The document discusses the importance of threat intelligence in enhancing security responses, emphasizing that it encompasses both internal and external data sources. It illustrates how organizations, particularly in the defense sector, leverage threat intelligence for real-time alerts and decision-making, while also highlighting the need for automated processes in analyzing network behavior. Ultimately, effective threat intelligence aids in the prompt identification and resolution of cyber threats.

1. Using Threat Intelligence to
Improve Security Response
Piers Wilson | Head of Product Management | Huntsman Security
+44 (0) 7800 508517 | piers.wilson@huntsmansecurity.com
www.huntsmansecurity.com | @tier3huntsman

2. Setting the Scene
• Threat Intelligence is more than just data
• Examples and applications
• Summary / Benefits

3. A Threat Intelligence “eco-system” ...
Applied Security
Intelligence
“Traditional” Log
Sources
Vulnerability
information
Geographic
information
Cyber-
security/malware/
attack context
External threat
sources
Internal context
databases
Locations, staff
roles, HR systems,
physical controls
IP reputation,
known bad URLs,
phishing sources,
C&C sites,
botnets, CERTs
Scan information, asset
sensitivities, vulnerable
platforms
Countries, sites
that pose risk,
political factors
Networks, systems,
applications, devices
Malware details, network captures

4. Real Threat
Intelligence
Examples

5. Threat Intelligence derived alerts showing the nature of various
connections
Traditional public sources / external “TI”
• Externally available threat data source
lists
– Botnets, C&C systems, known malware sites,
compromised URLs, DLP risks
• Regular updates / scheduled retrieval
• Different sources/feeds used for
different purposes
• Detection of :
– Communication with suspicious/risky
hosts/domains
– Data exfiltration risks
– Etc...

6. Traditional public sources / external “TI”
• Emerging Threats – Raw IP list
– C&C servers (Shadowserver)
– Spam nets (Spamhaus)
– Top Attackers (Dshield)
– Compromised IP addresses
• Abuse.ch
– SSLBL IP Blacklist
– ZeuS Tracker
– Palevo Tracker
– SpyEye Tracker
• Malc0de – IP blacklist
• URLBlacklist.com
• Malware domains
• Threat Expert
• Norse
Plus various commercial sources

7. Geo-location is useful – both external (risky locations) and internal
(sensitive sites)
Geo-location Visualisation
• Display or reference to GeoIP
information
• Risk locations/attack sources used in
security decisions
• Additionally WHOIS and DNS
information useful
Getting to this information quickly in the
decision making process is key

8. Defence sector – Real example
• Defence customers are
major user of Threat
Intelligence
• Intelligence agencies
provide threat information
to Defence network
administrators
• Reference data used to raise real-time alerts of suspicious network traffic
• Information from alerts subsequently adds to their internal threat intelligence
reference data
– i.e. Observed incidents create “new” TI that automatically adds to the reference data set

9. Internal Security Intelligence
• Creation of bespoke/local Threat Intelligence
– Manual or Automated
• Particular value in MSSPs
– Leverage threat observations across customers
• Better decision making in context of “real”, observed threats

10. Government sector use case
• Suspicious network/IP addresses received from intelligence
agency
• Post-analyse logs for traffic to/from those addresses
1. Suspicious hosts data set (high risk destinations)
2. Predefined reports use data for analysis
Threat intelligence MATCHED WITH Observed activity and traffic
• Minimal operational workload
• Data automatically updated in the background
• Scheduled, automated, pre-defined processes

11. Detection and Resolution
Apply Security Intelligence during
resolution
• When an attack occurs, specific information
relating to the threat is vital
• More than just log/event/activity data
– System configurations/registry
– Changes to affected systems files
– Network traffic/connections
– Other behaviour
• Malware - Specific example
– Network sessions/connection patterns
– Known effects of specific malware activity within file
system and registry

12. Summary

13. Applying Security Intelligence
• Meaningful threat intelligence involves all available security data –
internal and external – to give context
• Automatic identification of known attacks and threats needs to happen in
real-time
• Intelligence is vital for both detection AND during the diagnosis and
investigation of cyber attacks
• Dealing with false positives efficiently means having processes and tools
that rapidly provide understanding of threats and confident resolution
Speed and Accuracy are key to Cyber Resilience

14. Any Questions ?
piers.wilson@huntsmansecurity.com
+44 (0) 7800 508517
www.huntsmansecurity.com
@tier3huntsman