Leveraging Threat Intelligence using Bro IDS, CriticalStack and Cyphon
Threat intelligence has been a buzzword for years, and organizations have invested significant time in operationalizing it. Some source it through information-sharing centers such as the Financial Services ISAC. Others consume open-source IOCs and retroactively mine their event-management tools for matches.
Collective intelligence is garnered through groups and individuals with substantive expertise and access to all-source information. Once properly vetted, indicators are distributed as "feeds" that allow analysts to quickly identify and respond to threats which might otherwise go undetected. However, making use of this intelligence requires an organization to adopt processes and technologies that make sense of this information and that keep abreast of updates.
You can get started using threat intelligence with Cyphon. Dunbar's SOC team has integrated threat intelligence by compiling various providers' public "feeds" through a managed Critical Stack Intel sensor and using them in conjunction with the Bro Intelligence Framework. We leverage these feeds across IDS sensors that are continuously updated with the latest threat data.
Once deployed, the Bro Intelligence Framework generates alerts when known indicators are observed on the network and funnels these alerts to Cyphon. This streams all intelligence hits into a centrally managed platform where analysts can triage, respond to, and remediate any potential compromise or unwarranted network traffic. Analysts can use Cyphon to correlate these events with other security events, query other traffic sources, and launch incident response processes.
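The hand-off between the pieces above is a file-format problem: Critical Stack writes indicators in Bro's tab-separated intel feed format, and the Bro Intelligence Framework records each match as a row in intel.log, also tab-separated with a `#fields` header. The following added example (not Cyphon's, Dunbar's, or Critical Stack's code) parses both files, joins each intel.log hit back to the feed entry that produced it, and emits a flat JSON record of the kind a collector could forward to a central platform. The feed and log samples are constructed test data; the JSON field names are an assumption, not Cyphon's ingest schema.

```python
"""Join Bro intel.log hits with their feed metadata and emit forwardable JSON alerts."""
import json
from typing import Dict, List, Tuple

# Constructed sample of an intel feed in Bro's format (the layout Critical Stack
# Intel writes). Indicators are documentation addresses/names, not real IOCs.
SAMPLE_FEED = """#fields\tindicator\tindicator_type\tmeta.source\tmeta.desc\tmeta.url
203.0.113.7\tIntel::ADDR\texample.feed\tconstructed scanner address\t-
evil.example\tIntel::DOMAIN\texample.feed\tconstructed phishing domain\t-
"""

# Constructed sample of intel.log as written by the Bro Intelligence Framework.
SAMPLE_INTEL_LOG = """#separator \\x09
#set_separator\t,
#empty_field\t(empty)
#unset_field\t-
#path\tintel
#open\t2017-03-01-12-00-00
#fields\tts\tuid\tid.orig_h\tid.orig_p\tid.resp_h\tid.resp_p\tseen.indicator\tseen.indicator_type\tseen.where\tseen.node\tmatched\tsources
#types\ttime\tstring\taddr\tport\taddr\tport\tstring\tenum\tenum\tstring\tset[enum]\tset[string]
1488369600.123456\tCHhAvVGS1DHFjwGM9\t10.0.0.5\t51234\t203.0.113.7\t80\t203.0.113.7\tIntel::ADDR\tConn::IN_RESP\tbro\tIntel::ADDR\texample.feed
1488369601.500000\tCq8kS12Xy4NpQa3b7\t10.0.0.9\t53211\t10.0.0.53\t53\tevil.example\tIntel::DOMAIN\tDNS::IN_REQUEST\tbro\tIntel::DOMAIN\texample.feed
#close\t2017-03-01-13-00-00
"""


def parse_bro_log(text: str) -> List[Dict[str, object]]:
    """Parse a Bro TSV log (or intel feed) into row dicts keyed by the #fields header.

    Honors #separator, #set_separator and #unset_field when present; falls back
    to Bro's defaults otherwise. Unset fields become None, set[...]/vector[...]
    columns become lists, everything else stays a string.
    """
    sep, set_sep, unset = "\t", ",", "-"
    fields: List[str] = []
    types: List[str] = []
    rows: List[Dict[str, object]] = []
    for line in text.splitlines():
        if not line:
            continue
        if line.startswith("#"):
            # Only the #separator directive is delimited by a space; it carries
            # the separator as an escape sequence such as \x09.
            key, _, value = line[1:].partition(" ")
            if key == "separator":
                sep = value.encode("ascii").decode("unicode_escape")
                continue
            key, _, value = line[1:].partition(sep)
            if key == "set_separator":
                set_sep = value
            elif key == "unset_field":
                unset = value
            elif key == "fields":
                fields = value.split(sep)
            elif key == "types":
                types = value.split(sep)
            continue  # #path, #open, #close, #empty_field carry no row data
        values = line.split(sep)
        if len(values) != len(fields):
            raise ValueError(f"column count {len(values)} != header {len(fields)}: {line!r}")
        row: Dict[str, object] = {}
        for name, typ, raw in zip(fields, types or [""] * len(fields), values):
            if raw == unset:
                row[name] = None
            elif typ.startswith("set[") or typ.startswith("vector["):
                row[name] = raw.split(set_sep)
            else:
                row[name] = raw
        rows.append(row)
    return rows


def load_feed(text: str) -> Dict[Tuple[str, str], Dict[str, object]]:
    """Index feed entries by (indicator, indicator_type), the pair Bro matches on."""
    return {(str(r["indicator"]), str(r["indicator_type"])): r for r in parse_bro_log(text)}


def build_alerts(intel_log: str, feed: Dict[Tuple[str, str], Dict[str, object]]) -> List[Dict[str, object]]:
    """Turn each intel.log hit into a flat alert enriched with the feed's description."""
    alerts = []
    for hit in parse_bro_log(intel_log):
        meta = feed.get((str(hit["seen.indicator"]), str(hit["seen.indicator_type"])), {})
        alerts.append({
            "ts": float(str(hit["ts"])),
            "uid": hit["uid"],
            "src": f'{hit["id.orig_h"]}:{hit["id.orig_p"]}',
            "dst": f'{hit["id.resp_h"]}:{hit["id.resp_p"]}',
            "indicator": hit["seen.indicator"],
            "indicator_type": hit["seen.indicator_type"],
            "seen_where": hit["seen.where"],
            "sources": hit["sources"],
            "description": meta.get("meta.desc"),   # None if the feed no longer lists it
            "feed_known": bool(meta),
        })
    return alerts


if __name__ == "__main__":
    for alert in build_alerts(SAMPLE_INTEL_LOG, load_feed(SAMPLE_FEED)):
        print(json.dumps(alert))  # one JSON object per line, ready for a collector
```

The `feed_known` flag is worth keeping: Critical Stack rotates indicators as providers retire them, so a hit whose indicator is no longer in the current feed file should be triaged against the feed snapshot that was live when Bro matched it, not silently dropped.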
Threat intelligence on its own adds security value to any organization. Coupled with Cyphon, it enables real-time insight into cyber threats and permits a more efficient and targeted response to malicious activity.