and internal anti-malware teams; qualitative selection of IoC feeds; definition of whitelists able to detect and manage possible false positives; management of the temporal decay of IoCs; enrichment of indicators from CLOSINT and OSINT sources (GeoIP, reverse DNS, UrlScan, Shodan, VirusTotal, Hybrid Analysis).
The technological integrations implemented via API or other methods, starting from MISP, involved: platforms for the management of security logs (SIEM), web application security solutions (WAF), prevention systems (firewall, proxy), sandboxes for malware analysis, and antivirus systems. With the solutions listed above, one of the most complex aspects was automating the IoC decay process to overcome the technological limitations present on these platforms. This process is enriched by the "sighting" functionality, which allows the SIEMs to report to the TIP the sighting of an indicator of compromise in all monitored perimeters and business environments. To better understand this, let me share two examples.

Example 1
IP type IoC: x.y.z.q
Life time: 180 days
The IoC is propagated on day 0 on all systems. On day 181 the process based on the decay score takes care of eliminating the IoC from the protection systems, leaving it in detection.
Total time of IoC stay on systems: 180 days

Example 2
IP type IoC: a.b.c.d
Life time: 180 days
The IoC is propagated on day 0 on all systems. On day 100 the IoC is spotted by the SIEM detection systems. The process resets the life time of the IoC to 180 days.
Total time of IoC stay on systems: 280 days

Cost of realization: obviously nothing. The ingredients of this success have been teamwork, an Open Source platform, tons of Python and Bash code and API calls.
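The decay-and-sighting logic from the two examples above, written out as an added illustration that is not part of the original post and not the author's own code. It models only the rule the post describes (an IoC stays in prevention for its life time counted from propagation, a sighting reported by the SIEM restarts that life time, and after expiry the IoC stays in detection only); the class names, the daily `decay_run` job and the sample indicators are assumptions, and the MISP sightings API itself is not called.

```python
from dataclasses import dataclass, field
from typing import List

# Assumed state labels: while the IoC is still within its life time it is
# pushed to both blocking (prevention) and monitoring (detection) systems;
# after decay it is kept for detection only, as the post describes.
PREVENTION_AND_DETECTION = "prevention+detection"
DETECTION_ONLY = "detection-only"


@dataclass
class Indicator:
    """One IoC distributed to the perimeter (hypothetical model, not a MISP object)."""
    value: str
    ioc_type: str
    lifetime_days: int
    propagated_day: int = 0
    sightings: List[int] = field(default_factory=list)  # days on which the SIEM saw it

    def record_sighting(self, day: int) -> None:
        """Sighting reported by the SIEM. A sighting cannot predate propagation."""
        if day < self.propagated_day:
            raise ValueError(f"sighting on day {day} precedes propagation on day {self.propagated_day}")
        self.sightings.append(day)

    def expiry_day(self) -> int:
        """Last day the IoC remains in prevention: life time counted from the latest sighting,
        or from propagation if it was never sighted (the reset rule of the post)."""
        last_seen = max(self.sightings, default=self.propagated_day)
        return last_seen + self.lifetime_days

    def total_stay_days(self) -> int:
        """Total days the IoC stays on prevention systems."""
        return self.expiry_day() - self.propagated_day

    def state_on(self, day: int) -> str:
        return PREVENTION_AND_DETECTION if day <= self.expiry_day() else DETECTION_ONLY


def decay_run(indicators: List[Indicator], today: int) -> List[str]:
    """Daily decay job: values that must be removed from prevention systems today.
    Assumed to run once per day after the SIEM has pushed its sightings."""
    return [ioc.value for ioc in indicators if today > ioc.expiry_day()]


def build_examples() -> List[Indicator]:
    # Constructed sample data mirroring the two examples in the post.
    never_sighted = Indicator("x.y.z.q", "ip-dst", lifetime_days=180)
    sighted = Indicator("a.b.c.d", "ip-dst", lifetime_days=180)
    sighted.record_sighting(100)  # SIEM spots the IoC on day 100, life time restarts
    return [never_sighted, sighted]


if __name__ == "__main__":
    iocs = build_examples()
    for ioc in iocs:
        print(f"{ioc.value}: expires day {ioc.expiry_day()}, "
              f"total stay {ioc.total_stay_days()} days, "
              f"state on day 181: {ioc.state_on(181)}")
    print("to remove from prevention on day 181:", decay_run(iocs, 181))
```

Running the block reproduces the post's figures: x.y.z.q leaves prevention on day 181 after 180 days, while a.b.c.d, sighted on day 100, stays until day 280. Because the reset is keyed on the latest sighting, an indicator that is sighted again while still in the detection-only state would re-enter prevention on the next run; whether that is desirable is a policy choice the model leaves to the operator.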