Light Dark
March 7, 2017 By Joerg Stephan 3 min read
Intelligence & Analytics

In the modern security operations center (SOC) model, the security intelligence analyst (SIA) represents a core role. In my opinion, it is one of the most important roles in the field of the cybersecurity.

The Role of the Security Intelligence Analyst

Customers often ask me what the role of the SIA actually is. The SIA is responsible for protecting the organization against real-world threats. This requires an intimate understanding of the technology that is used throughout the organization and how it benefits the business.

When security analysts read the latest security intelligence feeds, they must understand how certain events affect clients and know how to respond appropriately to protect customer data.

Three Main Elements of Cybersecurity

To fulfill these responsibilities, an SIA’s decision-making process should revolve around three key elements: threat intelligence, event intelligence and enrichment. Each of these areas is rich for information mining. The more company-focused the fields, the richer the outcome.

1. Threat Intelligence

Basically, threat intelligence describes all the information you can get about actual threats to your company. Nowadays, many companies and communities will share this information with you.

To avoid overloading your feed consumption, especially when you’re getting started, I recommend focusing on industry sector and geolocation. If your organization is part of the financial sector, for example, reach out to the Financial Services — Information Sharing and Analysis Center (FS-ISAC). This industry-specific intelligence is shared by companies just like yours, so the likelihood of facing a common threat is rather high.

The same goes for geolocation. Try to connect with your local computer emergency response team (CERT), such as the European Union Computer Emergency Response Team (CERT-EU), to gain a deeper understanding of actual threats in your area. If your IT infrastructure is located in a specific country, the volume of attacks against a certain region or IP range is very useful intelligence.

2. Event Intelligence

If you have ever taken a look at the input stream of a security information and event management (SIEM) solution or have seen the messages log on a Linux system, you are aware of the need to understand these events. This knowledge, combined with the know-how to tweak this output, is what I mean when I talk about event intelligence.

Event intelligence helps you understand the threat data you can actually use and decide whether certain indicators provide value. Does the data apply to your system? Will the indicators be visible on your SIEM solution, or do you need to tweak the quality, coverage and verbosity of the log sources?

3. Enrichment

Finally, the enrichment stage is when you start to add more information to the indicators and close the gap between threat intelligence and event intelligence.

Let’s say, for example, that your trusted source has shared SHA-1 malware hashes with you (threat intelligence), but you know that your systems are only logging MD5 hashes for email attachments (event intelligence). In this case, you can easily reach out to sources such as the IBM X-Force Exchange or VirusTotal to enrich the indicators. Both platforms are capable of showing the file information behind the SHA-1 hash or providing the MD5 hash required to perform a search on the system. This way, you can produce the right indicators to actually protect your business.

The possible use cases of enrichment are endless. In general, it helps SIAs in two major ways. First, it helps them understand individual indicators by adding the risk indication or getting deeper insight. When checking an IP address, for example, an analyst will receive additional indicators such as country of origin, owner and risk score.

Secondly, you can use the strategy to enrich a complete threat report. Here you can find additional information, such as which system types or software versions are actually affected by a CVE or which delivery method is normally used for a specific malware. All these enrichments can help SIAs better detect, understand and respond to threats.

Listen to the podcast to learn how cognitive technology benefits security intelligence analysts

 |  |  |  | 
Joerg Stephan
Security Consultant, IBM

More from Intelligence & Analytics
October 30, 2023

Hive0051’s large scale malicious operations enabled by synchronized multi-channel DNS fluxing

12 min read - For the last year and a half, IBM X-Force has actively monitored the evolution of Hive0051’s malware capabilities. This Russian threat actor has accelerated its development efforts to support expanding operations since the onset of the Ukraine conflict. Recent analysis identified three key changes to capabilities: an improved multi-channel approach to DNS fluxing, obfuscated multi-stage scripts, and the use of fileless PowerShell variants of the Gamma malware. As of October 2023, IBM X-Force has also observed a significant increase in…

September 12, 2023

Email campaigns leverage updated DBatLoader to deliver RATs, stealers

11 min read - IBM X-Force has identified new capabilities in DBatLoader malware samples delivered in recent email campaigns, signaling a heightened risk of infection from commodity malware families associated with DBatLoader activity. X-Force has observed nearly two dozen email campaigns since late June leveraging the updated DBatLoader loader to deliver payloads such as Remcos, Warzone, Formbook, and AgentTesla. DBatLoader malware has been used since 2020 by cybercriminals to install commodity malware remote access Trojans (RATs) and infostealers, primarily via malicious spam (malspam). DBatLoader…

September 7, 2023

New Hive0117 phishing campaign imitates conscription summons to deliver DarkWatchman malware

8 min read - IBM X-Force uncovered a new phishing campaign likely conducted by Hive0117 delivering the fileless malware DarkWatchman, directed at individuals associated with major energy, finance, transport, and software security industries based in Russia, Kazakhstan, Latvia, and Estonia. DarkWatchman malware is capable of keylogging, collecting system information, and deploying secondary payloads. Imitating official correspondence from the Russian government in phishing emails aligns with previous Hive0117 campaigns delivering DarkWatchman malware, and shows a possible significant effort to induce a sense of urgency as…

Topic updates

 Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today
© 2024 IBM Contact Privacy Terms of use Accessibility Cookie Preferences
Sponsored by si-icon-eightbarfeature