IBM Security Global Forum


“My Threats” – The less travelled path on CP4S Threat Intelligence Insights App

By Betala Shanbhag posted Mon September 05, 2022 10:19 AM


IBM Cloud Pak® for Security (CP4S) is an open security platform that connects to customers' existing data sources to generate deeper insights and enables them to act faster with automation.

Threat Intelligence Insights (TII) is an app on CP4S that delivers unique and relevant threat intelligence prioritized for your organization. It seamlessly integrates with other apps on CP4S to further continue the investigation and remediation processes.

As security analysts, threat investigators and threat hunters discover new IoCs such as IP addresses and malware hashes, they want to save them in a repository that they can share and collaborate on, and that holds information on an existing or emerging threat. “My Threats” is one such feature: analysts can use it to save reports on indicators of compromise (IoCs), text comments, or any other content that helps them in forensic investigations.

Before getting into My Threats, let me take Avaddon ransomware as an example. Here is what Threat Intelligence Insights shows about Avaddon ransomware:

[Screenshot: Am I Affected scan results]

As seen in the above screenshot, the CP4S Threat Intelligence AM I AFFECTED scan has found that 3 of the 3 indicators are detected. Threat Intelligence also creates a Case (incident) automatically for further investigation.

Analysts can use the Case Management and Data Explorer applications to further investigate the spread of the threat. Below is a screenshot from Data Explorer that shows additional IoCs found in the course of the investigation.

[Screenshot: Data Explorer investigation results]

As analysts proceed with the investigation they discover more valuable information: (a) additional IoCs, (b) internal IPs (offender IPs), (c) notable information such as the approach the analyst would take, the vulnerabilities, assets and risks, and (d) any other noteworthy information that aids future investigation. A need then arises to save all of this information in a report-like document that can be (1) shared with the other analysts on the investigation team, (2) extended with the investigation information listed above as you go, and (3) preserved for future investigation, whether for threat hunting or when a new variant of the same ransomware hits. This is where “My Threats” comes into the picture.

With My Threats, analysts and threat hunters can:

Create Threat: Create your own private threat that only you can view and edit, unless you opt to share it with the individuals you want to collaborate with.

[Screenshot: Create CUSTOM Threat]

Once the custom threat is created, the analyst can provide an Overview, relevant Indicators etc. Saving this threat report will show it under Threat Intelligence Insights --> Threats --> My threats.

[Screenshot: Add Overview for My Threat]

[Screenshot: Add Indicators of Compromise to My Threats]

[Screenshot: My Threat published on TII app]

This custom threat can also be shared with other analysts or teams using the "Share" capability in My Threats.

[Screenshot: Share My Threat]

Analysts and threat hunters can use this information to run an “AM I AFFECTED” scan as needed.

[Screenshot: Am I Affected scan for My Threat]

They can then update further relevant information. In the Avaddon example, there is a VirusTotal finding, which can be added to “My Threats”.

[Screenshot: Update Overview]

[Screenshot: Update IoCs]

This process goes on as long as analysts and threat hunters investigate and find new information. The custom threat report under “My Threats” acts as a live report and a one-stop point to understand the investigation history and the current situation, and to proceed from where we left off.

The other important use case where “My Threats” comes in handy is capturing IoCs from any advisory from governments, customers, threat feeds etc. Instead of the traditional approach, where the analyst creates a ticket for each advisory (and gets into the loop of SLAs), they can use “My Threats” to create a report, run an “Am I Affected” scan, and auto-create incident(s) only if affected.
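To make the workflow concrete, here is an added example that is not IBM's or CP4S's own code: a small stand-in for the "My Threats" report described above (a private, shareable report holding IoCs and append-only analyst notes) together with an "Am I Affected"-style sweep over sample log lines and the "create an incident only if affected" decision from the advisory use case. The ThreatReport class, the function names, the indicator values and the log lines are all constructed for illustration and do not correspond to any CP4S API.

```python
"""Added example, not IBM's or CP4S's own code: a minimal stand-in for the
'My Threats' workflow. It builds a custom threat report from advisory IoCs,
runs an 'Am I Affected'-style sweep over sample log lines, and opens an
incident only when an indicator is actually observed. Every name, indicator
and log line here is constructed for illustration."""
from dataclasses import dataclass, field
import ipaddress
import re

HEX64_RE = re.compile(r"^[0-9a-f]{64}$")
DOMAIN_RE = re.compile(r"^(?:[a-z0-9-]+\.)+[a-z]{2,}$")
# Tokenisers used when sweeping free-form log text for whole indicators.
IP_TOKEN_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
HASH_TOKEN_RE = re.compile(r"\b[0-9a-fA-F]{64}\b")
DOMAIN_TOKEN_RE = re.compile(r"\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b", re.IGNORECASE)


@dataclass
class ThreatReport:
    """A private, shareable report: IoCs plus an append-only investigation log."""
    name: str
    overview: str
    indicators: dict = field(
        default_factory=lambda: {"ip": set(), "sha256": set(), "domain": set()})
    notes: list = field(default_factory=list)
    shared_with: set = field(default_factory=set)

    def add_indicator(self, kind: str, value: str) -> None:
        """Normalise and validate an IoC before it lands in the report."""
        value = value.strip().lower()
        if kind == "ip":
            ipaddress.ip_address(value)          # raises ValueError on junk
        elif kind == "sha256" and not HEX64_RE.match(value):
            raise ValueError(f"not a SHA-256 hex digest: {value!r}")
        elif kind == "domain" and not DOMAIN_RE.match(value):
            raise ValueError(f"not a domain: {value!r}")
        elif kind not in self.indicators:
            raise ValueError(f"unsupported indicator kind: {kind}")
        self.indicators[kind].add(value)

    def add_note(self, author: str, text: str) -> None:
        """Investigation history is appended, never overwritten."""
        self.notes.append((author, text))

    def share_with(self, user: str) -> None:
        self.shared_with.add(user)


def am_i_affected(report: ThreatReport, log_lines: list) -> dict:
    """Return {indicator: [line numbers]} for every IoC seen in the logs.

    Matching is on whole tokens, so 203.0.113.4 does not 'hit' on a line
    containing 203.0.113.45 (a classic false positive of substring sweeps)."""
    tokenisers = {"ip": IP_TOKEN_RE, "sha256": HASH_TOKEN_RE, "domain": DOMAIN_TOKEN_RE}
    hits = {}
    for lineno, line in enumerate(log_lines, start=1):
        for kind, regex in tokenisers.items():
            seen = {tok.lower() for tok in regex.findall(line)}
            for ioc in report.indicators[kind] & seen:
                hits.setdefault(ioc, []).append(lineno)
    return hits


def auto_create_incident(report: ThreatReport, log_lines: list):
    """Open an incident only if the sweep found something; otherwise None."""
    hits = am_i_affected(report, log_lines)
    if not hits:
        return None
    return {
        "title": f"{report.name}: {len(hits)} indicator(s) observed",
        "indicators_hit": sorted(hits),
        "evidence": {ioc: [log_lines[n - 1] for n in lines] for ioc, lines in hits.items()},
    }


# Constructed sample data: a fake advisory's IoCs and three fake log lines
# (documentation IP ranges, a reserved .test domain, an obviously fake hash).
CONSTRUCTED_HASH = "deadbeef" * 8                  # 64 hex chars, obviously fake
SAMPLE_LOGS = [
    "2022-09-05T10:19:00Z proxy allow src=10.0.0.15 dst=203.0.113.45 host=update.example-bad.test",
    f"2022-09-05T10:20:12Z edr file_created host=WKS-042 sha256={CONSTRUCTED_HASH}",
    "2022-09-05T10:21:30Z proxy allow src=10.0.0.22 dst=198.51.100.7 host=cdn.example.com",
]


def build_example_report() -> ThreatReport:
    """The advisory-driven use case: capture the IoCs, add a note, share."""
    report = ThreatReport(name="Example ransomware advisory (constructed)",
                          overview="IoCs lifted from a constructed advisory for demonstration.")
    for ip in ("203.0.113.45", "203.0.113.4"):   # the second one must NOT hit
        report.add_indicator("ip", ip)
    report.add_indicator("sha256", CONSTRUCTED_HASH)
    report.add_indicator("domain", "update.example-bad.test")
    report.add_note("analyst-1", "Imported from advisory; scan pending.")
    report.share_with("analyst-2")
    return report


if __name__ == "__main__":
    rep = build_example_report()
    print(am_i_affected(rep, SAMPLE_LOGS))
    print(auto_create_incident(rep, SAMPLE_LOGS))
```

Running the block sweeps the three constructed lines and reports hits for the IP, the hash and the domain, while the near-miss IP 203.0.113.4 correctly stays silent; a sweep over logs with no matches returns no incident, which is the "auto-create only if affected" behaviour the post describes.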


In this blog I have listed a possible approach with the CP4S Threat Intelligence app. The GSI Ecosystem Lab Security team is actively developing more such use cases and deep-dive demonstrations.

If you have any questions regarding any of the points mentioned above or want to discuss this further, feel free to get in touch.

Betala R. Shanbhag: beshanb1@in.ibm.com
