ThreatConnect makes order out of threat feed chaos

One critical step that most organizations need to take on their path to better cybersecurity maturity is to acquire threat feed data. Looking at intelligence reports about the various threats targeting organizations can provide a lot of awareness about cyber dangers and threat actors. But some organizations equate security with the number of feeds they subscribe to, not realizing that their analysts couldn’t possibly monitor the hundreds or thousands of threat reports generated every day, or even every few minutes.

In that sense, having too many threat feeds is almost as bad as not having any at all. Unless you have some way of managing that information, there is just too much noise to identify the relevant attack reports and create actionable threat intelligence. The ThreatConnect platform is designed to focus those disparate feeds and information on just those threats that pose a real danger, and can even trigger automatic responses against the most dangerous attacks.

ThreatConnect can be installed on premises, or within a private or public cloud. There are different versions of the product including TC Complete, which gives users full access to both management and response capabilities, and TC Identify, which only consolidates and manages the threat feeds. For this article, an instance of TC Complete running within a private cloud was tested.

Main dashboard

The main dashboard for TC Complete gives an overview of threats tracked by feeds that an organization subscribes to, and any specific actions taken by ThreatConnect regarding them. The main program comes with many public feeds already in place and ready to be monitored, plus a specific feed generated by ThreatConnect. Users can add an unlimited number of other feeds to ThreatConnect without affecting their pricing, which is based on which version of the program they are using and how many external programs, like SIEMs, attach to it.

John Breeden/IDG

Users probably won’t spend too much time in the main dashboard before diving deeper into the management portion of the program. Analysts will likely spend much of their time browsing the consolidated lists of threats, which can be sorted in several ways to make them more digestible. Specific threats can also be flagged and highlighted, which is helpful for collaboration efforts and can be used later to set up various automatic triggers if elements of those threats are detected interacting with the protected network.

Use cases

There are likely two potential main use cases for ThreatConnect. First, it would be a great tool for quickly learning more about specific threats that are hitting a network. For example, if a new type of attack hit the SIEM or firewall, analysts could query ThreatConnect to see if any of their subscribed feeds knows more about it. More valuable would be using the platform proactively, learning about threats that are targeting specific industries or equipment, and learning how to build up defenses against relevant ones before they strike.

ThreatConnect is able to integrate with SIEMs to provide a local view of threats, comparing information in the feeds to real-world, local conditions. TC Complete was integrated with Splunk for this review. As such, the program could be queried for any information linking threat information from the feeds, such as the domain registration from a malware command and control server, with any event caught by Splunk. ThreatConnect was able to show that one threat identified in the feeds was interacting, so far unsuccessfully, with the test network. In this way, analysts can link knowledge about potential threats with reports regarding their local network.

John Breeden/IDG

Using Playbooks

TC Complete also provided more than just information. Through the creation of Playbooks, specific threats considered especially dangerous to the protected organization can be given special treatment. Playbooks are designed in flowchart format. They start with triggers, which can be anything from a human analyst starting a process to the SIEM or firewall detecting the presence of a known threat from the feeds.

John Breeden/IDG

After the trigger, users can add a series of processes or actions with various results leading to other actions within the flowchart. For example, a suspected program tied to a threat could be automatically sent to a Palo Alto sandbox. Depending on the outcome of that, actual malware could be automatically blocked on the network, or a cleared program could be listed as a known false positive.

Using Playbooks, which can be quite extensive, enables users to create better situational awareness tying threat feeds directly to their networks, even setting up automatic processes to alert defenders or block malicious programs.

The last word

There is no shortage of threat feeds available today. Subscribing to just the publicly available, free feeds, can net an organization thousands of reports per day. Subscribing to paid ones could potentially provide more targeted information, but the data is no less complicated to manage. Adding a tool like ThreatConnect, which can bridge the gap between theoretical threat information and the real world, is an invaluable tool for managing and optimizing detection and response capabilities.