Recent events such as the REvil ransomware campaigns and the Log4j vulnerability have once again underscored the necessity of Cyber Threat Intelligence (CTI), a key component of modern cyber defence. However, integrating CTI effectively can be expensive for SOCs, and especially so for the less well-resourced operations that are typical outside the Financial Services sector.
A large part of the cost of CTI, as with any part of the InfoSec community, is the cost of recruiting and retaining even an entry-level CTI analyst. According to research by Trident Search, a specialist InfoSec recruiter, even a junior CTI analyst currently commands a salary of between £35,000 and £45,000 per year, with more senior roles easily breaking the £100,000 mark. Given that CTI is a team sport requiring a group of analysts, plus the cost of appropriate tooling, integrating CTI within a SOC with a limited budget can be a challenge.
Faced with this, a common alternative to a full-time CTI role is to allocate some elements of the CTI role to another persona already resident within the SOC, i.e. a SOC analyst or engineer. This approach of distributing CTI functions across other roles is common and certainly cost effective; however, it is not without its drawbacks. Aside from any technical details, distributing responsibility for a role across multiple personas is never really as effective as a single specialist working within a focused area.
So how can Artificial Intelligence such as Elemendar’s READ. help?
CTI as a professional practice is heavily document based: the typical input to a CTI research project is a text document of some kind, and the output is similarly a textual document. Within this process lies the challenge, since the skills a SOC analyst typically applies on a SIEM or SOAR system do not translate easily to the more qualitative research demanded by high-quality CTI work.
READ. addresses this issue with an interface designed around an analyst workflow that is more familiar to the process-driven roles typically found within the SOC, shown below in Figure 1.
Figure 1: the analyst workflow within Elemendar’s READ. tool
At a more substantive level, the Machine Learning modules that run within READ. help the human analyst consume the conceptual content of a larger trove of documents, delivered as STIX objects via TAXII. In effect this allows an analyst to produce visualisations such as the one shown below.
Figure 2: graph automatically extracted by READ. from original report
With READ. integrated into the analyst's workflow, there are two use cases that provide assurance around a more junior CTI analyst's work.
- As an additional source to help the analyst produce the report in the first instance: READ. can parse CTI documents like the one visualised in Figure 2 at scale. This allows any CTI analyst, irrespective of experience, to access via graph visualisations a far wider corpus of data than they could ever ingest by reading CTI reports conventionally. It effectively lowers the bar to consuming the large volumes of historical CTI reports that are such a key component of CTI analysis. Additionally, the STIX files created by READ. give analysts a ready supply of "crunchy" CTI indicators in STIX 2.0 format for inclusion in future CTI reporting.
- As Quality Assurance for the content of the report once it has been produced: a more suitable use case is to use READ. to validate an analyst's output within a report. How would this work? Take for example the graph shown in Figure 2. Within this report, and in the resulting STIX file and graph image, "Turla" has been correctly identified by READ.'s machine learning modules as a Threat Actor, with an association within the graph to "Russia". In a hypothetical scenario, if a less experienced CTI analyst were to wrongly attribute Turla to another nation state, this would be revealed as an obvious error when the draft report is checked against the STIX output.
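The QA check described in the second use case can be automated once the extracted graph is available as STIX. The block below is an added example written for this post, not READ.'s own code or output: it builds a small constructed STIX bundle standing in for what Figure 2 shows (Turla, a "located-at" link to Russia, and a "uses" link to the Snake malware), lists the graph edges, and compares an analyst's draft attributions against the extracted graph. The bundle uses the STIX 2.1 `location` object because STIX 2.0 has no location type; all object IDs and the relationship choices are assumptions, and the comparison logic does not depend on the STIX version.

```python
import json
from typing import Dict, List, Set, Tuple

# Constructed STIX 2.1 bundle standing in for the graph READ. extracts from a
# Turla report (Figure 2). IDs are made up; "located-at" to a location object is
# STIX 2.1, used here because STIX 2.0 has no location type.
SAMPLE_BUNDLE = """
{
  "type": "bundle",
  "id": "bundle--0d5b4a6e-6d86-4a9b-9a1b-2f8c3e7d1a10",
  "objects": [
    {"type": "threat-actor", "spec_version": "2.1",
     "id": "threat-actor--a1b2c3d4-0000-4000-8000-000000000001",
     "name": "Turla", "aliases": ["Snake", "Uroburos", "Venomous Bear"]},
    {"type": "location", "spec_version": "2.1",
     "id": "location--a1b2c3d4-0000-4000-8000-000000000002",
     "name": "Russia", "country": "RU"},
    {"type": "malware", "spec_version": "2.1",
     "id": "malware--a1b2c3d4-0000-4000-8000-000000000003",
     "name": "Snake", "is_family": true},
    {"type": "relationship", "spec_version": "2.1",
     "id": "relationship--a1b2c3d4-0000-4000-8000-000000000004",
     "relationship_type": "located-at",
     "source_ref": "threat-actor--a1b2c3d4-0000-4000-8000-000000000001",
     "target_ref": "location--a1b2c3d4-0000-4000-8000-000000000002"},
    {"type": "relationship", "spec_version": "2.1",
     "id": "relationship--a1b2c3d4-0000-4000-8000-000000000005",
     "relationship_type": "uses",
     "source_ref": "threat-actor--a1b2c3d4-0000-4000-8000-000000000001",
     "target_ref": "malware--a1b2c3d4-0000-4000-8000-000000000003"}
  ]
}
"""

# Relationship types that, from a threat-actor, express nation-state attribution.
ATTRIBUTION_RELS = {"located-at", "attributed-to"}


def index_objects(bundle_text: str) -> Dict[str, dict]:
    """Parse a STIX bundle and index its objects by id."""
    bundle = json.loads(bundle_text)
    if bundle.get("type") != "bundle":
        raise ValueError("not a STIX bundle")
    return {obj["id"]: obj for obj in bundle.get("objects", [])}


def graph_edges(objects: Dict[str, dict]) -> List[Tuple[str, str, str]]:
    """(source name, relationship type, target name) triples: the Figure 2 view."""
    edges = []
    for obj in objects.values():
        if obj["type"] != "relationship":
            continue
        src = objects.get(obj["source_ref"])
        dst = objects.get(obj["target_ref"])
        if src is None or dst is None:
            continue  # dangling reference: leave it out rather than crash
        edges.append((src["name"], obj["relationship_type"], dst["name"]))
    return sorted(edges)


def actor_ids(objects: Dict[str, dict], name: str) -> Set[str]:
    """Ids of threat-actor objects whose name or alias matches (case-insensitive)."""
    wanted = name.casefold()
    return {
        oid for oid, o in objects.items()
        if o["type"] == "threat-actor"
        and (o.get("name", "").casefold() == wanted
             or any(a.casefold() == wanted for a in o.get("aliases", [])))
    }


def extracted_attribution(objects: Dict[str, dict], actor_name: str) -> Set[str]:
    """Names of every object the named actor is attributed to in the graph."""
    ids = actor_ids(objects, actor_name)
    found = set()
    for o in objects.values():
        if (o["type"] == "relationship"
                and o["relationship_type"] in ATTRIBUTION_RELS
                and o["source_ref"] in ids):
            target = objects.get(o["target_ref"])
            if target is not None:
                found.add(target.get("name", target["id"]))
    return found


def check_attributions(bundle_text: str, draft_claims: Dict[str, str]) -> List[str]:
    """Compare an analyst's draft attributions (actor -> country) with the
    extracted graph. Returns one finding per disagreement or unverifiable
    claim; an empty list means the draft agrees with the graph."""
    objects = index_objects(bundle_text)
    findings = []
    for actor, claimed in draft_claims.items():
        extracted = extracted_attribution(objects, actor)
        if not extracted:
            findings.append(f"{actor}: no attribution in extracted graph; cannot confirm '{claimed}'")
        elif claimed not in extracted:
            findings.append(f"{actor}: draft says '{claimed}', extracted graph says {sorted(extracted)}")
    return findings


if __name__ == "__main__":
    for edge in graph_edges(index_objects(SAMPLE_BUNDLE)):
        print(" -> ".join(edge))
    # The hypothetical junior-analyst error from the post: Turla attributed elsewhere.
    for finding in check_attributions(SAMPLE_BUNDLE, {"Turla": "China"}):
        print("QA:", finding)
```

Two choices worth noting: alias matching means a draft that calls the group "Snake" is still checked against the Turla node (the malware of the same name is excluded by object type), and an actor with no attribution edge in the graph is reported as unverifiable rather than silently passed, since absence of evidence in one extracted report is not confirmation.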
Shown below (Figure 3) is a visual representation of how READ. integrates into the analyst workflow and provides assurance in the two areas outlined above.
Figure 3: CTI analyst workflow with READ. integration
To conclude, the main point of this blog is to demonstrate that Elemendar's READ. is both easy to use and provides high-quality results that can be applied within an operational environment. However, don't just take our word for it: request a free demo today!