The Crucial Component of Detection and Response: Intelligence Pivoting
Intelligence Pivoting Allows You to Build a Broader Picture and is Pivotal to Detection and Response
Pivot. It’s a word we’re hearing more frequently since the pandemic and I find it interesting for its dual meaning. One on the one hand it means “turn.” Schools are pivoting to online learning. Businesses are pivoting to a remote workforce. Retailers are pivoting to contactless commerce. But it also means “crucial.” Measures like these are pivotal to keeping Covid-19 infection rates down. While it may be a trendy term, in cybersecurity, intelligence pivoting is pivotal to detection and response.
The first step is detection, having the right data from the right tools at the right time. But what is the right data? Each product within your security infrastructure creates its own logs and events, generating a massive amount of data – IP addresses, URLs, hash values, etc. These indicators are the lowest common denominator of all these disparate logs, and each of these indicators could reveal malicious behavior. For instance, you may see an IP address you don’t recognize in your intrusion prevention system (IPS). So, you decide to query other systems to see if any of your other security tools have detected communication back to that IP address, which is valuable information. But an indicator is just one piece of data. Without context you can’t have a full picture of what is happening.
In my previous article I discussed the concept of intelligence pivoting with a simplified example of looking at external threat intelligence to see if a particular IP address is associated with a specific adversary. With that intelligence, you can pivot to that adversary and learn that there are numerous additional IP addresses related to that adversary. Searching across your other tools, you find a substantial subset of those associated IP addresses. That’s a fairly solid sign that something may be going on.
Digging deeper, you can gain greater contextual awareness and understanding. For instance, is this indicator associated with a specific campaign or adversary, and are there associated artifacts you can look for in other tools, like your endpoint detection and response (EDR) solution? A framework like MITRE ATT&CK that describes threat actor tactics, techniques and procedures (TTPs), allows you to expand your investigation further and formulate a hypothesis about a specific campaign or adversary that may have infiltrated your network. Now you can pivot to test your hypothesis and confirm or disprove an attack.
Say MITRE ATT&CK defines a malicious spearphishing attachment as a technique to gain initial access. The hypothesis could be that any employee spearphished with an email containing a malicious attachment is only one of many under attack. The investigation could then focus on taking a known spearphishing attempt and searching for any other staff affected by the same or similar attacks. With intelligence on a TTP from a known attack, you extract additional indicators and pivot to conduct a targeted search across the organization to reveal a more complete picture and confirm the presence of an adversary. What’s more, building a broader picture based on campaigns and methods forces attackers to change TTPs which has a significantly higher cost for them and may result in their disinterest and dropping their focus on your business. We’ll get into that in more detail in a future article.
As this more detailed example shows, you can’t stop with the first tool that reveals an indicator. You need to look across all your tools to see a broader picture – enriched by multiple indicators and indicator types, and intelligence on adversaries and their methods – so you can gain a deeper understanding of what is going on and can respond effectively. Intelligence pivoting allows you to build that broader picture and is pivotal to detection and response.