The SecOps world is a funny place. For those who’ve been in it for a while, it is amazing to see the strides we’ve made in technology. We started with mostly roll-your-own tools, and we now have the capability to remotely examine, in real time, filesystem changes and memory on a system on the other side of the world. So, to say we have advanced, I think, is a crushing understatement. But, for all these advances, we’ve strangely let the content that powers these technology platforms utterly stagnate.
And this creates a serious, and frustratingly familiar, issue for security teams. With all this increased visibility comes literal mountains of additional data being thrown into the mix, drastically skewing the signal-to-noise ratio (again!). Compounding the problem of volume is the fact that many teams and security products still rely mostly on that stagnant content as a primary method of detection. This “content” is often nothing more than simple indicators of compromise (IOCs) that were unreliable back in the day. Now, though, they are wholly untenable as a detection method.
And the adversaries clearly understand this. In fact, there are entire black-market industries around so-called bulletproof hosting and malicious VPS providers that allow actors to rotate their infrastructure quickly and seamlessly, hundreds or thousands of times an hour. Similarly, malware authors have been developing various capabilities to make their malware “fully undetectable” for years. This means that long before the “Next Big Attack” hits the media, the actors have shifted their infrastructure and recompiled their tools dozens of times, or more.
This means that the countless IP addresses, domains, and hashes that teams have amassed over the years are not only mostly useless, but are also directly contributing to the analyst fatigue and alert overload that continues to plague SOCs everywhere. Enter the Threat Content Platform.
The Threat Content Platform, at its simplest, is a tool that feeds various security platforms (like SIEM, data lake, EDR, XDR, NDR, and SOAR) with a constant stream of threat content to hunt and detect the latest TTPs, malware, and exploits. This means that organizations, in the face of a compromise like SolarWinds, or an attack like the one that affected the Colonial Pipeline Corporation, have a reliable source of threat content that they can deploy without having to develop and engineer it internally, or lean on unreliable IOCs.
Now, what do I mean when I say threat content?
Threat content is aligned to the top tiers of the infamous Pyramid of Pain. It consists of complex queries meant to be deployed in-tool to reliably detect suspicious and malicious behaviors and TTPs. This is important because, while adversaries may shift their infrastructure and recompile their malware and tools, fundamentally changing their behavior once they have established a foothold is much, much harder. Threat content allows organizations to capitalize on this weakness to hunt and detect malicious activity.
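To make the contrast concrete, here is an added example (not code from the original post or from any platform it mentions) that runs an IOC rule and a behavioural rule over a few constructed endpoint events: the same TTP is seen twice, once as first observed and once after the actor has rotated infrastructure and recompiled. The field names, hashes and IP addresses are all assumed sample data.

```python
"""Added example: IOC-based versus behaviour-based detection content.

All events, hash values, IP addresses and field names below are constructed
for illustration; they do not come from any real incident or product.
"""
from typing import Dict, List

# Constructed endpoint telemetry (hypothetical field names).
EVENTS: List[Dict[str, str]] = [
    # Campaign as first observed: Office spawning a script host that beacons out.
    {"host": "ws01", "parent": "WINWORD.EXE", "image": "wscript.exe",
     "sha256": "SAMPLE-HASH-A", "dst_ip": "203.0.113.10"},
    # Same TTP a week later: recompiled payload, new rented VPS as C2.
    {"host": "ws07", "parent": "EXCEL.EXE", "image": "cscript.exe",
     "sha256": "SAMPLE-HASH-B", "dst_ip": "198.51.100.77"},
    # Benign: an admin launching a logon script from the desktop shell.
    {"host": "ws03", "parent": "explorer.exe", "image": "wscript.exe",
     "sha256": "SAMPLE-HASH-C", "dst_ip": "10.0.0.5"},
]

# "Stale" IOC content: only what was known when the campaign was first seen.
IOC_HASHES = {"SAMPLE-HASH-A"}
IOC_IPS = {"203.0.113.10"}

# Behavioural content: describes the technique, not the artefacts.
OFFICE_PARENTS = {"WINWORD.EXE", "EXCEL.EXE", "POWERPNT.EXE"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def ioc_rule(ev: Dict[str, str]) -> bool:
    """Match only on known-bad hash or destination IP."""
    return ev["sha256"] in IOC_HASHES or ev["dst_ip"] in IOC_IPS


def behaviour_rule(ev: Dict[str, str]) -> bool:
    """Match on the behaviour: an Office application spawning a script host."""
    return (ev["parent"].upper() in OFFICE_PARENTS
            and ev["image"].lower() in SCRIPT_HOSTS)


def run_rules(events: List[Dict[str, str]]) -> Dict[str, List[str]]:
    """Return the hosts each rule type alerts on, in event order."""
    return {
        "ioc": [e["host"] for e in events if ioc_rule(e)],
        "behaviour": [e["host"] for e in events if behaviour_rule(e)],
    }


if __name__ == "__main__":
    print(run_rules(EVENTS))  # IOC rule misses ws07; behaviour rule catches both
```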
But there is another vital dimension to a threat content platform, and that is that threat content must be living content. As I mentioned above, these adversaries aren’t simple lone wolves anymore. Many of the major actors are closer to traditional businesses, and like any good business they are incentivized to innovate. Threat content must therefore evolve constantly alongside the actors and their actions. Threat Content Platforms will typically have a pipeline fed by the latest threat intelligence, security research, and incident response data. This allows them not only to develop new content on emerging threats, but also to identify known threats that have modified their behaviors, so that existing threat content can be continuously re-evaluated to ensure it is still up to date.
Something I have been asked a lot when discussing the concept of Threat Content Platforms is “but, don’t my tools already do this?” The answer to this is like my relationship status: “It’s complicated.”
If we are talking about a single pane of glass – the SIEM – some do come with some basic default content. However, this content is often simplistic and meant more to serve as a model than for production. It must be, because SIEM vendors have no idea what logs you are going to be feeding it. It is engineered to be as broad as possible and rarely gets updated. So, when a new technique or tactic emerges, organizations are on their own to develop or re-engineer their content.
However, if we are talking about individual security appliances (like IDS, NDR, EDR, or the litany of other acronyms), many of those tools do receive constant updates. But the question that should be asked is “updates of what?” As I discussed earlier, many of these tools, despite their advanced capabilities, are still relying primarily on simple IOCs or basic artefacts, like strings contained in files, for detection.
Not much more than noise.
But, even for platforms that do leverage more advanced threat content, another consideration organizations should take into account is threat content parity. For instance, it is common for larger organizations to deploy several vendors’ platforms for a single task.
As an example, I have seen a large enterprise environment that had three different EDR platforms from different vendors. This resulted in inconsistent detection of the same threat across the environment. I have seen the same thing with NDR and IDS platforms across many organizations in my career.
And a simple search on VirusTotal will reveal to you that not every AV detects a threat. This reality can turn security into a crapshoot. Threat Content Platforms ensure organizations have data parity across tools and platforms.
Organizations should also consider threat content portability. With the growing trend toward tight integration of security platforms, like XDR, organizations are in a difficult spot if they want to transition away from the ecosystem for any reason.
This means that any proprietary content will vanish with the platform, and any custom developed content will likely need to be re-engineered for the new platform, at great time and expense. Threat Content Platforms give organizations the flexibility to move between platforms without the risk of vendor lock-in or costly re-engineering efforts. This effectively decouples threat content from existing tools and platforms.
As adversaries continue to innovate and advance, being able to reliably detect behaviors – and not just IOCs or simple artefacts – is going to become a necessity. Threat Content Platforms can help power these advanced technologies and platforms with equally advanced, up-to-date, behavioural threat content. These platforms also provide organizations with the benefit of threat content parity and portability, which results in greater flexibility.
If you would like to explore how threat content platforms can help your security team, sign up today for a FREE account to the HUNTER Platform, here!