Content provided by Nisos, Inc. All podcast content, including episodes, images and podcast descriptions, is uploaded and provided directly by Nisos, Inc. or their podcast platform partner. If you believe someone is using your copyrighted work without your permission, you can follow the process described at https://nl.player.fm/legal.
Moving a Security Team Beyond IOCs and Positioning for Stronger Outcomes with Senior Manager of Deloitte Eric Lekus

Duration: 22:41

In episode 77 of The Cyber5, we are joined by our guest, Eric Lekus, Senior Manager for Threat Intelligence at Deloitte. Eric works on Deloitte’s internal security team rather than as a client-facing consultant.

We talk about how to evolve cyber threat intelligence in a SOC environment, beyond basic indicators of compromise (IOC) integration. We discuss the different stakeholders a CTI team has beyond a SOC, but also focus on what a CTI team needs to push and pull from a SOC to be relevant for a broader audience. We also outline success metrics for a CTI team.

Four Takeaways:

1. Indicators of Compromise are a Baseline Activity, Not Holistic Threat Intelligence

Indicators of compromise are atomic artefacts such as known malicious IPs, domains, URLs, and file hashes. Stakeholders expect security teams to be matching these as a baseline. However, an adversary can rotate IPs and domains in a matter of seconds, so a feed that is simply loaded into a SIEM and matched against network traffic and logs, without being enriched with context or aged out as indicators go stale, provides little beyond that baseline and is not holistic threat intelligence.

2. A Security Operations Team Already Has A Rich Source of Baseline Activity; Enrich with Threat Intelligence

Security teams should already be integrating many sources of logging, such as sender IPs from email headers, and using threat intelligence to alert on malicious activity within them. The next step is two-way communication: the threat intelligence team pulls information back from the SOC (which indicators fired, against which hosts, in what context) to enrich its own reporting and to give the SOC feedback. A SOC team is generally writing tickets for alerts, and a threat intelligence team cannot simply ask it for bulk data; automation that feeds SOC data into the threat intelligence platform is therefore critical. A SOC analyst will ask, “what’s in it for me?”, and a threat intelligence professional should be able to answer that.
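The two points above, the IOC baseline of takeaway 1 and the two-way SOC/CTI loop of takeaway 2, are easier to see in code. The following Python script is an added example, not code from the episode, from Deloitte, or from Nisos: it matches constructed SOC log lines from several sources against a small IOC feed, decays the confidence of short-lived network indicators by age so that a six-week-old IP no longer opens an alert, enriches each hit with the actor context the CTI team holds, and produces the sightings report the SOC would push back to CTI. The indicator values (RFC 5737 addresses, .example domains, one file hash), log lines, half-lives, and alert threshold are all assumptions chosen for illustration.

```python
"""Baseline IOC matching over SOC logs with CTI enrichment, age-based
confidence decay for network indicators, and a sightings report fed back
to CTI. Added example with constructed data; not the episode's own code."""
import re
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

NOW = datetime(2022, 7, 1, 12, 0, tzinfo=timezone.utc)  # assumed "now"

# Half-life in days for decaying an indicator's confidence as it ages.
# IPs and domains are cheap for an actor to rotate, so they go stale fast;
# a file hash identifies one artefact and does not decay. The numbers are
# assumptions for this example, not a standard.
HALF_LIFE_DAYS = {"ip": 7.0, "domain": 14.0, "sha256": None}
ALERT_THRESHOLD = 40.0  # decayed score at or above this opens a SOC alert

IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SHA256_RE = re.compile(r"\b[0-9a-f]{64}\b")
DOMAIN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b")


@dataclass
class Indicator:
    value: str
    kind: str            # "ip", "domain" or "sha256"
    actor: str           # CTI context that turns a bare match into a story
    confidence: float    # 0..100 as asserted by the CTI team
    last_seen: datetime  # last time CTI observed the indicator in use
    sightings: list = field(default_factory=list)  # filled in by the SOC

    def current_score(self, now: datetime) -> float:
        """Confidence after exponential decay by age; hashes do not decay."""
        half_life = HALF_LIFE_DAYS[self.kind]
        if half_life is None:
            return self.confidence
        age_days = (now - self.last_seen).total_seconds() / 86400
        return self.confidence * 0.5 ** (age_days / half_life)


def build_iocs(now: datetime) -> list:
    """Constructed IOC feed as a CTI team might push it to the SOC."""
    return [
        Indicator("203.0.113.7", "ip", "ActorA", 80, now - timedelta(days=1)),
        Indicator("198.51.100.22", "ip", "ActorB", 90, now - timedelta(days=42)),
        Indicator("bad.example", "domain", "ActorA", 70, now - timedelta(days=3)),
        Indicator("c2.other.example", "domain", "ActorB", 60, now - timedelta(days=5)),
        Indicator("9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08",
                  "sha256", "ActorB", 95, now - timedelta(days=200)),
    ]


# Constructed log lines from several SOC sources, "<ts> <source> k=v ...".
LOG_LINES = [
    "2022-07-01T11:58:02Z email sender_ip=203.0.113.7 rcpt=cfo@corp.example subject=Invoice",
    "2022-07-01T11:58:40Z dns client=10.0.0.12 query=update.bad.example rcode=NOERROR",
    "2022-07-01T11:59:10Z proxy client=10.0.0.12 dst=198.51.100.22 url=http://198.51.100.22/s",
    "2022-07-01T11:59:30Z edr host=ws-12 sha256=9f86d081884c7d659a2feaa0c55ad015a3bf4f1b2b0b822cd15d6c15b0f00a08 path=C:\\Users\\a\\x.exe",
    "2022-07-01T12:00:00Z dns client=10.0.0.40 query=intranet.corp.example rcode=NOERROR",
]


def extract_candidates(text: str) -> set:
    """Pull IPs, hashes and domains (plus each parent domain) out of a log line."""
    text = text.lower()
    cands = set(IPV4_RE.findall(text)) | set(SHA256_RE.findall(text))
    for dom in DOMAIN_RE.findall(text):
        parts = dom.split(".")
        # update.bad.example also yields bad.example, so a listed parent domain
        # still catches throwaway subdomains; bare TLDs are not added.
        for i in range(len(parts) - 1):
            cands.add(".".join(parts[i:]))
    return cands


def match_events(lines, iocs, now: datetime) -> list:
    """Baseline IOC match enriched with actor and decayed score. Each match is
    also recorded on the indicator as a sighting for the CTI team."""
    index = {i.value: i for i in iocs}
    hits = []
    for line in lines:
        ts, source, rest = line.split(" ", 2)
        for value in sorted(extract_candidates(rest)):
            ioc = index.get(value)
            if ioc is None:
                continue
            score = ioc.current_score(now)
            ioc.sightings.append((ts, source))
            hits.append({"ts": ts, "source": source, "ioc": ioc.value,
                         "kind": ioc.kind, "actor": ioc.actor,
                         "score": round(score, 1),
                         "action": "alert" if score >= ALERT_THRESHOLD else "informational"})
    return hits


def sightings_report(iocs) -> dict:
    """What the SOC pushes back to CTI: which indicators fired, and which never
    did (candidates for retirement, or a prompt to check detection coverage)."""
    return {"fired": {i.value: len(i.sightings) for i in iocs if i.sightings},
            "never_seen": [i.value for i in iocs if not i.sightings]}


if __name__ == "__main__":
    feed = build_iocs(NOW)
    for hit in match_events(LOG_LINES, feed, NOW):
        print(hit)
    print(sightings_report(feed))
```

Run as written, the script opens alerts for the day-old IP, the parent domain of the DGA-style lookup, and the file hash, but only logs the six-week-old IP as informational because its decayed score has fallen below the threshold; the report at the end tells CTI that c2.other.example never fired. The decay curve and threshold are where a CTI team encodes its judgement about how quickly each indicator type rots; the sightings report is the concrete answer to the SOC analyst's “what's in it for me?”, since it turns the SOC's tickets into feedback without anyone asking for a bulk export.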

3. Threat Intelligence Should be a Separate Entity from the SOC; They Have Numerous Customers

The SOC is a major stakeholder, but it is only one of several customers a CTI team serves. The following services are generally associated with a cyber threat intelligence team:

  • Adversary infrastructure analysis
  • Attribution analysis
  • Dark Web tracking
  • Internal threat hunting
  • Threat research for identification and correlation of malicious actors and external datasets
  • Intelligence report production
  • Intelligence sharing (external to the organization)
  • Tracking threat actors’ intentions and capabilities
  • Malware analysis and reverse engineering
  • Vulnerability research and indicator of compromise analysis (enrichment, pivoting, and correlation with historical reporting)

4. Success for Security Teams Means Reducing Risk Through Outcomes

Regardless of who the stakeholders are in an organization, improving security should be framed around reducing risk and influencing outcomes that disrupt adversaries, rather than around counting indicators or reports produced. This should be done in alignment with the executive team and the culture of the organization. Showing how risk is being reduced over time is what makes a threat intelligence team successful in the eyes of business executives.
