How to Integrate Threat Intelligence With Your Cloud Security Operations

What roadblocks will attackers come across when attempting to penetrate your workload? If you’re drawing a blank, chances are your attackers will have it easy when they decide to attack your environment.

The fact is, there are only two types of companies: those that have been hacked and those that will be. So your options come down to one of two things:

  • Put in place a system that will notify you of a breach, or
  • Run blindly, hoping you find out about breaches before your customers do

The better choice is, of course, the first option, and that’s where threat intelligence comes in. In short, threat intelligence tells you when and where you’re at risk. With this intel, you’ll know if you’re at risk so you can take action. Without it, you’re leaving a lot up to chance.

Let’s take a look at how threat intelligence works and how you can integrate this capability into your cloud security operations.

Command and Control’s Role In Threat Intelligence


You’ve probably heard of the Cyber Kill Chain, a series of steps that advanced cyber attacks generally follow. Well, command and control (C2) is the most significant stage in the Kill Chain and it’s also what threat intelligence is largely based upon. That’s because it’s an attacker’s final task before they get into your systems, using an external connection to an illegitimate bad IP address.

From a defense perspective, C2 is the last step before it’s too late to detect a threat and prevent it from wreaking havoc within your environment. By the time an attacker gets to this stage, your main objective should be to contain the damage and limit what the attacker can access to curb the exploit’s impact.

Monitoring for Command and Control Activity


What you need to monitor when it comes to threat intelligence is workload communication with the bad hosts. If you want to know when your workloads talk to active APT command and control servers (a.k.a. the bad guys), here is what you should be monitoring for:

  • Outbound connections to a town botnet
  • Outbound connections to a scan host

Integrating Threat Intelligence With Security Operations


Chances are, your security operations team runs a lot of third party services, with each service connecting to a corresponding backend. This means there is really no way to control or monitor the Command and Control part of the Cyber Kill Chain without manually comparing the IP addresses that your cloud environment is connecting to with known bad IP lists.

This is where Threat Stack’s Cloud Security Platform™ comes in, gathering threat intelligence straight from workload communication with bad hosts and alerting your ops and security teams so you can take action before attackers go to town, so to speak, in your environment.

The Threat Stack Cloud Security Platform™ lets companies:

  • Know when workloads are communicating to known bad hosts
  • Receive granular alerts about who servers are talking to

How Threat Stack’s Threat Intelligence Works


Threat Stack collects every accept and connect from every host, so that each time a connect or accept is detected, we compare the IP to over a few million IPs (and growing) on the bad IP list, which is curated and continuously updated from the top commercial and open sources for the most accurate threat intelligence.

This always-on approach to threat intelligence monitoring quickly helps Threat Stack users determine if there is a threat present somewhere along the Cyber Kill Chain, so that remediation can begin immediately.

With Threat Stack, users can receive and set alerts based on:

  • Source (e.g. “tscommercial”)
  • Type (e.g. “IP”)
  • Reason (e.g. “C&C, “malicious host”, “scanning” or “malware domain”

With Threat Intelligence based alerts, customers can clearly see the complete kill chain along with the critical step in the chain, the command and control.

An example of alerts from Threat Stack alerts console:

threat_stack_alerts_console.png

Configuring for Threat Intelligence alerts is very simple on Threat Stack

  1. Enable Threat Intelligence rule
  2. Apply the rule to the servers you want to monitor.

Screen_Shot_2016-02-25_at_10.45.11_AM.png

 

How to Get Started

To know when your workloads are talking to active APT command and control servers, leverage Threat Stack’s Cloud Security Platform™ for complete visibility into your environment — even up to the very last stage in the Cyber Kill Chain.

New customers can get started for free here and current customers can simply enable the default threat intelligence rule set and begin assigning the rule set to servers they want to monitor.

Try Threat Stack Free Today