June 8, 2022 by Cybersixgill

How to Organize the Flood of Threat Intelligence Data to Make it More Actionable

On a recent episode of our podcast, Dr. Dark Web hosted by Chris Roberts, we had the opportunity to pick the brain of Cecil Pineda, the SVP/CISO at R1 RCM. Pineda is the co-founder of CISO XC, and works for dozens of CIOs, CISOs and CPOs of Fortune 100 companies, helping them maneuver through acquisitions and mergers while balancing the tightrope of regulatory compliance and cybersecurity resilience.

During the half-hour podcast, Pineda discussed the many challenges facing cybersecurity departments as they attempt to sort through overwhelming volumes of disparate and largely irrelevant TI data feeds – while simultaneously trying to keep track of the constant influx of Indicators of Compromise (IOCs), which pose new and potentially devastating threats to their organizations each day.

Listen to the full episode: “How to Make Your Data More Meaningful and Turn It Into Usable Intelligence” with Cecil Pineda.

The Old Way: Too Many Data Sources with No Context or Relevance

Every day brings an incessant flood of updates to firewalls, browsers and software that desensitizes an already overwhelmed IT team, resulting in slack cybersecurity and difficulties meeting compliance requirements.

“I get two or three dozen emails every day from all of our partners, from Microsoft to CSA. There is just so much noise,” Pineda said. He added that the main source of the struggle is that security teams must consume and process cybersecurity information from far too many sources, for fear of missing a new IOC. “The problem with too many data sources is that we don’t have time to analyze and do actionable work to address them.”

This can be an especially daunting challenge for global organizations with thousands of employees who speak different languages and operate under different local regulatory systems, yet must all follow the same internal directives.

“Sometimes I feel like we’re losing the bigger picture of why we do all these things,” Pineda said. “People have no time. We are hoping automation can help us. But from a CISO’s perspective I’ve not yet found a solution that can give me my time back.”

Organizations are beginning to embrace automation as an effective solution to address these challenges, helping to alleviate the struggles of the cybersecurity skills gap and lack of internal resources, as well as a means to improve productivity and optimize existing operational processes. AI, after all, is both faster and more accurate than what can be produced manually.

As a forward-thinking threat intelligence company, we at Cybersixgill understand the challenges faced by overstretched cybersecurity teams. While there is no shortage of vendors that provide threat intel feeds, the real question is: how do you pick the right feed that’s best matched to the needs of your organization?

Manual Threat Intelligence Collection is Stuck in the Past

Manual methodologies for threat intelligence collection are highly time-consuming and simply can’t keep up with the needs of today’s enterprises and the never-ending barrage of attacks. Pineda said that even with the best systems for manually tracking and collecting threat intelligence, work is duplicated and internal communication lines become muddy and confused.

Pineda described a common scenario he has experienced many times himself: although he is assured that IOCs and several other threat intel feeds are digested and incorporated into the company’s cyber defense systems, serious threats are still missed, leaving the company exposed to attack.

He added that cybersecurity professionals remain wary of trusting AI. Some members of a security team may still want to manually approve every operation - an understandable hesitation, he said. People become attached to the tools and processes they’ve been using, some of which they fought hard to purchase in the first place.

“The challenge for me is really: how can I harmonize people and process and technology?” Pineda said.

An Industry Cry: “Give me my time back!”

According to Pineda, there is one thing everyone is running out of: time. No one has time to start new cybersecurity projects, no one has time to work on old ones, no one has time to make sure existing systems are communicating well with one another.

“So far I have not found a solution that can give me my time back,” Pineda said, adding that he remains hopeful a new software solution will be able to help him and other CISOs, as well as their overworked cybersecurity departments, drown out the noise and cut to the facts.

What Pineda wants is a software solution that combines all the collected cyber intel and data, morphing it into a correlation tool that can be easily read and interpreted, while omitting irrelevant information and alerts.

Our podcast host Chris Roberts agreed. “As an industry we have advanced. When you look at where we're at on the macrocosm and you've got everything, we’ve got so much information that we can distill into intelligence.”

But the pain point is building an intelligence package that’s customized to an organization - a solution that homes in on the threats that are the most relevant, right now, to the cyber defense of this organization only.

“Give me something that I can actually use,” Roberts said. “Let me build an intel package for my organization and just help me understand where I need to focus.”

Pineda agreed and added that security information management (SIM) - which is supposed to collect, monitor and analyze security-related data from various computer systems and logs - was supposed to create a system that would distill only the most essential information, but it hasn’t quite turned out that way.

“SIM provides a lot of value, but, as an industry as a whole, I don't think we've figured it out,” Pineda said. “We may not be able to find a silver bullet, but there are a lot of smart people in our industry today, and I'm hoping we can find a solution that’s beyond SOAR.”

Trusting the Machine and AI

Pineda and Roberts recognized that there is a trust issue when it comes to applying AI-based solutions - like Cybersixgill’s Darkfeed - but they both agreed that machines are more accurate - and faster - than humans.

“The problem is, people feel like if they don’t do things manually, how can they trust the tools? How can I know if the tools are getting the IOCs?” Pineda said.

Roberts agreed, adding that machines are more effective than 95 percent of humans, and that SOAR misses important threats.

“And when the bloody thing fails, because let’s face it, it is going to, then who’s accountable?” Roberts asked.

Roberts said he is frustrated with the industry because there are so many intel feeds out there, yet few are able to produce a consolidated, effective channel of information and intelligence that’s truly actionable.

“Just give me something I can use,” he said.

The New and Better Way: Accurate and Relevant Intelligence

At Cybersixgill, our mission is to help security professionals continuously expose the earliest indications of risk. We understand the daily challenge of sorting through a flood of irrelevant data and alerts to focus on specific threats aimed at one organization. And we do so with an accuracy that makes it easy to trust the intelligence we curate.

Cybersixgill has proven to have the broadest threat intelligence collection capabilities available, covertly extracting data from a wide range of sources including content from limited-access deep and dark web forums and markets, invite-only messaging groups, code repositories, paste sites and clear web platforms, enriching it with context to provide comprehensive insight into the nature and source of each threat.

What Makes Cybersixgill Threat Intelligence Unique

Cybersixgill allows cybersecurity analysts to hit the ground running, because it reduces the amount of incoming information to only the data that is relevant. Our fully automated collection and source infiltration can scrape data that is inaccessible to other vendors, such as high-value sources protected by complex CAPTCHAs and posts that may have since been deleted.

We use advanced AI & ML algorithms to index, correlate, analyze, tag and filter raw data, enriching each item with context to derive critical intelligence regarding the nature, source and evolution of each threat.

Our advanced collection mechanisms autonomously extract, process and index intel at scale, digesting tens of millions of intelligence items per day, ensuring that our intel is relevant, up-to-date and accurate.

With our powerful AI and ML processes, we have compiled over 7 million threat actor profiles, while detailing each actor’s history, aliases, languages, arenas of activity, peer networks and other connections and relations. 

While most threat intelligence feeds are generated from telemetry - detecting attacks already in progress - Cybersixgill’s Darkfeed collects, tags and filters IOCs sourced directly from chatter among cybercriminals in the underground, capturing emerging threats as they surface on the forums and markets of the deep and dark web.

Multi-layered filtering and tagging processes eliminate false-positives and ensure data fidelity.

We collect from 700+ sources from the deep and dark web. Our competition collects from only 20 percent of our sources.

Cybersixgill Reduces Duplicate Work and Alert Fatigue

Cybersixgill captures, processes and alerts teams to emerging threats, TTPs and IOCs as they surface on the clear, deep and dark web. Using advanced AI and machine learning algorithms, we immediately prioritize, enrich and score data according to each customer’s unique assets and attack surface. This allows us to swiftly publish profiles and identify behavioral patterns, giving cybersecurity teams time to apply timely, practical solutions to areas of risk exposure before a new attack mission is launched. Our intel extraction is 24 times faster than that of our competitors, and because we only pass on relevant IOCs and intel, we reduce the level of alert fatigue and numbness.

Our fully automated crawlers infiltrate and maintain access to limited-access sources, extracting data as it is posted. We then process, index, tag, filter and enrich it using advanced AI and ML algorithms - and shoot it off to our customers in minutes.
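As an added illustration of the consolidate-then-prioritize step described above (example code written for this article, not Cybersixgill’s code and not its actual scoring), the script below merges IOCs from three constructed feeds, collapses duplicates that differ only in case or whitespace, weights each indicator by whether it touches a constructed asset inventory, and drops what does not matter to this organization. The feed names, placeholder CVE ids, asset lists and weights are all assumptions.

```python
"""Dedupe IOCs from several feeds and rank them by relevance to our own assets.
Added for this article, not Cybersixgill's code; feeds, assets, placeholder
CVE ids and weights are constructed sample data."""

# Constructed feed entries: (feed, indicator type, value, feed confidence 0..1)
FEEDS = [
    ("feed-a", "domain", "login-corp-example.test", 0.9),
    ("feed-b", "domain", "LOGIN-Corp-Example.test", 0.6),  # same IOC, other case
    ("feed-a", "cve", "cve-0000-0001", 0.8),               # placeholder CVE ids
    ("feed-c", "cve", "CVE-0000-0002", 0.7),
    ("feed-b", "ipv4", "203.0.113.7", 0.5),                # RFC 5737 test range
    ("feed-c", "ipv4", "203.0.113.7 ", 0.8),               # trailing space
    ("feed-c", "domain", "unrelated.test", 0.9),
]

# Constructed inventory for the organization being defended.
ASSETS = {
    "brand_terms": {"corp-example"},     # strings a lookalike domain would abuse
    "deployed_cves": {"CVE-0000-0001"},  # CVEs in software we actually run
    "seen_in_logs": {"203.0.113.7"},     # IPs observed in our own telemetry
}

def normalize(kind, value):
    """Canonical form so the same IOC from two feeds collapses to one key."""
    value = value.strip()
    return value.upper() if kind == "cve" else value.lower()

def relevance(kind, value, assets):
    """0..1 weight: how much this IOC matters to *this* organization."""
    if kind == "domain" and any(t in value for t in assets["brand_terms"]):
        return 1.0
    if kind == "cve" and value in assets["deployed_cves"]:
        return 1.0
    if kind == "ipv4" and value in assets["seen_in_logs"]:
        return 1.0
    return 0.1  # unrelated to our assets: keep, but at low weight

def consolidate(feeds, assets, min_score=0.3):
    """Dedupe across feeds, score = relevance * best feed confidence, filter, rank."""
    merged = {}
    for feed, kind, raw, conf in feeds:
        key = (kind, normalize(kind, raw))
        entry = merged.setdefault(key, {"sources": set(), "confidence": 0.0})
        entry["sources"].add(feed)
        entry["confidence"] = max(entry["confidence"], conf)
    ranked = []
    for (kind, value), e in merged.items():
        score = round(relevance(kind, value, assets) * e["confidence"], 2)
        if score >= min_score:  # below this threshold it is noise for us
            ranked.append({"type": kind, "value": value, "score": score,
                           "sources": sorted(e["sources"])})
    return sorted(ranked, key=lambda r: (-r["score"], r["value"]))
```

On the constructed data, seven feed entries collapse to three actionable indicators, each carrying the list of feeds that reported it so analysts do not chase the same IOC twice.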

Our DVE scoring engine does not rely on NVD’s scoring. Instead, it is based on AI analysis of underground discourse reflecting threat actor intent. We often identify a high-severity CVE well before NVD has even assigned it a CVSS score. One example is the Log4j vulnerability.

We published a DVE Score of 9.53 for the Spring4Shell vulnerability nine days before NVD added and scored the vulnerability. During this period, 16 percent of affected organizations had already been attacked.

Our DVE Score continuously updates exploitation probability for more than 200K CVEs at any given time.

Cybersixgill’s Darkfeed operates at machine speed, feeding malicious IOCs into our customers’ existing security systems as they are detected and blocking IOCs before they can be weaponized. That is how we enrich endpoint protection in real time.

If you want us to follow up, feel free to contact us.

If you want a demo, give us a shout here.

Alternatively, you can continue listening to our podcast episodes on Dr. Dark Web.
