Cisco: Operationalizing Threat Intelligence to Strengthen Defenses
Many pieces of forensic evidence come into play when investigating a crime scene – analysis of fingerprints, DNA, shoe prints, videos/photos, ballistics, etc. By analyzing the data, a picture of the crime emerges, which in the case of a serial killer often includes his or her MO or method of operation.
In the cyber world, analysts do the same thing. They analyze indicators of compromise (IoCs), often called observables: IPs, domains, URLs, hashes and similar pieces of information that describe an incident that has already happened. Many cyber criminals reuse tactics and techniques that produce the same observables, and therefore create a pattern that can be used to detect and prevent future attacks by the same actors.
Many analysts extract the observables from the investigation to create blacklists or pattern-based signatures containing hundreds of observables of the same type. However, these "simple" lists are prone to false positives and can generate volumes of generic threat alerts. These must be manually reviewed and can overwhelm security teams, putting effective security at risk.
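To make that contrast concrete, here is an added example (not code from the Cisco article) that runs a flat, single-type domain blacklist and a multi-observable actor pattern over a few constructed proxy/EDR events; the domain, hash and URL values are constructed placeholders, not real indicators.

```python
import re
from collections import defaultdict

# Constructed actor "MO": observables of several types that were seen
# together in prior incidents attributed to the same actor.
ACTOR_PATTERN = {
    "domain": {"update-cdn.example.net"},          # placeholder C2 domain
    "sha256": {"a" * 64},                          # placeholder payload hash
    "url": re.compile(r"/gate\.php\?id=\d+$"),     # placeholder beacon URL shape
}

# The flat, single-type list the text warns about; a legitimate CDN domain
# has been swept in alongside the real C2 domain.
DOMAIN_BLACKLIST = {"update-cdn.example.net", "cdn.example.com"}

# Constructed proxy/EDR events (host, contacted domain, URL path, file hash).
SAMPLE_EVENTS = [
    {"host": "ws-01", "domain": "cdn.example.com", "url": "/lib.js", "sha256": "b" * 64},
    {"host": "ws-02", "domain": "update-cdn.example.net", "url": "/gate.php?id=42", "sha256": ""},
    {"host": "ws-02", "domain": "update-cdn.example.net", "url": "/img.png", "sha256": "a" * 64},
    {"host": "ws-03", "domain": "update-cdn.example.net", "url": "/index.html", "sha256": ""},
]


def blacklist_alerts(events):
    """Simple list: one alert per event whose domain is on the list."""
    return [(e["host"], e["domain"]) for e in events if e["domain"] in DOMAIN_BLACKLIST]


def matched_types(event, pattern=ACTOR_PATTERN):
    """Which distinct observable types of the actor pattern this event matches."""
    types = set()
    if event["domain"] in pattern["domain"]:
        types.add("domain")
    if event["sha256"] and event["sha256"] in pattern["sha256"]:
        types.add("sha256")
    if pattern["url"].search(event["url"]):
        types.add("url")
    return types


def pattern_alerts(events, min_types=2, pattern=ACTOR_PATTERN):
    """Correlate per host across events; alert only when at least
    min_types independent observable types of the same MO co-occur."""
    per_host = defaultdict(set)
    for e in events:
        per_host[e["host"]] |= matched_types(e, pattern)
    return {h: sorted(t) for h, t in per_host.items() if len(t) >= min_types}


if __name__ == "__main__":
    print("blacklist:", blacklist_alerts(SAMPLE_EVENTS))   # 4 alerts, 2 of them noise
    print("pattern:  ", pattern_alerts(SAMPLE_EVENTS))     # only ws-02
```

The flat list fires four times, including on the mislisted CDN domain and on a host that touched the domain once; the pattern only surfaces the host where domain, hash and URL shape line up.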
Read the entire article here, Operationalizing Threat Intelligence to Strengthen Defenses
via the fine folks at Cisco Systems.