Expanding Our Vigilance: Leveraging Cyber Threat Intelligence for Advanced Threat Alerting (Activity 7.2.2)
We’ve laid the groundwork for robust threat detection, developing rules and alerts in our SIEM for common threats and feeding those into automated response workflows (Activity 7.2.1). However, relying solely on known attack patterns or internal anomalies leaves us vulnerable to novel and sophisticated threats. To elevate our detection capabilities, we must look beyond our own four walls and integrate the collective intelligence of the cybersecurity world. This brings us to Zero Trust Activity 7.2.2: Threat Alerting Pt2.
This activity focuses on significantly expanding our threat alerting capabilities within the Security Information and Event Management (SIEM) solution. It mandates that DoD Components expand threat alerting in the SIEM solution to include Cyber Threat Intelligence (CTI) data feeds. This means ingesting curated information about emerging threats, attacker tactics, techniques, and procedures (TTPs), and indicators of compromise (IOCs) from external sources. Building on this, deviation and anomaly rules are developed in the SIEM to detect advanced threats, moving beyond simple signatures to behavioral analysis and baseline deviations.
This activity is vital for proactive threat detection, allowing us to anticipate and identify sophisticated attacks that might otherwise evade traditional defenses. It transforms our SIEM from a reactive log aggregator into a proactive threat hunting and alerting engine.
The outcomes for Activity 7.2.2 highlight this advanced detection capability:
- Rules developed for advanced threat correlation (e.g., behavioral, baseline deviation).
The ultimate end state underscores the strategic impact of integrating external intelligence: Components augment SIEM with threat data from CTI feeds. This ensures our detection capabilities are continuously informed by the latest threat landscape.
Solutions for Achieving Threat Alerting Pt2
Implementing Activity 7.2.2 requires integrating diverse sources of threat intelligence into your SIEM and leveraging its advanced analytical capabilities to develop sophisticated detection rules:
- Integrating Cyber Threat Intelligence (CTI) Data Feeds:
  - Process: Identify and subscribe to reliable and relevant CTI feeds. These can include open-source intelligence (OSINT), commercial threat intelligence platforms (TIPs), government-furnished information (GFI) feeds, and industry-specific sharing groups (e.g., ISACs).
  - Data Ingestion: Establish secure and automated data pipelines to ingest CTI data directly into your SIEM (e.g., Elastic Security). This includes IOCs (IPs, domains, hashes), TTPs, and contextual information about threat actors and campaigns. This builds on your log parsing efforts in Activity 7.1.2, ensuring the TI is properly formatted.
  - Prioritization: Prioritize CTI feeds based on their relevance to your organization’s threat landscape and assets.
- Developing Deviation and Anomaly Rules in the SIEM:
  - Leveraging Log Analysis (from 7.1.3): Utilize the baselines of common user and device activities developed in Activity 7.1.3. The SIEM (e.g., Elastic Security) uses these baselines to identify deviations from normal behavior.
  - Behavioral Rules: Develop correlation rules within the SIEM that look for patterns indicating anomalous behavior, often driven by machine learning (e.g., a user accessing a critical system outside of normal hours, unusual data transfer volumes, or rare application usage).
  - CTI-Informed Rules: Create specific rules that look for internal activity matching IOCs from ingested CTI data. For instance, an alert might trigger if an internal device communicates with an IP address identified in a CTI feed as a known Command & Control (C2) server.
  - Use Cases: Focus on developing detection use cases for advanced threats like living-off-the-land attacks, supply chain compromises, or sophisticated phishing campaigns that are difficult to detect with traditional signatures.
- Augmenting SIEM with Threat Data:
  - Process: Establish a continuous process for enriching the SIEM’s threat data. This includes not only ingesting CTI feeds but also internal threat intelligence derived from incident response analysis (e.g., new IOCs discovered during an investigation, attacker techniques observed).
  - Feedback Loop: Ensure a feedback loop from your Incident Response (IR) team and threat hunters directly to your SIEM content developers to refine and create new detection rules based on real-world incident data.
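The CTI-informed rule described above (internal traffic matched against feed IOCs), as an added Python example that is not part of this page or of Elastic's or Trellix's products. It vets the feed by confidence and indicator age before matching, so stale or low-confidence IOCs do not raise alerts; all feed entries, hosts and addresses are constructed placeholders.

```python
from datetime import datetime, timedelta

# Constructed CTI feed entries (placeholder values): indicator, confidence,
# when the source last saw it, the originating feed, and a label.
CTI_FEED = [
    {"type": "ipv4", "value": "203.0.113.45", "confidence": 90,
     "last_seen": "2025-05-01", "source": "isac-feed", "label": "C2 server"},
    {"type": "domain", "value": "update-check.example", "confidence": 40,
     "last_seen": "2025-05-03", "source": "osint-feed", "label": "phishing"},
    {"type": "ipv4", "value": "198.51.100.7", "confidence": 95,
     "last_seen": "2024-11-20", "source": "isac-feed", "label": "C2 server"},
]

# Constructed internal telemetry as the SIEM sees it after parsing (7.1.2).
EVENTS = [
    {"ts": "2025-05-04T02:10:00", "host": "ws-017", "dst_ip": "203.0.113.45", "domain": None},
    {"ts": "2025-05-04T02:11:00", "host": "ws-017", "dst_ip": "192.0.2.10", "domain": "update-check.example"},
    {"ts": "2025-05-04T09:00:00", "host": "srv-db1", "dst_ip": "198.51.100.7", "domain": None},
    {"ts": "2025-05-04T09:05:00", "host": "ws-022", "dst_ip": "192.0.2.11", "domain": "intranet.example"},
]

def build_index(feed, now, min_confidence=60, max_age_days=90):
    """Keep only indicators that are recent and confident enough; stale or
    low-confidence IOCs are a major source of false positives in CTI matching."""
    now = datetime.fromisoformat(now)
    index = {}
    for ioc in feed:
        age = now - datetime.fromisoformat(ioc["last_seen"])
        if ioc["confidence"] < min_confidence or age > timedelta(days=max_age_days):
            continue
        index[(ioc["type"], ioc["value"].lower())] = ioc
    return index

def match_iocs(events, index):
    """Return one alert per event whose destination IP or domain hits the vetted index."""
    alerts = []
    for ev in events:
        keys = [("ipv4", ev["dst_ip"])]
        if ev["domain"]:
            keys.append(("domain", ev["domain"].lower()))
        for key in keys:
            ioc = index.get(key)
            if ioc:
                alerts.append({"host": ev["host"], "ts": ev["ts"], "indicator": ioc["value"],
                               "label": ioc["label"], "source": ioc["source"],
                               "confidence": ioc["confidence"]})
    return alerts

if __name__ == "__main__":
    for alert in match_iocs(EVENTS, build_index(CTI_FEED, "2025-05-04")):
        print(alert)
```

Lowering `min_confidence` shows the trade-off the Key Items section describes: the phishing domain then matches too, at the cost of alerting on a weak indicator.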
How Trellix and Elastic Work Together to Achieve Desired Outcomes and End State:
Your strategic choices of Trellix for endpoint security and Elastic for central SIEM/XDR are fundamental to achieving the goals of Activity 7.2.1 and, crucially, to realizing the desired outcomes and end state of Activity 7.2.2.
- Elastic Security (The Central Intelligence Hub and Rule Engine):
  - Achieving Outcomes: Elastic Security, as your SIEM/XDR platform, is where the core work of developing “rules for advanced threat correlation (e.g., behavioral, baseline deviation)” happens. It efficiently ingests, stores, and analyzes the vast amounts of log data (from all sources, including Trellix and CTI feeds). Its built-in UEBA capabilities allow it to establish behavioral baselines from Activity 7.1.3 and detect deviations. This directly leads to the identification of “advanced threat events.”
  - Achieving End State: By continuously ingesting and correlating CTI data (from TIPs or directly from Trellix’s intelligence feeds), Elastic directly fulfills the end state of “Components augment SIEM with threat data from CTI feeds.” This ongoing enrichment and its advanced analytical engine enable the detection of threats “undetectable by a traditional antivirus program,” providing the holistic view needed for “optimizing the response time of incidents.”
- Trellix (The Advanced Sensor and Threat Intelligence Contributor):
  - Achieving Outcomes: Trellix’s XDR platform (Endpoint Security, EDR, DLP) serves as a primary source of high-fidelity telemetry that fuels Elastic’s advanced detection rules. Its granular endpoint visibility allows Elastic to build precise behavioral baselines for devices and identify subtle anomalies. Furthermore, Trellix often provides its own proprietary Cyber Threat Intelligence (CTI) feeds and insights (e.g., from Trellix Insights or its global threat intelligence network). This direct CTI contribution from Trellix can be integrated into Elastic, directly satisfying the requirement to “expand threat alerting… to include Cyber Threat Intelligence (CTI) data feeds.”
  - Achieving End State: Trellix’s advanced prevention and detection capabilities at the endpoint (e.g., blocking zero-days, fileless attacks) are part of the “advanced protection on endpoint devices.” Its rich telemetry, when combined with Elastic’s correlation, helps “optimize the response time of incidents” by providing deep investigative context and aids in “discarding false positives” through more precise endpoint data. Trellix’s ability to block threats directly at the endpoint contributes to “implement blocking” and “protect against multiple threats happening simultaneously across various threat vectors.”
- The Combined Synergy for Outcomes and End State:
  - Unified Advanced Detection: Trellix provides the raw, high-quality endpoint data and its own CTI. Elastic Security acts as the central brain that ingests this, combines it with other cross-pillar data and external CTI, and then develops the sophisticated “deviation and anomaly rules” for advanced threat correlation. This combined data and analytical power directly enables the identification of “advanced threat events.”
  - Proactive & Optimized Response: The comprehensive view and high-fidelity alerts generated by Elastic (fueled by Trellix’s data and CTI) directly allow for “optimizing the response time of incidents” and enable quicker decisions on “implement blocking.” The continuous flow of CTI into Elastic ensures the SIEM is always augmented with the latest threat data, moving closer to the end state of protecting against advanced threats across multiple vectors.
Key Items to Consider:
- CTI Feed Selection and Vetting: Not all threat intelligence is equally valuable. Carefully select feeds that are relevant, timely, actionable, and reliable for your organization’s specific context. Ensure integration with your SIEM/XDR is robust.
- Data Volume and Management: Behavioral analytics and comprehensive TI ingestion generate massive data volumes. Ensure your SIEM/XDR can handle this scale and that the ingested data is high-quality, normalized, and enriched.
- False Positive Management: Behavioral and anomaly detection rules, especially when new, can generate false positives. A robust process for tuning rules and rapid alert triage is essential to minimize false positives.
- Actionable Intelligence: Ensure that the alerts generated by new rules are actionable and provide sufficient context for security analysts to investigate effectively.
- Integration with Automation (SOAR): Alerts from these advanced detection rules should seamlessly feed into your SOAR platform (e.g., Tines, as set up in Activity 6.2.2) to enable rapid, automated responses.
- Skills Gap: Developing and maintaining advanced correlation and behavioral rules requires specialized skills in threat intelligence analysis, data science, and SIEM content engineering.
For the Technical Buyer
Activity 7.2.2 is about elevating your threat detection and incident response capabilities by integrating sophisticated behavioral analytics and crucial external threat intelligence into your security workflows. For technical buyers, success here means augmenting your SIEM platform (e.g., Elastic Security) to ingest diverse CTI feeds and develop sophisticated deviation and anomaly rules, leveraging its powerful UEBA capabilities. This will be fueled by crucial identity context from your IdP (like Okta) and rich endpoint telemetry from Trellix. Using these integrated insights, further enriched by timely threat intelligence, to build profiles and baselines empowers your security teams to identify subtle “advanced threat events” that deviate from normal patterns, enabling more proactive investigations and targeted responses.
Pillar: Visibility & Analytics
Capability: 7.2 Security Information and Event Management (SIEM)
Activity: 7.2.2 Threat Alerting Pt2
Phase: Target Level
Predecessor(s): 7.2.1 Threat Alerting Pt1, 7.5.1 Cyber Threat Intelligence Program Pt1
Successor(s): 7.2.3 Threat Alerting Pt3