Giacomo Lanzi

Coordination between CTI and SOC: how to further raise the defenses

Estimated reading time: 6 minutes

The Cyber Threat Intelligence (CTI) and a Security Operations Center (SOC) are two important parts in a company’s security process. They help identify and mitigate the risks involved in the digital world. CTI is a proactive measure that helps identify potential threats, while SOC is a reactive measure that helps detect and mitigate an attack. Together, CTI and SOC are two important tools in the IT field.

The CTI helps organizations identify potential threats by collecting data from various sources such as social media, dark web , malware database, etc . It then analyzes this data using advanced analytics tools such as machine learning algorithms and provides useful information to decision makers.

A SOC, on the other hand has a more responsive approach in that it detects and mitigates an attack as soon as it occurs. SOCs use various methods such as firewalls, intrusion detection systems, log management systems, etc.

The relationship between CTI and SOC can be described in one sentence:

The CTI provides valuable information to the SOC, while the SOC provides the CTI with relevant feedback.

CTI and SOC

CTI and SOC: what are they?

Before collaborating in security management, CTI and SOC are two distinct things that have different roles and purposes. Let’s see them briefly together.

What is the CTI

Cyber Threat Intelligence (CTI) is the process of collecting, analyzing and disseminating information on cyber incidents to help identify and combat cyber threats. It is an intelligence discipline that deals with the identification and analysis of cyber threats. The CTI can be used to prevent future attacks on an organization by identifying potential vulnerabilities in the system .

Cyber Threat Intelligence can be considered a form of proactive cyber defense . With CTI, organizations are better able to protect themselves from various types of cyber attacks. There are three main types of cyber threat intelligence:

1) Cyber Attack Intelligence: information on methods and reasons of the attacker

2) Cyber defense intelligence: information on defender vulnerabilities and how they can be exploited by attackers

3) Cyber Threat Intelligence: information about the threat agent’s strategy, intent, capabilities and resources

What is a SOC

A Security Operation Center (SOC) is a central security hub for an organization . It is a place where all security operations are monitored and managed. The SOC can be considered an organization’s cybersecurity “command center”, where all security operations are monitored and managed.

We offer SOC as a service for our customers ( SOC aaS ), relieving them of initial implementation costs and constant infrastructure maintenance costs. Furthermore, our SOCaaS uses a NextGen SIEM system which guarantees speed and punctuality of responses.

CTI and the constant evolution of online threats

Cyber threat intelligence is the key to understanding the evolution of cyber threats and how they are changing. The constant evolution of threats makes it difficult for organizations to keep up with the latest security developments. Cybersecurity teams need to be able to respond quickly and efficiently to avoid damage.

In this ever-changing dynamic environment, Cyber Threat Intelligence comes into play. The CTI is the key element that allows you to understand how to protect yourself from various cyber attacks. In practice, this means that, thanks to a careful series of analyzes, it is possible to actually understand how to avoid becoming a victim of attacks.

The CTI therefore helps in identifying potential threats and provides this valuable information to the SOC, which can then implement specific controls for the threats detected.

It is important for companies to have their own Cyber Threat Intelligence to keep up with the constant evolution of threats. Companies need to understand what is happening in the area of cyber threats, and understand the path taken by various cyber terrorist groups.

The Security Operation Center and Threat Detection

The Security Operation Center (SOC) is the central hub for monitoring and managing IT security. In theory, this is a physical place where IT engineers and technicians work to defend the corporate infrastructure. However, it is not uncommon now to find SOC offered as a service (SOCaaS).

The first step in threat detection is to create a threat intelligence program . This program should be able to collect, analyze and share information about cyber threats and attacks with all interested parties in the organization. This step is carried out by a CTI team, and becomes an integral part of the SOC work process.

The second step is to develop a strategy to respond to these threats and attacks. The third step is to implement the strategy in operations through designed procedures, policies and tools. for a quick response when an attack occurs.

Security Operation Centers (SOCs) are responsible for monitoring networks and systems for any signs of cyber attacks or system failures that could lead to data breaches or other malicious events. Threat detection proactively engages both of us.

CTI and SOC cover

SOC and its importance in the CTI process

Therefore, the relationship between CTI and SOC represents a combination that must always be present if you want to be sure that operating online is an optimal type of operation to perform.

The interesting thing is the interaction that is created between these two tools, thus becoming an increasingly powerful solution in the field of IT security.

The SOCaaS we offer, in fact, contains a behavior analysis tool, very useful in identifying suspicious behavior and connecting them to potential threats, even afterwards. This aspect creates an internal source of information for the CTI, which can then add the results of the SOC behavior analysis to its search clues.

CTI and SOC feed each other, we can say, with information and solutions to support corporate security.

Our SOC and CTI services

As we’ve seen, SOC and CTI complement each other, so to speak. These two services are both offered by us and we are confident of the positive impact they have in the fight against cyber threats for companies.

If your company is looking for information on how to best protect the IT infrastructure from cybercrime, contact us for advice or to ask for more information, we will be happy to answer any questions.

