Cybersecurity has become a major challenge for organizations. As businesses and organizations have become increasingly reliant on digital systems to operate, the attack surface has broadened and the risk has increased. To combat these threats, organizations need a comprehensive understanding of the threats they face and of the tools and tactics used by cybercriminals. This is where Cyber Threat Intelligence (CTI) comes into play.
Beyond being a software vendor, Sekoia.io is one of the top European CTI producers. The Threat & Detection Research team (TDR), composed of passionate analysts, produces high-level intelligence on worldwide cyber threats.
Presentation of Sekoia.io CTI
The CTI produced and ingested in Sekoia.io provides a comprehensive view of the most active and documented cyber threats, alongside technical indicators of compromise (IOCs) that reveal the presence of attackers. We operate in a "one-to-many" model: we build global, contextualized intelligence that can be used by any organization operating in any sector. As of today, our database includes approximately 6 million objects related to malicious activities.
Sekoia.io's philosophy is to offer CTI that supports the operational objectives of your security teams. The intelligence is designed to be used and operationalized to enhance your detection and hunting capabilities.
This is why we have chosen to rely on a standard data model: STIX 2.1 (Structured Threat Information eXpression), developed by the OASIS foundation (Sekoia.io is a member of OASIS), in which every threat intelligence object is related to the others. STIX is the language analysts use to model and exchange their data transparently and to enable its use in vendor-agnostic security systems. At Sekoia.io, we believe that STIX is the best way to offer interoperable intelligence, consolidated in a single database.
Illustration of the relationships between a malware and the other STIX objects
Our team of analysts produces exclusive intelligence with dedicated resources. We constantly track command & control infrastructures to proactively detect new servers hosting malicious code or tools that might be used in future attacks. The quality, exclusivity and relevance of our intelligence have been praised by multiple public and private actors.
Furthermore, the team also relies on third-party sources that enrich, complete and validate our intelligence.
Example of the page of an IOC with all associated context and relations
Using CTI within Sekoia.io SOC platform
CTI can be operationalized easily within the Sekoia.io SOC platform, for detection, analysis and investigation purposes. In such a scenario, analysts benefit from advanced features.
Detection rules are natively present and continuously check, in real time, whether any IOC from the CTI database appears in the logs of your infrastructure. Combined with a wide catalog of integrations to ingest your logs into Sekoia.io, you benefit instantly from strong detection capabilities, based on a list of thousands of valid IOCs.
Illustration of an alert raised on a CTI indicator and enriched with context
Automatic retrohunt capabilities
When a new IOC is added to the CTI database, the SOC platform looks for this indicator in your logs, including those from the past. This feature, combined with the default validity period attached to every single IOC, lets you conduct retrohunt surveillance with a very limited risk of false positives: a sighting is only raised if the log event falls inside the window during which the indicator is considered valid.
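As an added illustration (not Sekoia.io's code) of the two ideas above, STIX relationships carrying context and validity windows bounding a retrohunt: a constructed STIX 2.1 bundle is matched against constructed historical log lines, and only sightings inside the indicator's valid_from/valid_until window are reported, together with the malware the indicator points to. The bundle, the log lines, the TEST-NET addresses and the simplified single-comparison pattern matcher are all assumptions made for this example.

```python
import re
from datetime import datetime, timezone
# Constructed STIX 2.1 bundle (sample data, not Sekoia.io intelligence); required fields
# such as created/modified/spec_version are omitted to keep the sample short.
BUNDLE = {"type": "bundle", "id": "bundle--00000000-0000-4000-8000-000000000001", "objects": [
    {"type": "indicator", "id": "indicator--00000000-0000-4000-8000-000000000002",
     "pattern_type": "stix", "pattern": "[ipv4-addr:value = '203.0.113.5']",
     "valid_from": "2024-03-01T00:00:00Z", "valid_until": "2024-03-31T00:00:00Z"},
    {"type": "malware", "id": "malware--00000000-0000-4000-8000-000000000003", "name": "ExampleLoader"},
    {"type": "relationship", "relationship_type": "indicates",
     "source_ref": "indicator--00000000-0000-4000-8000-000000000002",
     "target_ref": "malware--00000000-0000-4000-8000-000000000003"},
]}
# Constructed historical log lines: (timestamp, destination IP), TEST-NET addresses only.
LOGS = [
    ("2024-02-15T10:00:00Z", "203.0.113.5"),   # before valid_from: not flagged
    ("2024-03-10T08:30:00Z", "203.0.113.5"),   # inside the validity window: flagged
    ("2024-03-10T09:00:00Z", "198.51.100.7"),  # not an IOC
    ("2024-04-02T12:00:00Z", "203.0.113.5"),   # after valid_until: expired, not flagged
]
# Only the single ipv4-addr equality form of a STIX pattern is handled here (assumption).
SIMPLE_PATTERN = re.compile(r"^\[ipv4-addr:value = '([^']+)'\]$")

def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def indicator_context(bundle):
    """Map each indicator id to the names of the objects it 'indicates' (STIX relationships)."""
    names = {o["id"]: o["name"] for o in bundle["objects"] if "name" in o}
    ctx = {}
    for o in bundle["objects"]:
        if o["type"] == "relationship" and o["relationship_type"] == "indicates":
            ctx.setdefault(o["source_ref"], []).append(names.get(o["target_ref"], o["target_ref"]))
    return ctx

def retrohunt(bundle, logs):
    """Return (timestamp, ioc, context names) for log lines matching an IOC inside its validity window."""
    ctx, hits = indicator_context(bundle), []
    for ind in (o for o in bundle["objects"] if o["type"] == "indicator"):
        m = SIMPLE_PATTERN.match(ind["pattern"])
        if not m:
            continue
        start = parse_ts(ind["valid_from"])
        end = parse_ts(ind["valid_until"]) if "valid_until" in ind else None  # absent: valid indefinitely
        for ts, ip in logs:
            t = parse_ts(ts)
            if ip == m.group(1) and start <= t and (end is None or t < end):
                hits.append((ts, ip, ctx.get(ind["id"], [])))
    return hits
```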
Bring Your Own IOCs
The SOC platform allows you to input your own custom lists of IOCs and to use them for detection across your logs through specific detection rules. Retrohunt, as described above, also works on your own IOCs!
Comprehensive telemetry reports
For each IOC, either ours or yours, you can visualize the presence of the indicator on your Sekoia.io tenant and across all Sekoia.io tenants. This lets you see whether an indicator you are observing on your systems has also been spotted on other customers' systems (anonymized, of course), and, for any indicator of compromise, whether it has been present on your own systems.
Example of a telemetry dashboard on a Sekoia.io IOC (sightings in all Sekoia.io tenants)
All-the-way contextualization with intelligence
The intelligence is present throughout the Sekoia.io SOC platform to bring context to analysts' work. Context is provided on what is observed in the organization's logs and during every step of security operations (detection, hunting, alerting, case management, etc.).
Most importantly, CTI brings context when working on a specific threat impacting your infrastructure. CTI provides analysts with timely intelligence on the specific threat they are facing, including details about a malware, an intrusion set, etc.
Illustration of the investigation on a potential threat on the information system with links between the users and the related observed threats
Disseminating CTI in third-party solutions
Sekoia.io CTI can also be exported and operationalized in third-party systems. We intend to offer multiple ways to disseminate and leverage this intelligence.
It is important to keep in mind that some third-party solutions (TIP platforms, SIEM, etc.) do not offer the same features and threat exploration capabilities as the Sekoia.io SOC platform. In some cases, you will not be able to access all the STIX object types or all the relationships among threat objects, for example because the solution does not support the STIX 2.1 standard.
Even when disseminating intelligence and IOCs elsewhere, you retain access to our platform, where the intelligence is available in its full context.
Sekoia.io CTI can be disseminated:
- Within SIEM to extend your detection & hunting capabilities by using additional IOCs or to bring an extended contextualization to your SIEM operations.
- Within SOAR, to enrich, contextualize and support the analysts in their incident response activities. IOCs can then be matched with specific threats.
- Within Threat Intelligence Platforms (TIP) to add an intelligence source to a consolidated database that then can be used for detection.
- Directly within security equipment (EDR, firewall, etc.) to feed the solution with additional indicators such as IP lists or file hashes to enhance preventive blocking or detection capabilities. For example, you could export our list of IPv4 and IPv6 addresses and input them in the blacklist of your firewalls. You would then benefit from preventive blocking on a list of thousands of addresses known by our services to be malicious.
These integrations, depending on the technology, can rely on a Sekoia.io application available on the vendor's marketplace, a TAXII connector (the STIX transport protocol), a MISP connector or the use of an API.
The complete list of integrations can be accessed on our website, following this link.
Sekoia.io CTI can also be disseminated to your cloud services such as AWS or Azure through dedicated applications available on these cloud marketplaces.
Finally, the intelligence can also be consumed and disseminated through APIs, which are publicly documented here.
Overall vision of the construction and dissemination of the intelligence
Through this article, we wanted to provide you with an overall understanding of our CTI and to show how it can be operationalized for the use cases you may encounter in your day-to-day security operations.
For more information, do not hesitate to contact us and to have a look at our website!
Thank you for reading this blog post. Feel free to share your feedback, and read our other content: