Pivoting is a term that has been used in many senses during the pandemic, but in cybersecurity intelligence it has proved to be a vital factor for detection and response.
CIOs believe that intelligence pivoting gives security teams a larger view and enables better detection and response. Detection begins with checking whether the correct data has been collected.
Each security infrastructure product has its own events and logs and produces a vast amount of data in the form of URLs, IP addresses, hash values, and similar artifacts. These indicators are the lowest common denominator across otherwise disparate logs, and each one can expose malicious behavior.
When a security team identifies an IP address in the intrusion prevention system (IPS), they can check whether any other security tools have recorded communication with that IP address. Such data is crucial for security teams, but on its own the element is only an individual piece of data; a full picture is impossible without full context.
Consider the simple example of intelligence pivoting from the viewpoint of an external threat intelligence system that identifies an individual IP address associated with malicious actors or an adversary.
With that extra insight, enterprises can pivot to the threat actor and identify the other IP addresses the actor uses. When the remaining security tools are then analyzed, security teams can potentially identify a whole repository of connected IP addresses. Such repositories are strong indicators of malicious activity.
Analyzing further, CIOs believe, makes it possible to build better contextual awareness. Security personnel can identify the potential connection between an indicator and a threat actor, the related artifacts that can be monitored in other tools, and so on.
A security framework like MITRE ATT&CK helps expose threat actors' tactics, techniques, and procedures (TTPs). Such insights allow enterprises to widen the area of investigation and develop a theory about the particular campaign or adversary that may have breached the network; the team can then pivot on that theory to test the assumption and confirm the results.
CIOs note that MITRE ATT&CK describes a malicious spearphishing attachment as a common means of gaining initial access. Going by this assumption, an employee who has received such an email is probably only one of many who received it.
The detailed investigation would then require searching for the other employees who were targeted in the attack. With insight into the TTP from a previous episode, security teams can harvest the different indicators and pivot on them to conduct focused searches across the enterprise. The search helps build a fuller picture and confirm the threat actor.
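The pivot described above (a seed indicator from one tool, attribution to an actor, expansion to the actor's wider indicator set, then a focused search across every tool's logs), as an added example that is not part of the original article; the threat-intel feed, tool names, hosts and indicator values are constructed assumptions:

```python
"""Intelligence pivoting over constructed events from several security tools."""
from collections import defaultdict

# Constructed threat-intel feed (assumption): actor -> indicators attributed to it.
THREAT_INTEL = {
    "ACTOR-A": {"ip": {"203.0.113.10", "203.0.113.11"},
                "domain": {"update-check.example"},
                "sha256": {"a" * 64}},
}

# Constructed events from disparate tools (assumption). Each record carries the
# indicator type and value that is common to every log, as the article notes.
EVENTS = [
    {"tool": "ips",   "host": "ws-01", "type": "ip",     "value": "203.0.113.10"},
    {"tool": "proxy", "host": "ws-07", "type": "ip",     "value": "203.0.113.11"},
    {"tool": "dns",   "host": "ws-07", "type": "domain", "value": "update-check.example"},
    {"tool": "edr",   "host": "ws-03", "type": "sha256", "value": "a" * 64},
    {"tool": "proxy", "host": "ws-02", "type": "ip",     "value": "198.51.100.5"},
]

def attribute(ind_type, value, intel=THREAT_INTEL):
    """Step 1: pivot from a single indicator to the actor(s) it is attributed to."""
    return sorted(a for a, inds in intel.items() if value in inds.get(ind_type, ()))

def expand(actor, intel=THREAT_INTEL):
    """Step 2: pivot from the actor to every indicator known for it."""
    return {(t, v) for t, vals in intel[actor].items() for v in vals}

def hunt(indicators, events=EVENTS):
    """Step 3: search every tool's events for the expanded indicator set.

    Returns host -> {(tool, type, value)} so the result shows which other
    tools recorded contact with each indicator, not just that one did.
    """
    hits = defaultdict(set)
    for e in events:
        if (e["type"], e["value"]) in indicators:
            hits[e["host"]].add((e["tool"], e["type"], e["value"]))
    return dict(hits)

def pivot(ind_type, value):
    """Full pivot: seed indicator -> actors -> indicator set -> affected hosts."""
    return {actor: hunt(expand(actor)) for actor in attribute(ind_type, value)}

if __name__ == "__main__":
    # Seed with the single IPS hit; the result covers proxy, DNS and EDR as well.
    for actor, hosts in pivot("ip", "203.0.113.10").items():
        for host, evidence in sorted(hosts.items()):
            print(actor, host, sorted(evidence))
```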
Security leaders point out that building a bigger picture based on tactics and techniques forces threat actors to modify their TTPs. Doing so raises their cost and may lead them to lose interest in the target.
All security tools must be analyzed to identify the bigger picture. Together they hold many indicator types, multiple indicators, and data on threat actors and their TTPs. A more detailed understanding helps enterprises develop more robust security strategies and mitigate attacks more effectively. Thus intelligence pivoting is a pivotal element of detection and response.