Link utili:

Share


RSS

More Articles…

Categories …

Tags

RSS Dark Reading

RSS Full Disclosure

  • Backdoor.Win32.Delf.eg / Unauthenticated Remote Command Execution October 3, 2022
    Posted by malvuln on Oct 03Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/de6220a8e8fcbbee9763fb10e0ca23d7.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Delf.eg Vulnerability: Unauthenticated Remote Command Execution Description: The malware listens on TCP port 7401. Third-party adversarys who can reach infected systems can issue commands made available by the...
  • Backdoor.Win32.NTRC / Weak Hardcoded Credentials October 3, 2022
    Posted by malvuln on Oct 03Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/273fd3f33279cc9c0378a49cf63d7a06.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.NTRC Vulnerability: Weak Hardcoded Credentials Family: NTRC Type: PE32 MD5: 273fd3f33279cc9c0378a49cf63d7a06 Vuln ID: MVID-2022-0646 Disclosure: 10/02/2022 Description: The malware listens on TCP port 6767....
  • Wordpress plugin - WPvivid Backup - CVE-2022-2863. October 3, 2022
    Posted by Rodolfo Tavares via Fulldisclosure on Oct 03=====[ Tempest Security Intelligence - ADV-15/2022 ]========================== Wordpress plugin - WPvivid Backup - Version < 0.9.76 Author: Rodolfo Tavares Tempest Security Intelligence - Recife, Pernambuco - Brazil =====[ Table of Contents]================================================== * Overview * Detailed description * Timeline of disclosure * Thanks & Acknowledgements * References =====[ […]
  • ZKBioSecurity 3.0.5- Privilege Escalation to Admin (CVE-2022-36634) October 1, 2022
    Posted by Caio B on Sep 30#######################ADVISORY INFORMATION####################### Product: ZKSecurity BIO Vendor: ZKTeco Version Affected: 3.0.5.0_R CVE: CVE-2022-36634 Vulnerability: User privilege escalation #######################CREDIT####################### This vulnerability was discovered and researched by Caio Burgardt and Silton Santos. #######################INTRODUCTION####################### Based on the hybrid biometric technology and...
  • ZKBiosecurity - Authenticated SQL Injection resulting in RCE (CVE-2022-36635) October 1, 2022
    Posted by Caio B on Sep 30#######################ADVISORY INFORMATION####################### Product: ZKSecurity BIO Vendor: ZKTeco ( https://www.zkteco.com/en/ZKBiosecurity/ZKBioSecurity_V5000_4.1.2) Version Affected: 4.1.2 CVE: CVE-2022-36635 Vulnerability: SQL Injection (with a plus: RCE) #######################CREDIT####################### This vulnerability was discovered and researched by Caio Burgardt and Silton Santos....
  • Backdoor.Win32.Augudor.b / Remote File Write Code Execution September 27, 2022
    Posted by malvuln on Sep 27Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/94ccd337cbdd4efbbcc0a6c888abb87d.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Augudor.b Vulnerability: Remote File Write Code Execution Description: The malware drops an empty file named "zy.exe" and listens on TCP port 810. Third-party adversaries who can reach the infected […]
  • Backdoor.Win32.Psychward.b / Weak Hardcoded Credentials September 27, 2022
    Posted by malvuln on Sep 27Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/0b8cf90ab9820cb3fcb7f1d1b45e4e57.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Psychward.b Vulnerability: Weak Hardcoded Credentials Description: The malware listens on TCP port 8888 and requires authentication. However, the password "4174" is weak and hardcoded in cleartext within the PE...
  • Backdoor.Win32.Bingle.b / Weak Hardcoded Credentials September 27, 2022
    Posted by malvuln on Sep 27Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/eacaa12336f50f1c395663fba92a4d32.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Bingle.b Vulnerability: Weak Hardcoded Credentials Description: The malware is packed using ASPack 2.11, listens on TCP port 22 and requires authentication. However, the password "let me in" is weak […]
  • SEC Consult SA-20220923-0 :: Multiple Memory Corruption Vulnerabilities in COVESA (Connected Vehicle Systems Alliance) DLT daemon September 27, 2022
    Posted by SEC Consult Vulnerability Lab, Research via Fulldisclosure on Sep 27SEC Consult Vulnerability Lab Security Advisory < 20220923-0 > ======================================================================= title: Multiple Memory Corruption Vulnerabilities product: COVESA DLT daemon (Diagnostic Log and Trace) Connected Vehicle Systems Alliance (COVESA), formerly GENIVI vulnerable version:
  • Backdoor.Win32.Hellza.120 / Authentication Bypass September 20, 2022
    Posted by malvuln on Sep 19Discovery / credits: Malvuln (John Page aka hyp3rlinx) (c) 2022 Original source: https://malvuln.com/advisory/2cbd0fcf4d5fd5fb6c8014390efb0b21_B.txt Contact: malvuln13 () gmail com Media: twitter.com/malvuln Threat: Backdoor.Win32.Hellza.120 Vulnerability: Authentication Bypass Description: The malware listens on TCP ports 12122, 21. Third-party adversarys who can reach infected systems can logon using any username/password combination....

Customers

Newsletter