How Automation Turns CTI Analysts Into Super Heroes
The expanding demand for Cyber Threat Intelligence (CTI) and its extensive use by organizations worldwide place CTI analysts in a position where they are expected to have superpowers. From fraud analysis through big data analytics to classic intelligence and cyber intelligence, today's analysts need to know it all, while at the same time combating data overflow, false positives and a ticking clock.
The Top 5 Challenges that Affect Analysts’ Daily Tasks
1. Diverse sources and anonymity – Required skill: Language and HUMINT capabilities
The huge amount of data that resides on deep and dark web platforms arrives in a variety of languages. The analyst has to know these languages and the slang used in them. Automated translation services are of limited use here: the analyst has to know whom to talk to and how to embed themselves in a virtual community without appearing suspicious, and these subtleties require a human being.
2. Financial crime grows more sophisticated – Required skill: Fraud analysis
Since financial organizations are large consumers of CTI, the analyst needs to understand the financial field: what a BIN (Bank Identification Number) is, how SWIFT networks work, where stolen credit cards are traded, how cybercriminals monetize them, etc.
3. Data overflow – Required skill: Big Data analytics
The CTI analyst needs to go over a large amount of data; the ability to analyze, correlate, connect and classify data points quickly and efficiently requires exceptional skills.
4. Multiple disciplines – Required skill: International relations analysis
The geopolitical situation in different parts of the world has a direct effect on the cyber domain. In order to understand, analyze and assess intelligence, the analyst has to have some understanding of the relations between countries, global politics, world history and more.
5. Variety of end-users – Required skill: Report writing
Assuming your analysts possess all the above-mentioned skills, there is still the matter of communicating their findings. All analysts' discoveries should be shared in a report that simplifies the findings so that non-technical readers also understand the discoveries, their impact on the organization, and the analyst's recommendations and action items. With the growing shortage of skilled cyber personnel, finding a "super-analyst" who possesses all the skills listed above seems like mission impossible. This is why we have to look at technology solutions that can facilitate the analysts' work. In this case: automation.
How Automation Benefits CTI Analysts
There are automated tools that take some of the workload off the analyst, enabling the analyst to focus on specific actions and to develop new skills that require the human touch.
Below we review a few automation solutions that can be easily implemented to free up substantial resources.
Collection of data and alert monitoring
Collection of data from open and covert web sources, as well as from existing intelligence databases, can be fully automated. The data searched for is based on the organization's industry, critical assets and predefined threat hunting requirements.
The process of classifying the risk and prioritizing mitigation actions can also be automated using threat scoring algorithms that encode the workflows and analysis processes of experienced Cyber Threat Intelligence researchers.
Automated domain monitoring exposes, in a timely manner, newly registered domains (surfaced through their WHOIS records) that can be used maliciously to put your business at risk, for example lookalike or typosquatted versions of your own domains. Combined with SSL certificate monitoring and regular DNS queries, automated domain monitoring provides a more complete CTI picture.
Credit card monitoring and analysis
An automated credit card monitoring tool monitors the dark web for newly published credit card (CC) data relevant to the organization. When a new publication is detected, the tool downloads it and parses fields such as the BIN/CC number, expiration date and cardholder name, removing the noise and keeping only the records relevant to the organization. Performing this task manually is time consuming; automating it frees up much-needed analyst time.
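What "removing the noise" amounts to in practice is parsing the dump, discarding lines that are not card records or fail a Luhn check, and keeping only cards whose BIN belongs to the organization. The following is an added example written for this article, not a vendor's code. The dump text, its pipe-separated layout and the organization's BIN list are constructed assumptions; the card numbers are the widely published payment-network test numbers, not real cards.

```python
"""Parse a constructed card "dump" and keep only records relevant to the organization.

Added example. SAMPLE_DUMP, its field layout and ORG_BINS are constructed
assumptions; real dumps vary in format and are fetched by the monitoring tool.
"""
import re

# Constructed: BINs (first six digits of the PAN) issued by the organization.
ORG_BINS = {"411111", "555555"}

# Constructed sample dump: PAN|MM/YY|holder, with noise lines around it.
# The PANs are public test numbers; one is deliberately Luhn-invalid.
SAMPLE_DUMP = """\
=== fresh cc base ===
4111111111111111|12/26|JOHN DOE
5555555555554444|03/25|JANE ROE
378282246310005|09/27|SAM SMITH
4111111111111112|12/26|BAD LUHN
5105105105105100|11/26|OTHER BANK
price: 5$ per card, contact via PM
"""

LINE_RE = re.compile(r"^(?P<pan>\d{13,19})\|(?P<exp>\d{2}/\d{2})\|(?P<holder>[^|]+)$")


def luhn_ok(pan):
    """Standard Luhn mod-10 check; filters typos and fabricated numbers."""
    total = 0
    for i, digit in enumerate(reversed(pan)):
        d = int(digit)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(pan):
    """Keep BIN and last four only, so reports do not re-expose the full PAN."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def parse_dump(text, org_bins=ORG_BINS):
    """Return structured records for every well-formed, Luhn-valid card line."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # noise: banner, pricing, chatter
        pan = m.group("pan")
        if not luhn_ok(pan):
            continue  # malformed or fake number
        bin_ = pan[:6]
        records.append({
            "bin": bin_,
            "masked_pan": mask(pan),
            "expiry": m.group("exp"),
            "holder": m.group("holder").strip(),
            "relevant": bin_ in org_bins,
        })
    return records


def relevant_records(text, org_bins=ORG_BINS):
    """Only the cards the organization actually issued, i.e. what the analyst sees."""
    return [r for r in parse_dump(text, org_bins) if r["relevant"]]


if __name__ == "__main__":
    for r in relevant_records(SAMPLE_DUMP):
        print(r["masked_pan"], r["expiry"], r["holder"])
```

Masking at parse time matters: the output of this step ends up in tickets and reports, and the monitoring pipeline should not become a second place where full card numbers are stored.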
Vulnerability monitoring and CVE prioritization
The massive amount of data, data sources and data types creates duplicates and endless noise. Automation can fuse different data sources, such as monitored systems, CVE databases and the open, deep and dark web, filtered by keywords describing the vulnerabilities and products of interest. The aggregated data is deduplicated, analyzed and presented to the analyst in a unified format with a risk score, saving a lot of time and providing CVE prioritization.
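The fusion step described here, and the threat scoring mentioned earlier under collection and alert monitoring, can be illustrated together: merge mentions of the same CVE from several feeds into one record, then score each record by severity, presence in the organization's asset inventory, exposure and exploit chatter. The following is an added example written for this article, not a vendor's scoring algorithm. The feeds, CVE identifiers (placeholders in the CVE-0000-NNNN form), product names, asset inventory and weights are all constructed assumptions.

```python
"""Fuse vulnerability mentions from several feeds into one record per CVE and rank them.

Added example. FEEDS, ASSET_KEYWORDS, the placeholder CVE IDs, the fictional
product names and the scoring weights are constructed assumptions.
"""

# Constructed: product keywords from the organization's asset inventory.
ASSET_KEYWORDS = {"acme-vpn", "widget-cms"}

# Constructed feeds of (source, record). Overlapping and duplicate CVEs are intentional.
FEEDS = [
    ("nvd",     {"cve": "CVE-0000-0001", "cvss": 9.8, "product": "acme-vpn"}),
    ("vendor",  {"cve": "CVE-0000-0001", "cvss": 9.6, "product": "acme-vpn"}),
    ("darkweb", {"cve": "CVE-0000-0001", "exploit_chatter": True}),
    ("nvd",     {"cve": "CVE-0000-0002", "cvss": 7.5, "product": "widget-cms"}),
    ("scanner", {"cve": "CVE-0000-0002", "product": "widget-cms", "hosts": 42}),
    ("nvd",     {"cve": "cve-0000-0002", "cvss": 7.5, "product": "widget-cms"}),  # duplicate
    ("nvd",     {"cve": "CVE-0000-0003", "cvss": 8.1, "product": "other-erp"}),
    ("darkweb", {"cve": "CVE-0000-0003", "exploit_chatter": True}),
]


def fuse(feeds):
    """Merge all mentions of a CVE into one record, keyed by normalized CVE ID."""
    merged = {}
    for source, rec in feeds:
        cve = rec["cve"].upper()
        entry = merged.setdefault(cve, {
            "cve": cve, "sources": set(), "cvss": 0.0, "products": set(),
            "exploit_chatter": False, "exposed_hosts": 0,
        })
        entry["sources"].add(source)
        entry["cvss"] = max(entry["cvss"], rec.get("cvss", 0.0))   # worst published score wins
        if "product" in rec:
            entry["products"].add(rec["product"].lower())
        entry["exploit_chatter"] |= rec.get("exploit_chatter", False)
        entry["exposed_hosts"] = max(entry["exposed_hosts"], rec.get("hosts", 0))
    return merged


def risk_score(entry, asset_keywords=ASSET_KEYWORDS):
    """Constructed scoring: severity, down-weighted if not in our estate, plus exposure and chatter."""
    score = entry["cvss"] * 10                      # 0..100 from CVSS
    in_estate = bool(entry["products"] & asset_keywords)
    if not in_estate:
        score *= 0.3                                # not our product: mostly noise
    if entry["exploit_chatter"]:
        score += 20                                 # active interest on criminal forums
    score += min(entry["exposed_hosts"], 20)        # scanner-confirmed exposure
    return round(min(score, 100.0), 1)


def prioritize(feeds, asset_keywords=ASSET_KEYWORDS):
    """Fused, scored and ranked list: the unified view an analyst would work from."""
    ranked = []
    for entry in fuse(feeds).values():
        entry["in_estate"] = bool(entry["products"] & asset_keywords)
        entry["risk"] = risk_score(entry, asset_keywords)
        ranked.append(entry)
    return sorted(ranked, key=lambda e: -e["risk"])


if __name__ == "__main__":
    for e in prioritize(FEEDS):
        print(f"{e['risk']:5.1f}  {e['cve']}  estate={e['in_estate']}  sources={sorted(e['sources'])}")
```

The useful property is that the third CVE, despite its higher CVSS than the second, ranks last because nothing in the inventory runs the affected product, while the second rises on confirmed exposure; that is the kind of context a raw CVE feed cannot supply.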
Developments in machine learning and automation technologies have already been shown to improve productivity and resource allocation and to lead to better decision-making. It is quite probable that more of the challenges analysts struggle with today will become automated in the future.
Read more about the role of automation in the most common CTI use cases. Download the e-book: Building a (successful) proactive Cyber Threat Intelligence (CTI) operation