Establish robust threat intelligence with Elastic Security

As a powerful search engine, Elasticsearch provides various ways to collect and enrich data with threat intel feeds, while the Elastic Security detection engine helps security analysts to detect alerts with threat indicator matching. In this blog post, we’ll provide an introduction to threat intelligence and demonstrate how Elastic Security can help organizations establish robust cyber threat intelligence (CTI) capabilities. CTI is contextual information obtained through research and analysis of emerging threats and the application of defensive countermeasures to enhance the protective posture of contested environments. It helps organizations to better understand past, current, and future threats.  Threat feeds that can be obtained from various open source and commercial platforms become actionable “threat intelligence” when raw feeds are processed, parsed, and interpreted by security platforms to detect and understand the statistical breakdowns of the source and targets of attack activities.  Threat intelligence in security operation centres (SOCs)Threat information is typically delivered via data feeds that can be of different types, such as file hashes, FQDN, IP addresses, URL reputation data, CVE, etc. — generally referred to as indicators of compromise (IOC) — and such intelligence has an important role in the SOC.  IOCs are the main deliverable for such tactical threat intelligence feeds and these are particularly useful for updating signature-based defence systems to defend against known attack types. IOCs also prove useful in proactive measures such as threat hunting. The SOC team will typically be responsible for processing threat data and using it to add additional context to internal sources of data that are malicious. This is particularly valuable to SOC analysts that are responsible for analysing big data sets across SIEM platforms. Threat intelligence integration with SIEM detection capabilities helps with the prioritisation of alerts. Threat intelligence integration with SIEM detection capabilities helps detect threats that might currently prevail inside the network through indicator lookups. Detections with known indicators increase the detection maturity in day-to-day security operations. Planning and collection of threat feedsThreat feeds from various sources can be of different types and in different forms. Methods to process and collect these feeds vary depending on the source platform but are mostly supported with APIs and standard file formats such as STIX, JSON, CSV, etc. Elastic, with its rich API-driven capabilities, provides a comprehensive data collection module for threat feeds from various sources. Filebeat Threat Intel module supports different threat feed streams, including open source feeds, and has rich flexibility in enabling and disabling feeds, filtering the types of feed, time intervals to pull the feeds and, importantly, it automatically deduplicates feeds from the same source. This blog post covers the detailed steps for ingesting threat data with the Filebeat Threat Intel module.

Figure 1: Prebuilt threat intel dashboard - Alienvault OTX threat feed Analytics with threat intelligenceThe data collected by threat feeds provide previously identified indicators of a potential compromise and can assist in improving the effectiveness of the security devices that can leverage this information to detect or even block these known threats. Dynamic or static indicators (threat data) that are streamed into an Elasticsearch index can be used with multiple use cases such as: 

Detecting malicious events and traffic through indicator match rules
Enriching incoming traffic to add additional context 

Indicator match detection rulesThe Detection Rules GitHub repository is the home for rules created by the community and the Elastic Intelligence and Analytics team. Elastic provides out-of-the-box prebuilt detection rules addressing different threat use cases and this library of rules is continuously growing. Additionally, Elastic also provides the user with the ability to define and create their own detection rules to match their environmental use case requirements. Indicator match rules are one of the detection rule types used to generate alerts when network or host events are observed that match the data provided by threat feeds.  The indicator match rule compares the field values of the specified event and the indicator field values in the threat intel index. When the field values are identical, an alert is generated in the detection engine. Elastic detection provides various out-of-the-box detection rules, including threat intel detection. Threat Intel detection rule is triggered when indicators from the threat intel Filebeat module have a match against local file or network observations. Additionally, Elastic detection also provides the ability to create your own detection rules across various rule types. As an example, let’s create an indicator match rule to identify a Network connection to a Malicious IP. With this indicator match rule, we can detect and generate an alert for outgoing network traffic to an IP address from a threat feed. When this alert is generated, this may indicate that the host generating the connection may be compromised or engaged in other suspicious user activity that could warrant further investigation.

https://www.elastic.co/blog/establish-robust-threat-intelligence-with-elastic-security