Threat intelligence is a critical component in the field of cyber security. It provides security professionals with the information they need to make decisions, such as a list of command and control (C2) systems, a list of hashes for a known malware family, or simply the MITRE ATT&CK techniques most commonly used by the ALPHV ransomware group. Threat intelligence tells professionals what they need to watch for and generate alerts on. Without this intelligence, security tools would be nothing more than blinking lights, diligently refining and curating our production data into something called security data.
If you really want to go down the rabbit hole on what security data is, you should check out NIST. To keep things simple, security data is used to keep our production data, systems, and users safe against a defined risk. When security tools fail to keep the attackers out, resulting in a security incident, security data can also be used to determine the what, where, when, and how of the incident.
Threat intelligence comes in many forms, and numerous organizations build, curate, and distribute their security data, whether by giving it away or by selling it. Naturally, the dissemination of threat intelligence is widely encouraged, as the more people who know about an attack, the more secure our global society can become. But threat intelligence can become very complex and highly nuanced, making it onerous to use.
We live in a laissez-faire and competitive society. The sad but honest truth is that some threat intelligence may never be publicly shared when it is most critical. Instead, it is used as a market differentiator to boost a security vendor’s detection capabilities over that of its competitors. This article is not being written to attack security vendors, nor is it Truss’ mission to disrupt or damage the reputations or capabilities of security vendors or their tooling. Security vendors are critical in the collection, analysis, reporting, and dissemination of threat intelligence. They oftentimes have the most visibility into the threat landscape and they employ some of the best and brightest minds to build the defenses we all rely on.
Rather, this article is dedicated to delivering the concept of how Truss can make security smarter and faster by facilitating the wider dissemination of threat intelligence in a way that is both simple and profitable for the sharer.
Every security tool uses threat intelligence to generate alerts. Security Information and Event Management (SIEM) and Endpoint Detection and Response (EDR) tools are two of the most commonly used security tools that actively employ threat intelligence. Vendors often have their own particular focus on security, and the intelligence they produce powers their tools. Additionally, each tool may have its own syntax for querying a given indicator of compromise (IOC), such as a malicious source IP address, a malware file hash, or a system logging event.
Security Operations Centers (SOCs) maintain multiple security tools, many of which use and require threat intelligence data to operate properly. However, it is unlikely that the same threat intelligence can be used as-is by every security tool: SOC operators are required to use a different query method for each tool. Some toolsets, such as Security Orchestration, Automation, and Response (SOAR), can assist in automating security operations, but their scope and flexibility are limited, and they primarily rely on a security tool to trigger an alert before that automation can begin.
The key questions that Truss wants to answer are: Can we dramatically speed up the process of providing security tools with the threat intelligence data needed to detect emerging threats, regardless of the security tool? Moreover, can we make threat intelligence available regardless of its source?
As stated previously, threat intelligence comes in many forms and from many sources. Ask yourself, how can any single source facilitate such a wide range of threat intelligence and make it useful to anyone? We believe that Truss has the solution. Truss makes threat intelligence usable by any security tool, shares it globally in seconds, and enables provisioning by any threat intelligence source.
Threat intelligence at its most basic is categorized by type. Some of these types include IP addresses, domains, hash values, file names, file paths, mutexes, user-agent strings, MITRE ATT&CK tactics and techniques, CVEs, malware families, tools, APTs, and hundreds more. While not every security tool uses the same formatting or syntax for building a query or alert, they all build queries and alerts based upon one, two, or hundreds of these threat intelligence types.
A Truss agent is a software service that pulls threat intelligence data from the Truss network, an application dedicated to storing and transmitting threat intelligence. The Truss agent transforms that data into the queries, alerts, reports, and dashboards required by the security tool it supports (see Figure 1). For example, Truss has a Splunk agent that leverages Splunk's API to build the required query or alert using Splunk syntax. Similarly, Truss will have agents for other security tools, each using that tool's API to translate the threat intelligence data into the format that particular tool understands.
Figure 1. The Truss Platform Overview
This level of flexibility is provided by allowing the same set of threat intelligence to be usable across multiple security tools and by allowing organizations to choose what types of threat intelligence they want to ingest and which types of security tools they wish to use.
Separating the acquisition of security data from the adoption of security tools is helpful for an organization that may wish to replace its EDR vendor with another because of advances in detection capabilities. With Truss, that organization owns the threat intelligence it purchased for its previous EDR solution. This intelligence can be quickly ingested into the new solution by using the Truss agent for the new tool. All of the policies, queries, and alerts the organization depended upon in its old EDR are immediately integrated into the new one. Security engineers are no longer required to re-create their custom alerts, queries, or policies manually.
It is common practice to rely on a single security tool to protect all assets. However, maintaining redundant security alerting policies or investigating incidents across multiple security tools requires additional resources, either in the time to perform multiple investigations or in the number of personnel. Truss allows the same threat intelligence data to be sent to multiple tools. For example, both an EDR and a SIEM can use the same intelligence. Should an EDR agent detect malicious network traffic, it will raise an alert. But it may miss activity on a system where that EDR's agent wasn't installed. The SIEM, via a firewall log, can trigger an alert on the same type of network traffic. Truss enables both of these tools to be updated simultaneously.
In the next article, we will talk more about where Truss Threat Intelligence comes from and how it is formatted. Stay tuned!